December 15th, 2003, 10:32 AM
Classic Social Engineering Attacks
This is a paper I was required to write for an Information Security class. I think it actually turned out quite well, so I thought I'd post it here for everyone's benifit.
Classic Social Engineering Attacks
The art of social engineering is the method by which human weaknesses in an information security system are exploited. Although not usually effective at gaining complete access to a system, it can be the easiest way to gain initial entry, a point from where privevges can be escalated and further information can be obtained.
The main strength of this this form of attack is that it can be used to gain entry into any system, anywhere, and at any time, regardless of the operating system or secondary software running on that system, and regardless of the capability of your IT security staff.
Humans are, by far, the weakest link in any information security system. This paper will attempt to examine classic social engineering attacks form the viewpoint of an attacker attempting to extract information from a both commercial organizations and consumers alike. A skilled attacker is aware not only of the weaknesses inherent in both your harware and software, but also the weakest link in the human security of that system. He/she will attaempt to explot the weakest link in your human security systems, targeting inexperinced users, new hires, help desks, and longtime executives alike. No target is safe from this form of attack. It is unpredictable at best and a major flaw at worst. No information security regimen is complete without a thorough understanding of the risks that social engineering pose to an orgainization's information security assets.
I will list five types of information in this paper. These will be username / password, credi, name and address, procedural information, and finally, methods used to discover PIN (Personal Identification Number) codes used with bank cards. I will attempt to provide several techniques which may be used to obtain each of theses types of information. Problems and resistance will be presented to each attack method, as will possible solutions. This list is by no means complete. Because social engineering attacks rely primarily on human weaknesses in an information system, this paper will focus primarily on human attacks and shy away from attacks which are electronically based.
Username / Password Information
Several techniques could be used to gain password and username information. This information could be invaluable during the initial penetration into an orgainization's information systems. This information must be treated as highly classified. In no case shoud anyone, anywhere, for any reason, at any time give out their password. Following is a list of several classic techniques used to gain this type of information.
With this technique, the attacker would call an employee of a large corporation on the phone, impersonating a system administrator, and explain that there is a problem with their account. The attacker asks the employee to log out their workstation and log in again. The employee emphasizes the fact that there does not seem to be any problem with his/her account. After several attempts like this, the attacker begins to sound frustrated and asks the employee for their password to check the problem for themselves. Some random keys are pressed, and the attacker a few minutes later informs the employee that the problem has been solved.
The most common problem encountered in this attack is that of education. Responsible organizations train their employees in this type of attack, teaching them to never hand out passwords or usernames.
When encountering this problem, the attackers in most cases would simply admit that they are wrong, and try again with another employee.
Another solution would be to plead ignorance and nievity and beg for an exception in this one case. The attacker attempts to have the victim sympathize with the attacker by greatly exaggerating the severity of the problem and the time required to work around this company policy.
The attacker may launch a secondary attack, claiming that a person of high importance in the organization has authorized this release of information. This may be combined with the threat of disciplinary action in the case that these directions are not followed, or with the offer of some kind of reward for a job well done in aiding the administrator.
Other problems would include that encountered when the attacker makes the mistake or has the unfortunate luck of actually contacting a member of high ranking in this organization. This would render further impersonation attacks impossible
This could be solved by assuming the identity of some distant, overseas, or obscure department head who is unaware of these policies.
This could also be solved by claiming a wrong number has been called (oops... sorry... I pressed the wrong speed dial button)
Another back out strategy would be to impersonate a security auditor and compliment the individual on their “impeccable information security procedures.”
In this attack, the attacker would enter the premises of a workplace under the assumed identity of a service worker, contract worker, or consultant. This type of attack is most successful in mid-sized businesses, as larger corporation tend to have policies in place to prevent this type of attack. The attacker might wear a uniform to add to his/her authenticity. After gaining access to the building, the attacker roams freely, trying to look like he/she is doing something important so as not to look suspicious. A clipboard is a great help in this matter as it gives the appearance of evaluating something, thus justifying the intense study of the building required to gain this information. Default usernames and passwords might be obtained if they are left in plain view. Generally, accounts used by several employees are easily learned with this technique. For example, a group administrator account common to all IT staff might be left in plain sight in the IT department, or procedures for resetting a password might be posted on a bulletin board.
The most obvious opposition to this attack would be that of a failed identity verification.
This problem might easily be solved by the production of false identification, which would look similar to that which a valid guest would produce.
Additionally, the attacker could place the person challenging him/her in the position of facing a possible reprimand for denying entry onto the premises, claiming that this visit is extremely important to the organization.
The attacker could also attempt to gain empathy from the challenger, claiming that an abnormally long drive was required to arrive at this location.
Failing the above, the attacker can usually just leave under the false pretense of going back to get the proper identification, a ploy commonly used by minors attempting to but alcohol.
Another possible problem would be encountered when the information or security desk is aware of all scheduled appointments. Obviously an attack does not classify as a scheduled appointment
Not much can be done in this case except to claim that the wrong address was given to the attacker, or that he/she is supposed to be at another office building owned by the same company.
In rare instances, calling the security/information desk employee incompetent might work. Not wishing to appear foolish for not recording a scheduled appointment, the guard or receptionist might allow the attacker in to avoid embarrassment.
This attack relies heavily on the tenet that users use passwords that are easily remembered by them, and that therefore they must have some personal meaning to them. An attacker might rummage through the garbage of company employees to find out information which may be used to form a password, or he/she may search the garbage of a business to find passwords which have been written down and discarded. Default or backdoor passwords might be contained in product documentation discarded when updates are installed, however these default passwords rarely change.
Guards and local police pose the most significant threat here. However, they are in most cases easily dealt with.
Upon encountering a guard or police officer, the attacker simply claims to be rummaging for free stuff in the garbage. This is not too uncommon. Assuming the identity of a street beggar or vagrant would greatly aid in the believability of this excuse.
A sentry could be established to watch for the above threats and alert the attacker to them. The attacker could then leave the scene without being discovered.
Other problems would include individuals who would regularly visit the dumpster, such as janitors and city garbage collectors.
They can easily be dealt with using the same methods described above.
Finally, one more problem would include the garbage truck. This could easily kill the attacker during the execution of this attack.
This is easily solved be being aware of the garbage collection schedule, and attacking at a time not normally used by city garbage collection.
This attack relies on the fact that in a corporate environment, employees are generally not aggressive in the manner which which they question the intentions of other employees. It is seldom questioned when a user is within eyesight of another employee entering a username / password combination. The attacked employee does not wish to create a dispute, and therefore assumes that the attacker's intentions are benign. This type of attack may also rely in the In Person attack described above.
One potential problem, and certainly the most obvious one, would be the victim noticing the attack and challenging the attacker. This could lead to the discovery of the attacker if the attack were to be reported.
Solutions include simply claiming not to be memorizing the password, or not even looking in that direction.
The attacker may in turn challenge the victim, claiming both ignorance of the attack and insult at the accusation. This can be reinforced by explaining the company penalties for false accusation of fellow employees.
The attacker may also state that he/she always watches users enter passwords, and that this is a bad habit. The attacker then apologizes profusely for the intrusion and leaves with one more memorized password.
This is an electronically based attack. In this attack, the attacker presents the victim with a form with which he/she is to enter a username and password combination. Several techniques may be used to accomplish this. The victim may be led to a web page which appears to be that of his/her ISP, email provider, financial institution, or some other service requiring a username and password. A malformed URL is placed in the address bar to make the victim believe that he/she is actually visiting the site which this appears to be. Recent vulnerabilities discovered in Microsoft's Internet Explorer make this attack even more dangerous. Another technique would be to flood the victim with useless data, rendering them unable to send or receive additional traffic (more commonly known as a denial-of-service attack). A dialog is then presented informing the victim that their Internet connection has been dropped and requiring a username and password to log in again. Once a username and password is entered, the denial of service attack is terminated, giving the victim the impression that this was merely a temporary problem.
One minor problem which may be encountered would be finding this method ineffective. As ever more users become Internet wise, many are also becoming wise to the more common attacks floating around the web.
In this case, a more effective and believable web page would be required to convince the victim of its authenticity. The page might be copied directly from the page the attacker is attempting to mimic.
The major problem with this attack would be that of being reported and caught by authorities.
This threat can be mitigated through the use of anonymous proxy servers to hide both the true source of the attack and the eventual destination of the information. The information might even be stegonographically encoded and posted to public forums for the attacker to download, creating a much larger pool of suspects to investigate.
However, once this attack's source is discovered, you're S.O.L., buddy, so be careful not to be discovered. Make the attack quick, decisive, and specific in its search for information and stop it before it is discovered and traced.
This information is not only useful in the theft of products orderd with stoled credit card numbers. It is the gateway to an individual's credit history, which in today's world, basically defines an individual as far as banks are concerned. This information should also be treated as highly confidential, and only givem to credit companies and banks, and then only when necessary. The diffuclty lies in determinig who is a valid recipient of this information and who is not. I will attempt to explain some more common methods used to extract this information from unenlightened victims.
In this attack, the attacker calls the victim on the telephone, impersonating his or her credit card provider. The attacker explains that several items have recently been charged to the victim's credit card which are outside their normal spending habits and a flag has been set off in their computer system. When the victim explains that he/she did not make these purchases, the attacker informs this person that the card can be placed on hold as soon as some personal information is verified, asking for their credit card number and expiration date. The information gained from an attack such as this is not simply limited to credit information. In the process of pretending to validate the victim's identity, information such as the victim's mother's maiden name, their social security number, date of birth, and address can be obtained, to name a few. An attack like this could be a precursor to a full fledged identity theft.
The victim might easily recognize this as an attack and refuse to give the desired information.
This problem could be avoided in advance if the attacker was armed with personal knowledge of the victim at a level of which only a credit company would be aware. This information could be used to convince the victim that the attacker is indeed an employee of the credit company.
Another solution would be to create a false contract, claiming the victim had previously signed it, and should he/she fail to aid the credit company in their investigation or solution to this problem, any and all further charged will be the victim's responsibility under the terms of their contract. Faced with a possible charge of several thousand, or even tens of thousands of dollars, the victim may concede, believing that not giving this information is a greater risk.
In a worst case scenario, the victim may report this attack to authorities.
There is no defense against this, save for recognizing the victim as a potential threat to the attacker and not requesting this information to begin with. This could be accomplished by an initial conversation with the victim, in which the attacker “feels out” the victim's susceptibility to attack.
The only other known defense against this would be to route telephone calls through numerous switches and looped lines in an attempt to hide the source of the attack.
This is a very simple attack. The victim places his/her garbage on the side of the road for curbside collection. When the attacker, who has been watching from some distance away, sees the victim leave for work that day, he/she quickly takes the garbage to another location to look through it. If credit card bills have been discarded insecurely, this information will be easy to find. In fact, any information the victim throws out could be obtained by the attacker, including bank account numbers, name, address, and date of birth information, and even more sensitive information such as driving and criminal records and social security numbers could be obtained if the attacker gets lucky.
This attack may be discovered if it is carried out too frequently
The solution to this is to carefully select the target of this attack after previous investigation. City officials and local police forces may recognize this attack and arrest the attacker before completion. This attack should not be a general intelligence gathering exercise, but rather a specific, directed attack against a particular individual.
Other than that mentioned above, this is a relatively safe attack when planned properly, as it carries with it a low risk and a high potential return.
This attack is very similar to the website attack described above. The attacker presents the web page which looks identical to the web page of the attacker's financial institution. This could be done via an email, or if the victim's computer has been previously compromised, bookmarks could be replaced as well. What the victim believes to be the login page of his/her financial institution is actually an information spider belonging to the attacker. Once the attacker has the information he/she is looking for, the request is forwarded back to the financial institution, a process which may be invisible to the victim.
The number one problem with this type of attack is the risk of prosecution if discovered.
This attack could also be directed at a specific individual, thus greatly reducing the number of reports in the case it is discovered.
Other solutions to this problem are common to all attacks of this type, whatever the information target may be. The source of the website should be hidden through the use of multiple proxy services, and possible through the use of public Internet access such as a library or local college as well.
One other major problem with this attack is the fact that many Internet users are aware of its possibility in advance and will recognize this as an attack and not a legitimate website.
Recent vulnerabilities discovered in Microsoft's Internet Explorer make this attack much more easily done than before. The URL in the address bar can be completely altered through the use of the proper code placed as a Java applet inside a web page or email. This would greatly enhance the believability of this attack.
The only other solutions known at this time are a better constructed imitation web page which would be more believable and generate more results.
Name & Address Information
While not specifically sensitive information (it is, in most cases, listed in public telephone directories), this attack may be a precursor to another attack which is described here. The attacker may only have an unlisted telephone number, or may only know the victim from an on line persona. This information may well be required to carry out further attacks against an individual. However, most name & address attacks are fishing expeditions, designed to seek out and find vulnerable targets.
Several types of people and/or organizations might be impersonated to gain this information. For example, the attacker might call the victim pretending to be conducting an anonymous research survey over the telephone. In some cases, address information is required in order to hold surveyors accountable and prove that the information is not random or fabricated.
The victim may be annoyed with the attacker's telephone call and simply refuse to participate in the survey.
In this case, some reward, such as a timeshare in Florida or 10 dollars off a meal for two at a local restaurant, may provide the necessary incentive to convince the victim to participate in the survey.
There is very little risk involved in this attack if proper precautions are taken. Do not initiate this call from a personal telephone. If this must be done, hide the source number through the use of call privacy features available from many telephone companies. Although the call may still be traced, it will appear normal to the victim (many survey companies hide their number with this feature) and not arouse suspicion. In the case that the victim simply refuses to give out the desired information, simply hang up and try another one of the many techniques discussed in this paper.
In this attack, the attacker assumes the role of an individual conducting a survey. Classic examples include surveys conducted in shopping malls or on sidewalks where it is nearly impossible to verify the identity of the surveyor. In a single day, sensitive information could be gathered on hundreds of potential victims through the use of carefully crafted surveys such as marketing research. The attacker may even offer a free gift or some small monetary incentive to appear authentic.
This attack is very similar to the previously mentioned attack, and carries with it similar problems and potential solutions. Its main difference is that this attack is conducted in person, while the previous attack is conducted over the telephone. The most common problem is that of the victim refusing to participate.
As in the previous attack, this may be solved by an incentive such as entry into a contest, a timeshare in a tropical location, or a monetary reward for participation.
Should the victim refuse to participate, no blackout strategy is required. Simply wait for another opportunity to acquire this information elsewhere.
This attack carries more risk than the previous attack, as security guards may question the validity and/or authenticity of this survey.
One solution is simply to not remain in the same place for too long, and therefore not stay long enough to be noticed.
Another solution would be to obtain permission to conduct the survey in advance under a false pretense. This would also add believability to the attack if the victim were to question the authorization for this survey.
Should the attacker be questioned by security, a good solution would be to claim ignorance, apologize for the breach of policy, and leave. In most cases this will be believable.
Although often ignored, this type of strategic information is primarily useful as initial intelligence for a larger operation. It may be research into disaster recovery procedures to determine when a company is most vulnerable after a disaster, the attacker may be looking for a method to create a new account on company computer systems, or he/she may be seeking a method with which to change passwords of already valid users
Dumpster Diving can be an invaluable source of information in regards to company policies and procedures. When new policies are published, old ones are discarded. While the information obtained may be several months out of date, policies ans procedures to not tend to change very much from one document to the next. Calendars can be obtained showing times and locations of past and future meeting, and vacation schedules can be found, which in turn may be used to help orchestrate further attacks. I myself have recovered operations manuals such as terrorist procedures for public train lines and logical diagrams of telephone networks.
This attack method has been discussed previously, so there is no need to repeat the same problems and solutions. I will simply summarize them here. The main problems with this attack are being discovered by passerby's during the execution.
This is in most cases easily solved by playing dumb. The attacker simply claims to be looking for something else. In most cases, this problem is simply too small for local police to bother dealing with once they have moved the offender away from this location.
In this attack, the attacker assumes the identity of a new employee, unaware of company policies and procedures. He/she is taking advantage of a senior employee's willingness to help and their misplaced trust that this attacker is in fact a new employee. Computer password change policies can be obtained, organizational structure, new hire handbooks, and sometimes even false identification can be obtained using this technique.
While this attack method has been discussed before, the solutions here are quite different, since the information sought is of an entirely different nature. The potential problems remain largely the same. For example, company policies may prevent this information from being given over telephones.
This might be solved by feigning worry about your job performance as a new hire. This could generate empathy from the victim and increase their willingness to help.
In general, any problems encountered can easily be averted by claiming ignorance. In every case, when a problem is encountered, more information can be obtained, if only to learn more about the target company's information security policies.
It may be the case that all employees are given orientation seminars to familiarize them with the company, and this information is not given out personally, over the phone or otherwise.
It may be beneficial in this case to complain that you are unable to attend this orientation meeting, and that the information given there is of vital importance to you. Better result still can be obtained be feigning worry about your performance as a new employee.
This also provides an exit strategy if desired at this point. The attacker can simply agree that he/she will wait for this meeting for this information.
Third Party Authorization
In this case, the attacker assumes the identity either of a person of authority in an organization, or that of someone acting on that authority. The attacker then attempts some kind of attack, knowing full well that what he/she is proposing will violate some company policy somewhere. When informed of this mistake, the attacker asks for more information on this policy. In this attack, the attacker is not even directly requesting information, and at the same time is providing an ego boost to those correcting him/her, which acts as another incentive with which to obtain this information. This attack is most successful when the third party the attacker is impersonating or whose authority they will be acting on is on vacation and unable to verify this authorization.
The victim may know the person the attacker is attempting to impersonate and recognize this attack as an impersonation, challenging the identity of the attacker.
This can be solved by threatening disciplinary action to the victim. The attacker assumes the role of being embarrassed by this mistake without directly admitting it. This will provide the victim with the opportunity to earn “brownie points” with those in command by helping them to cover up their mistakes.
Conversely, this might also be solved by offering a reward for the timely help of the victim. The victim may easily be swayed by the opinion of those above them and easily convinced to help them.
A back-out strategy would be to end the conversation with the victim, informing them that you will be discussing the matter personally in a fer minutes and will be there shortly.
In the case where the attacker is only assuming the authority of a high ranking individual, the victim may have received conflicting instructions from another person.
Again, the threat of disciplinary action may work in this case.
Also, claiming that the attacker's requests are more urgent may convince the victim to service the wishes of the attacker before those of the other party.
If all else fails, the attacker can claim to ask another individual in the company for further authorization, and that he/she will call back shortly.
This type of attack is primarily lucrative to petty thieves, as it offers an instant return on the risk assumed by the attacker. Its limited information gathering capacity renders it unsuitable for more advanced attack methodologies.
There is no great explanation needed here. The attacker simply watches the victim enter their PIN code at an automated teller machine, public telephone, or point of sale. All that is required is some method of obtaining a card with which that PIN code is effective. This can be accomplished through three primary methods – 1) The attacker works with a partner at a point of sale who secretly scans and saves the PIN card information for later reproduction. 2) The attacker calls the financial institution of the victim and requests a new card. He/she then waits for it to arrive in the mail and steals it from the victim's mailbox. 3) The attacker knocks the victim unconscious with a large trout and takes the card by force.
The victim may realize their actions are being monitored and refuse to enter their PIN code until the attacker leaves.
Not much can be done in this case. However, there is very little risk involved unless the victim notifies authorities of this attack. Therefore, this attack should be carried out in remote locations outside of normal business hours to minimize the chance of being discovered.
Another solution to finding PIN codes would be to wipe the number pad on the ATM clean before waiting for the victim to arrive. The attacker can then determine which buttons were pressed, and now only needs to determine in which order.
In a worst case scenario, this attack may be witnessed by local police or bank security.
In this case, the attacker could easily claim innocence and remind the police and/or security the dangers a false accusation carries. It may also be helpful to assume the role of a victim and attempt to gain some level of empathy from these authorities.
This is not generally a method that can be applied to other information types. In this attack, the attacker does not assume any identity. He/she is simple a friendly stranger willing to help. It does, however, require the aid of an accomplice. The accomplice in this attack would secretly disable the point of sale equipment before the purchase is made. This of course would cause problems when the victim attempts to pay for the merchandise. After several failed attempts, the attacker offers to help the victim, however requires the PIN code of the victim. The accomplice has now had several opportunities to scan the card for later reproduction, and the attacker now knows the PIN code. This attack stands out from other forms of social engineering attacks as it does not require the assumption of a false identity. It is extremely effective in attacking the elderly, the young, or other technologically challenged individuals. I felt the need to include this attack as I have personally been privy to the PIN codes and bank cards of strangers in an attempt to help them. It surprised me greatly that anyone would willingly give out this information.
There are two possible problems in this attack. The first is that of the victim refusing to give confidential information.
This might be solved by the accomplice, who might illicit a greater level of trust from the victim, offering the same services.
Failing the above, not much can be done in this case. However, there is very little risk at this point, so a back-out strategy is not necessary yet.
The second problem is that of discovery from authorities.
To avoid this problem, victims must be chosen very carefully before they are exploited. Choosing too knowledgeable a victim may easily lead to your discovery.
This can usually be determined by a simple conversation with the victim and through the use of profiling. Elderly persons are more likely to fall victim to this attack, as are the young and inexperienced. Generally, backing out before asking the victim for this information will provide the best method of avoiding detection.
This attack is very similar to those seeking to gain credit information, however it differs in one aspect; most financial institutions keep their customers' PIN codes and their on line banking passwords separate. This attack therefore requires very careful selection of one's victims in order to be successful. It may rely on attacks previously discussed in this paper whose sole purpose was to fish for vulnerable targets who willingly and easily reveal information without the presence of proper credentials. The victim is presented with some type of web page which informs them that the bank is having a problem with their access card. The page then requires the victim to “log in” to the access card system to verify their identity and rectify the problem. This information is then relayed to the attacker.
As stated, most banks keep PIN information and on line banking passwords separate. A form coming from the bank asking for this information would appear suspicious to many people.
This might be solved by careful obfuscation of the URL, making it appear to be one of the victim's financial institution.
This would also be made more believable if it were a follow-up to an initial email, with the source address forged to be that of the victim's financial institution. This would provide a controlled environment in which to execute the attack while at the same time providing a more believable illusion of authenticity.
As with all scams of this type, there is always the risk of getting caught by authorities.
To mitigate this risk, the website should not be posted from a computer which the attacker owns. Multiple proxy servers should be used to forward traffic through numerous servers in order to better hide the true source of the information.
The ultimate destination of this information can be hidden by stegonagraphically hiding it and posting it to public forums, newsgroups, and websites. At this time there is no reliable means of detecting stegonagraphically encoded information, and this will at the same time greatly increase the number of suspects to investigate.
Other problems, and their solutions, are quite similar to those explained in previous website attacks. Only those unique to gathering PIN information have been enumerated here.
In conclusion, we can see that the methods used to attack the human weaknesses in your information security system, whether that system be your personal methods or your company's coporate methods of protecting that information, are as numerous and diverse as the technological methods used to attack your hardware and software.
Nobody is safe from this attack, regardless of whether or not the use a computer, and regardless of whether they are responsible for information security in your organization. Remember that any method used to attack an individual can be used to attack an individual at work.
What can be seen from a brief discussion of this topic is a weakness that will always exist. This weakness cannot be patched with software downloads. It cannot be solved with firewalls, encryption, VPN's, or armed guards watching your fileservers. Whether online or not, all of your information assets are at risk because of this threat.
As long as your corporate and personal knowledge exists within the realm of human memory, you are at risk.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError