The human hack: Social Engineering

Social engineering attacks are effective, can be devastating and take advantage of the weakest link in an organisation’s security: People.

So, what is social engineering?

Social engineering is the psychological manipulation of people into performing actions or disclosing sensitive information. It can be referred to as ‘human hacking’ as a skilled social engineer will be able to coerce people to do things they ordinarily wouldn’t do, by employing complex pretexts with a high degree of confidence. 

In general, the goals of social engineering are the same as those of any other attack. These are to:

  • Commit fraud
  • Conduct industrial espionage
  • Commit identity theft
  • Disrupt networks and systems
  • Gain unauthorised access to systems or information

What attack vectors and tools can be used in a social engineering attack?

Social engineering has a number of vectors that can be exploited. These include phishing emails, vishing telephone calls, dumpster diving, open source intelligence gathering and, of course, physical infiltration.

Phishing emails can be sent to many people at once, or target specific users in the case of ‘spear phishing’. Often, the goal of these attacks is to persuade a user to open a malicious attachment or to visit a website that either hosts malicious software or imitates a legitimate corporate site, tricking the user into entering their credentials so the social engineer can collect them for use in later attacks. Spear phishing more commonly targets high-privilege users, for example those able to authorise electronic payments, with the aim of getting a fictitious invoice paid and the money transferred into an account controlled by the attacker.
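A common phishing technique is registering a domain that looks like the target's own, so that the spoofed corporate site or the "finance department" sending the invoice appears genuine. The following is an added example, not code from the original page or from Commissum. It assumes a hypothetical protected domain (example-corp.com) and a deliberately partial confusables table; it classifies a sender's domain as legitimate, a homoglyph look-alike, a typosquat, or the brand name used as a subdomain of someone else's domain:

```python
import unicodedata

# Constructed: the domain(s) this organisation actually owns (hypothetical name).
PROTECTED_DOMAINS = {"example-corp.com"}

# Partial confusables table: ASCII look-alikes plus a few Cyrillic letters that
# render identically to Latin ones. A production check would use the full
# Unicode confusables data and the Public Suffix List instead of this sample.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def normalise(domain: str) -> str:
    """Lower-case, strip accents, then collapse known look-alike sequences."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Naive registrable domain: the last two labels (real code should use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def assess_sender(address: str, protected=PROTECTED_DOMAINS) -> str:
    """Classify the domain of an email address relative to the protected set.

    Internationalised domains arrive punycode-encoded (xn--...) in mail headers;
    decode them to Unicode before calling this so the confusables table applies.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(domain)
    if reg in protected:
        return "legitimate"          # exact match on the registrable domain
    for good in protected:
        if domain.startswith(good + "."):
            return "brand-as-subdomain"   # e.g. example-corp.com.invoice-portal.net
        if normalise(reg) == normalise(good):
            return "homoglyph"            # identical once look-alikes are collapsed
        if levenshtein(reg, good) <= 2:
            return "typosquat"            # a couple of edits away from the real name
    return "unrelated"


if __name__ == "__main__":
    for addr in ("alice@example-corp.com", "accounts@examp1e-corp.com",
                 "accounts@example-crop.com",
                 "payments@example-corp.com.invoice-portal.net"):
        print(f"{addr:50} -> {assess_sender(addr)}")
```

Note that this only inspects the address the mail claims to come from; a header From: address on the genuine domain can simply be forged unless SPF, DKIM and DMARC are enforced, so a lookalike check complements those controls rather than replacing them.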

Vishing (voice phishing) can take a little more skill, as the attacker has to think quickly and have a well-defined pretext in mind when speaking with someone over the telephone. Attacks generally involve conveying urgency to the victim about a problem or incident, causing confusion or panic that often leads the victim to do things they ordinarily would not, such as giving their password over the phone or disclosing other business-sensitive information that the attacker can use in a separate attack. Fortunately, or rather unfortunately in this case, it is human nature (for most people) to want to be helpful, likeable and accepted. This often leads people to offer more information than was asked for and to become less guarded when questioned, especially when the attacker is pretending to be in need of assistance.

Dumpster diving is one of the less glamorous aspects of social engineering. This is where the attacker visits the premises and attempts to access the organisation's refuse. Bags of rubbish taken from often unlocked and unguarded bins can contain a vast amount of information useful to an attacker. Treasures gathered can include corporate-branded documents containing customer or business-sensitive data, organisational charts, financial information, security passes belonging to visitors or to staff who no longer work there, and more. The more assets an attacker can get hold of, the greater their chance of successfully performing phishing, vishing or physical attacks against the target, because the gathered information lends authenticity to their dealings with staff.

Open Source Intelligence (OSINT for short) is the gathering of information about a target using publicly available sources such as Google, Shodan, the target’s own website and the many open source scripts that automate information gathering extremely quickly. The gathered information can allow an attacker to build a list of target email addresses, staff names, account names recovered from document metadata and sometimes even passwords that have been leaked. OSINT is a very important part of any attacker's activity, as it lets them contact the target and name-drop legitimate people and departments; most people assume an attacker could only know such details if they worked within the organisation or had legitimate dealings with it.

Physical infiltration is where the attacker attempts to enter the target’s premises, often with the aim of exfiltrating sensitive data, causing damage and disruption, or even leaving a rogue device attached to the network that lets them log into it later from the comfort of their own home, without the risk of being physically apprehended. Physical access can be achieved simply by following a legitimate member of staff through a door before it closes; because many people do not feel comfortable challenging someone they do not know, they ignore the fact that a stranger has followed them into the building. Once inside and past the physical security controls, the attacker is assumed to belong there, precisely because they have already passed one or more controls on the way in. Many companies do not report these breaches out of embarrassment, but the repercussions can be devastating, often leading to the loss of sensitive data and causing reputational damage.

Conclusion

Social engineering often provides a far quicker and less resource-intensive way to compromise an organisation’s security controls, by using the weakest link: human behaviour. Humans are far more easily compromised than machines, which always obey their rules. Once a social engineering attack has successfully compromised the external security controls, exploiting weak internal controls is child’s play for a determined and well-resourced attacker.

Many attacks can be stopped by ensuring that employees have a good level of security awareness in terms of email and telephone attacks. Instilling a firm but polite ‘challenge culture’ combined with a process on how to deal with unauthorised ‘visitors’ can also go a long way to protecting organisations against physical social engineering attacks.

Finally, use expert third parties to conduct social engineering exercises to test the behaviour of your staff and understand how successful your training was.

If you have any doubts in your organisation’s ability to stay protected against a social engineering attack, get in touch and see how Commissum can create a culture of security across your company and then test your defences. Remember, prevention is better than cure!

Get in touch to see how Commissum can enable your organisation through increased security awareness.