You get a call from a software company — a Microsoft partner perhaps — who tells you your computer is infected with a virus. But don't worry. The helpful technician on the other end of the line can walk you through the removal process. Or maybe you're an executive at a major security company who receives an email that states: 'Forward this file to yourself for review. Please open and view it.' Or perhaps you find a USB stick lying around and plug it into your workplace PC to figure out what's on it.
Next thing you know, your credit card has been charged; or your company's two-factor authentication system has been compromised; or your nuclear power plant's network is in the grip of a worm.
The common factor in all three: people — or perhaps more precisely, social engineering. Chris Hadnagy (@humanhacker on Twitter), a trainer for Offensive Security and the author of Social Engineering: The Art of Human Hacking, describes social engineering as "the act of influencing a person to take an action that may or may not be in their best interest."
Hadnagy gives an example of how he could use social engineering to infiltrate a tech company: "I might first start by calling the accounts receivable department and acting like a potential new vendor. I might find out how they sign people up, find out lingo they use and codes they have, take down the name of the person I was with and tell them I will call back later," he says.
"Call back later, but this time as a present vendor, let's say the waste management company. As I call in I say something like, 'I got a call from Jenny, she said there was a report of a damaged dumpster at your location. I am going to send our Paul tomorrow to take a look. Can you let security know?'"
The next day Hadnagy could turn up dressed as their waste management person and be allowed on site for an 'authorised' dumpster dive, gaining access to improperly disposed-of documents. "I could say something like, 'Hey, while I was on the lot, I found this USB key... doesn't look like it was disposed of properly. I am turning it in to you. Okay?'" Hadnagy says.
Most people would probably insert the USB drive to see what's on it, potentially infecting a computer — which is almost certainly attached to the company's network — with malware. If this vector doesn't work, there are many others that can be facilitated from one of the previous steps, Hadnagy says.
Social engineering is the most common method used in attempts to breach organisations' security, according to Hadnagy. High-profile hacker group LulzSec, as one example, stated that it "used SE in every attack they launched last year," Hadnagy says.
"Social engineering is used in many major and minor attacks on companies. Sometimes not even by hackers, but you hear reports such as the 17-year-old who impersonated a doctor and a cop, or the guy who impersonated a pilot flying a plane for over five years. All these are social engineering attacks in one form or another."
Too often, Hadnagy says, there is a tendency to treat security as a purely 'technical' problem. He says that during sales calls, one of the hardest security services to sell is a social engineering audit. "Why?" Hadnagy asks. "I am not 100 per cent sure, except we hear things like, 'it is cheating' or 'my people won't fall for that'. Of course those companies are usually the ones who fall for it and end up being hurt by it."
Social engineering preys on human weakness more than on technical flaws, and the threats to businesses generally fall into one of three categories, according to Hadnagy.
• Web and email attacks: This includes things such as phishing and malicious websites.
• Phone-based attacks: Eliciting information over the phone, usually in order to facilitate "a further, more brutal and personal attack."
• Physical attacks: For example, dumpster diving (or trashing) to obtain information or encouraging someone to use a malware-infected USB key.