Social engineering is possibly the most effective hacking exploit we may face today – and possibly the easiest to perpetrate. Why?
Because it is human nature to want to help. This is an extract from a recent publication that I found illuminating, and essential for anyone concerned about such threats. Education, education, education.
So, what is Social Engineering?
Social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.
Famous hacker Kevin Mitnick helped popularize the term “social engineering” in the ‘90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages.
What Social Engineers Want:
The goal for many social engineers is to obtain personal information that can either directly lead them to financial or identity theft or prepare them for a more targeted attack. They also look for ways to install malware that gives them direct access to the personal data, computer systems or accounts themselves. In other cases, social engineers are looking for information that leads to competitive advantage.
Items that scammers find valuable include the following:
- Account numbers
- Any personal information
- Access cards and identity badges
- Phone lists
- Details of your computer system
- The name of someone with access privileges
- Information about servers, networks, non-public URLs, intranet
How Social Engineers Work:
There are an infinite number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB drive into your computer that gives him access to your corporate network.
Typical ploys include the following:
Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.
Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system.
For example, Netragard CTO Adriel Desautels says he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.
Impersonation/social network squatting: In this case, the hacker tweets you, friends you or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him a spreadsheet or giving him data from “the office”. “Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker,” says Desautels.
Posing as an insider: In many cases, the scammer poses as an IT help desk worker or contractor to extract information such as passwords from an unknowing employee.
“Roughly 90% of the people we’ve successfully exploited during [vulnerability assessments for clients] trusted us because they thought we worked for the same company as them,” Desautels says. In one case, a Netragard worker posed as a contractor, befriended a group of the client’s workers and set up a successful phishing scheme through which he gleaned employee credentials, eventually gaining entry to the entire corporate infrastructure.
State of the State:
Social engineering attacks are widespread, frequent and cost organizations thousands of dollars annually, according to research from security firm Check Point Software Technologies. Its survey of 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand found almost half (48%) had been victims of social engineering and had experienced 25 or more attacks in the past two years. Social engineering attacks cost victims an average of $25,000 – $100,000 per security incident, the report states.
“Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information,” according to a statement from Check Point on the survey. “Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization.”
Among those surveyed, 86% recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The most common attack vectors for social engineering attacks were phishing emails, which accounted for 47% of incidents, followed by social networking sites at 39%. New employees are the most susceptible to social engineering, according to the report, followed by contractors (44%), executive assistants (38%), human resources (33%), business leaders (32%) and IT personnel (23%). However, almost one-third of organizations said they do not have a social engineering prevention and awareness program in place. Among those polled, 34% do not have any employee training or security policies in place to prevent social engineering techniques, although 19% have plans to implement one, according to Check Point.
For the full guide to social engineering click here: Social Engineering-Ultimate Guide