16 November 2008

Social Engineering and other Non-Violent Threats


Image by parl

Note: This is a long post which includes three videos

As people who care about our personal security and safety and that of our friends and families, it is important to note that threats today are not just physical. More and more often, we see and hear about people getting targeted by scams and fraudsters. This involves loss or compromise of some very personal and sensitive private information, often leading to financial loss.

Social Engineering?

Not many people are aware of what Social Engineering and other types of fraud are, and I thought I would share some of my findings on the subject with my readers.

To begin, here is a fun video showing how Social Engineering can be used to gain free entry into clubs by impersonating a DJ. Note how he appears to be a DJ: funky clothes, expensive-looking headphones, a record bag, a cover story and confidence.





Social Engineering involves manipulating another person to behave a certain way or provide information that the Social Engineer wants. This can be done using a wide variety of pretexts. Pretexts are 'situations' that the Social Engineer invents to persuade their 'mark' (target or victim) to provide the information they want.

What do they take advantage of?

The Social Engineer relies on human interaction and can target a whole range of human tendencies such as:

  • Greed,
  • Helpfulness,
  • Ignorance,
  • Flattery,
  • Lust,
  • Intimidation by an 'Authority' (Boss or supervisor),
  • Friendliness,
  • Time pressure,
  • Trust and
  • Conformity.

Social Engineering can be done in a number of ways:

  • Via telephone,
  • In person,
  • Online and
  • Shoulder surfing (looking over someone's shoulder to obtain passwords, PINs and credit card numbers).

Here is a short video about Social Engineering:


For Social Engineering to work, it generally involves some research and preparation to lend the pretext legitimacy. Often, impersonation is the vehicle Social Engineers use to obtain information.

Social Engineers often impersonate:

  • Co-workers,
  • Police,
  • Bank staff,
  • Tax Authorities,
  • Utility workers,
  • Insurance Investigators,
  • Attractive, interested members of the opposite sex,
  • Supervisors,
  • Clients and
  • IT specialists.

Some Examples

Often, it is just a matter of the Social Engineer identifying themselves and asking questions in the manner an authority would. People often fall for it. To make this tactic even more effective, the Social Engineer will add time pressure. To illustrate this, here are a couple of examples from Security Focus:


“An AT&T Rep will call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.”
And another one:
The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he “dialled up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.

Physical Expectations

Social Engineering can also harness expected social responses. If someone holds their hand out to shake yours, you return the shake. It's natural, and very rude not to return it. Violent people use this very tactic to grab hold of people when they go to return the offered handshake. As they go to shake that stranger's hand they are thinking 'I shouldn't be doing this...' but they still do. It is a conditioned response.

Another one, which I mentioned in my post Maintain Your Security, is when a social engineer follows others through the security door into an apartment complex or other facility. The legitimate resident or worker will hold the door open to 'help out' the next person.

The same thing can be seen when the social engineer fumbles around at the door, appearing to search for his key in his pockets or bag, and smiles as a legitimate person appears and enters; he then follows them in innocently. He can also claim to have lost his key, or not to want to let his partner know he is home because he has a surprise for her, or any number of other excuses. He relies on people's helpfulness and ignorance of the threat.

There are other situations you can think of I am sure.

Technical Attacks

On top of these direct physical Social Engineering tactics, there are the virtual ones as well. The most common involve phishing, the Trojan Horse and baiting.

  • Phishing involves sending an email that appears to come from a legitimate business (commonly a bank or credit card company), urgently requesting 'verification' of information and threatening dire consequences if it is not provided. It usually contains a link to a website that looks exactly like the legitimate site, with the same logos, header and layout. There will typically be a form requesting everything from the 'mark's' home address up to credit card number or PIN, or anything else. People fall for it because it looks so legitimate.

  • A Trojan Horse is generally delivered via email as an attachment that piques the curiosity, such as a sexy screen saver, anti-virus software, celebrity gossip or some other intriguing item. The 'Love Bug' from a few years ago now is one such example. Once the attachment is opened it installs the malicious code onto the user's computer.

  • Baiting involves leaving an attractive or interesting item lying around which inevitably gets picked up. This could be a USB stick or CD. It could be left in a cafe, hallway or elevator. Once picked up, it is often inserted into a computer to satisfy the finder's curiosity as to what it contains. These will often have interesting labels put on them as well. Once the device is inserted into a computer, the malicious code is installed. This is particularly so with PCs set to 'auto-run' inserted media.

A Comprehensive List

There are many other types of Social Engineering tactics, cons, tricks and schemes. Wikipedia has a comprehensive list of these tricks well worth checking out. It helps to be aware of them in order to identify them as they are presented to you.

So what can we do?

This video is aimed at employees but is still relevant in protecting our own information such as credit card numbers and passwords.

Here is a list from a US government website which is aimed at businesses and staff but still has useful information:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an individual claims to be from a legitimate organisation, try to verify his or her identity directly with the company.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the internet before checking a web site's security.
  • Pay particular attention to the URL of a website. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling (citibank vs citybank) or a different domain name (e.g. .com vs .net).
  • If you are unsure whether an email request is legitimate, try to identify it by contacting the company directly. Do not use the contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available from online groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic.
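The URL check in the list above (a misspelt name such as citybank, or the right name on the wrong domain such as .net instead of .com) can be automated before anyone clicks. The script below is an added example and is not code from the original post or from the government site it quotes. The trusted-domain list, the sample "verification" email and the edit-distance threshold are all constructed for illustration; it also goes slightly beyond the text by flagging a genuine domain name buried inside a longer, unrelated hostname.

```python
"""Flag suspicious links in an email body before anyone clicks them.

Added example, not code from the original post. TRUSTED_DOMAINS, SAMPLE_EMAIL
and the distance threshold are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains the reader genuinely deals with.
TRUSTED_DOMAINS = {"citibank.com", "example-bank.com"}

# Crude link extractor; adequate for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(email_body):
    """All http(s) links in the body, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(email_body)]


def hostname(url):
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (a crude eTLD+1; fine for .com/.net style names)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter swaps such as citibank/citybank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for one link."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:
            return "lookalike"   # citibank.net instead of citibank.com
        if 0 < edit_distance(name, tname) <= 2:
            return "lookalike"   # citybank.com instead of citibank.com
        if t in host:
            return "lookalike"   # citibank.com.<other-host>: real name buried in a subdomain
    return "unknown"


def suspicious_links(email_body, trusted=TRUSTED_DOMAINS):
    """(url, verdict) for every link in the body that does not resolve to a trusted domain."""
    results = []
    for url in extract_urls(email_body):
        verdict = classify_url(url, trusted)
        if verdict != "trusted":
            results.append((url, verdict))
    return results


# Constructed sample of the kind of 'verify now' email the post describes.
SAMPLE_EMAIL = """Dear customer, your account will be suspended in 24 hours.
Verify now at http://www.citybank.com/verify or http://citibank.net/secure
Statements: https://www.citibank.com/statements
Help: http://citibank.com.account-check.example/login."""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

Run against the sample, it reports the three spoofed links and stays silent on the genuine citibank.com statement link. The two-character edit-distance threshold is deliberately loose; a real deployment would tune it and use a proper public-suffix list instead of the two-label approximation.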
In order to prevent these types of threats, it helps to be able to recognise them. Even reading this post will go a long way in both recognising and stopping these types of virtual attacks.

There are some tell-tale signs of Social Engineering attempts such as:

  • Their refusal to give contact information
  • Rushing
  • Name-dropping
  • Intimidation
  • Small mistakes (misspellings, misnomers and odd questions) and
  • Requesting forbidden information
If something doesn't seem right, trust your instincts. To understand the threat that is Social Engineering, spend a moment to think like one. Don't become another victim.
