INFO SECURITY: Social Engineering 101, or how to get ANYTHING you want...

Hi, This Is Bob From IT

To help demonstrate what exactly Social Engineering is, let me play out a scenario for you...

Mr Jones works for a large corporation.  He's not very tech savvy and out of the blue one day, he gets a phone call.

'Mr Jones' Hello, Mr Jones, Acquisitions...

'Helpdesk Bob' Hey, Mr Jones, it's Bob from the Help Desk. We're having an issue with your account, it seems as though someone's been calling down trying to get your password changed. We need to verify that you are the one who wants to change it. Have you tried calling us to change it?

'Mr Jones' Hey Bob, no, it's not me; I'm in my account fine right now. They were trying to get my password changed?

'Helpdesk Bob' Yeah, they had your company ID and everything. At least I think it was your company ID.

'Mr Jones' Well, here, let me verify my ID for you.  It's 1234567.

'HDB' Yup, that's what we have; I wonder how they got that.

'Mr Jones' I don't know, I'm pretty safe with that kind of stuff. Is my account safe? I don't want to lose anything.

'HDB' Hmmm, just to be sure, let's go ahead and change your password.

'Mr Jones' Ok, how do I do that?

'HDB' Ok, that's easy, have you been migrated to Vista yet?

'Mr Jones' Um, what's that?

'HDB' When the computer starts up, does it say Windows Vista with a circle in the middle of the screen?

'Mr Jones' Yeah, it just changed; they were doing something to my computer last week. They always do stuff to my computer when I go away; I'm tempted to have them give me a laptop so I can take it home with me so they stop messing with my computer.

'HDB' Ok, do this, do that, now do you see where it says password? Go ahead and put it in there.

'Mr Jones' Ok, it's done. Now what?

'HDB' Go ahead and read it back to me so I can verify it for you...

After the call, Mr Jones hangs up and feels MUCH more secure knowing that the Help Desk alerted him of an issue.  He felt SO confident in fact that he had the 'Helpdesk' call a few of his co-workers to make sure they were safe. Mr Jones also asks if he can call Bob back if he has any problems.

Bob now has an 'inside' source to get any information he wants, even if he has to actually fix an issue here or there.  And he doesn't have to worry about Mr Jones calling the real help desk, because he gave him a special on-call cell phone number (in reality, a disposable phone paid for in cash that can be dumped when he's done with it).

What Mr Jones DIDN'T realize was that Help Desk Bob was sitting in a bombed-out building in the middle of nowhere with a satellite connection and a recording of an office setting playing.  Mr Jones just gave out the keys to the company. With a little more social engineering, he can call the real help desk, get them to grant him privileges to download a VPN client to his laptop, remote in, and do whatever he wants.

It's easy to scare people into giving you their information.  It's even easier to get people to help you because they want to try and keep you from getting into trouble.

Social Engineering is defined by Webster’s as:

The management of human beings in accordance with their place and function in society. This definition was created in 1899.

The definition still holds true. You are 'managing' people according to their function.  You're getting them to do things that they probably shouldn't, using scare tactics, tricky wording, or making them think they're helping you or themselves.

When you put someone at ease, or when you put someone into a situation they think they're going to be in trouble for, you make them more susceptible to giving something up.

Let's see what information was received by the above scenario:

  • Mr Jones works in acquisitions
  • He's still a valid employee (maybe not for long)
  • He was just recently migrated to Vista
  • He isn't very tech savvy
  • He doesn't call the help desk very often (because he doesn't know the procedures)
  • Bob knows his company ID and password
  • He knows that Mr Jones doesn't have a laptop
  • He knows Mr Jones travels
  • He also now knows the same information for a number of Mr Jones's co-workers.

He is able to start mapping out the company's internal structure as well.

All of this from a simple phone call and a little bit of prodding and lying.

The same thing is done with pretty much every phishing e-mail that someone receives.  A phishing e-mail is designed to look identical to the information one may receive from their financial institution, cell phone company, cable company, etc.  But instead of a good link to their site, it leads to a site that is ready to steal all of your information at the drop of a hat. Phishing or spear-phishing (targeting specific individuals or groups of people) is yet another form of Social Engineering.

You really need to be careful what you say to whom; you need to watch what's going on and question EVERYTHING. If you owe money, that is a great lever for socially engineering your credit card number, social security number, etc.  A 'company' may call you up.

It may look like the phone number from your credit institution, but with today's ability to use Voice over Internet Protocol (VOIP) and have a VOIP server on a thumb drive, they can make it look like it's coming from your own phone number.  It takes 15 minutes to set up a quick, down-and-dirty VOIP server, and they've got tons of stuff they can do with it.

Bob is now able to (if he wanted to) get a few of Mr Jones's customers and drop in to see how they're doing.  He can get a suit, find out when Mr Jones's contacts are going to be out of the office, and pay a visit asking to see that person.  When that person isn't there, he can say, wow, I thought for sure we set up the time to meet today.  Then weasel his way into getting access to the network to shoot off an e-mail to Mr Red and reschedule.  All the while, mapping out the network and laying his backdoor programs to do the hard part for him.

Social engineering can also be done on the phone system or on computers. The phone system can be 'phreaked' or 'hacked' and can provide tons of information.  Let's say Bob, our hacker from above, is trying to gather additional information from customers of Mr Jones.  Bob calls Mr Jones's number at strange hours, obviously gets his voicemail, and finds out that Mr Jones is going to Las Vegas for a weeklong vacation.

There are many things Bob can do with this information.  If he's in the area, he can get a picture of Mr Jones, find out his interests, study up on him, and socially engineer his way into dinner, drinks and partying with Mr Jones.  Get tons of information from him under false pretenses and be on his way.  The other way Bob could go with this is visiting Mr Jones's customers, like he did above.

He may also want to 'pay a visit' as a 'service guy' to Mr Jones's house.  Mr Jones is the type of guy who would most likely leave a key lying around, and as a 'service guy', Bob could roll up in a nondescript white van with some kind of magnetic sticker on the door, let himself in and take what he wants.

Dumpster diving is yet another form of Social Engineering.  Be careful of what you throw out.  Shred anything that has your name, address, any information on you whatsoever.  Anything that is in a trash can (unless posted otherwise) is garbage and is available freely for anyone to take.  If you have a trash can outside, bring it in to the garage, but DON'T leave it outside.  Once you put your trash down on the curb, it's fair game.

Dumpsters at corporations are usually not guarded and usually don't have signs stating that they are private property; if they don't, they're also fair game, and anything taken from them is taken legally.  This is how police get a lot of information without a warrant. This is also a way for police to get probable cause to get a warrant.  This is also a way police can get DNA from someone: if they spit gum into a trash can or throw out a coffee or soda can or cup, that can lead to fingerprints, DNA samples, the works.

Yes, social engineering is many things and it is scary.  There was a point in my time that I wouldn't talk to any business over the phone if I didn't have to, and in fact I have told many companies that I wouldn't speak to them unless I called them from a known good number.  I still, to this day, shred anything with any personally identifiable information (PII) on it before burning it, then wait till the morning of to put my trash down for the garbage collector.  But, then again, I'm a bit more paranoid than most.

Social engineering can be used for both good and evil; it's all in the way that it's used.  Either way, both criminals and 'cops' use it.  I'm even sure that there are CIA, NSA and military personnel overseas who use it while interrogating prisoners or questioning people to get what they want.

The biggest thing to remember is that social engineering works on these factors:

  • People want to help
  • People don't want to get in trouble
  • People want to think people have good intentions
  • People are stupid.

Yes, this does also work on kids (getting them to do what they’re supposed to) and women (getting a date, etc, use your imagination).

My favorite quote that I live by is the following:

I am a social engineer because there is no patch for human stupidity.

Have you ever used social engineering?

Have you ever been the victim of social engineering?

Was this article helpful?

Let me know in the comments.

And again, thanks for taking the time to read this.  I know it's a long one, but it's something that needs to be brought to light.

---------------------------------------------------------------------------------------

~Norm W. Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.