5.2 Social Engineering
Social Engineering Methods, by Section
Method | Section
Physical Theft | 5.2.1
Emotional Pressure | 5.2.2
Haste | 5.2.3
Reliance on Inadequate Protection | 5.2.4
Instilling Undeserved Trust | 5.2.5
Breaking Prior Trust | 5.2.6
Trusted Resource Attack | 5.2.7
Malicious actions performed against people, including deception or the physical theft of sensitive information such as credentials, represent highly effective avenues of attack against computers. In these cases, the errors or failures are human, and for this reason approaches that utilize human failings are known as social engineering attacks.
"I became absorbed in everything about telephones—not only the electronics, switches, and computers, but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most Telco employees into almost anything, whether I was speaking with them in person or by telephone." —Kevin Mitnick
Deception perpetrated for the purpose of theft or subversion, known as fraud, usually depends on misplaced confidence in the perpetrator, which is why fraud schemes are often called confidence schemes, or "con games." More direct attacks against people are also common: obtaining information through surveillance, or outright theft of information or other assets of value, such as the theft of whole volumes of customer records.
Social engineering attacks are as old as civilization. What is new is their application to obtain computer access. Most social engineering computer attacks utilize one or more of the techniques discussed next. For those who are interested, comparable "con schemes" used by non-computer crooks are listed in the sidebars.
5.2.1 Physical Theft
Physical theft of computer assets or documents that contain computer-related information can be used to compromise a system. An example is the theft of a computer or storage media containing information of value. Another example is the theft (or reclamation) of discarded assets from which computer-related information can be retrieved—so-called "dumpster-diving" (see "Exploit of Residual Artifacts").
5.2.2 Emotional Pressure
Most social engineering techniques utilize some form of emotional pressure in order to induce the target to accept something that is unvalidated or to make a decision based on unvalidated information. This is usually done in conjunction with a technique to instill trust in the perpetrator. The emotional pressure usually takes one of these forms:
Emotional investment: Example: Claim to need help with something, but then in the middle of the effort, request help with something else that would require authorization—and explain that it would be very helpful to bypass procedure in order to expedite things.
Intimidation: Example: Telling an administrator that if they do not expedite a request by circumventing a security procedure, the company’s profit might be at risk, and hence their job.
Pride: Example: Challenging an administrator to do something that requires broad-ranging privileges.
Inconvenience (for example, the inconvenience of verifying something): Example: Presenting proof of validity that is unusual but appears legitimate, and that would take time and effort to verify.
Enticement (perhaps sufficient to induce the target to bypass safeguards): Example: Promising an insider a share in a lucrative fraud scheme, when the only real objective is to get them to perform an act of subversion, such as allowing use of their computer account.
Crisis: Create a crisis that needs a solution and then offer the solution; the target accepts inadequate validation from whoever responds. Example: Send an advertisement for a service that professes to identify hackers, then lightly attack the target's computer; if the target makes contact, induce them to grant full, direct access to their system.
Traditional Examples of Enticement Schemes
Scheme Name | Method
Nigerian Letter | Letter recipient is enticed into participating in a lucrative scheme, for a fee that is revealed only later.
Pigeon Drop | Target is enticed into sharing in a valuable treasure find, provided the target puts up "good faith money." The treasure is either worthless or taken away.
Pump-and-Dump | False rumors are generated to cause a stock price to inflate. This is an enticement scheme because the rumors are not substantiated.
Spanish Prisoner | Purported ex-prisoner entices target into sharing a stolen fortune, as long as the target provides funds to get to it.
Rocks-in-the-Box | Target is enticed into buying purportedly valuable but shady merchandise for cash, only to find that the merchandise is worthless.
Country Boy | Target is enticed into defrauding an apparently naive person, provided that the target provides "good faith money."
Contest Winner | Target is enticed into sending money to claim a supposedly large prize.
3-Card Monte | Target is enticed into playing a rigged card game on the basis of a controlled demonstration that it is easy to win.
Truck load scam | Target is enticed into buying shady merchandise and pays up front, only to find that the truck has left.
Bankruptcy fraud | Naive creditors are enticed into accepting an early, unconditional settlement of a debt when told that the debtor's bankruptcy is imminent; the bankruptcy application is then rescinded.
5.2.3 Haste
Most schemes to deceive involve a sense of haste or urgency. The perpetrator requires haste in order to prevent detection, because given time, credentials can be validated, and a story double-checked. Also, given time, intrusion detection processes and notification processes complete.
The most common way to induce haste in a victim is to create a form of pressure that is time-based; the time aspect may be real (verifiable) or artificial (would fail verification, but the time pressure makes verification inconvenient or seemingly risky). For example, the perpetrator might ask that things be done quickly in order to make some form of deadline.
Traditional Examples of Crisis-Based Pressure
Scheme Name | Method
Bail bond scheme | Target is contacted and urged to provide bail money for a relative who is known to be presently unreachable. The target is under pressure to provide the money immediately, without confirming that the relative is actually in jail.
Phony COD delivery | Target is approached at home by a legitimate-looking delivery person asking for a COD fee. In the pressure of the moment, the target pays the fee.
5.2.4 Reliance on Inadequate Protection
Software applications protect assets of value: information and transactions. If the protection mechanisms have loopholes or are inadequate, an attacker merely needs to discover those sources of inadequacy.
Inadequate protection can result from merely not having enough resources to respond to an emergency of large magnitude or to multiple emergencies concurrently. Many of the attacks in this category rely on overwhelming a response system. The techniques include:
Diversion: Cause an unexpected crisis that overwhelms response resources. Example: Attack a system that is not of interest but that is easy to attack so that security administrators are focusing their attention there; then attack the actual target. Another example is to cause a different kind of crisis, such as a fire.
Decoys: Overwhelm response resources by creating a storm of false events that prevents the responders from identifying the real events. An example of the use of decoys would be a storm of packets from many compromised "decoy" systems, preventing security administrators from tracking the true source of the attack.
Distraction: Create innocent confusion that disrupts thought processes or safeguards. Example: Ask an administrator for help that requires that he access sensitive information in your presence and have someone else interrupt him several times.
Reliance on naiveté: Identify a new and inexperienced administrator.
Reliance on ineffectiveness: Rely on incompetence, lack of diligence, or an inability to contain or identify an attacker. Example: Falsifying fulfillment transactions where those are less well protected than other transaction types. All technical security weaknesses also fall into this category, because they represent an ineffective system.
Attack the responders (or compromise them): Example: Implant a trojan horse in a recovery image.
Traditional Examples of Reliance on Ineffectiveness
Scheme Name | Method
False Claims | Reliance on the inability of a claim-processing system to validate claims of expenses.
Kiting | Reliance on the inability of a clearing operation to reconcile related transactions in real time.
Shorting | Delivering less than promised and relying on the inability of the recipient to verify the amount or quality.
Distraction and diversion are classic human behavior techniques that rely on the limited ability of people to deal with multiple situations at the same time as well as the inability of people to think through unusual situations in a timely manner. For example, if an intrusion detection system is repeatedly triggered in some manner that is identified as a "false alarm," the response staff might temporarily disable it until it can be examined. This opens a window of vulnerability.
Distraction can be caused by any abnormal situation that diverts the attention of staff. Diversion involves deliberately triggering an alarm so that response staff will then not notice other alarms because they are responding to the first.
Attacking emergency responders is a very powerful technique because when they are not "on-guard" they are usually poorly protected compared with the assets that they protect.
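The false-alarm trap described above has a straightforward detection-engineering answer: fold repeats of the same noise into a summary instead of pulling the sensor. The following is an added example, not code from the original text. The Alert record, the signature names, the thresholds and the sample alerts (using RFC 5737 documentation addresses) are all constructed for illustration. Suppression is keyed on the (signature, source) pair, so a different signature that arrives in the middle of the flood still reaches a responder; the second function shows what "temporarily disable it" costs by comparison.

```python
"""Riding out an alert storm without switching the sensor off.

Added example, not from the original text. The Alert record, the sample
alerts (RFC 5737 documentation addresses), the signature names and the
thresholds are constructed. Suppression is applied per (signature, source)
pair, so a different signature arriving mid-flood still reaches a responder.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds since some epoch (constructed)
    sig: str    # detection signature name
    src: str    # source address


STORM_THRESHOLD = 5     # more than this many repeats of one (sig, src) ...
STORM_WINDOW = 60.0     # ... inside this many seconds is treated as a storm


def triage(alerts, threshold=STORM_THRESHOLD, window=STORM_WINDOW):
    """Return (surfaced, suppressed).

    surfaced:   alerts a responder sees individually
    suppressed: {(sig, src): count} of repeats folded into a summary instead
    """
    recent = defaultdict(list)       # (sig, src) -> timestamps inside window
    suppressed = defaultdict(int)
    surfaced = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src)
        hist = [t for t in recent[key] if a.ts - t <= window]
        hist.append(a.ts)
        recent[key] = hist
        if len(hist) > threshold:
            suppressed[key] += 1     # same noise again: count it, do not page
        else:
            surfaced.append(a)       # first few repeats, or any new (sig, src)
    return surfaced, dict(suppressed)


def disable_sensor_on_storm(alerts, threshold=STORM_THRESHOLD):
    """What 'temporarily disable the noisy IDS' amounts to: once any signature
    crosses the threshold the sensor is pulled, and every later alert is lost."""
    counts = defaultdict(int)
    kept = []
    for a in sorted(alerts, key=lambda x: x.ts):
        counts[a.sig] += 1
        if counts[a.sig] > threshold:
            break
        kept.append(a)
    return kept


# Constructed decoy storm: 40 port-sweep alerts in 40 seconds from one host,
# with a successful SSH brute-force and a sweep from a second host inside it.
SAMPLE_ALERTS = (
    [Alert(float(i), "SCAN_PORTSWEEP", "198.51.100.7") for i in range(40)]
    + [Alert(20.5, "SSH_BRUTE_SUCCESS", "203.0.113.5"),
       Alert(25.5, "SCAN_PORTSWEEP", "203.0.113.9")]
)

if __name__ == "__main__":
    surfaced, summary = triage(SAMPLE_ALERTS)
    for a in surfaced:
        print(f"{a.ts:5.1f} {a.sig:18} {a.src}")
    for (sig, src), n in summary.items():
        print(f"summary: {n} further {sig} from {src} folded")
    kept = disable_sensor_on_storm(SAMPLE_ALERTS)
    lost = [a for a in SAMPLE_ALERTS if a not in kept]
    print(f"sensor-off approach drops {len(lost)} alerts, including "
          f"{sum(a.sig == 'SSH_BRUTE_SUCCESS' for a in lost)} real intrusion(s)")
```

With the constructed sample, `triage` surfaces the first five sweeps, the SSH success and the sweep from the second source, and folds the remaining 35 sweeps into one summary line; `disable_sensor_on_storm` keeps only the first five alerts and never shows the SSH success at all. The window is a simple sliding list per key, which is enough to show the point; a real pipeline would age keys out and also alert on the storm itself as an event.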
5.2.5 Instilling Undeserved Trust
In order to convince someone to perform an action that you request, you must get them to trust you. Therefore, most social engineering schemes include a method of instilling trust and then exploiting it, for example by inducing the target to perform an unprotected action, especially when the target is under pressure and their guard is down.
The common methods of instilling undeserved trust are:
Stolen credentials (or any validation information): Example: "Shoulder surfing" to obtain someone’s logon, and then using it. Another example: Enrollment through fraudulent representation. Another example: Using the customer service pathway; for example, calling to change your address and then having sensitive information mailed to you.
Counterfeit credentials: Presenting counterfeit credentials or fabricated evidence of legitimacy. Example: Posing as a system administrator, demonstrating insider knowledge to buttress the claim, and asking a user to provide sensitive information. This is a variation of the so-called "bank examiner" fraud, in which a perpetrator poses as a bank official and tells a customer to turn over funds from their account under false pretenses. Another example: Similar domain names. Another example: Imitation PayPal link schemes, or more generally getting the target to click any legitimate-looking link in an email from an unvalidated source.
Juxtaposition with something legitimate: Gaining trust by association or juxtaposition with something legitimate. Example: Links to the Web pages of legitimate services.
Successful interactions: Building trust through legitimate or seemingly legitimate interactions. Example: Free services that build trust and eventually solicit sensitive information.
Peer collusion: Building trust through interactions with a third party that is secretly collusive. Example: Relationships with other seemingly legitimate companies that are actually "fronts."
Interactions with trustworthy entities: Building trust through interactions with an entity the target already trusts. Example: Evidence that services were obtained from a trusted security company.
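The "similar domain names" and imitation-link cases above are ones a mail filter can check mechanically. The following is an added example, not code from the original text. The trusted-domain list, the confusable-character table, the sample message and the heuristics are constructed for illustration; the registrable-domain split is simplified to "last two labels" (a production filter would consult the Public Suffix List). It catches the brand used as a subdomain of an unrelated site, ASCII homoglyphs, one-character typos, IDN labels and the brand embedded in a longer registered name, while a genuine subdomain of the trusted domain passes.

```python
"""Lookalike-domain checks for links in an unvalidated e-mail.

Added example, not from the original text. The trusted-domain list, the
confusable-character table, the sample message and the thresholds are
constructed for illustration. The registrable-domain split is simplified to
"last two labels"; a production filter would use the Public Suffix List.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation actually trusts.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-bank.com"}

# Single characters commonly swapped for look-alikes (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character sequences that render like a single letter.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels of the host (ignores multi-part TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """Normalise confusable sequences so 'paypa1' and 'rnicrosoft' compare
    equal to 'paypal' and 'microsoft'."""
    s = label.lower().translate(CONFUSABLES)
    for seq, rep in MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"          # the real domain, or a genuine subdomain of it
    if any(lab.startswith("xn--") for lab in host.split(".")):
        return "lookalike"        # IDN label: the usual vehicle for Unicode homoglyphs
    left_of_reg = host.split(".")[:-2]
    reg_label = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a subdomain of an unrelated site: paypal.com.evil.example
        if any(brand in lab for lab in left_of_reg):
            return "lookalike"
        # Homoglyph or one-character typo of the brand label: paypa1.com, paypai.com
        if skeleton(reg_label) == skeleton(brand) or edit_distance(reg_label, brand) == 1:
            return "lookalike"
        # Brand embedded in a longer registered label: paypal-secure-login.com
        if brand in reg_label:
            return "lookalike"
    return "unknown"


def scan_message(body: str) -> list:
    """Classify every link in a message body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed phishing message: the first link is the lure, the second is a
# real PayPal link included to make the whole message look legitimate.
SAMPLE_MESSAGE = """Your account has been limited. Verify within 24 hours at
https://paypal.com.account-verify.example/login or your funds will be held.
Need help? See https://www.paypal.com/help
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:9} {url}")
```

Note that the genuine link in the sample message is what makes the lure convincing; a filter that only checks whether some link in the message is trusted would pass it. Flag the message on the worst link, not the best. The skeleton table here is deliberately small; Unicode confusables (Cyrillic "а" for Latin "a", and so on) are why the `xn--` check is a blanket flag rather than an attempt to decode and compare.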
Traditional Examples of Instilling Undeserved Trust Through Successful Interactions
Scheme Name | Method
Ponzi scheme | Targets invest more and more, based on what they perceive to be good experiences. Their money is eventually taken.
Big store | Target witnesses lots of apparently successful transactions and uses that as a basis for trust.
Salting the gold mine | Target trusts an investment based on the initial discovery of valuable resources or gains that were actually planted.
Sweetheart swindle | Trust is developed through courtship.
5.2.6 Breaking Prior Trust
Rather than instill trust, it is often possible for a perpetrator to persuade a party that is already trusted to act in collusion with them. This is usually achieved through some form of incentive, such as bribery or mutual gain. The forms of collusion include:
Collusion with an insider: Often a result of a conflict of interest, or when roles are not sufficiently separated. Examples: An administrator altering a transaction log; a back door inserted by a trusted programmer; causing a financially favorable error in the account of an employee who has high authority to see if they report the error; transactions recorded as discounted when they are not.
Collusion with outsiders: Example: A collusive security monitoring service.
Indeed, the members of the notorious DrinkorDie Web piracy group often relied on moles in large corporations and cracked security codes for Norton Antivirus, Microsoft's Word and Excel products, pirated games and design programs, and posted the entire Windows 95 operating system on the Internet two weeks before it was released. [25]
Traditional Examples of Insider Collusion
Scheme Name | Method
Embezzlement, or "Cooking the Books" | An employee modifies accounting records in order to conceal unauthorized transactions.
Kickback | An insider grants a contract based on the expectation that the contractor will secretly provide a gift.
Salami | An unnoticeable portion ("slice") of proceeds is taken on an ongoing basis.
Under-Ring | A transaction is entered for less than the actual amount charged, and the difference is pocketed.
Employee Account Fraud | The insider has both a work relationship and a business relationship with the organization, and uses employee access to business records to modify their own account.
Fictitious Refunds, Fictitious Sales, Negative Invoicing | False refunds, sales, and invoices are submitted by an outsider and facilitated by the insider.
"Ghost" employees | A managerial employee budgets for staff who do not exist and pockets their payroll checks.
"Salting Cash" | Insiders who would be willing to compromise their organization are identified by causing errors in their favor and observing whether they report the error.
5.2.7 Trusted Resource Attack
This form of attack has already been discussed in the context of technical attacks. It is included here because it can be used to attack non-computing assets, and also because of its tremendous power and importance.
Example: Compromise the tools used by emergency response personnel.