I'm writing some articles for my local users' group. Let me know what you guys think.

What do you want to know today?
Social Engineering Part I – Introduction to the methods of the Blackhat
First of a four-part series
By 576869746568617

It’s 3:37PM, and the telephone rings. The receptionist answers, and as requested, the call is transferred to the Comptroller’s office. The caller doesn’t have to wait long, as the Comptroller is at her desk as usual, pounding away at the ten key.

“This is Mrs. Ashfellow, how may I help you?”

The caller quickly responds: “Hello, Mrs. Ashfellow. This is Bob Jacobson with the IT department at Corporate. We’re having some problems with some of the user accounts at several locations related to a recent virus outbreak and I was wondering if any of your users have noticed anything unusual.”

She ponders the question for a moment and then responds, “Well, now that you mention it, I’ve been having problems when I try to access Great Plains on the server.”

Salivating, the caller says, “Have we upgraded your PC to Windows XP yet? I’m looking through the tracking software but don’t see an entry.”

She quickly responds: “No, I’m still running 2000.”

His heart quickens, as he realizes this is the moment. Now for the kill. “Mrs. Ashfellow, what is your logon name and password? Perhaps it’s a problem with the account.” The caller receives her answer, and after thanking and assuring her that he’ll fix the issue, quickly goes back to work. Packets fly from the cable modem like mosquitoes searching for a blood meal.

Mrs. Ashfellow and her company have just been the victims of social engineering.

Social Engineering is “the art and science of getting people to comply to your wishes”. More specifically, it is a tactic used by hackers to exploit the weakest link in your IT security: the end-user. As IT security professionals, it is imperative that we understand this type of threat and the tactics used in order to create countermeasures to defend against it.

The hacker, depending on the hacker’s level of skill, research, and persistence, can employ many different social engineering tactics. Most successful hackers treat social engineering as a separate hack that is a cornerstone of their main focused effort. As with any attack, social engineering starts off at the basics – footprinting, or casing the establishment. This is usually the longest and most labor-intensive part of the attack. Information is gathered by means that usually do not reveal the hacker or the hacker’s intentions, such as whois queries, public records, etc.

After footprinting, the hacker then decides which course of action is most likely to yield information that may lead to a system compromise. If the attacker has some kind of contact, he/she may attempt to gain information from an interpersonal relationship. If not, the hacker usually resorts to the use of technology to trick someone into divulging information.

There are several methods for accomplishing this, and some are more effective than others. For example, there is the direct approach of simply calling the telephone number of the target and asking whoever answers for their user name and password. This is the least likely to succeed with a security-conscious user. A more popular method is for the hacker to impersonate a technical support employee, as was illustrated in the opening paragraphs of this article. Other methods include impersonating a senior management employee, such as a project manager or V.P., or a helpless user who calls IT for help. A new trend is the use of reverse social engineering. This is similar to reverse psychology, where the hacker calls and entices the target user into voluntarily divulging information by forcing the target user to be the one who asks the majority of the questions. For example, a hacker might call the IT department claiming to be a sales rep for Checkpoint Software or a support operator for Microsoft. This works well if the system is first DoSed or infected with a Trojan or virus that causes problems on the network.

Another form of reverse social engineering is what I call the Website Roshambo. This is where the hacker emails a potential target with an enticing offer that links to a website that the hacker has set up. These sites usually offer a gimmick of some kind and require users to create a “free” account. This is very successful, as most users like to keep it simple, and will use the same user name and password on the site as they do to log in to the network. The hackers know this and use it to kick your systems in the crotch!

That’s it for Part I. In Part II, I’ll go over some countermeasures and how to test them.

EDIT: Here's a good thread by striek that goes into a little more detail about types of social engineering attacks. It's a really good read.