As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common, humans are not perfect and make decisions which can be irrational.
Famous Social Engineers
[Victor Lustig] was one of history’s famous social engineers specializing in scams, and was a self-confessed con man. He is most famous for having sold the Eiffel Tower. After the First World War, money was tight, and France was struggling to pay for the upkeep of the Eiffel Tower, which was falling into disrepair. After reading about the tower’s troubles, [Lustig] came up with his scheme: he would trick people into believing that the tower was to be sold off as scrap and that he was the facilitator for any deal. Using forged government stationery, he managed to pull this trick off: twice!
He later went on to scam [Al Capone] out of $5,000 by convincing him to invest $50,000 into a stock market deal. He claimed the deal fell through, although in reality there was no deal. After a few months, he gave Capone his money back, and was rewarded with $5,000 for his “integrity”.
[Charles Ponzi] was so notorious that the scheme he used, which is alive and well today, was named after him. A Ponzi scheme is a pyramid investment scam that uses new members’ money to pay older investors. As long as new recruits keep coming in, the people at the top of the pyramid get paid. When the pool of new suckers dries up, it’s over.
The biggest Ponzi scheme ever was run by then-respected high flyer and stock market speculator [Bernard Madoff]. The scheme, valued at around $65 billion, was and still is the biggest in history. Madoff was so prolific that he had banks, governments and pension funds invested in his scheme.
[Kevin Mitnick] is probably the most famous computer hacker still alive today; however, he was more of a social engineer than you would think. Kevin started young: at thirteen, he convinced a bus driver to tell him where to buy a ticket puncher for a school project, when in fact it would be used with dumpster-dived tickets found in the bins of the bus company’s depot.
At sixteen, he hacked Digital Equipment Corporation’s computer systems, copying proprietary software and then going on to hack Pacific Bell’s voice mail computers along with dozens of other systems. He was on the run for a few years and was eventually imprisoned for his crimes. Out of jail, he has turned into a security consultant and does well for himself by staying on the correct side of the law.
[John Draper], AKA Captain Crunch, was a pioneer in the phone phreaking world. He gained his moniker because of free whistles given away in packages of Cap’n Crunch cereal. He realized that these whistles played 2,600 Hz which just happened to be the exact tone that AT&T long distance lines used to indicate that a trunk line was ready and available to route a new call. This inspired [John Draper] to experiment with and successfully build blue boxes. Those days are gone now, as the phone system switched from analog to digital.
Types Of Social Engineering Scams and How To Avoid Them
There are many different types of social engineering attacks — imagine counting up the number of ways that exist to trick people. Still, it’s worth understanding the most popular scams, because you do need to protect yourself.
Pretexting
This type of scam involves telling someone a lie in order to gain access to privileged areas or information. Pretexting is often done in the form of phone scams where a caller will claim to work for some big company and needs to confirm their target’s identity. They then go on to gather information like social security numbers, mother’s maiden name, account details and dates of birth. Because the call or the situation is normally initiated by the social engineer, a good way to protect yourself from this scam is to hang up and call back, confirming who they say they are using contact details you found about the company yourself, not ones the caller gave you.
Baiting
Dropping malware-filled USB drives around parking lots, or giant wooden horses near your enemy’s walls, is classic baiting. This is a simple attack with a simple mitigation: remember that if something free and interesting just lying around looks too good to be true, then it probably is.
Phishing
Phishing is the practice of sending out e-mails, posing as a well-known web service or company, and aiming to get the recipient to open a compromised document, visit a poisoned website, or otherwise break their own security. A few weeks ago, Hackaday’s own [Pedro Umbelino] wrote about how easy it is to exploit even the most security-conscious among us (it had me) with an IDN homograph attack.
Most phishing is done at a less sophisticated level — normally a clone of a website is made and emails are sent out telling victims to change their password. High value targets may get a fully customized phishing experience, known as “spear phishing”, where the scammer puts more effort into the site clone or email text by including personal information to make it look more authentic. Phishing is normally easy to spot — check the address of any link before clicking on it. And if you’re asked to change a password through an e-mail, close the e-mail and log into the web site through normal means, bypassing the bad links entirely.
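To make the “check the address of any link” advice concrete, here is a small checker added for this article (not Hackaday’s or the author’s code) that pulls every anchor out of a constructed phishing-style e-mail body and flags two tells: visible link text that shows one domain while the href goes to another, and hosts that IDNA-encode to punycode, the mechanism behind the IDN homograph attack mentioned above. The domains in the sample are placeholders, and treating the last two labels of a host as its registrable domain is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains, not real indicators): a "reset your
# password" phish. Link 2's host contains U+0430, Cyrillic small a, in place of
# the Latin 'a', which is the kind of IDN homograph the article refers to.
SAMPLE_EMAIL = """
<p>Your password expires today. Reset it now:</p>
<a href="http://accounts.example.com.login-reset.example.net/reset">https://accounts.example.com/reset</a>
<a href="https://ex\u0430mple.com/verify">Verify your account</a>
<a href="https://accounts.example.com/reset">https://accounts.example.com/reset</a>
"""


class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the document.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    # Hostname of a URL ('' if none); bare "www.x" display text gets a scheme first.
    url = url.strip()
    if re.match(r"^www\.", url, re.I):
        url = "http://" + url
    return urlparse(url).hostname or ""


def registrable(host):
    # Assumption: the last two labels stand in for the registrable domain (no
    # public-suffix list); enough to catch "x.example.com.evil.example.net".
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def idn_reason(host):
    # A label that IDNA-encodes to punycode (xn--) means a non-ASCII host name.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "hostname cannot be IDNA-encoded"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "IDN/punycode host: %s" % ascii_host
    return None


def check_links(html):
    # Returns [(href, visible_text, reasons)]; an empty reasons list means no tell.
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if not href_host:
            reasons.append("href has no hostname")
        else:
            reason = idn_reason(href_host)
            if reason:
                reasons.append(reason)
            if re.match(r"^(https?://|www\.)", text, re.I):  # text shown as a URL
                text_host = host_of(text)
                if text_host and registrable(text_host) != registrable(href_host):
                    reasons.append("text shows %s but link goes to %s"
                                   % (text_host, href_host))
        findings.append((href, text, reasons))
    return findings
```

Running check_links(SAMPLE_EMAIL) flags the first two links and passes the third; it is a heuristic, so a clean result still means log in the normal way rather than through the e-mail.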
Ransomware
A lot of ransomware is delivered by phishing, but since there have been an increasing number of widespread cases, it gets its own topic. However the user is fooled into running the malware on their computer, it encrypts valuable data or locks the user out of their system and demands payment to restore things back to normal. Whether this happens or not, upon payment, is anyone’s guess.
There have been a number of very high profile ransomware attacks lately, including ransomware crippling the UK’s NHS and then spreading globally. Will this ever end? The easiest mitigation strategy against ransomware, in addition to not clicking on suspicious links or applications and keeping your system up to date in the first place, is to keep frequent backups of your system so that if you do get ransomed, you won’t have to pay. Keeping backups has other benefits as well, of course.
Quid Pro Quo
The quid pro quo scam is really all “quid” and no “quo”. A service provider calls offering to fix a bug or remove malware (that doesn’t exist) for a fee. A quick search on YouTube will turn up thousands of videos of scammers trying their luck with wise-cracking teenagers. As with many cons, this scam can be avoided by simply not responding to out-of-the-blue offers. On the other hand, this scam seems successful enough that it’s still being run. Knowing about it is the best defense.
Tailgating
One way to get into a restricted area that’s protected by a closed door is to wait for an employee or someone with access and follow them in. These attacks are normally aimed at businesses or apartment buildings, and the solution is to simply not let anyone get in with you.
Dumpster Diving
To impersonate a legitimate contractor, it helps to know the names of the firms involved and even points of contact inside the firm. All of this data and more can be found on receipts in the dumpster behind the firm. Invest in a shredder, and don’t leave anything to chance.
Social Media
People share an amazing amount of personal information on social media, so it’s no surprise that it’s a new tool for social engineers. Looking through someone’s account is like looking at a snapshot of someone’s life. Why would you announce that your home is going to be empty for the next two weeks to literally the whole world? Your home is just asking to be burgled. Or think of the ammunition that you’re giving to a would-be spear phisher. Think about the trade-offs of sharing personal information about yourself publicly.
Notable Social Engineering Case Studies
Now, let’s see a couple examples of these social engineering tricks in the wild.
News International Phone Hacking Scandal
Here in the UK, there was a huge public storm when News International, owned by media mogul [Rupert Murdoch], was found to be using social engineering to “hack” into the voicemail services of prominent celebrities, politicians, royals, and journalists. The phone hacking list is extremely long. They often hacked into the voicemail by spoofing the caller ID that granted access to the phone’s voicemail inbox. Some voicemails were password protected with four-digit codes that were easily guessed. On other occasions, they simply called the phone provider’s service hotline and said they forgot their pass code — plain-vanilla pretexting.
Celebgate iCloud Nude Pictures “Hack”
[Ryan Collins] used phishing techniques to gain access to the iCloud accounts of Jennifer Lawrence, Kate Upton, and Kim Kardashian. He created fake notifications from Google and Apple and sent them on to his targets’ email addresses. At the time, there was speculation that Apple’s iCloud had been hacked into on a massive scale. Instead, Collins admitted in an interview that he used phishing techniques to gain access to his victims’ personal data.
Where Do We Go From Here?
If breaking the computer system is too difficult, you can be sure that criminals will try to break the human system. Whether you call this “social engineering”, “cons”, or “scams”, they’re likely to be on the rise. The best way to protect yourself is to teach anyone with access to your data or details about how the attacks work, and how to avoid them.
There are plenty of resources online that would be useful for helping protect yourself from these attack vectors. Protect yourself from eight social engineering attacks is quite a good starting point, and the US Department of Homeland Security also provides great information on preventing social engineering hacks that you can point people to.
In the end, most of it boils down to recognizing the patterns and being skeptical when you see them. Verify information through other channels, don’t blindly click links, and be wary of what personal details you give out to solicitors.
I didn’t think that the News International phone hacking was as technical as that – more that they called the voicemail number from a landline, put in the phone number of the phone they wanted to hack, and then put in the default 1234 password, and they were in?
You are right, that was one of the ways they got in, but they also used spoofed caller IDs as they got more brazen.
A kid I knew in high school (way back in ’06) used a 4GB usb drive (a rather expensive thing for a teenager back then) to install a keylogger on a teacher’s computer. autorun.inf exploits were just starting to be fixed in xp, so he put an executable on the drive and changed its icon to look like a folder entitled pics, irresistible bait for a high school teacher. (maybe it has a pic of the student, maybe it has porn!) Teacher double-clicked the folder and the executable installed the keylogger, deleted itself, created an empty folder named pics on the usb drive, then opened the folder in explorer so everything looked normal. Keylogger sent keystrokes to a burner email account, got the teacher’s passwords, logged in from the library and changed his grades. He was caught and expelled of course. Bragging gets you caught. Don’t brag.
The fact that you included irrelevant details, boasting him owning an expensive 4GB flash drive,
and the fact that the culprit was caught because of bragging.
it was you wasn’t it…..
it was YOUR 4GB FLASHDRIVE,
why else would you include that information…
bragger
No actually, I included the details for the benefit of the young kids used to 32 gig drives in the discount bin at Walmart. Nowadays people give away larger drives like pens (or in then) at trade shows. I actually got decent grades, my USB drives were used for tor so I could bypass the school’s filters for hackaday and other educational sites. I will brag about the little program I used to crash their screen monitoring. Simple thing to change the screen resolution. If the res was higher than the teacher’s, they’d get a bsod. But that’s not social engineering. I was too shy to attempt anything like that. I have absolutely no poker face to this day.
4 GB is already huge. Not to make this a pissing contest, but the early drives were barely more spacious than a floppy disk. A 128 or 256 MB drive was carazay big back then, and massively expensive.
Bernie Madoff didn’t run the world’s largest Ponzi scheme; that honor goes to the US Government under the guise of Social Security.
You are right here for sure, I actually believe in forms of social security but the way it is currently setup the house of cards has to fall one day.
It’s already starting to fall in Japan……
Came here to say that
CCF, WCF, Save the Children, Red Cross, etc, etc…
They need more regulation of these charities as many simple sit on the money for such a long time.
WTH? Many Multi Level Marketing firms are allowed to do business within the USA, so clearly they aren’t illegal in the USA. I never read enough details about Madoff’s business to be able to conclude whether it was a Ponzi scheme or not. Madoff was sent to prison for committing fraud, not because he characterized his business as a huge Ponzi scheme. I figured Madoff used the comparison to associate his operation with the MLMs allowed to exist. A casual glance at Social Security would have many believe it’s a Ponzi, if that was suggested to them first. Social Security isn’t a Ponzi; if it were, it would have collapsed long ago. The biggest threat to Social Security is the financial sector that contains individuals who want unregulated access to labor’s retirement savings to gamble with.
Social Security is a Ponzi in a sense that new, fresh, contributors pay for the old ones (getting sick and so on).
The ones at the top (older people) get “paid” with funds from the new contributions (younger people).
It will collapse because, like in a pyramid, as you go down from the top there are more and more people needing “payment”.
Not sustainable in the current format.
If your complaint with Social Security is that it is workers pay in and the retired cash out, I’m not sure exactly how else you’d like to run a retirement plan.
There is, at present, a mismatch in funding streams as the big opossum of the baby boomers works its way through the demographic python, but social security was taking in more than it was spending while the boomers were in the workforce.
https://en.wikipedia.org/wiki/Social_Security_(United_States)#Demographic_and_revenue_projections
It _is_ true that we’re going to have to float the boomers in their retirement, but they’ve already paid in.
It’s absolutely not a Ponzi scheme, though. The very high income get out a little less than they put in, and the moderate and low income get out more. The point is that you don’t want people to starve to death from poverty, no matter how much they earned while they were working.
These conspiracy theories are a waste of your time, and worse, they poison your mind with false problems in an era when there are enough real ones.
It is not a conspiracy but someones opinion.
The better good so “no one dies of starvation” is highly commendable and everyone will support it.
But we are referring to the collapse of a scheme where one group supports the other (much like a Ponzi scheme: to pay some, others have to pay, and so on).
For a Social Security system to be sustainable it has to receive funds from “somewhere else” so, regardless of workers contributions there will be funds for those in need.
People are living longer and paid jobs are diminishing so the pool of those “needing” is growing and the pool of those contributing grows far too slowly.
There is nothing wrong with “extra contributions” via taxes/levies/etc as the common good is far more important that the integrity of a Social Security system designed for different economic conditions.
The system will collapse unless changes are implemented.
But no one likes to pay more tax, so …
I don’t really know how this works for the US, but in France the system should work as it is if every part of society was paying what is asked by the state. For example, if you could prevent companies from performing tax evasion, the total amount would probably bring the state to financial equilibrium (or at least very close to it). And there are other significant means, like forcing every company to give women the same pay as their male counterparts.
You can’t complain about the financial issues of social programs and at the same time close your eyes on the cheaters.
I don’t have a complaint about social security. In fact I am an avid fan of it; I just think the way it works is wrong. For instance, why not keep the cash paid in to pay the older generations as they retire, so they receive their cash back? Instead of the current model of “we spent all the cash, let’s hope we have enough children to cover future pensions.”
The current model is the government using SS as its personal piggy bank.
Exactly! Preach it, brother!
And sometimes it is incredibly useful for counter-surveillance if you are targeted by a persistent adversary.
Sociopaths are by textbook definition unable to learn from their mistakes, and will systematically repeat manipulative behavior even when unnecessary. The charming demeanor vanishes very quickly if you succeed in exposing the lies to victims, as these people are often dangerously violent (not necessarily like Capone, but more like Dr Harold Shipman).
Police officers know this fact… so see these self-assessed geniuses at work, and have several tales of the bizarre extremes these people will go to convince their victims (often the first people in line for law enforcement training). Likewise, when a state sponsored group with a pass on ethical conduct is out of control, they ultimately undermine their own position by compromising themselves.
Game theory will ensure any actions taken will be re-contextualized by the state to serve the state.
Fact: NSA gets pass on ethics to break private systems of former allies, citizens, and businesses
Fact: Identical exploit published by credible source during leak to warn citizens
Fact: Microsoft ignores the issue for 3 months
Fact: 300k workstations get infected by a malware worm based on identical exploit
Fact: linked object formally known to originate from North Korea is discovered by media
Result: Without any proof, a foreigner is now responsible for domestic spying sins
After awhile, you will learn not to care if you value your life, your friends, and your family.
These people are crazy, and will never leave you alone if they think you owe them something.
I don’t have any social life, I’m safe you guys!
On the rise LOL, You mean people have started figuring out what it is.
Actually, being paranoid in today’s world is a good thing. Recently, a site I was working with wanted to video chat me to “make sure I was who I said I was.” Now, let’s see how stupid this is: they’ve already got all they need as far as name, address, tax ID info, yet they were worried about “scammers etc. stealing from their clients” so they wanted to video verify me to make sure I looked like my picture. Well, as you know, we all age, and we tend to change how we look as we grow older. Well, long story short, the site wouldn’t unlock my work account until I complied. Well, I didn’t and closed my account. They lost any future income they might have made from me. With all the data breaches and information leaks etc., the site assured me their database was secure. Their database is secure yet they’re worried about scammers and hackers? I basically told them, my info is safe….with me. When I get calls from numbers I don’t recognize, I don’t answer. Emails I don’t recognize, bit bucket. Bottom line, I don’t trust anyone.
An office needs your Social Security number? Older cards used to say “Not to be used as a form of identification.”
Facebook wanted a copy of my ID card to prove who I was. Bye bye Facebook. What all these sites fail to realize is, without members, they wouldn’t amount to much now, would they? “Hello sir, we’re conducting a survey….” Sorry, no information at all is given via this phone number. But sir, it’s just a survey…..lather, rinse, repeat.
The first thought that comes to mind when someone wants information from me is, what do they get out of it?
What advantage does it give them? If a store wants “my zipcode” I tell them to use the store’s.
A lot of people will just gladly hand over anything they’re asked for without thinking of the consequences.
Paranoid? Quite possibly. Crazy? Yep. Stupid? Definitely not.
I have a very small list of organizations I trust with my personal information, but unfortunately I can’t do any real business without giving some of it up.
Much of what is mentioned in the article are simply fraudulent practices, so “social engineering” has become a buzz phrase, and I’m required to determine the context of its use? F’ I hate that sort of crap. No wonder effective communication has become so difficult. HEAVY SIGH…
I’m with you on the terminology. “Social engineering” is what we used to call con jobs or scams. Unfortunately, you and I are not in charge of the language. :)
Some of those fake “Ransomware” websites are a joke in itself…. It works, I’d guess, because they still run.
My brother clicked on a link in a search result and a popup window filled the screen with audio:
“Your Windows Computer Has Been Compromised, All Your Files Have Been Encrypted Follow The Onscreen Instructions And Pay By Bitcoin To Unlock Your Data”
The funny thing about this “Windows Computer” of my brothers… Was… It ran GNU/LINUX!!!
The dumb website caused Firefox to have to be forced closed (kill PID_NUM_OF_FIREFOX) and the browser started offline to clear the crash-recovery state it usually starts with after forced closing.
Had to help a colleague several times since with the same thing (Though he uses windows and no data got encrypted)
I had that same thing happen on my PowerBook G4. I screencapped it because it was so funny to me. It really isn’t that difficult to detect the OS that the browser is running on, so it makes me laugh whenever they do OS specific things like this.
I re-watched Hackers recently and it’s astounding how little has really changed in the way this stuff goes down – if you replaced “public call box” with “public wifi” in the script and re-ran it, it wouldn’t be far from the mark.
Also Mitnick’s bio is well worth a read.
Mitnick is a really interesting guy for sure, and you are totally right that old scams are the new scams; that’s why I went with the subheading “History Repeats Itself”. There are very few new scams, just repackaged ones.
If you would like a demo of social engineering there is a good writeup here