Picture this: it’s a late Thursday afternoon. You just got off work, you’re tired, and you want to relax. You sit down, turn on the tv, and browse your phone for a little bit. Just then, you get an email telling you that there have been some suspicious login attempts on your account and they need you to confirm your information to make sure that your account has not been compromised, and security measures can then be taken. Inside the email is a link that looks sort of suspicious. Just then, you get a notification from your google account saying your two-factor authentication has been activated, and someone has requested a password change. Ok, someone really is trying to get into your google account and the email wasn’t lying. You follow the instructions in the email and click the link. It asks you to verify your identity by signing in, so you do. You get one final notification on your phone, telling you that you have just been logged out of your google account. You try to log back in, only for Google to tell you your password has been changed. You try to use your recovery phone and email, but they too have been removed. This was a form of social engineering called spear phishing. Your google account has been stolen. Of course, most of us say that we would see through such an attack, but the number of successful phishing attempts and social engineering attacks in general is staggering. This article will give a basic introduction to what social engineering is, what attackers look for, and the dangers of this very prevalent hacking technique.
Social engineering is defined as the art of using manipulation and exploitation to get sensitive information out of a target. This can include social media, passwords, billing information, personal information, even your identity. Social engineers are very crafty and can use data in many malicious ways. There are hundreds of different types of attacks that fall under the umbrella of social engineering, and each attack is unique. The most basic form of social engineering, and also the most successful, is phishing, a term that we will discuss in the future.
The social engineer lifecycle
Social engineers come in all shapes and sizes. There is almost no way to spot a successful social engineer. Most social engineers follow a framework for how they plan and execute their attacks. In the framework we will be highlighting, there are 4 steps: investigation, hook, play, and exit. These steps are the beginning to the social engineering framework, a much broader plan of action that social engineers follow.
Starting with step 1, we have the investigation stage. Just like any sort of attack, physical or remote, there is a reconnaissance (information gathering) stage. See, for most hacking attacks, this would require tools to covertly scan whatever the target is. (Nmap, recondog, or various other tools) . for a social engineer, it requires a lot more interactivity than just using tools. A social engineer looks for any attack vectors that are available to them, whether it be through phone number, social media, family, or face to face. A social engineer’s best friend, and a persons most vulnerable data, comes in the form of social media. Facebook, Instagram, any social media site that you may post personal information on. Now since social engineering is such a broad topic, there are hundreds of different things that they could be looking for. From birthdays to vacation days, any information that is publicly available either through social media or another form of communication can be used as a potential weapon. This process is used to find the most effective attack vectors that will be used in the next few steps.
Step 2 is arguably the most important one: the hook. This step is all about building a relationship with the target. The type of relationship entirely depends on the attack. If its data probing the attacker is after, they will likely directly communicate with the target. In this instance, it would be very beneficial for the attacker to befriend the target. The entire goal of step 2 is to convince your target that you are pretty much anything but a social engineer. These people often come off as very charming and charismatic, and are usually a little bit too welcoming. Catching a social engineer during this phase is nearly impossible, since at this point the victim has just met the attacker and in some cases won’t even interact with the attacker for more than a few seconds. For example, if a social engineer were to use impersonation to gain access to a company building. The hook here would be convincing that security guard or secretary that you are here for maintenance work or whatever the alibi is. Being able to befriend that security guard or secretary will get an attacker very far and open up a lot more attack vectors to them. The only thing more important to a social engineer than data is their connections. Connections and friendships will get an attacker places they normally would not be able to go and give them access to a whole plethora of information. Picture a scenario where the attacker and security guard have met before and are at the very least acquaintances. The guard will be a lot more inclined to let this person into an area they are normally not allowed to go because the guard has a false sense of trust. Most hacking attacks are due to human error rather than system failure.
Moving on to step 3, the play, or attack phase. This is the stage where the social engineer will use any attack vectors at their disposal to get the desired information/objects. This is obviously very heavily dependent on the actual attack. For example, in one scenario, the entire goal of infiltrating a building is to place a few infected USBs around the premise. But in another scenario, the attacker could be after your identity. In this case, the attacker most likely won’t need to plant a USB in your home. They would be looking for enough information to convince your bank that they are you, using things such as birthdays, dog names, addresses, phone numbers, social security numbers, the list goes on…
The last and final step is the exit phase. In this phase, the attacker will try to remove any trace/suspicion of any attack. Up and disappearing is usually not an option for a social engineer depending on how deep they are, so they will often have to think of an excuse to remove themselves from the victim or building. If the attacker has infiltrated a corporate building, it can be as simple as telling the people that you have completed the task you were assigned to do. If the attacker went on a more personal level, and befriended the victim, it gets a bit more complicated. The entire goal of this step is to safely exist without raising any suspicion. Saying “hey, I just got an important phone call,” before running off is going to make the attacker a number one suspect if the attack has been discovered. A good social engineer will always have his entrance and exit story prepared and ready to use at a moments notice, but other times, it isn’t that simple. Once the attacker has found a suitable way to cover their tracks, that’s it on their end. Most social engineering attacks take weeks to discover, and ones performed on companies aren’t discovered until years later, long after the social engineer is gone. Of course, if the attacker stole someone else’s identity, they would know a lot faster, but often times, the victim and the police have absolutely no leads.
Ok, so we explained what social engineering is and the framework that attackers use. Why is it important? Social engineering is used everywhere. Marketing, information gathering, basically any time an attacker needs to convince someone to do something or gain information from a human target. Just look at the statistics.(links and sources will be included at the bottom of the article.) according to peerlyst, malicious social engineering is a multi-hundred billion dollar industry as of 2019, and will only continue to grow. Carding (credit card fraud) in 2015 alone cost the public nearly 22 billion dollars. The average data breach for a large scale company is upwards to 140 million dollars, a very hefty number for an attack that is so simple to do. All it takes is a single disgruntled employee or even one that just let their guard down for a few seconds, and before you even know it the company has just lost millions of dollars in damage. Phishing 10 years ago accounted for only about 320 million dollars in damage. Since then, that number has grown exponentially and has nearly doubled. That number will only continue to grow in the future unless we can get people properly educated. Still not convinced that social engineering is a big deal? A study back in Defcon in 2016 showed that 84 percent of hackers used some form of social engineering in their line of work, whether it was whitehat, blackhat, or in between. 50 percent of attackers will change their methods with each attack, making it even harder to prevent. A staggering 69 percent of social engineers have never been caught in the act. This industry is a dangerous one, and everyone needs to be informed on it for these numbers to start to go down.
The goal of this article and the series as a whole is to spread awareness of the dangers of social engineering and help prevent such attacks. The only way to fight against these attackers is to be well informed. Information is as much as a defensive tool as it is an offence. The next part of this series will go over how to spot the potential signs of a social engineering attack, and what to do once you have detected one. In the near future, we will also go over real world social engineering attacks that have had big impacts on the world, such as the attack performed on Hillary
Clinton’s presidential campaign. Till next time,