Social engineering stories from the front lines

It's always amazing how little attention social engineering attacks get when discussing enterprise information security risks. After all, it's usually easier to get an unsuspecting employee to click on a link than it is to find an exploitable vulnerability on a reasonably hardened webserver. Social engineering attacks come from many different angles: from targeted e-mails, phone call pretexting, or acting like a service technician or other innocuous person to obtain access to the IT resources and data they seek.

But how do successful social engineering attacks happen in reality, when conducted either by ethical hacker penetration teams or criminal attackers? To get an answer, we reached out to a number of security professionals and ethical hackers who face, or perform, social engineering attacks as part of their job.

"Social engineering is one of my favorite types of engagements," says Chris Blow, technical consultant at Rook Security, who has conducted many ethical social engineering attacks over the years.

How do social engineering attacks get started?

Often, the attackers first turn to social media sites, Internet searches, and even a few dumpsters, sorting through discarded documents to learn as much as they can about the target company. They then use that knowledge in some form of targeted attack, whether by email, by phone, or in person.

Mike Buratowski, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, knows these tactics. "When we do breach assessments for companies, we often find proprietary information on the Internet. These might include a staff listing featuring personally identifiable employee information, who each person reports to, plus his or her job responsibilities and purchasing authorization. In those cases, companies are giving a social engineering attack legs, making it that much easier for attackers to tell a believable story," says Buratowski.

That "believable" story is core to a successful social engineering attack. "At the end of the day, that's what social engineering is all about -- getting your victim to believe you and take an action, whether that's opening an email or attachment, clicking a link, or even just plugging in a supposedly forgotten USB to find its owner," Buratowski adds.

Blow recalls a penetration test in which the client asked for an email and phone social engineering aspect to the engagement. "During the pen test, I found his SSL VPN gateway. For the social engineering aspect, I revisited the gateway webpage to see if there was anything special about it. There wasn't. So, I copied that page and hosted it with a very believable URL. The email that I wrote coincided with the fact that this area was having one of the worst winters in quite a long time:

"Due to the rise in inclement weather, we're committed to our employees' safety and are in the process of upgrading our remote access gateway so that everybody has the opportunity to work from home. Please click the link below to install the new software. You will be asked to enter your credentials before continuing."

It worked. Within an hour, Blow had more than 60 percent of the employees giving him their logon credentials. "By the time the information security department figured out what was going on (about 90 minutes), I had more than a 75 percent success rate. These users comprised a sampling from every department including marketing, IT, and C-level executives," he says.

Person-to-person cons

While emails and telephone calls are effective, sometimes it's crucial that the attacker gets onsite and social engineers in person. "Over the years, I've posed as an AT&T technician, a UPS delivery man, an angry executive, and a lot of the other typical guises talked about in our industry. One of my favorites was posing as an exterminator," explains Blow.

For that "exterminator" engagement, Blow had numerous physical locations he needed to breach quickly -- before the different branches had time to discuss his activities with each other. "I had several 'work orders' printed and several executives listed in the description, along with the CFO's signature. I'd taken the time to find out as much as I could about the people at these branches, but a lot of them didn't have much of a digital footprint," he explains.

That made it more challenging, but certainly not impossible. In the event he did have trouble getting in, Blow had someone at his company on the ready and prepared to support his front if an inquiry was made. Blow had other tricks up his sleeve, too, if needed, such as spoofing incoming phone calls. "What I wasn't prepared for was to be stopped at the front desk at my first location and almost not make it past. Apparently, the company had been using another pest control company for more than 30 years and immediately said that I wasn't 'Bob.'"

Blow needed to think quickly, and he did. "I told them that they were subcontracting jobs over the next few months due to high demand of exterminators in the area. I was even nice enough to place a phone call to 'Bob' (one of the employees at my company) and we made up a believable story," he says.

After a few more minutes of talking with her and with the vice president at that branch, Blow was still denied. He told them that he would be back with more proof. Luckily for Blow, this branch was a pretty large campus, so he just snuck in another door and was able to get everything he needed without being questioned.

Once inside, "the rest of the folks there were really friendly and helped me get into locked rooms and even their server room," he recalls. And, for that engagement, none of the remaining branches caused him such stress.

Think such social engineering engagements are unnecessary and don't correlate to real-world attacks? Think again. Jon Heimerl, Solutionary's senior security strategist, recalls a number of social engineering exercises from recent engagements. Solutionary was hired to test a client's social engineering resiliency following completion of a security awareness training effort. "I called a random number in the company's phone number range and reached a voice mail of an employee who was out of the office on an extended vacation. I was able to call the company's helpdesk (number provided in the out of office voicemail) and pretend to be the employee with a sore throat, under pressure about a critical project (revealed in the out of office voicemail)," Heimerl recalls.

What was he able to accomplish with that information? "I was able to get the helpdesk to change the employee's password," he says.

Heimerl then was able to use that new password to log on to the employee's Outlook Web Access email, where the employee stored a wide variety of sensitive information, including usernames and passwords for many critical systems in the company. The entire social engineering engagement took less than three minutes, Heimerl says, but within half an hour Solutionary was able to log on to the company's domain controller -- with valid usernames and passwords. "Nothing we did would have generated any alerts or looked like an attack. I was able to use the information provided in the out of office voicemail to convince the helpdesk I was that employee," Heimerl says.

That's all he needed.

In another engagement, during a breach remediation Heimerl's team was on, the attackers had infiltrated the company for some time using advanced malware. "We were in the process of shutting down the attack vectors when a non-IT employee received a call. The caller identified himself as someone working with the CISO who knew that the CISO was working on a special project -- the breach -- with some outside contractors, and asked if he could get the names of those contractors," he says.

Heimerl believes the attacker(s) were trying both to confirm whether the company knew it had been breached and to learn who they were up against (on defense and investigation). "Often, bad guys will go dormant if they think their victim is onto them, waiting for the smoke to clear before starting right back up again. Sometimes this works. Other times, when the investigation is more thorough, it doesn't," he says.

In reaching out to social engineers, we couldn't find any who had done such work for more than a few engagements without successfully pushing their attack further through social engineering techniques. All too often, it seems, no matter how hardened the IT infrastructure or the security technologies in place, there are always going to be employees who hand over the keys to the kingdom -- or at least lower the drawbridge when asked nicely, or with authority.

This is why Blow advises more companies to invest some of their security budget to social engineering engagements. "Not only does it help train your employees with a real-world scenario, but it also will help strengthen your company's incident response program," he says. "Hopefully your company has one of those."
