As Internet security has evolved, it has gotten easier to lock your systems down. Many products come out of the box pre-configured with decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option for getting around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. The Greeks left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls, a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? The wooden horse and the USB drive trick have one thing in common: humans are not perfect and make decisions which can be irrational.
Famous Social Engineers
[Victor Lustig] was one of history’s famous social engineers, specializing in scams, and was a self-confessed con man. He is most famous for having sold the Eiffel Tower. After the First World War, money was tight, and France was struggling to pay for the upkeep of the Eiffel Tower, which was falling into disrepair. After reading about the tower’s troubles, [Lustig] came up with his scheme: he would trick people into believing that the tower was to be sold off as scrap and that he was the facilitator for any deal. Using forged government stationery, he managed to pull this trick off: twice!
He later went on to scam [Al Capone] out of $5,000 by convincing him to invest $50,000 into a stock market deal. He claimed the deal fell through, although in reality there was no deal. After a few months, he gave Capone his money back, and was rewarded with $5,000 for his “integrity”.
[Charles Ponzi] was so notorious that the scheme he used, which is alive and well today, was named after him. A Ponzi scheme is a pyramid investment scam that uses new members’ money to pay older investors. As long as new recruits keep coming in, the people at the top of the pyramid get paid. When the pool of new suckers dries up, it’s over.
The biggest Ponzi scheme ever was run by then-respected high flyer and stock market speculator [Bernard Madoff]. The scheme, valued at around $65 billion, was and still is the biggest in history. Madoff was so prolific that he had banks, governments and pension funds invested in his scheme.
[Kevin Mitnick] is probably the most famous computer hacker still alive today; however, he was more of a social engineer than you would think. Kevin started young: at thirteen, he convinced a bus driver to tell him where to buy a ticket puncher for a school project, when in fact it would be used with dumpster-dived tickets found in the bins of the bus company’s depot.
At sixteen, he hacked Digital Equipment Corporation’s computer systems, copying proprietary software, and then went on to hack Pacific Bell’s voice mail computers along with dozens of other systems. He was on the run for a few years and was eventually imprisoned for his crimes. Since his release, he has become a security consultant and does well for himself by staying on the correct side of the law.
[John Draper], AKA Captain Crunch, was a pioneer in the phone phreaking world. He gained his moniker because of the free whistles given away in packages of Cap’n Crunch cereal. He realized that these whistles produced a 2,600 Hz tone, which just happened to be the exact tone that AT&T long distance lines used to indicate that a trunk line was ready and available to route a new call. This inspired [John Draper] to experiment with and successfully build blue boxes. Those days are gone now, as the phone system has switched from analog to digital.
Types Of Social Engineering Scams and How To Avoid Them
There are many different types of social engineering attacks — imagine counting up the number of ways that exist to trick people. Still, it’s worth understanding the most popular scams, because you do need to protect yourself.
Pretexting involves telling someone a lie in order to gain access to privileged areas or information. It is often done in the form of phone scams where a caller will claim to work for some big company and need to confirm their target’s identity. They then go on to gather information like social security numbers, mother’s maiden name, account details and dates of birth. Because the call or the situation is normally initiated by the social engineer, a good way to protect yourself from this scam is to call back and confirm who they say they are — using contact information that you gathered about the company yourself, not information given to you by the caller.
Dropping malware-filled USB drives around parking lots, or giant wooden horses near your enemy’s walls, is classic baiting. This is a simple attack with a simple mitigation: remember that if something free and interesting just lying around looks too good to be true, then it probably is.
Phishing is the practice of sending out e-mails, posing as a well-known web service or company, aiming to get the recipient to open a compromised document, visit a poisoned website, or otherwise compromise their own security. A few weeks ago, Hackaday’s own [Pedro Umbelino] wrote about how easy it is to exploit even the most security conscious among us (it had me) with an IDN homograph attack.
Most phishing is done at a less sophisticated level — normally a clone of a website is made and e-mails are sent out telling victims to change their password. High value targets may get a fully customized phishing experience, known as “spear phishing”, where the scammer puts more effort into the site clone or e-mail text by including personal information to make it look more authentic. Phishing is normally easy to spot — check the address of any link before clicking on it. And if you’re asked to change a password through an e-mail, close the e-mail and log into the web site through normal means, bypassing the bad links entirely.
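Checking a link’s real destination is exactly the kind of job that is worth automating on the receiving side. The script below is an added example, not code from the article or from [Pedro Umbelino]’s write-up: it pulls every anchor out of an e-mail body and flags the three things discussed above: a host whose link text names a different domain than the href, a host containing non-ASCII (IDN) characters, and a DNS label that mixes scripts, which is the signature of a homograph such as a Cyrillic “е” dropped into a Latin name. The e-mail body is constructed for the example, and the script detection is an approximation (Python’s unicodedata has no Script property, so the first word of the character name stands in for it).

```python
"""Flag suspicious links in an e-mail body: IDN homographs and mismatched link text.
Added example; the sample e-mail and the heuristics are constructed for illustration."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. The second anchor's visible text names one host
# while the href points elsewhere; the third anchor's host uses a Cyrillic "е"
# (U+0435) in place of the Latin "e".
SAMPLE_EMAIL = (
    '<p>Please <a href="https://accounts.example.com/reset">reset your password</a>.</p>'
    '<p>Or go to <a href="https://login.example-support.net/">https://accounts.example.com</a>.</p>'
    '<p>Help: <a href="https://\u0435xample.com/help">example.com/help</a></p>'
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def label_scripts(label: str) -> set:
    """Approximate the Unicode scripts used by the letters of one DNS label.
    unicodedata has no Script property, so the first word of each character's
    name (LATIN, CYRILLIC, GREEK, ...) is used as a stand-in."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def unicode_host(host: str) -> str:
    """Turn a punycode (xn--) host back into its Unicode form; leave others as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def punycode(label: str) -> str:
    """ASCII (xn--) form of one label, or '?' if the IDNA codec rejects it."""
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return "?"


def host_of(text: str):
    """Host named by link text that looks like a URL or bare domain; None otherwise."""
    candidate = text if "://" in text else "//" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None


def check_link(href: str, text: str) -> list:
    """Return the warnings a defender would want to see for one anchor."""
    warnings = []
    shown = unicode_host(urlparse(href).hostname or "")
    for label in shown.split("."):
        if not label:
            continue
        if not label.isascii():
            warnings.append(f"non-ASCII label {label!r} (punycode {punycode(label)})")
        scripts = label_scripts(label)
        if len(scripts) > 1:
            warnings.append(f"mixed-script label {label!r} ({'/'.join(sorted(scripts))})")
    text_host = host_of(text)
    if text_host and text_host != shown:
        warnings.append(f"link text names {text_host!r} but href goes to {shown!r}")
    return warnings


def scan_email(html: str) -> dict:
    """Map each href in the body to its list of warnings (empty list = nothing found)."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, warns in scan_email(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if warns else "OK        ", href)
        for w in warns:
            print("    -", w)
```

Run stand-alone, the first link passes, the second is flagged for the host mismatch, and the third is flagged three times (non-ASCII label, mixed Latin/Cyrillic scripts, and a mismatch against the “example.com” shown in the link text). A mail gateway or a browser extension can apply the same checks; the script-mixing test is the one that catches homographs that a human reading the address bar will not.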
A lot of ransomware is delivered by phishing, but since there has been an increasing number of widespread cases, it gets its own topic. However the user is fooled into running the malware on their computer, it encrypts valuable data or locks the user out of their system and demands payment to restore things back to normal. Whether paying actually restores anything is anyone’s guess.
There have been a number of very high profile ransomware attacks lately, including ransomware crippling the UK’s NHS and then spreading globally. Will this ever end? The easiest mitigation strategy against ransomware, in addition to not clicking on suspicious links or applications and keeping your system up to date in the first place, is to keep frequent backups of your system, so that if you do get ransomed, you won’t have to pay. Keeping backups has other benefits as well, of course.
Quid Pro Quo
The quid pro quo scam is really all “quid” and no “quo”. A service provider calls offering to fix a bug or remove malware (that doesn’t exist) for a fee. A quick search on YouTube will turn up thousands of videos of scammers trying their luck with wise-cracking teenagers. As with many cons, this scam can be avoided by simply not responding to out-of-the-blue offers. On the other hand, this scam seems successful enough that it’s still being run. Knowing about it is the best defense.
One way to get into a restricted area that’s protected by a closed door is to wait for an employee or someone with access and follow them in. These attacks are normally aimed at businesses or apartment buildings, and the solution is to simply not let anyone get in with you.
To impersonate a legitimate contractor, it helps to know the names of the firms involved and even points of contact inside the firm. All of this data and more can be found on receipts in the dumpster behind the firm. Invest in a shredder, and don’t leave anything to chance.
People share an amazing amount of personal information on social media, so it’s no surprise that it’s a new tool for social engineers. Looking through someone’s account is like looking at a snapshot of someone’s life. Why would you announce to literally the whole world that your home is going to be empty for the next two weeks? Your home is just asking to be burgled. Or think of the ammunition that you’re giving to a would-be spear phisher. Think about the trade-offs of sharing personal information about yourself publicly.
Notable Social Engineering Case Studies
Now, let’s see a couple of examples of these social engineering tricks in the wild.
News International Phone Hacking Scandal
Here in the UK, there was a huge public storm when News International, owned by media mogul [Rupert Murdoch], was found to be using social engineering to “hack” into the voicemail services of prominent celebrities, politicians, royals, and journalists. The phone hacking list is extremely long. They often got into the voicemail by spoofing the caller ID, which granted access to the phone’s voicemail inbox. Some voicemails were password protected with four-digit codes that were easily guessed. On other occasions, they simply called the phone provider’s service hotline and said they had forgotten their pass code — plain-vanilla pretexting.
Celebgate iCloud Nude Pictures “Hack”
[Ryan Collins] used phishing techniques to gain access to the iCloud accounts of Jennifer Lawrence, Kate Upton, and Kim Kardashian. He created fake notifications from Google and Apple and sent them to his targets’ email addresses. At the time, there was speculation that Apple’s iCloud had been hacked into on a massive scale. Instead, Collins admitted in an interview that he had used phishing techniques to gain access to his victims’ personal data.
Where Do We Go From Here?
If breaking the computer system is too difficult, you can be sure that criminals will try to break the human system. Whether you call this “social engineering”, “cons”, or “scams”, they’re likely to be on the rise. The best way to protect yourself is to teach anyone with access to your data or details about how the attacks work, and how to avoid them.
There are plenty of resources online that would be useful for helping protect yourself from these attack vectors. Protect yourself from eight social engineering attacks is quite a good starting point, and the US Department of Homeland Security also provides great information on preventing social engineering hacks that you can point people to.
In the end, most of it boils down to recognizing the patterns and being skeptical when you see them. Verify information through other channels, don’t blindly click links, and be wary of what personal details you give out to solicitors.