Watch a recreation of the phone call that won the 2017 DEFCON Social Engineering CTF!
Social engineering: the hack that requires no knowledge of code. Despite its relative simplicity, the risks associated with social engineering are just as serious as those of the numerous hacks that have populated recent headlines. For everyday citizens, awareness of social engineering scams, and of the methods they use to prey on weaknesses in human behavior, should be at an all-time high. Everyone is a target, and you should be vigilantly aware of anyone asking for personal or private information.
What exactly is Social Engineering?
- Social engineers are smooth talking con-men who would get you to reveal your most secure passwords before you can say “4 please” in the elevator.
- Why spend thousands of dollars on sophisticated hacking software when you could just trick someone into telling you the password?
Human Hacking: Cautionary Tales
- A powerful CEO was brought to ruin through a charity scam. Social engineers learned from his Facebook page that he had a family member battling cancer, along with other personal details. Playing on that emotional attachment, they tugged at his heartstrings and asked him to donate money to a cancer research fund. The PDF they sent, however, was malware that took control of his computer.
- A seemingly harmless family enters a theme park, only to discover that they have left their printed coupon at home. Appealing to the good nature of the ticket booth workers, they ask if they may bring up the email and print out the coupon, or even just show that they really do have one. Unfortunately, that harmless family is a group of actors looking to get into the park's system by opening a harmful file on its computers.
Luckily, these were all just tests run by Chris Hadnagy, author of Social Engineering: The Art of Human Hacking. He is hired by companies to show how criminals can get information. Both of these stories are perfect examples of social engineering; hacking people rather than software.
January 5th, 2011: "How Strong Is Your Schmooze", a DefCon Security Conference campaign to increase awareness of social engineering. Contestants tried to extract as much potentially harmful information as possible from target businesses through social engineering. Google, Microsoft, Apple, Cisco, BP, Shell, Ford, PG&E, Coke, and Pepsi "failed" the test; of the 50 employees targeted, only 3 revealed no information and terminated the call.
How social engineers trick us into divulging sensitive security information via media (social engineering in ads and emails)
- "Someone has a secret crush on you! Download this application to find out who it is!"
- On Facebook, these malicious codes infected more than 3 million users with spyware
- Created by an Australia and U.S.-based firm called Mobile Messenger
- Four percent of Facebook users have downloaded the application
- "Did you see this video/picture of you? Check out this link!"
- Fake Facebook email notification leading to malware
- Instead of including the friend’s name that tagged the photo or video, the email just says "your friend"
- @facebook.com vs. @faceboook.com
- "This is Chris from tech services. I've been notified of an infection on your computer
- Usually in phone call form, claiming to represent Microsoft or another trusted source
- Offshore -can reroute number for disguising purposes
- Malware installed from a scam can:
- Log typing and keystrokes to save passwords
- Track purchases, email and browsing history
- Control computer remotely
- Access all documents and files on computer
- In order to "fix" your computer, scammers require hundreds of dollars in fines and expenses
- The act of posing as a trusted entity in order to extract sensitive information through email
- In 2009, 100 people were jailed in the "largest international phishing case" resulting in a $1.5 million haul
- Phishing happens several thousands of times a day across the world
- Phishing emails 47%, most common form of social engineering for businesses
- In a test, within 24 hours, 10% of emailed users responded and supplied usernames and passwords to the fake website
- 419 scams: (The number "419" refers to the article of the Nigerian Criminal Code dealing with fraud.) A relative of a recently deposed ruler asks for money in order to pay fees and bribes to reach a huge bank account and flee the country, usually millions of dollars. Of course, the victim would be compensated beyond their wildest dreams.
- In 2008, a woman from Oregon shelled out $400,000 through a 419 scam claiming she had inherited millions from a deceased relative in Nigeria.
- Shoulder Surfing
- Simply looking over someone’s shoulder, writing down or memorizing logins or passwords
- Stolen PINs from ATMs
- "Do you wish to make another transaction?" message stays up on ATMs for up to 17 seconds. Most people don't bother clicking "no"
- Access Tailgating
- Physically following someone into a limited access area
- “Can you just hold the door? My hands are full/I forgot my ID card/etc...”
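The two email red flags listed above, a generic "your friend" greeting and a lookalike sender domain such as @faceboook.com, can be checked mechanically. The following is an added example, not code from the original page; the trusted-domain list, the greeting patterns and the two sample notifications are all constructed for the illustration.

```python
import re
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list: domains the recipient genuinely expects mail from.
TRUSTED_DOMAINS = {"facebook.com", "ups.com", "microsoft.com"}

# Generic greetings that a real notification would replace with the friend's name.
GENERIC_GREETING = re.compile(r"\b(your friend|dear (customer|user|member))\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; faceboook.com is 1 edit away from facebook.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str) -> Optional[str]:
    """Return the trusted domain the sender's domain imitates, or None if it is trusted or unrelated."""
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:  # one or two typo edits from a real brand
            return trusted
    return None


def phishing_indicators(sender: str, body: str) -> list:
    """Return the indicators found in a message; an empty list means none were found."""
    flags = []
    imitated = lookalike_domain(sender)
    if imitated:
        flags.append(f"sender domain imitates {imitated}")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting instead of the friend's name")
    return flags


if __name__ == "__main__":
    # Constructed sample notifications: one lookalike phish, one genuine message.
    phish = ("Facebook <notify@faceboook.com>", "Your friend tagged a photo of you. Click to view.")
    real = ("Facebook <notification@facebook.com>", "Alice Example tagged a photo of you.")
    for sender, body in (phish, real):
        print(sender, "->", phishing_indicators(sender, body) or ["no indicators"])
```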
The Trust Factor
- Alternative Communication Channels
  - Victims are more likely to give out information via mediums they are unfamiliar with.
  - Ex: A voicemail asks victims to contact their bank about fraudulent activity on their account and provides a number. Once the victim calls the number, they are prompted for sensitive information by automated voice commands or even by a person claiming to be a bank representative.
- Relevant Messaging
  - Customized and personalized emails catch people's attention; using names, locations and other personal information makes people think the message is more legitimate.
  - Ex: Fake local news stories prompt the reader with a "read more" button that leads to malware.
- Spoofed Messages
  - Social engineers disguise scams as well-known or trusted sources.
  - Ex: A UPS message claims a package has failed to be delivered and asks the victim to print out an invoice to take to the UPS center for pickup, when actually it's a malicious PDF file.
- Social Compliance
  - Criminals know it's human nature to follow what others are doing, making you more inclined to trust their LIES.
  - Ex: Facebook likejacking, where users were fooled into "liking" sites that claimed to have celebrity news. Instead, a malicious site hijacked the mouse into liking the page so that it showed up on the user's Facebook, giving it false legitimacy.
- Reliance on Security Measures
  - Criminals know we take our security measures for granted and feed off that dependency.
  - Ex: Downloading the "latest version of Flash" to view a video; there is no way of knowing if it's actually Flash.
Who is likely to be targeted?
The people with the most information and the least security training. This usually means the CEO, probably the person most susceptible to social engineering attacks. Attackers know to stay away from the people who may be better informed about their schemes, even if that means taking a more roundabout route, i.e., learning about the target and appealing to emotion.
- 48% of enterprises have been victims of social engineering attacks, 25 in the past 2 years costing about $19,580 each time.
- 86% of IT and security professionals are aware of the risks of social engineering
- 75% success rate with social engineering phone calls to businesses