Explore several non-traditional methods crackers are using to socially engineer security vulnerabilities
In the past, social engineering schemes have traditionally revolved around a hacker posing as someone from the support department and either trying to assist the user with a problem or getting the user to help the hacker run a test.
But hackers like to break with tradition, and current social engineering methods are all about defying expectations. To help you understand the new face of social engineering, here are some of the new ways hackers are using social engineering to get what they want: access to your data. By reading through these schemes, you can better educate yourself and your staff about the techniques being used, which in turn will help everyone in your company avoid falling prey to them.
In case you are unfamiliar with the term, social engineering refers to an act in which a hacker tricks a user into disclosing a password or other sensitive information, rather than relying purely on traditional hacking techniques.
Relationship social engineering
I had the chance to watch first-hand a social engineering stunt that used ordinary conversation to obtain password information. This particular job wasn’t an illegal hack, but rather a situation in which a client paid a security company, Relevant Technologies, to see whether its employees would fall victim to a social engineering scheme. The company felt it better to find out about its security holes under controlled conditions than to be exploited by someone who really did have malicious intentions. Unfortunately, the social engineering scheme went off without a hitch, and the company’s owner realized that he needed to place a greater emphasis on employee training.
For this particular scheme, the security company hired a woman with a sexy voice to call sales representatives at the company and pretend to be interested in buying the company’s product. Part of the conversation went something like this:
Social Engineer: “My kids will love this product. I have a two-year-old named Fred and an eight-year-old named Beth. Do you have any kids?”
User: “Yes, I have a four-year-old son named Shawn.”
This is seemingly innocent chitchat, but in organizations that don’t enforce strict password policies, employees often use their kids’ names as passwords. In this particular case, the employee had one son named Shawn. As it turns out, Shawn was the employee’s password. Of course, that was a lucky guess, but the security company’s social engineer was able to worm other personal information out of the employee as well.
For this particular job, the woman never asked for a password—or anything else related to the computer system. What she did do was to build a relationship with the victim. Even if nothing on the password list had matched, she had built the guy’s trust enough that on a future call she would be able to get something more useful out of him.
People have a lot more passwords to remember than they used to. With so many passwords to keep track of, it isn't uncommon for people to reuse the same password in more than one place so that they have fewer to remember. For example, a person might use the same password at work that he uses to log on to the Internet at home.
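The two weaknesses described above (passwords built from family names that can be fished out in conversation, and the same short password reused everywhere) are exactly what a password policy check should catch at the moment a password is set. The following is an added example, not code from the article or from Relevant Technologies: a small screening function that rejects a candidate password if it is too short, uses too few character classes, or contains a word from a list of personal-context terms even after common digit-for-letter substitutions. The context list, the substitution table and the sample passwords are constructed for illustration.

```python
import re

# Constructed sample data (not from the article): words an employee might let
# slip in friendly conversation, and the company name, to be screened against.
PERSONAL_CONTEXT = ["Shawn", "Beth", "Fred", "Acme"]

# Keyboard substitutions people use to disguise a dictionary word or a name.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case the password, undo common leet substitutions, and keep
    only letters, so 'Sh4wn2004!' and 'shawn' compare as the same word."""
    lowered = candidate.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", lowered)


def check_password(candidate: str, context_words, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    core = normalize(candidate)
    for word in context_words:
        w = word.lower()
        # Only flag words of three or more letters to avoid accidental matches.
        if len(w) >= 3 and w in core:
            problems.append(f"contains personal-context word {word!r}")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ["Shawn", "Sh4wn2004!", "correct-horse-battery-staple-42"]:
        print(pw, "->", check_password(pw, PERSONAL_CONTEXT) or "OK")
```

In practice the context list would be populated per user from the HR record (family names, pet names, street, employer) rather than typed in by hand, and the same check belongs in the help desk's reset procedure, since that is where a social engineer's "guess" is most often confirmed.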
There are cases in which hacker groups have set up Web sites advertising a bogus sweepstakes. They then require anyone registering for the sweepstakes to supply a username and password for future access to the site. Soon a database of thousands of usernames and passwords is compiled. A "robot" then systematically attempts to log on to many popular Web sites using the supplied usernames and passwords. The hacker group can then mine any accounts it gets into for further information. For example, if a hacker is able to get into a person's Hotmail account, he might be able to figure out where the person works and then try to break into that company's computers using the logon name and password he already has.
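The "robot" described above leaves a distinctive trace on the receiving end: one source address trying a large number of different usernames in a short time, with only an occasional success. The following is an added example, not code from the article: a detector that parses constructed authentication log lines, groups them by source address, and flags any source that attempts at least five distinct usernames within a ten-minute window, reporting which of those logons succeeded so the accounts can be reset. The log format, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one address walks through six
# different accounts in ten seconds; another is a user retrying his own login.
SAMPLE_LOG = """\
2002-05-14T10:00:01 src=203.0.113.7 user=alice result=FAIL
2002-05-14T10:00:03 src=203.0.113.7 user=bob result=FAIL
2002-05-14T10:00:04 src=203.0.113.7 user=carol result=OK
2002-05-14T10:00:06 src=203.0.113.7 user=dave result=FAIL
2002-05-14T10:00:07 src=203.0.113.7 user=erin result=FAIL
2002-05-14T10:00:09 src=203.0.113.7 user=frank result=FAIL
2002-05-14T10:05:00 src=198.51.100.2 user=alice result=FAIL
2002-05-14T10:05:30 src=198.51.100.2 user=alice result=OK
2002-05-14T11:30:00 src=203.0.113.7 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_distinct_users=5):
    """Return {source: details} for sources that try many distinct usernames
    inside one time window, the signature of a credential-stuffing robot."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = None
        # Slide a window starting at each event; keep the busiest window.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users and (
                    best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "window_start": start.isoformat(),
                    # Accounts the robot actually got into: these need a reset.
                    "successful_logins": sorted(
                        u for _, u, r in in_window if r == "OK"),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, details in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, details)
```

The threshold of five distinct users is deliberately low for the toy log; on a real site it would be tuned against the normal number of accounts seen behind shared proxies and NAT gateways, and the successful logons would feed a forced password reset rather than just a report.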
New twist to an old scheme
I am also starting to see more subtle uses of social engineering that combine traditional hacking techniques with the popularity of the Web. For example, a bank recently fell victim to one such social engineering scheme. The hacker registered an Internet domain name that was very similar to the bank’s real domain name. Next, the hacker created an official-looking form and telephoned bank employees to tell them there was going to be a change to their benefits package and that they needed to go to this particular Web site and fill out the new benefits form. The hacker then told them that the Web site required authentication and that they should simply enter their normal logon name and password.
Of course, the Web site was not actually performing authentication. Instead, the supposed authentication mechanism was nothing more than a Web form that collected usernames and passwords and entered them into a database. All the hacker then had to do was examine the database’s contents to retrieve usernames, passwords, and other personal information.
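The lookalike domain at the heart of the bank scheme can be caught mechanically, for instance by a mail gateway or proxy that compares every new domain it sees against the company's own. The following is an added example, not code from the article: it splits a domain into its registrable name and TLD, undoes the usual character confusables (digit 1 for l, digit 0 for o, "rn" for m, and so on), and then classifies the domain as legitimate, lookalike or unrelated by exact match, embedding, or a small edit distance. The legitimate domain `examplebank.example`, the confusable table and the "last two labels" rule for the registrable name are assumptions made for the example; a real deployment would use the Public Suffix List instead of that rule.

```python
# Assumed list of the organisation's own domains (placeholder, not a real bank).
LEGIT_DOMAINS = ["examplebank.example"]

# Single-character confusables, applied to both sides before comparing.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e",
                                  "5": "s", "7": "t", "8": "b"})
# Multi-character confusables that a single-character table cannot express.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]


def canonical(label: str) -> str:
    """Collapse confusable spellings so 'examp1ebank' and 'exarnplebank'
    both become 'examplebank'."""
    label = label.lower().translate(CONFUSABLE_CHARS)
    for src, dst in CONFUSABLE_PAIRS:
        label = label.replace(src, dst)
    return label


def split_domain(domain: str):
    """Return (registrable name, tld) using the naive 'last two labels' rule,
    an assumption for this example (use the Public Suffix List in production)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: number of single-character inserts, deletes or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a domain as 'legitimate', 'lookalike' or 'unrelated'."""
    c_name, c_tld = split_domain(candidate)
    # Exact registrable match (any subdomain of our own domain is fine).
    for legit in legit_domains:
        if (c_name, c_tld) == split_domain(legit):
            return {"verdict": "legitimate", "matches": legit,
                    "reason": "exact registrable domain"}
    for legit in legit_domains:
        l_name, _ = split_domain(legit)
        c_canon, l_canon = canonical(c_name), canonical(l_name)
        if c_canon == l_canon:
            reason = "confusable characters or different TLD"
        elif l_canon in c_canon:
            reason = "embeds the legitimate name"
        elif levenshtein(c_canon, l_canon) <= max_distance:
            reason = f"within edit distance {max_distance}"
        else:
            continue
        return {"verdict": "lookalike", "matches": legit, "reason": reason}
    return {"verdict": "unrelated", "matches": None, "reason": None}


if __name__ == "__main__":
    for d in ["www.examplebank.example", "benefits.examp1ebank.example",
              "examplebank-benefits.example", "exarnplebank.example",
              "examplebnak.example", "unrelated.example"]:
        print(d, "->", classify_domain(d))
```

Anything classified as lookalike is worth a block or at least an alert; the same function can be run over newly registered domains from a zone-file feed to spot a registration like the one in the bank case before the phone calls start.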
Windows XP remote assistance scheme
Yet another new social engineering stunt involves exploiting Windows XP’s Remote Assistance. Someone claiming to be from the IT department asks an employee whether he can connect to the computer via Remote Assistance to load a security patch. After the connection is made, a spyware module is loaded onto the machine. The spyware module then collects username and password information and transmits it to the hacker by e-mail. The beauty of this technique is that the hacker never has to ask for a password. Instead, the user actually lets the hacker work on his machine by remote control. Since the user never actually sees the hacker’s face, the hacker’s identity is protected, especially if specific path routing is used.
Specific path routing (more commonly called IP source routing) is a technique by which a hacker can dictate the path a TCP/IP connection takes from the hacker to a victim. It is often used to obscure the hacker’s true IP address or geographic location, which is why most firewalls and host operating systems can be configured to drop source-routed packets outright.
Social engineering exploits that have traditionally been done over the phone are now starting to show up in instant messaging and in IRC-based chats. According to Internet security Web site CERT, this exploit commonly involves tricking the user into downloading either a spyware module or a module that can be used by the hacker in a distributed denial of service attack.
One particular message that is sometimes used to trick people into downloading these malicious programs is, “You are infected with a virus that lets hackers get into your machine and read your files, etc. I suggest downloading [malicious filename] and cleaning your machine. Otherwise, you will be banned from the IRC network.”
To prevent situations like this, I recommend installing ViRobot from Hauri onto everyone's machines. If ViRobot is running, users can rest assured that they don't have a virus, plus ViRobot is designed to spot various hacker tools that could have been installed through this or other similar exploits.
What you can do
Many companies are becoming aware of the risks of new social engineering techniques and have begun to develop policies designed to combat social engineering schemes. One of the most widely publicized examples of such a policy is the way AOL tells its customers that no customer support representative will ever ask them for their password.
Unfortunately, there are countless other social engineering techniques available to the hacker. The only real defense against them is to use strong passwords and to educate your users about the different types of schemes, warning them especially about the hidden dangers of innocent conversation.