According to Donn Parker in Fighting Computer Crime, the weakest link in security is the human. In several presentations and in my writing, I’ve often described the Carbon-Based Problem. With due homage to Star Trek, hackers see the opportunity in having people facilitate the attack. Without conjuring images of Alferd Packer, we call this “hacking the human.”
Honing your social engineering skills means that you have to understand how people in Western societies are acculturated. In kindergarten, we are taught three rules: be kind, be helpful, and share. We feel guilty, to some level, when we don’t help. That’s why we have Good Samaritan laws to protect us when things go wrong while we are helping. I will even admit to giving money to a panhandler on a downtown street corner near where I live. After all, he had a sign that said, “Please contribute to alcohol research.”
So, the most powerful words of a cybercriminal, hacker, or security tester are, “Would you help me please?” These are closely followed by just “please” and “thank you.”
My daughter was the master of this art. As a family, we would often have dinner in a favorite restaurant. We had an arrangement with the wait staff that they would not take our children’s orders without a “please” and no plate would be placed without a “thank you.” My daughter learned the scam quickly and would bat her big brown eyes at the wait person while asking, “May I have some vanilla ice cream p-l-e-e-e-a-a-s-s-e?” Of course, her serving resembled less a scoop and more a bucket.
As you probably know, spam is unsolicited email sent with malicious intent. Part of the job of the spammer is to collect email addresses. Then, when the victim opens the email, the cybercriminal can entice the target to provide personal or banking information, try to sell fake products, offer “hookups”, or entice the recipient to open a malicious attachment in the message.
The email may, for example, appear to be a message from a bank requiring specific actions. Once the victim clicks on a link in the message and is conned into logging into a fake website, the hacker can gather personal information such as login and password or perhaps even a credit card number and PIN. If the victim opens the malicious attachment, the crimeware can then plant remotely controlled Trojan software to either steal the victim’s address book or turn the target into a bot in a botnet to further propagate the spam or launch Denial-of-Service (DoS) attacks. If the attacker can harvest the victim’s address book, then the spammer has more addresses to perpetuate the cycle.
Along with pleading, social engineering can make use of intimidation and coercion. Intimidation and coercion are made easier when the hacker knows more about the victim or has control of the situation.
Although he denies it, security researchers believe that NSA hacker Edward Snowden used other employees’ user names and passwords. As a very talented systems administrator, Snowden put himself in a position of trust. He was then able to exploit the trust to retrieve the NSA documents at the heart of the spying scandal. Others in positions of trust can exploit the same techniques. Often, we’ll see this social engineering attack in conjunction with spam attacks. If the victim receives an email claiming to be from your bank after you’ve completed a significant transaction, or a message from a package carrier after mailing a significant parcel, you (the target) are more likely to read the email and act on the instructions such as opening a malicious attachment.
Whether you’re trying to social engineer someone else or you are the target, never underestimate the power of being nice. Hackers will use sympathetic words or pleasant phrases to gain the friendship of the target. Phrases such as “I really appreciate your help,” “I know you’re going out of the way for me and I appreciate it,” and even “You have the nicest smile!” will help the target bond with the social engineer. Offering to send positive feedback about the person also helps.
In my experience, social engineering by being nice works best just after the target has had an unpleasant experience. Consider the case of traveling by air and there’s just been a major delay or cancellation affecting a plane load of passengers’ flights. If the social engineer follows a passenger who’s been upset with the airport staff, the next person in line may bear the brunt of the frustration. On the other hand, if the next person in line is kind, sympathetic, and soft-spoken, then the airline employee might be willing to be even more helpful. As someone who travels frequently, I can testify to the effectiveness of this technique.
So far, we’ve looked at social engineering from an interpersonal perspective. Other techniques for non-technical hacking can include other “offline” techniques such as shoulder surfing and dumpster diving. Shoulder surfing is the process of literally watching someone’s actions. Whether this means watching someone’s hands on a keyboard to capture their password, observing them or their computer screen from a distance, or eavesdropping on conversations, the social engineer can gather valuable information. It is amazing, for example, how many people don’t realize that you can overhear their part of a cell phone conversation.
Similarly, the “art’ of dumpster diving is pillaging someone’s trash for valuable information. Common advice is to shred (rather than discard) credit card offers sent in the mail. This extends past the card offers to any other information that could be used for financial fraud or identity theft. Dumpster diving also occurs on industrial and business levels. Companies may routinely discard critical business information and the cybercriminal can retrieve them from the trash.
What can you learn? Sometimes, it is really hard to distinguish between someone being nice and a person who is performing social engineering. Perhaps healthy cynicism should ask, “Why is this stranger being nice to me?” On the other hand, the techniques of coercion, persuasion, and intimidation stand out. Our natural inclinations are to resist these tactics. Finally, if an email message appears too good to be true or shows the telltale signs of spam, the wise course is to ignore it.