Years ago during a military training mission, we had two guys guarding an entry point. Around 4am a man walked toward the post. “Halt! Who goes there?” one of the guards asked. The stranger said, “Dude… it’s me!” The two guards were, like, “sure… come on in.” The perpetrator quickly left instructions with the guards that they were now considered “deceased” and were no longer permitted to participate in the exercise. They got the rest of the night off and we all learned a valuable lesson, i.e., sometimes the bad guys don’t look or act like bad guys!
Social engineering attempts are increasing. By some estimates, over 90% of email attacks are social engineering attacks. Only around 10% are malware attacks. With the improvements to anti-virus software, the attackers have found the perfect weak point – the employee!
So what is social engineering? Social engineering is the art of tricking people into giving up information. No amount of software or hardware will protect your network or data if your employees give an attacker information or access to your equipment or data. Sometimes it’s intentional. There are disgruntled employees out there. Most of the time employees are duped into releasing information or access to a skilled social engineer.
In this series we’ll look at some of the ways social engineers do what they do and, more importantly, how you can avoid falling victim to their evil ways. So… how do these masters of social engineering do it?
Tools of the Trade
Humans are curious and generally want to be helpful. And these are the two factors that social engineers exploit. In many situations you don’t even see the attacker. Many attacks come in the form of an email.
Phishing – An email containing links to fake websites that tries to get the user to click on the link and log in to their account.
That seems innocent enough, but the link actually goes to the attacker’s website where he will, at that point, have your username and password. They’ll pretend to be banks, credit card companies, social media accounts, etc. The hook is they will tell you that there is some sort of problem and you need to log in to check it out or fix it.
You may have heard in 2016 the DNC was hacked. It all started when a high-ranking DNC staffer responded to a phishing email by typing in his username and password into what he thought was his email account. Instantly the attackers had access to all his emails! And they also had access to his account which allowed them to set all sorts of configurations without his knowledge.
The best way to keep from falling prey to this attack is to simply go directly to your account’s website and don’t use the link provided in the email. Another way to check the legitimacy of the email is to hover your mouse over the link. If it’s an email for your account at yourcitybank.com, then you’ll see a yourcitybank.com address displayed on the bottom left of your screen when you hover over the link. If it’s a different address, it’s probably a phishing attempt.
Even if the address matches, that still doesn’t necessarily mean it’s legit. Generally speaking, no company is going to send you an email requesting you to log in using the links provided. If you have a legitimate concern about your account, simply call the company or go to their website directly and log in without using the links from the email.
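As an added example (not code from the original post), here is a small Python check that does what the hover-over advice describes: it pulls every link out of an email body and flags any whose real destination is not under the domain you expect. yourcitybank.com is the post's hypothetical bank; the sample email body and the lookalike hosts in it are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical bank domain from the post: the domain the reader expects links to go to.
EXPECTED_DOMAIN = "yourcitybank.com"

# Constructed sample email body: one genuine link followed by two phishing-style links.
SAMPLE_EMAIL = """
<a href="https://www.yourcitybank.com/help">Help center</a>
<a href="http://yourcitybank.com.account-verify.example/login">Log in to fix it</a>
<a href="https://yourcitybank.com@203.0.113.5/login">https://yourcitybank.com</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering reveals vs. what is displayed."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_host(url):
    """Hostname the link really points at (None for non-http(s) or unparsable links)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops a user@ prefix, so "yourcitybank.com@203.0.113.5" yields the IP.
    return (parts.hostname or "").lower() or None

def belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it; lookalike suffixes fail."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return (visible text, href, real host) for every link not under expected_domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = link_host(href)
        if host is None or not belongs_to(host, expected_domain):
            flagged.append((text, href, host))
    return flagged
```

Note that the third link displays the bank's own name as its text while actually pointing at an IP address, which is exactly the mismatch the hover check is meant to catch.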
Baiting – Leaving a USB drive in a public location with the expectation that a person will pick it up and stick it into their computer just to see what’s on it. You’ve heard the phrase “curiosity killed the cat.” That applies here.
Recently, the Pentagon suffered a huge security breach when agents from a hostile country drove through the parking lot tossing out infected USB drives knowing people going to work would pick them up and try to see what was on them.
When they inserted the USB drives into their computers, key loggers were installed that recorded every keystroke the user made and sent that information to the hacker. Key loggers have a way of hiding from detection, so users will most likely not even know they’re infected.
But this type of attack can also install ransomware that encrypts your data so that you can’t access it and holds it for ransom… hence the name “ransomware.” It could also install trojans that steal your information like social security and bank account numbers and open back doors into your system for hackers. And once they’re in your system they have access to every system on your network.
How do you avoid this? If you find a USB drive on the ground, open it using someone else’s computer! NOOOO! Just kidding. If you find a USB drive on the ground, then pick it up and hand it over to lost and found, if you have one, or keep it and see if someone lost theirs. Resist the temptation to pop it in.
In my next installment I’ll discuss some of the ways social engineers interact face-to-face with the user to gain access to equipment and data.