How we change what others think, feel, believe and do

Social Engineering

Techniques > General persuasion > Social Engineering

Principles | Techniques | Covering tracks | Defending against it | See also

Social Engineering is a term used by computer hackers who seek to get confidential information from company employees by which they can have their way with company computer systems. The methods they use are simple and effective as illustrated here. The core principle is to play on the trust that people naturally give to one another. The massive cost is the erosion of trust and, in consequence, society.

Hackers are not the only people to use these methods and head-hunters, sales people and more may act as 'social engineers' to extract the information they need from unwitting employees whose first goal is to get their job done with the minimum hassle.

Principles

Bold impersonation

The basic method the social engineer uses is to phone up a company employee and ask them for the information wanted. Of course employees do not just dish out company secrets--but do they? If they believe they are talking to another employee then many will happily help a colleague. Impersonation is thus one of the fundamentals of social engineering.

Learn the lingo

The first trick, before asking for the detail wanted, is to sound like an employee, using company jargon and dropping names of other employees. This may be found in websites, magazines and across conversations, including eavesdropping on the chat of others in nearby bars and restaurants.

Fragmentation

Information is typically picked up one small piece at a time across multiple conversations and one of the a skills of the social engineer is patient piecing together of all the fragments found into a coherent picture.

This method also helps avoid detection as each person giving you information sees what they say as harmless -- it is only in combination that they become powerful.

Techniques

Impersonation

One way to get information is to impersonate a manager, whose authority is less likely to be challenged. Particularly if the name of a real manager is known, along with details the manager would know, then many employees would think twice about refusing the request.

At the other end of the scale to managers are the deep techies and support people. These folks have credibility on two counts. First, they might reasonably want to know the detail the social engineer seeks. They also have the authority of an expert and can be framed as 'doing important work' or 'helping angry customer'.

In a similar way HR and Finance experts can be impersonated to acquire personal and financial information.

Embedding

The social engineer seldom asks the key question up front but will embed it in the middle of the conversation. Even after getting the information they need they will ask more questions so the last thing remembered by the other person is a harmless distraction.

Grooming

The social engineer may build trust with a particular employee, questioning them about various irrelevant information over a number of calls before asking for the target information. The prior grooming builds a relationship and establishes strong credibility such that a request that would normally be refused is agreed 'just this once' for the friend.

Emergency

When we are faced with a crisis we typically look around for help. The social engineer might thus create or fake an emergency or some other pretext, from customer issues to computer crashes. They can then step in as the rescuing hero, although to save the day they do want you to give them that little bit of extra help - that password or downloading a special patch - that enables the rescue and gives them what they want.

And...

Other techniques social engineers may use include:

• Familiarity: Recording a company's 'hold' music and using it back on you.
• Fear: Telling you your personal credit rating is at risk or otherwise scaring you into unthinking reaction.
• Phone spoofing: so the call number you see is not the real source number used (often using VoIP).
• Dumpster diving: going through your trash for information.
• Phishing: Sending fake emails that request details and links to 'lookalike' trick sites.
• Shoulder surfing: Watching you enter key details.
• Remote imaging: Using high-resolution cameras from a distance to capture key information.
• Auditing: Acting like an auditor - in person too.
• Dig elsewhere: on Facebook, in the bar around the corner, on your website, etc.

Covering tracks

A critical task for the social engineer is to avoid detection. Before the event this could mean information is refused. Afterwards it could lead to prison. Thus they seldom appear in person, preferring the more anonymous phone or email. Pay-as-you-go phones are bought (for cash) and destroyed afterwards. Even voice-tone shifters may be used if there is risk of recording.

Done well, however, nobody ever knows that the social engineer was ever there. To the people they spoke to, they were just another caller in a non-stop stream, although perhaps just a bit nicer than the run-of-the-mill grumpy voice.

Defending against it

Social engineers know many more tricks than those discussed here. They get around robust firewalls and other security by exploiting the weakness of human nature.

If you want to defend against what can be highly damaging and criminal activities, then the first line of is a good education about social engineering and the methods used.

It can also help to perform a serious analysis of processes and procedures around security management, checking methods by which secure information is supplied and how often it is assessed and revised.

This should be coupled with assessment and trial attacks to prove that the education has worked. If the attacks succeed, do not blame the people -- it simply means your education was not good enough, so redouble your efforts to make your people proof to these pernicious problems.

See also

Mitnick, K.D. (2003). The Art of Deception, New York: Wiley