
Hacking the Human

Dennis Schlessman, CISSP, CISA

Introduction:
Social engineering has been described as the ugly stepsister of hacking and was not elevated to respectability until Kevin Mitnick became famous for his exploits, and success, in the social engineering discipline. The hacker depends on the ability to understand and circumvent the technical roadblocks to gain access to the desired information. But the social engineer depends on something much different: the inherent desire of people to be helpful and the ability to gain the victim's trust.

Social engineers are motivated by basically the same things that motivate hackers. They want access to information about an organization, information systems or network, or customer data, all of which can be used for financial gain. A survey of 853 IT Professionals conducted by Dimensional Research and published in September 2011 indicates 51% of social engineering attacks are for financial gain, followed closely by access to proprietary information at 46%. Occasionally, social engineers want to make a political statement or prove they can break the system; however, these are more often goals of hacker groups such as Anonymous or LulzSec.

The first few steps of any social engineering project are to select a target, then perform the necessary research. Of course, there is no lack of targets; they can be individuals, corporations, or even government agencies. Research methods include dumpster diving, internet searches, and shoulder surfing. Based on the target and results of the research, the social engineer must then decide on the most efficient method of attack. Social engineering attacks include several distinct approaches, of which I will discuss three: pretext calls, phishing, and impersonation.

Page 1

Social Engineering Attack Vectors:

Pretext Calls:
Pretext calls provide anonymity, and can be performed from any location in the world. Contineo defines pretext calling as:
The act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and which is typically done over the telephone.

Let's look at a couple of well known attacks using pretext calls: An individual pretends to be an employee from the help desk. From research already performed, the social engineer drops names and titles the employee is familiar with, validating their identity and relieving any apprehension the employee may have. The social engineer needs to test some system changes recently performed and requests the employee enter his password to verify the test worked correctly. After the employee enters the password, the social engineer feigns a problem and asks to verify the information entered by the employee, and because the employee wants to be helpful, he provides the password. Behold, the social engineer now has a current password into the system and the employee is no more the wiser. The social engineer ends the call saying there are some corrections to be made and thanks the employee for the help. Kevin Mitnick was an expert at this type of social engineering and had great success using it against Pacific Bell to gain access to their systems.

Another example involves financial institutions and the perpetrator pretending to be a customer. With very little information the social engineer can gather personal account information that can be used later for financial gain. I recently completed a series of pretext calls for a social engineering test and was amazed at my success. I was provided some basic customer information, nothing that could not be obtained by shoulder surfing or via internet searches, for instance an account number, a phone number, address, or date of birth. Without a social security number or mother's maiden name, or individual account codes used for security purposes, and having no knowledge of recent account activity, I was able to acquire current account information by providing a combination of the account number, the address and the phone number. This information is considered public and not satisfactory as a means of verifying the customer's identity over the phone.

On a personal note, I recently received a phone call at home in which the person on the other end represented an organization seeking information about a family member. They stated they had my family member's social security number and asked me to verify it. If this happens to you, don't do it! Chances are it is a pretext call gathering information, and in today's environment don't take the bait.


Phishing:
Webopedia defines phishing as the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The email directs the user to visit a Web site where he is asked to update personal information, such as passwords, credit card, social security, and bank account numbers. The survey performed by Dimensional Research shows phishing emails are still the leading source of social engineering threats, although the success of phishing attacks appears to be declining for several reasons.

One of the most successful defenses against phishing is improvement to email software. If Microsoft Outlook 2007 or newer is being used, emails with links in them will prompt a message similar to the one below to be displayed.

Although this is not a big red flag, it is a big pink flag and the receiver should pay attention.

Along with the technical advances that identify potential phishing emails, training is critical; it can be as simple as telling users, "Don't click links that are included in emails, unless you know for sure the site is trusted."

Awareness of several common characteristics of phishing emails is also helpful in recognizing social engineering attacks.

1. Look for bad grammar or misspelled words. Professional organizations and companies are very careful what gets published in emails representing their company. If you notice these types of mistakes, or the email does not look professional, beware it could be a scam.


2. Beware of links in emails. If you see a link in an email don't click on it; move your mouse over the link and confirm the link address is the location you want to visit. Also be aware that links can lead to executable files, which you never want to click on.

3. The email has a threat in it. If you don't perform some action, such as clicking on the link, your account will be disabled, or access removed, or a visit from the FBI, etc.

4. Spoofing a legitimate website. This means the phishers include official looking graphics and logos to influence you to succumb to the phishing attack.
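The hover check in item 2 and the threat wording in item 3 can be automated for a mail filter or an awareness exercise. The following Python script is an added example, not part of the original article: it pulls every link out of an HTML message, flags visible link text that names one address while the href points somewhere else, flags links that end in executable file types, and looks for threat language. The sample message, the domain names, and the phrase and extension lists are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a link should never deliver straight from an e-mail (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".com", ".js", ".vbs", ".msi")
# Typical "act now or else" wording (assumed list; extend it for your environment).
THREAT_PHRASES = ("account will be disabled", "access will be removed", "within 24 hours")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_email(html):
    """Return a list of findings; an empty list means no indicator fired."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # The hover check: visible text that looks like an address but resolves elsewhere.
        looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I)
        if looks_like_url and host_of(text) != host_of(href):
            findings.append(f"link text '{text}' hides target {host_of(href)}")
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"link leads to an executable: {href}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    findings += [f"threat language: '{p}'" for p in THREAT_PHRASES if p in plain]
    return findings

# Constructed sample message with a disguised link, an executable download and a threat.
SAMPLE = ('<p>Your account will be disabled unless you verify within 24 hours.</p>'
          '<p>Go to <a href="http://login.phish.invalid/update">www.examplebank.example</a>.</p>'
          '<p>Or open <a href="http://files.phish.invalid/statement.exe">your statement</a>.</p>')
```

Running `check_email(SAMPLE)` returns four findings for the sample; a message whose link text and href agree and that carries no threat wording returns an empty list.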

Awareness and training employees about social engineering attacks is still not a priority with most organizations. Dimensional Research shows only 26% of survey respondents have ongoing social engineering training for employees.

Impersonation:
The strictest definition of the word impersonation would include the act of pretext calling and phishing. However, in this context I am using the word to mean masquerading as someone in a face to face situation, not via email or the phone. An example would be pretending to be a utility worker to gain access to a building for the purpose of gathering information.

There is a book, later made into a movie, which provides an excellent example of the success one can have by impersonating other people. It is called Catch Me If You Can: The True Story of a Real Fake. It is the story of a con man named Frank Abagnale who throughout his career impersonated an airline pilot, a doctor, and a lawyer. He was able to travel all over the world by impersonating these individuals. During his career he fraudulently acquired over two million dollars. He was eventually caught and spent approximately six years in jail, some in Europe but most in the United States. I recommend reading the book for some very good insight into the art of impersonation.


Impersonating someone else requires a lot of confidence, moxie, and risk, which is why it is not employed often by the social engineer. If I can achieve the same goals over the phone or via email, why take the risks involved in a face to face encounter?

Even if impersonating is not used often, controls still need to be in place to mitigate the risks. For example, visitor sign in sheets, an escort policy for vendors and visitors, and temporary identification badges all work to protect the organization.

Conclusion:
Willie Sutton, a prolific bank robber from the late 1920s through 1952, is credited with answering the question, "Why do you rob banks?" by saying, "Because that is where the money is." By the same token, organizations are targeted by social engineers because that is where the information is. That being said, organizations, and in some cases individuals, are not going to prevent social engineering attacks. However, there are steps that can be taken to reduce the success of social engineering. Training needs to be implemented and supported by senior management. As indicated in the chart above, training is woefully lacking, with 74% of companies not actively training employees. A thorough training program will include recognition, reporting, and steps taken when an attack is identified, and most importantly it should include the entire organization, especially new employees, as indicated by the chart below. Training should also include clear verification procedures used to identify customers.

Finally, I want to mention the costs of social engineering attacks. They are not cheap. The risks include business disruption, customer outlays, revenue lost, labor, and other overhead, all of which have hard and soft costs associated with them.

Social engineering is not as glamorous as hacking and you don't read about it in the news very often, but it is a real threat that should not be ignored.

Dennis Schlessman, CISSP, CISA, is an auditor and consultant at Contineo. He specializes in information security, IT auditing, vulnerability assessment and penetration testing, and remediation consulting.

For more information, please contact Contineo at (509) 847-0100, or visit us on the web at www.contineotech.com.

References:
Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger
http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Microsoft.com
http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

The Risk of Social Engineering on Information Security: A Survey of IT Professionals. Performed by Dimensional Research, sponsored by Check Point Software Technologies.
http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf

Catch Me If You Can: The True Story of a Real Fake, by Frank Abagnale with Stan Redding. Originally published New York: Grosset and Dunlap, c1980.

The Art of Deception, by Kevin Mitnick and William L. Simon, Wiley Publishing Inc.
