Social engineering: the hack that requires no knowledge of code. Despite its relative simplicity, the risks associated with social engineering are just as serious as those of the numerous hacks that have populated recent headlines. For everyday citizens, awareness of social engineering scams and of the methods they use to prey on weaknesses in human behavior should be at an all-time high. Everyone is a target, and you should be vigilantly aware of anyone asking for personal or private information.
What exactly is Social Engineering?
Social engineers are smooth-talking con men who could get you to reveal your most secure passwords before you can say “4, please” in the elevator.
Why spend thousands of dollars on sophisticated hacking software when you could just trick someone into telling you the password?
Human Hacking: Cautionary Tales
A powerful CEO was brought to ruin through a charity scam. Social engineers learned from his Facebook page that he had a family member who was battling cancer, along with other personal information. Using that emotional attachment, they tugged at his heartstrings and asked him to donate money to a cancer research fund. The PDF they sent, however, was malware that took control of his computer.
A seemingly harmless family enters a theme park, only to discover that they have left their printed-out coupon at home. Appealing to the good nature of the ticket-booth workers, they ask whether they may bring up the email and print out the coupon, or even just show that they indeed have one. Unfortunately, that harmless family is a group of actors looking to get into the park's system by bringing up a harmful file on its computers.
Luckily, these were all just tests run by Chris Hadnagy, author of Social Engineering: The Art of Human Hacking, who is hired by companies to show how criminals can get at information. Both stories are perfect examples of social engineering: hacking people rather than software.
January 5th, 2011: “How Strong is your Shmooze,” a DefCon Security Conference campaign to increase awareness of social engineering. Contestants tried to extract as much potentially harmful information as possible from target businesses through social engineering. Google, Microsoft, Apple, Cisco, BP, Shell, Ford, PG&E, Coke and Pepsi "failed" the test; of the 50 employees targeted, only 3 did not reveal any information and terminated the call.
How social engineers trick us into divulging sensitive security information via media (Social engineering in ads and emails)
"Someone has a secret crush on you! Download this application to find out who it is!"
On Facebook, this malicious application infected more than 3 million users with spyware.
It was created by a firm based in Australia and the U.S. called Mobile Messenger.
Four percent of Facebook users have downloaded the application.
"Did you see this video/picture of you? Check out this link!"
A fake Facebook email notification leads to malware.
Instead of including the name of the friend who tagged the photo or video, the email just says "your friend".
The sender address: @facebook.com vs. @faceboook.com (note the extra "o").
"This is Chris from tech services. I've been notified of an infection on your computer."
Usually in the form of a phone call, claiming to represent Microsoft or another trusted source.
Often based offshore; the caller can reroute the number to disguise its origin.
Malware installed from a scam can:
Log typing and keystrokes to save passwords
Track purchases, email and browsing history
Control computer remotely
Access all documents and files on computer
In order to "fix" your computer, the scammers demand hundreds of dollars in fines and expenses.
Phishing: the act of posing as a trusted entity in order to extract sensitive information through email.
In 2009, 100 people were jailed in the "largest international phishing case," which resulted in a $1.5 million haul.
Phishing happens several thousand times a day across the world.
Phishing emails (47%) are the most common form of social engineering aimed at businesses.
In one test, within 24 hours, 10% of the emailed users had responded and supplied usernames and passwords to the fake website.
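As an added illustration (not part of the original post), the following Python script checks an email for the tells described in the fake Facebook notification example above and in the phishing section: a sender domain one letter off a trusted domain (faceboook.com vs. facebook.com), a generic "your friend" salutation where a real notification would use a name, and link text that shows one site while the link itself goes to another. The trusted-domain list, the two sample messages and the finding codes are assumptions constructed for this example.

```python
"""Heuristic phishing-email screen (added example, not from the original post):
lookalike sender/link domains, generic salutations, and link text that names a
different site than the link target."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation expects mail and links from (constructed allowlist).
TRUSTED_DOMAINS = {"facebook.com", "ups.com"}

# Salutations a genuine notification would replace with an actual name.
GENERIC_GREETING = re.compile(r"\b(your friend|dear (customer|user|member))\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance: 'faceboook.com' vs 'facebook.com' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude 'last two labels' approximation; does not handle co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if the domain is
    exactly trusted or not close to anything on the allowlist."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = registered_domain(m.group(1)) if m else ""
    imitated = lookalike_of(sender)
    if imitated:
        findings.append(("lookalike-sender", f"{sender} imitates {imitated}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):
        findings.append(("generic-greeting", "no recipient or friend name given"))

    parser = LinkExtractor()
    parser.feed(text)
    for href, label in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(("lookalike-link", f"{href} imitates {imitated}"))
        shown = re.search(r"https?://([\w.-]+)", label)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(("link-text-mismatch",
                             f"text shows {registered_domain(shown.group(1))}, link goes to {target}"))
    return findings


# Constructed sample modelled on the fake "your friend tagged you" notification.
PHISHING_SAMPLE = """\
From: Facebook <notification@faceboook.com>
To: victim@example.org
Subject: Your friend tagged a photo of you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, your friend tagged you in a photo.</p>
<p><a href="http://photos.faceboook.com/view">http://www.facebook.com/photos</a></p>
</body></html>
"""

# Constructed legitimate counterpart: real domain, real names, link text matches target.
LEGIT_SAMPLE = """\
From: Facebook <notification@facebook.com>
To: victim@example.org
Subject: Bob tagged a photo of you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Alice, Bob tagged you in a photo.</p>
<p><a href="https://www.facebook.com/photos">View photo</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze_message(PHISHING_SAMPLE):
        print(f"{code}: {detail}")
    print("legitimate sample findings:", analyze_message(LEGIT_SAMPLE))
```

The constructed phishing sample trips all four checks while the legitimate counterpart trips none. The edit-distance threshold is a tuning knob: with short trusted domains a distance of 2 will also catch unrelated benign names, so in practice the allowlist is compared against the registered domain only and the threshold is lowered or the match is confirmed by a human before mail is quarantined.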
419 scams: (the number "419" refers to the article of the Nigerian Criminal Code dealing with fraud). A relative of a recently deposed ruler asks for money to pay the fees and bribes needed to reach a huge bank account, usually millions of dollars, and flee the country. Of course, the victim would be compensated beyond their wildest dreams.
In 2008, a woman from Oregon shelled out $400,000 through a 419 scam claiming she had inherited millions from a deceased relative in Nigeria.
Simply looking over someone's shoulder and writing down or memorizing logins or passwords.
Stolen PINs from ATMs.
The "Do you wish to make another transaction?" message stays up on ATMs for up to 17 seconds, and most people don't bother clicking "no".
Physically following someone into a limited-access area.
“Can you just hold the door? My hands are full/I forgot my ID card/etc...”
The Trust Factor
Alternative Communication Channels
Victims are more likely to give out information via channels they are unfamiliar with.
Ex: a voicemail asking victims to contact their bank because of fraudulent activity on their account, and providing a number to call. Once the victim calls the number, they are prompted to provide sensitive information by automated voice commands or even by a person claiming to be a bank representative.
Customized and personalized emails catch people's attention. Using names, locations and other personal information makes people think it's more legitimate.
Ex: fake local news stories prompt the reader with a "read more" button that leads to malware.
Social engineers disguise scams as well-known or trusted sources.
Ex: a UPS message claiming a package has failed to be delivered, asking the victim to print out an invoice to take to the UPS center for pickup, when actually it's a malicious PDF file.
Criminals know it's human nature to follow what others are doing, making you more inclined to trust their LIES.
Ex: Facebook likejacking. Users were fooled into 'liking' sites that claimed to have celebrity news; instead it was a malicious site that hijacked the mouse into liking the page so it showed up on the user's Facebook, giving it false legitimacy.
Reliance on Security Measures
Criminals know we take our security measures for granted and feed off that dependency.
Ex: downloading the “latest version of Flash” to view a video; there is no way of knowing whether it's actually Flash.
Who is likely to be targeted?
The people with the most information and the least security training. This usually means the CEO, who is probably the most susceptible to social engineering attacks. Attackers know to stay away from people who may be better informed about their schemes, even if that means taking a more roundabout route, i.e., learning about the target and appealing to emotion.
48% of enterprises have been victims of social engineering attacks, 25 in the past 2 years, costing about $19,580 each time.
86% of IT and security professionals are aware of the risks of social engineering.
Social engineering phone calls to businesses have a 75% success rate.
Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He currently focuses on Developer Awareness through strategic content creation. In his spare time you'll find him doting over his lovely wife and daughter. He is a Co-Owner of CrossFit Amoskeag in Bedford NH, his favorite topic is artificial intelligence, and his favorite food is pepperoni pizza.