Social engineering (SE), or perception management, is a way for an attacker to trick a legitimate computer user into providing information that helps the attacker gain unauthorized access to that user's computer system (1). It is also used in identity fraud and theft cases as well as in corporate or industrial espionage. The attacker usually poses as someone who can be trusted so that the victim feels at ease sharing information. There are many different ways to carry out an SE attack, such as over the phone, by forged e-mail, and even in person. Some examples of SE attacks are discussed in this paper, along with ways of avoiding becoming the victim of such an attack.
Methods used in SE attacks, because they use human behavior, are limited only by the attacker's creativity. SE attacks work because human beings have many psychological characteristics that can be taken advantage of (2). Following are some examples of the methods used in SE attacks.
On the Phone
An easy way to gain valuable information is over the phone. For example, an attacker could call a secretary at a company and say that he is a temp worker who is having some trouble gaining access to the company's system. The secretary might simply give a password, or even better, may go on and on giving detailed instructions in an effort to be helpful to the new employee (2).
The phone method was used in one case where hackers called an executive's secretary and were given the executive's employee number. A second call exploited the knowledge of the executive's employee number to obtain the executive's cost center number, which was then used to have the company's internal phone directory delivered by overnight courier. The hackers then called the office in charge of new employees and obtained a list of new hires. Posing as information systems employees, they called the new employees and said that they wanted to go over security awareness over the phone. Through these discussions they obtained information such as the types of systems used in the company, employee computer IDs and passwords. Armed with this information, the hackers called the company's help desk and got the numbers for the company's modems. In the end, they gained access to the company's computer system by dialing the modems and using the IDs and passwords (1).
Self-proclaimed hacker "bernz" gives a very detailed account of how to go about gaining information through the mail. Mail is cheap and it is not tapped. All that is needed to get started is envelopes, stamps, a computer and possibly a PO box. His tried and tested method goes as follows: use a program such as PageMaker to make documents that look official and believable. A good document to create is one that looks something like a sweepstakes entry form. There should only be a few lines of information that the "mark" has to fill in, but the information requested should be of value, such as a social security number, a phone number, etc. He also suggests requesting a password in case phone contact is ever needed; "bernz" says that when a person submits a password, it is likely to be the password they use on the Internet. After receiving replies to the "sweepstakes", it is very easy either to use the information that has been provided or to follow up with a phone call to gain even more (3).
Big companies spy on each other constantly, so much so that there is actually a professional association of corporate spies who can be hired: the Society for Competitive Intelligence Professionals (SCIP) (4). This type of organization supplies "plausible deniability" to corporations spying on other corporations. If the spying is discovered and criminal charges are brought, the corporation can deny knowledge of any illegal activity, since the "intelligence professional" has signed documents stating that he or she would abide by all ethical rules; if a crime was committed, the corporation claims to know nothing about it (4).
In the winter of 1997, Barry (a corporate spy for hire) was called upon by SCIP to run an operation against Kraft Foods on behalf of Schwan's Sales Enterprises. Barry posed as a reporter for the Wall Street Journal, as an environmentalist and as a graduate student and was able to collect all the necessary information in just two days.
Other ways of using impersonation are:
-Simply walking through a large office dressed in business attire. Most other employees will assume that he is a new employee, and he is given free rein to snoop around through cubicles, look at computer screens, etc. Sometimes office workers write their usernames and passwords on a post-it note and stick it to their computer monitor (5).
-In the same office, an attacker could stand in front of a computer and shout out "Hey, I forgot the password, anyone know it?" Chances are very good that more than one person will provide the password (5).
-Posing as a systems maintenance technician to run tests. Many times, especially in a large office situation, the user will provide key information and then get up and leave to allow the "tech" to do his work (6).
The most typical SE attack online is through email. The e-mail is completely false, of course, but looks as though it came from someone with the Internet Service Provider (ISP). The e-mail could say something like:
Dear AOL User:
Recently we switched to Windows NT and in the process we lost the folder that contained your account information. So that we may provide you with uninterrupted service to the Internet, please send us your account name and password. Thank you for your time and patience in this matter.
Bill Jones from AOL (7)
Another way attackers obtain passwords online is to pose as a systems operator on IRC (Internet Relay Chat) and ask for information that way. Because many people use credit cards to pay for their online service, credit card numbers and expiration dates can be obtained in much the same way as passwords (e.g. "We've lost your credit card information and to ensure proper billing, please resubmit at this time"). This information can then be used to make purchases on the unsuspecting person's credit card and, taken a little further, can lead to outright identity theft.
Reverse Social Engineering (RSE) can be described as "a legitimate user of a system asking the hacker questions for information" (2). According to Rick Nelson (2), RSE consists of three major parts: sabotage, advertising and assisting. For example, an attacker can sabotage a workstation, and then advertise that he can be called upon to help solve the problem. An employee sees the "malfunction":
**ERROR 03 - Restricted Access Denied** - File access not allowed by user. Consult with Mr. Downs at (310) 555-1414 for file permission information. (2)
The employee then calls Mr. Downs for help on solving the problem. Since "Mr. Downs" created the problem in the first place, he has no trouble helping the employee solve it, thus fostering a sense of trust. While he is helping solve the problem, the attacker can easily obtain vast amounts of information from this employee.
It should go without saying that with just a little common sense, most SE attacks can be avoided. Sensitive information such as social security numbers, credit card numbers, addresses, etc. should never be given unless you have made the call yourself. One of the easiest ways for attackers to gain this sort of information is through posing as telemarketers, and unfortunately, many people fall for this SE attack. Online, it should be kept in mind that network administrators never need to know your password and if you are requested to disclose it, it is always an SE attack (8).
At the office, education is one of the best ways to avoid becoming a victim. A knowledgeable user of a system can be told never to give out account information without the permission of a supervisor (2) and can be taught how to spot an SE attack. The Computer Emergency Response Team/Coordination Center (CERT/CC) received several incident reports concerning users who were asked to take an action that resulted in their password being captured (9). The messages appeared to come from a site administrator or root, but may actually have been sent by an individual at a remote site trying to gain access to the local machine via the user's account. One such message looked like this:
OmniCore is experimenting in online - high-resolution graphics display on the UNIX BSD 4.3 system and its derivatives. But we need your help in testing our new product - Turbo Tetris. So, if you are not busy, please try out the Tetris game in your machine's /tmp directory. Just type: /tmp/ttetris. Because of the graphics handling and screen-reinitialization, you will be prompted to log on again. Please do so, and use your real password. Thanks for your support. You'll be hearing from us soon!
The company sent out a memo with actions to be followed if an employee should be presented with the above message or something like it.
Following are some basic ways suggested to handle situations that may arise in the office setting:
-If you cannot personally identify a caller who asks for personal information about you, about your computer system or any other sensitive information, do not give it. Verify the caller's identity by calling them back at their proper phone number as listed in your company's telephone directory (1).
-Passwords are sensitive and should remain unknown to everyone but you. Systems administrators or maintenance techs who need to work on your computer do not need your password. They have their own passwords that give them the access they need to do their job (1).
-Verify all systems maintenance techs from outside vendors that come on site to perform repairs or maintenance. A simple phone call can verify this (1).
-Be knowledgeable about common SE attacks and know how to spot them (2).
Using SE, the attacker exploits the weakest link, the human user, to gain information. Hackers, crackers, corporate spies, etc. know that they can exploit this weakness. "drOz", a self-proclaimed hacker, gives instructions on how to use SE techniques, and states very plainly: "I do not condone this (type of attack) on the idiots of America. But keep in mind that if this does work, that the idiot who gave you the information (is at fault) for being such a dumbass" (7). This is not a very eloquent way of putting it, but the point is crystal clear. SE is a low-tech attack that works well because of human psychological characteristics that can be easily exploited. Fostering trust, soliciting, finding common ground, blending in, and playing on sympathy and guilt are some of the ways an attacker gets the information desired. As stated above, the possibilities are endless and limited only by the attacker's creativity, so this short paper is nowhere near a complete account of SE attack techniques and safeguards.
Computer users need to be aware that any personal information given out can potentially be used against them, whether it is at home or in the office setting. Following security guidelines, being knowledgeable about the systems being used and plain old common sense can usually thwart an SE attack. No matter how "new and improved" system security may be, if a user unknowingly gives away key pieces of information, that security is completely useless.
(1) "Social Engineering" [Online], Available: www.smdc.army.mil/SecurityGuide/v1comput/Social.htm
(2) Nelson, R. "Methods of Hacking: Social Engineering" [Online], Available: www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
(3) Bernz. "What is Social Engineering?" [Online], Available: http://morehouse.org/hin/blckcrwl/hack/soceng.txt
(4) Mokhiber, R. and Weissman, R. (2001). "Corporate Spooks". [Online], Available: www.commondreams.org.views01/0306-03.htm
(5) "Crime, Security, and Privacy: Social Engineering" [Online], Available: www.msci.memphis.edu/~ryburnp/cl/cis/crime.html
(6) Guttman, et al. "User's Security Handbook" [Online], Available: http://sunite.dk/RFC/rfc/rfc2504.html
(7) DrOz. "Getting a Free ISP Account(s)" [Online], Available: www.starbuzz.net/LEENTech/library/account.txt
(8) Network ICE Corporation (1998-2001). "Social Engineering" [Online], Available: www.netice.com/advICE/Underground/Hacking/Methods/WetWare/Social_Engineering.htm
(9) CERT Advisory CA-1991-04 (1997). "Social Engineering". [Online], Available: www.cert.org/advisories/CA-1991-04.html