It's always amazing how little attention social engineering attacks get when discussing enterprise information security risks. After all, it's usually easier to get an unsuspecting employee to click on a link than it is to find an exploitable vulnerability on a reasonably hardened webserver. Social engineering attacks come from many different angles: from targeted e-mails, phone call pretexting, or acting like a service technician or other innocuous person to obtain access to the IT resources and data they seek.
But how do successful social engineering attacks happen in reality, when conducted either by ethical hacker penetration teams or criminal attackers? To get an answer, we reached out to a number of security professionals and ethical hackers who face, or perform, social engineering attacks as part of their job.
"Social engineering is one of my favorite types of engagements," says Chris Blow, technical consultant at Rook Security, who has conducted many ethical social engineering attacks over the years.
How do social engineering attacks get started?
Often, the attackers first turn to social media sites, Internet searchers, and even jump into a few dumpsters to sort through documents to learn as much as they can about the target company. They'll take the info that they learned and then employ that knowledge in some form of targeted attack, either in email, phone, or in person.
Mike Buratowski, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, knows these tactics. "When we do breach assessments for companies, we often find proprietary information on the Internet. These might include a staff listing featuring personally identifiable employee information, who each person reports to, plus his or her job responsibilities and purchasing authorization. In those cases, companies are giving a social engineering attack legs, making it that much easier for attackers to tell a believable story," says Buratowski.
That "believable" story is core to a successful social engineering attack. "At the end of the day, that's what social engineering is all about -- getting your victim to believe you and take an action, whether that's opening an email or attachment, clicking a link, or even just plugging in a supposedly forgotten USB to find its owner," Buratowski adds.
Blow recalls a penetration test in which the client asked for an email and phone social engineering aspect to the engagement. "During the pen test, I found his SSL VPN gateway. For the social engineering aspect, I revisited the gateway webpage to see if there was anything special about it. There wasn't. So, I copied that page and hosted it with a very believable URL. The email that I wrote coincided with the fact that this area was having one of the worst winters in quite a long time:
"Due to the rise in inclement weather, we're committed to our employee's safety and are in the process of upgrading our remote access gateway so that everybody has the opportunity to work from home. Please click the link below to install the new software. You will be asked to enter your credentials before continuing."
It worked. Within an hour, Blow had more than 60 percent of the employees giving him their logon credentials. "By the time the information security department figured out what was going on (about 90 minutes), I had more than a 75 percent success rate. These users comprised a sampling from every department including marketing, IT, and C-level executives," he says.
While emails and telephone calls are effective, sometimes it's crucial that the attacker gets onsite and social engineers in person. "Over the years, I've posed as an AT&T technician, a UPS delivery man, an angry executive, and a lot of the other typical guises talked about in our industry. One of my favorites was posing as an exterminator," explains Blow.
For that "exterminator" engagement, Blow had numerous physical locations he needed to breach quickly -- before the different branches had time to discuss his activities with each other. "I had several 'work orders' printed and several executives listed in the description, along with the CFO's signature. I'd taken the time to find out as much as I could about the people at these branches, but a lot of them didn't have much of a digital footprint," he explains.
That made it more challenging, but certainly not impossible. In the event he did have trouble getting in, Blow had someone at his company on the ready and prepared to support his front if an inquiry was made. Blow had other tricks up his sleeve, too, if needed, such as spoofing incoming phone calls. "What I wasn't prepared for was to be stopped at the front desk at my first location and almost not make it past. Apparently, the company had been using another pest control company for more than 30 years and immediately said that I wasn't 'Bob.'"
Blow needed to think quickly, and he did. "I told them that they were subcontracting jobs over the next few months due to high demand of exterminators in the area. I was even nice enough to place a phone call to "Bob" (one of the employees at my company) and we made up a believable story," he says.
After a few more minutes of talking with her and with the vice president at that branch, Blow was still denied. He told them that he would be back with more proof. Luckily for Blow, this branch was a pretty large campus, so he just snuck in another door and was able to get everything he needed without being questioned.
Once inside, "the rest of the folks there were really friendly and helped me get into locked rooms and even their server room," he recalls. And, for that engagement, none of the remaining branches caused him such stress.
Think such social engineering engagements are unnecessary and don't correlate to real-world attacks? Think again. Jon Heimerl, Solutionary's senior security strategist, recalls a number of social engineering exercises from recent engagements. Solutionary was hired to test a client's social engineering resiliency following completion of a security awareness training effort. "I called a random number in the company's phone number range and reached a voice mail of an employee who was out of the office on an extended vacation. I was able to call the company's helpdesk (number provided in the out of office voicemail) and pretend to be the employee with a sore throat, under pressure about a critical project (revealed in the out of office voicemail), Heimerl recalls.
What was he able to accomplish with that information? "I was able to get the helpdesk to change the employee's password," he says.
Heimerl then was able to use that new password to log on to the employee's Outlook Web Access email, where the employee stored a wide variety of sensitive information, including usernames and passwords for many critical systems in the company. The entire social engineering engagement took less than three minutes, Heimerl says, but within half an hour Solutionary was able to log on to the company's domain controller -- with valid usernames and passwords. "Nothing we did would have generated any alerts or looked like an attack. I was able to use the information provided in the out of office voicemail to convince the helpdesk I was that employee," Heimerl says.
That's all he needed.
In another engagement, during a breach remediation Heimerl's team was on, the attackers had infiltrated the company for some time using advanced malware. "We were in the process of shutting down the attack vectors when a non-IT employee received a call. The caller identified himself as someone working with the CISO who knew that the CISO was working on a special project -- the breach -- with some outside contractors, and asked if he could get the names of those contractors," he says.
Heimerl believes that the attacker(s) were both trying to confirm whether the company knew it had been breached, and they wanted to know who they were up against (on defense and investigation). "Often, bad guys will go dormant if they think their victim is onto them, waiting for the smoke to clear before starting right back up again. Sometimes this works. Other times, when the investigation is more thorough, it doesn't," he says.
In reaching out to social engineers, we couldn't find any who had been doing such work for more than a few engagements who hadn't been successful in pushing their attack further through social engineering techniques. All too often, it seems, no matter how hardened the IT infrastructure, or the security technologies in place, there's always going to be employees who hand over the keys to the kingdom -- or at least raises the drawbridge when asked nicely, or with authority.
This is why Blow advises more companies to invest some of their security budget to social engineering engagements. "Not only does it help train your employees with a real-world scenario, but it also will help strengthen your company's incident response program," he says. "Hopefully your company has one of those."