In the past, social engineering schemes traditionally involved a hacker posing as someone from the support department and either trying to assist the user with a problem or getting the user to help run a test. But hackers like to break with tradition, and current social engineering methods are all about defying expectations.
To help you understand the new face of social engineering, here are some of the new ways that hackers are manipulating social engineering to get what they want—access to your data. By reading through these new social engineering schemes, you can better educate yourself and your staff about the techniques being used, which in turn will help everyone in your company avoid falling prey to these security breaches.
Social engineering refers to an act in which a hacker tricks a user into disclosing a password or other sensitive information, rather than relying purely on traditional hacking techniques.
Relationship social engineering
I had the chance to watch firsthand a social engineering stunt using common conversation to obtain password information. This particular job wasn’t an illegal hack, but rather a situation in which a client paid a security company, Relevant Technologies, to see if its employees would fall victim to a social engineering scheme. The company felt it better to identify security holes under controlled conditions than to be exploited by someone who really did have malicious intentions. Unfortunately, the social engineering scheme went off without a hitch, and the company’s owner realized that he needed to place a greater emphasis on employee training.
For this particular scheme, a woman was hired by the security company to call sales representatives at the client's company and pretend to be interested in buying its product. Part of the conversation went something like this:
Social engineer: “My kids will love this product. I have a two-year-old named Fred and an eight-year-old named Beth. Do you have any kids?”
User: “Yes, I have a four-year-old son named Shawn.”
This is seemingly innocent chitchat, but in organizations that don’t enforce a strict password policy, employees often use their kids’ names as passwords. In this particular case, the employee had one son named Shawn, which was the employee’s password. Of course, that was a lucky guess, but the security company’s social engineer was able to worm other personal information out of the employee as well.
For this particular test, the woman never asked for a password—or anything else related to the computer system. What she did do was build a relationship with the victim. Even if nothing on the password list had matched, she had developed enough trust that, on a future call, she may have been able to get more damaging information out of him.
People have more passwords to remember than they used to. As a result, it's common for people to use the same password for access to multiple locations, including using the same password for system access at work and at home.
In some cases, hacker groups set up Web sites advertising a bogus sweepstakes. They then require anyone registering for the sweepstakes to supply a username and password for future access to the site. Soon a database of thousands of usernames and passwords is compiled. A "robot" then systematically attempts to log on to many popular Web sites using the supplied usernames and passwords. The hacker group can then use details from these sites to gain more information. For example, if a hacker is able to get into a person's Hotmail account, he or she might be able to figure out where the person works and then be able to try to break into that company's computers using the person's logon name and password.
New twist to an old scheme
I'm starting to see more subtle uses of social engineering that rely on traditional hacking techniques and the popularity of the Web. In a recent case, a bank fell victim to one such social engineering scheme. The hacker registered an Internet domain name that was very similar to the bank’s domain name. Next, the hacker created an official-looking form and telephoned bank employees to tell them there was going to be a change to their benefits package and that they needed to go to this particular Web site and fill out the new benefits form. The hacker then told them that the Web site required authentication and to simply enter their normal logon name and password.
Of course, the Web site was not actually performing authentication. Instead, the supposed authentication mechanism was nothing more than a Web form that collected usernames and passwords and entered them into a database. All the hacker then had to do was examine the database's contents to retrieve usernames, passwords, and other personal information.
Windows XP remote assistance scheme
Yet another new social engineering stunt involves exploiting Windows XP’s remote assistance. It involves someone claiming to be from the IT department asking an employee if he or she can connect to the computer via remote assistance to load a security patch. After the connection is made, a spyware module is loaded onto the machine. The spyware module then collects username and password information and e-mails them to the hacker. The beauty of this technique is that the hacker never has to ask for a password. Instead, the user actually lets the hacker work on his or her machine by remote control. Since the user never actually sees the hacker’s face, the hacker’s identity is protected, especially if specific path routing is used.
Path routing technique
Specific path routing is a technique by which a hacker can direct the path of a TCP/IP connection from the hacker to a victim. This technique is often used to obscure the hacker’s true IP address or geographic location.
Social engineering exploits that have traditionally been conducted by phone are now starting to show up in instant messaging and in IRC-based chats. According to Internet security Web site CERT, this exploit commonly involves tricking the user into downloading either a spyware module or a module that can be used by the hacker in a distributed denial of service attack.
One particular message that's sometimes used to trick people into downloading these malicious programs is, "You are infected with a virus that lets hackers get into your machine and read your files, etc. I suggest downloading [malicious filename] and cleaning your machine. Otherwise, you will be banned from the IRC network.”
To prevent situations like this, I recommend installing ViRobot from Hauri onto everyone's machines. If ViRobot is running, users can rest assured that they don't have a virus. Also, ViRobot is designed to spot various hacker tools that could have been installed through this or similar exploits.
What you can do
Many companies are becoming aware of the risks of new social engineering techniques and have begun to develop policies designed to combat social engineering schemes. One of the most widely publicized examples of such a policy is the way AOL tells its customers that no customer support representative will ever ask them for their password.
Unfortunately, there are countless other social engineering techniques available to the hacker. The only real defense against them is to use strong passwords and to educate your users about the different types of schemes, warning them especially about the hidden dangers of innocent conversation.