Many people have asked why we call our Cybersecurity series "Hello Friend...". It comes directly from the hit USA Network series "Mr. Robot", featuring a hacker who is as talented as he is troubled. As the dialogue in the image above illustrates, he has an imaginary friend in his head (played by you, the viewer) whom he addresses as "friend". The remarkable thing about the series is that, besides being brilliantly written, the hacks used in the story are authentic techniques rather than the traditional Hollywood fakery. This is because the technical advisers are hackers and Cybersecurity experts such as Jeff Moss, the American hacker and computer security expert who founded the Black Hat and DEF CON security conferences.
If you have not checked out the series, you really should, although watching it will make you paranoid about your own Cybersecurity. Here is a link to a hacker/fan's video describing just a few of the real hacks in the first five episodes.
Nearly all attackers, and the automated hacking tools sold on the dark web, rely on social engineering TTPs (Tactics, Techniques, and Procedures) to exploit the weakest link in any Cybersecurity scheme: people.
As shown in the video linked above, in the show Elliot prefers to hack people rather than security systems. This technique is commonly referred to as social engineering: an attack vector that relies heavily on human interaction and usually involves tricking people into breaking normal security procedures.
Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn't matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents.
It is far easier to hack a person than to hack a network. A network may have several layers of security and logging in place, of varying strength and unknown to the attacker, yet all of them can typically be bypassed by compromising a single user, because that user's credentials and access are already trusted by those controls.
Here are some of the most effective social engineering tactics commonly employed by professional hackers.
- Phishing: A phishing attack occurs when an attacker sends emails, to one person or to a list of people, that appear to come from a legitimate organization such as PayPal, a well-known vendor, or a bank, asking the recipient to open a document (PDF, Excel, or Word) or to visit a website and enter sensitive information such as bank account details or login credentials. The document or website looks like the real thing but was created by the attacker. It typically carries a FUD (Fully UnDetectable) payload, malware crafted to evade antivirus, which infects the device once the victim opens the file (often after being talked into enabling macros) or lands on an exploit page, granting remote access to the attacker. This attack scales well: in a large, automated email campaign the attacker sends the messages and harvests a list of compromised devices ready for further exploitation.
- Spear/Whale Phishing: Spear phishing and whale phishing are customized phishing attacks. Spear phishing targets specific individuals; whaling targets top executives. Attackers use whatever information they can find about executives and other high-profile targets on easily accessible sites. For example, a company may publish bios of its executive officers on its corporate website, and a social engineer can use that information to craft a targeted spear-phishing email to the officer. LinkedIn, Facebook, and other social media sites serve the same purpose.
For example, if the bio says that the chief financial officer graduated from the University of Michigan in 1979 and enjoys golf (yes, some executives put their hobbies in their bios), an attacker may send that officer an email purporting to come from the university alumni chapter, inviting him to a special alumni golf tournament for graduates. The executive is likely to believe it is authentic. The email may then ask him to visit a website and enter credit card information to reserve a spot in the tournament.
Because so much information about corporate officers and other high-profile targets is publicly available, whaling is becoming increasingly popular; that information makes it easy for attackers to approach them convincingly.
- Help Desk Call/Tech Support: Attackers typically have a strong technical background and draw on it when gathering information. A common example is a social engineer calling a user within an organization and impersonating a help desk operator. Here is what such a call may sound like:
Attacker: “Hello. This is Steve from the help desk. Hey listen, we’ve been noticing that some passwords have leaked out, and we are calling around to make sure that people are changing their passwords. We think your password may have been compromised, so if you don’t mind, I’d like to walk you through changing it.”
Attacker: “Great! First, I want you to hold down the Control button, the Alt button, and the Delete button at the same time. That will bring up a new screen that has several buttons. Once this appears, click on the Change Password button. Now it’s important that you type in a secure password that contains a good mixture of uppercase and lowercase letters as well as numbers so that it is difficult for an attacker to hack into your computer. What password are you going to use?”
User: “Hmm…let me think. How about Password123? Is that secure?”
Attacker: “Absolutely. Go ahead and type in the new password and press OK. I really appreciate you taking the time to do this to keep your computer secure.”
The attacker used his or her knowledge of technology to convince the user to give out a password. A legitimate help desk never needs to know your password; anyone who asks for it over the phone, however plausible the story, should be treated as an attacker, and the request verified by hanging up and calling the help desk back on its published number.
- Vishing: Vishing (voice phishing) is an attack that uses the phone to perform the equivalent of a phishing attack.
A common and highly effective example is to have an automated dialer call a list of numbers and play a recorded message. When the phone is answered, the recording may claim to be from the IRS about a tax issue, or from the person's bank about a compromised credit card. The "victims" are asked to call a number to resolve the issue.
The user calls the number and hears another automated message that prompts the victim to enter their social security number or credit card number, PIN, address, and whatever else the attacker wants. Another popular variation (often called smishing) delivers the original message as a text message to a cell phone instead of a call.
- Social Network Engineering: Social networking sites such as Facebook and LinkedIn are an attacker's paradise. An attacker can easily build a detailed profile of you from these sites. People post where they work, what they like to do, what bands they like, and more. An attacker will use the information you post on your social networking page in a number of ways:
  - Sending an email impersonating a friend listed on the page, asking for confidential information.
  - Viewing pictures of a person to find out popular hang-outs, then showing up at the same spots to social-engineer the person outside of a work environment.
  - Discovering the person's age, place of birth, school, and previous companies, all of which can be used to target the person with a spear phishing attack.
  - Adding the person as a friend to build up an online relationship and establish trust, which the social engineer then exploits to get information that can be used to launch another attack.
- NLP (Neuro-Linguistic Programming): Neuro-linguistic programming (NLP) is a psychological technique some attackers use to manipulate people and which, when done well, can be highly effective. NLP deals with a person's neurological processes, language, and learned behavioral responses. Although NLP was originally designed for therapeutic settings, it has principles social engineers use to steer people into doing almost anything the social engineer wants.
For example, attackers using NLP to socially engineer someone will use their own body language and a careful choice of words to send subconscious messages to the person they are trying to manipulate. They begin by matching their body language to the target's, and also try to match the target's breathing rate, voice level, accent, and vocabulary. This helps the attacker build rapport on a subconscious level. They may then send further subconscious messages by changing their body language, smiling, lightly touching the person on the shoulder or arm, and using words that evoke positive thoughts, images, and emotions. All of these tactile, visual, and verbal actions (called anchoring and reframing in NLP terms) influence the person to feel positive about the attacker and to develop a sense of trust and rapport. The attacker can then steer the conversation toward what they are after, such as a company's secrets.
NLP is especially effective when combined with an understanding of personality styles and behavior profiling. It takes practice, but it works.
- RSE (Reverse Social Engineering): RSE attacks have three steps: sabotage, advertising, and assisting. In the first step, the attacker finds a way to sabotage a network, or to appear to. This can range from launching a network attack against a target website to something as simple as sending an email from a spoofed address telling users they are infected with a virus. Whichever technique is used, the attacker has either sabotaged the network or created the impression that it has been sabotaged.
Next, the attacker advertises his or her services as a security consultant, through mailers, business cards, or emails. At this point the attacker has created a problem in the network (sabotage) and is positioning himself or herself to help (advertising). The company sees the advertisement, contacts the attacker in the belief that the attacker is a legitimate consultant, and allows the attacker to work on the network. Once in, the social engineer appears to fix the problem (assisting) but actually does something malicious, such as planting sniffers, RATs (Remote Access Trojans), or keyloggers, or stealing confidential data.
- Piggybacking: Hacking a person to obtain passwords or secrets is one social engineering vector, but people can also be hacked to gain physical access to a site, which can be even more damaging. In a piggybacking (or tailgating) attack, an attacker poses as a legitimate employee and walks into a secure building by following someone who has access.
A classic example is an attacker showing up at the front door of a secure facility on a rainy day at 8 am carrying a heavy box. As an employee walks up, the attacker exploits human kindness: "Would you mind opening the door for me? I can't reach my badge while carrying this box." Because people generally want to help, the employee opens the secure door and lets the attacker in.
Another common example is for the attacker to show up where employees stand outside to smoke. The attacker smokes with them and, when they finish, simply walks in right behind them, bypassing physical security controls such as card readers.
Once inside, the attacker can reach the network through a printer, switch, router, or PC, or plant a device on the network that provides automated remote access for control and monitoring.
- Sex: Sex sells... period. Always has and always will. If there is one universal truth, it is that human beings can and will do dumb things when attracted to someone. When I served on fast attack submarines during the 1980s (the height of the Cold War), we were frequently told that if a really attractive female began talking with you, you should be extremely careful about what you said, because (a) you aren't that good looking, and (b) she was either a Soviet spy or a US Naval Intelligence officer trying to get you to reveal secret information. Using human attraction, an attacker gets the user interested in them and gives the impression that the feelings are reciprocated. This leaves the user vulnerable to everything from the attacker gathering insider information to pick-pocketing the keys to a building while he or she is not paying attention.
This can also be done using dating sites or apps. Recently there was a large-scale fraud perpetrated by Nigerian nationals using fictitious profiles of military service members on dating services to build a false sense of intimacy with women specifically targeted for the information they had shared on the site. The "soldiers" claimed to be "serving overseas" and, once sufficient romantic feeling and trust had been built, presented an emergency, bilking the unwitting victims into wiring cash to accounts in the US from which it was forwarded to Nigeria.
A social engineer is someone who understands psychology and engineers ways to manipulate people to his or her advantage. Leading someone to believe there is mutual chemistry is one of the oldest social engineering tricks in the world.
- Inebriation: If an attacker is after information, nothing gets a user talking like meeting them at a bar. An attacker who wants insider information may seek out a user who likes going to bars, either by following people home from work to see which of them stop at a bar, or by looking them up on social networking sites for pictures or other clues to the bars or clubs they frequent. Armed with this information, the social engineer strikes up a conversation with the target at the bar and tries to get the person drunk enough to reveal information.
There are several steps an attacker may take to accomplish this. Once the attacker learns which bar the target visits, the attacker arrives early, strikes up a conversation with the bartender, says he or she will be in later, and hands over a large sum of cash to make sure there are always drinks ready. The attacker also tells the bartender that he or she is an alcoholic and that, no matter what drink is ordered, it must contain no alcohol. This way the attacker stays sober and focused on the objective while the target gets drunk.
Later that night, the attacker approaches the user, strikes up a conversation, orders several rounds of shots and hard liquor on his or her tab, and works on getting the target drunk. Once the target is drunk, the attacker brings up work and extracts information the person would otherwise never share, such as how to get into a building, passwords, trade secrets, and more.
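The phishing entry above describes the lure in prose: a message that appears to come from a brand, a link that does not go where its text says, and a document carrying the payload. Those same tells can be checked mechanically. The following Python script is an added example and not part of the original post or the show; it parses a constructed sample message (the lookalike domain, brand allow-list and risky-extension list are assumptions for illustration) and reports the indicators a mail filter or an analyst would flag.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not a real campaign): a "PayPal" display name on a
# lookalike domain, a Reply-To pointing elsewhere, a link whose visible text
# differs from its href, and a macro-enabled Word attachment.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1-secure.example>
Reply-To: collect@mailbox.example
To: victim@corp.example
Subject: Action required: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached statement, then confirm your details at
<a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>.</p>
--b1
Content-Type: application/octet-stream; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"
Content-Transfer-Encoding: base64

ZmFrZSBkb2N1bWVudA==
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: victim@corp.example
Subject: Maintenance window Saturday
Content-Type: text/plain; charset="utf-8"

The VPN will be unavailable Saturday 02:00-04:00 UTC.
"""

# File types that can carry macros or scripts; assumed list for the example.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".iso", ".lnk"}

# Brands commonly impersonated, mapped to the domains they really mail from
# (assumed allow-list; a real deployment would maintain its own).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def registrable(host):
    """Crude registrable-domain reduction: keep the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def mail_domain(address):
    return registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""


def phishing_indicators(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = mail_domain(addr)

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain!r}")

    # 2. Reply-To routes answers to a different domain than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = mail_domain(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain!r} differs from sender domain {from_domain!r}")

    # 3. Anchor text that looks like a URL but whose href goes to another host.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = text.strip()
        if re.match(r"https?://", shown, re.I):
            if registrable(urlparse(href).hostname) != registrable(urlparse(shown).hostname):
                findings.append(f"link text shows {shown!r} but href goes to {href!r}")

    # 4. Attachments with macro-capable or script extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky extension {ext}")

    return findings


if __name__ == "__main__":
    for label, mail in (("sample lure", SAMPLE_EMAIL), ("clean mail", CLEAN_EMAIL)):
        print(f"== {label}")
        for finding in phishing_indicators(mail) or ["no indicators"]:
            print("  -", finding)
```

Run against the sample lure the script reports all four indicators and reports none for the benign message. None of these checks is conclusive on its own (legitimate newsletters use third-party Reply-To addresses, for instance), which is why they are scored together rather than treated as individual verdicts.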
These are just a few of the many techniques used by attackers employing social engineering. Some involve technology (e.g., spear phishing), while others use tried and true methods of human manipulation (such as NLP).
The first step in countering social engineering is to evaluate what kind of target you are. Is there too much information about your past and present activities on social media? Do you scrutinize contacts from people you do not know, and any unsolicited documents or links you receive? Do you avoid using anything posted on your social media, or anything from your personal history, when choosing passwords?
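The last question above, whether your passwords borrow from what you have posted, is easy to turn into an automated check. The following Python script is an added example and not part of the original post; it takes the CFO's bio details from the spear-phishing example (assumed values) and reports which of them a candidate password is built from, allowing for capitalization and the common leetspeak substitutions an attacker's wordlist would also try.

```python
import re

# Leetspeak substitutions. "1" is ambiguous (i or l), so two variants are tried.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_TABLES = [str.maketrans({**_BASE, "1": "i"}), str.maketrans({**_BASE, "1": "l"})]

# Constructed profile for the CFO from the bio example above (assumed values).
CFO_PROFILE = {
    "school": "University of Michigan",
    "graduated": 1979,
    "hobbies": ["golf"],
    "employer": "Acme Widgets",
}


def profile_tokens(profile):
    """Split every profile field into lowercase words of 4+ letters and 4-digit years."""
    words, years = set(), set()
    for value in profile.values():
        for item in (value if isinstance(value, (list, tuple)) else [value]):
            for tok in re.findall(r"[A-Za-z]+|\d+", str(item)):
                tok = tok.lower()
                if tok.isdigit():
                    if len(tok) == 4:
                        years.add(tok)
                elif len(tok) >= 4:
                    words.add(tok)
    return words, years


def profile_matches(password, profile):
    """Return the sorted profile tokens found in the password (case- and leet-insensitive)."""
    words, years = profile_tokens(profile)
    raw = password.lower()
    views = [raw] + [raw.translate(t) for t in LEET_TABLES]
    hits = {w for w in words if any(w in v for v in views)}
    hits |= {y for y in years if y in raw}   # years are matched verbatim, before leet mapping
    return sorted(hits)


if __name__ == "__main__":
    for pw in ("G0lf1979!", "M1ch1gan79", "Tr0ub4dor&3"):
        hits = profile_matches(pw, CFO_PROFILE)
        print(f"{pw:14} -> {'reject, derived from ' + ', '.join(hits) if hits else 'ok'}")
```

Running it rejects "G0lf1979!" (golf, 1979) and "M1ch1gan79" (michigan) and accepts "Tr0ub4dor&3". The same check, run at password-change time against the facts an attacker could scrape about an employee, catches exactly the passwords a social engineer would guess first.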
Once you have addressed your own exposure, look at your organization. If you are concerned about social engineers targeting people in your organization, there are some steps you can take to thwart these attacks:
- First, users should be regularly trained in how to look out for suspicious people, e-mails, and phone calls.
- Second, train users to use common sense when responding to requests for information; in other words, some people just need to be taught some street smarts. Some organizations do this by spelling out in a security policy the dangers of using social networking sites and of drinking and discussing work with strangers (of course, this is only effective if users actually read the policies, which, as we all know, is wishful thinking).
- Finally, apply the principle of need-to-know: users should be given only the information they need to do their job. They should not be told about other systems or about decisions made at higher levels that do not concern their environment. Then, if an attacker does get information out of them, what they can reveal is limited.
The bottom line is that social engineering will always be around, and you will only ever be as secure as the most vulnerable link in your organization. With a healthy level of paranoia and good common sense, you do not need to fear social engineers.