Photo Credit: LockerDome

Social engineering is the use of deception to manipulate individuals into disclosing sensitive information that may be used to compromise a network, infiltrate an organization, gain access to trade secrets, as part of a cyberstalking campaign, or in furtherance of an espionage operation.

Bleeping Computer regularly reports on social engineering attacks such as one that was discovered last month and involved a fake adult website. Earlier this month a social engineering attack involving Microsoft Edge was also exposed.

Another social engineering case that received a lot of attention between 2015 and 2017 revolved around Crackas With Attitude (CWA). One of the crew, Justin Liverman, received five years in prison, despite the fact that he hadn't actually hacked any accounts himself. He had also agreed to a plea deal. Sentenced by Judge Gerald Bruce Lee in the Federal Court of the Eastern District of Virginia, the judge admonished the group for the chaos unleashed: "Your intent was clear, and that was to wreak havoc.”

According to an affidavit filed, the group didn't gain access into the restricted accounts by way of hacking. Instead, they used social engineering and impersonated their targets and various IT support personnel, purporting to help the victims. Ars Technica reported that, "on October 11, 2015, one of the suspects allegedly accessed the account belonging to Brennan by posing as a technician from Verizon. The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account."

Tactics

Matt Wixey, one of the presenters this year at Black Hat USA, leads technical research for the PwC Cyber Security practice in the UK. He works closely with the Ethical Hacking team and is a PhD candidate at University College London. Prior to joining PwC, Wixey led a technical R&D team for a law enforcement agency in the UK.

The preamble to Wixey's presentation states:

“Traditional phishing and social engineering attack techniques are typically well-documented and understood. While such attacks often still succeed, a combination of psychology, awareness campaigns, and technical or physical controls has made significant progress in limiting their effectiveness.

In response, attackers are turning to increasingly sophisticated and longer-term efforts involving self-referencing synthetic networks, multiple credible false personae, and highly targeted and detailed reconnaissance. This approach, which I call ROSE (Remote Online Social Engineering), is a variant of catfishing, and is performed with the specific aim of compromising an organisation's network. By building rapport with targeted victims, attackers are able to elicit sensitive information, gather material for extortion, and persuade users to take actions leading to compromises.”

In Wixey's presentation, titled "Every ROSE has its thorn: The dark art of Remote Online Social Engineering", he likens social engineering tactics to fictional novels:

  • The social engineering identities are long-term and highly customized
  • They are also highly interactive
  • One or more of the identities are detailed false personas
  • The focus is on business related platforms and targets
  • The objective is to compromise security
  • Believable characters with backstories are crafted into the schemes
  • Realistic dialogue, reactions and a compelling plot are created

It's important to note that ROSE can be crafted, specifically, to bypass your filters. So, the attackers may make use of some of the following:

  • Specific attributes
  • Likes/dislikes, interests and hobbies
  • Affiliations
  • Education/employment
  • Relationships and family
  • Location data
  • Information on platforms and profiles
  • Purchases, holidays
  • Technical info
  • Reactions, style, motivations
  • Similar interests, styles, etc

Countering social engineering

Jean de La Fontaine, Fables, II.15 - Matt Wixey, Black Hat USA 2018

Social engineering attacks can be circumvented by utilizing the following techniques:

  • Drip-feed them false information
  • Elicit information for use in attribution. This can be done openly or surreptitiously, depending on the situation.
  • Have you ever met the attacker in person? Has anyone you know ever met them in person?
  • Does their knowledge check out?
  • Conduct background verification checks
  • Consider how you were contacted. Was it via social media, your company's website, company email or telephone? Did anything stand out, in the first contact made, as a red flag?
  • Determine what it is that the person wants, and why? Specifically, why from you?
  • Any interest expressed in the technical aspects of the business? A lot?
  • Are they evasive when asked to meet in person? What about a phone call or video call?
  • Check for linguistic deception markers
  • Also check for similarities to other profiles (behavioral/linguistic/nonverbal). Attackers often do not alter their attack behavior or modus operandi.
  • Is conditioning behavior being used?
  • Note any marked interest in your job, industry or research
  • Age of the profile. What’s the earliest trace?
  • Observe any inconsistencies in background, activity, or reactions
  • Report suspicious behavior to the authorities

The United States Computer Emergency Readiness Team (US-CERT) also has advice on how to avoid becoming a victim of social engineering:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information.)
  • Take advantage of any anti-phishing features offered by your email client and web browser.

Black Hat conference regular, Kevin Mitnick, suggests training employees to stop, look and think. All organizations are potential victims of social engineering attacks that may appear to come from a supplier, vendor, client or internal employee. “Educate and train your people to recognize them by using the same sources and methods the adversaries use,” says Mitnick. “The goal is to train users to make smarter security decisions, and to stop, look and think before clicking a link or opening an attachment or giving out sensitive information.”