In the context of cyber attacks, social engineering is the art of manipulating human psychology in order to gain unauthorized access to information. Social engineering comes in many forms, from the poorly crafted mass phishing emails we see daily to perfectly scripted phone calls impersonating a trusted vendor.
Hackers will even go so far as to apply for positions, attend job interviews, and even work at organizations they are targeting.
In this article, let’s take a look at the components of some of these attacks and what can be done to defend against them.
Social engineering attacks generally start with a Google search. Hackers use specially crafted Google searches called “Google dorks” in order to obtain information about a target that can later be used in an attack. This method of finding information is referred to as “Open Source Intelligence Gathering” (OSINT)[1]. A prime example of OSINT is when a hacker wants to find images that a target organization typically adds to their emails. In this scenario, they would type this in a Google search bar:
site:domain.com filetype:jpeg
Hackers will use automated tools that leverage Google “dorks” and other techniques to gather massive amounts of data about a target. Specialized tools, such as Maltego, display the information in formats that make it easy to connect the data.
In addition to digital information gathering, hackers have been known to visit their targets, take tours, and find out where employees socialize and join them. They will even “dumpster dive,” which is exactly what it sounds like.
To protect themselves, organizations should minimize the amount of information they post online. The information should be reviewed and “sanitized” by the information security department so that only the bare minimum of information is made public. Furthermore, organizations should limit access to sensitive information by new employees.
Most email attacks fall into two categories:
1. Phishing emails that attempt to get the victim to volunteer information.
2. Emails that attempt to infect the target with malware directly.
Some attacks employ both of these tactics, the most common of which is the “Nigerian Prince” scam, which uses emails to convince the victim to send the attacker money directly. These types of scams are well known, and most people know to avoid them.
More sophisticated attackers targeting a particular organization don’t stoop to such simple tactics. Using a more targeted approach, they forge the email headers so that the message appears to come from inside the organization. They will even fake an ongoing conversation.
The contents of the email are typically links to pages that look like familiar login pages (Office, Gmail, etc.) but are actually controlled by the attacker. The malicious site(s) pass any information entered along to the legitimate counterpart, but not before logging it first. The email could also contain a Word document with embedded code that will infect the system with malware.
A lesser-known attack involves stealing the hashed form of the user’s Windows password (called an NTLM hash) by sending an email containing an image that the user doesn’t even need to open. This is achieved by taking advantage of the email preview functionality found in most email clients. Users can protect themselves by disabling the automatic download of images in their email client.
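As an added example (not code from the original article), a small triage script that applies the three checks discussed above to a constructed message: an internal-looking From address that the mail gateway did not authenticate, a link whose visible text names a different host than its real target, and a remote image reference that a preview pane would fetch automatically. The organization domain example.com, the Authentication-Results header format and the sample message itself are assumptions.

```python
"""Phishing triage heuristics (added example, not from the original article).
Assumes the organization's mail domain is example.com and that the mail
gateway stamps an Authentication-Results header on inbound mail."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sample: claims to be internal, fails SPF, links to a lookalike
# host behind trusted-looking link text, and references a remote image.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: RE: password policy update
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Content-Type: text/html

<html><body>
<p>Please sign in again at
<a href="http://login-example-com.attacker.test/">https://login.microsoftonline.com</a></p>
<img src="http://attacker.test/tracker.gif">
</body></html>
"""

def triage(raw: str) -> list[str]:
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    # 1. Claims to come from inside, but the gateway did not authenticate it.
    if sender_domain == OUR_DOMAIN and not ("spf=pass" in auth or "dkim=pass" in auth):
        findings.append("internal sender without SPF/DKIM pass")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # 2. Visible link text names one host while the href points at another.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text {shown} != target {actual}")
    # 3. Remote image references are fetched automatically by preview panes.
    for src in re.findall(r'<img\s+[^>]*src="([^"]+)"', body, re.I):
        if urlparse(src).scheme:
            findings.append(f"remote image {src}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```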
Sometimes attackers can reach an organization through its vendors more easily than through a direct attack.
This is best exemplified in the Target POS (Point of Sale) hack of 2013. The attackers targeted Target (forgive the terrible play on words) but knew that such a large organization would spend a lot of money on information security and would be difficult to penetrate. Using the OSINT they gathered, the attackers found that Target outsourced its HVAC system maintenance to Fazio Mechanical Services. To keep costs low, the air conditioning units were monitored remotely, and Fazio was given access to Target’s network (way too much access).
The attackers turned their attention to Fazio and, using even more OSINT, sent targeted emails to Fazio employees, stealing the credentials used to access Target’s network. At this point, the attackers were able to reach the Point of Sale systems and copy the credit card information of every card used for purchases.
It is inevitable that humans are going to be the weakest part of any security system; however, that doesn’t mean major breaches in security are unavoidable. The best way companies can guard against social engineering attacks is to educate and train their employees. Adding a Security Awareness Program provides an added layer of defense.
Companies might also consider hiring white hat hackers to send phishing emails to employees, or use an automated program to run these types of tests. There are technical safeguards that IT teams can implement; however, it is inevitable that some social engineering attacks will successfully reach employees. A well-trained employee can stop a social engineer in their tracks, forcing them to move on to another target.
[1] OSINT is a huge topic that could span several articles. This will only scratch the surface.