Originally published by CSO
Human beings are essentially social creatures. We like to help one another. We generally defer to people higher up in the hierarchy than we are. We tend to trust that other people are honest, mean what they say, and are who they say they are, because questioning any of those things without good reason is rude.
Unfortunately, these social niceties can turn us into the weakest link in information security. Too often hacks result not from technical flaws but from what’s known as social engineering: human beings allowing themselves to be convinced to let down their guard. Many of the techniques are as old as con artistry itself, but have been updated for the digital age.
Consider the social engineering attack examples below cautionary tales.
Kevin Mitnick’s wild run
Kevin Mitnick was one of the most notorious hackers of the ’80s and ’90s computer age. His exploits were driven by curiosity, not profit, and social engineering was his superpower. Here’s a classic Mitnick trick: in 1979, at the ripe old age of 16, he made friends with some hackers who had found the number for a dialup modem for the system that Digital Equipment Corporation (DEC) used for OS development, but they told him that it was useless because they didn’t have an account name or password. Mitnick simply called the system manager at DEC, claimed to be Anton Chernoff, one of the company’s lead developers, and said he was having trouble logging in; he was immediately given a login that provided high-level access to the system. (Mitnick, now reformed, is in the security consulting business.)
Brothers in crime
The most notorious hackers in the Middle East in the 1990s were Muzher, Shadde, and Ramy Badir, three Israeli Arab brothers who had been blind since birth. The Badirs’ favorite targets were telephone companies — at one point they were running their own bootleg telecom and charging an Israeli army radio station for all the bandwidth — and many of their scams were achieved via social engineering techniques, like calling into phone company HQs claiming to be engineers in the field, or chatting up secretaries for details about their boss that would help them guess passwords. But the Badirs had skills that were absolutely unique: they could wreak havoc by perfectly imitating voices (of the fraud investigator on their tail, for instance) and could tell a phone’s PIN just by hearing someone type it from across the room.
Tarnishing HP’s reputation
In 2005 and 2006, Hewlett-Packard (HP) was roiled by corporate infighting, and management was convinced that a board member was leaking insider information to the media. HP hired private investigators to investigate their own board’s communications, which they did via pretexting, a term for a form of social engineering that the ensuing scandal brought to national attention. Armed only with board members’ names and the last four digits of their Social Security numbers, the PIs were able to call up AT&T and convince them to provide access to detailed call records for the victims. Though HP’s leadership claimed they hadn’t authorized these techniques, the fallout resulted in multiple resignations; while pretexting in order to obtain financial records had previously been illegal, the scandal also resulted in a stronger federal law against the practice.
Someday my prince will come
Emails from “Nigerian princes” asking for help getting vast sums of money out of the country are a staple of internet jokes — but they’re also social engineering traps that have lured the unwary, even those who should know better. In 2007 the treasurer of a sparsely populated Michigan county stole up to $1.2 million in public money as a part of a Nigerian advance fee fraud, telling friends he was going to retire comfortably soon and would be flying to London to collect the money he thought he had “earned.” He returned to the U.S. empty-handed and was soon arrested.
Tabloid turmoil
From 2009 to 2011, the UK media landscape was roiled by revelations that British tabloids had for years paid investigators to hack into various targets’ cell phone voicemail in pursuit of stories; victims ranged from movie stars to royal courtiers. Particularly shocking was the revelation that investigators may have erased voicemails left for a murdered girl, giving parents false hope she was alive.
While the techniques deployed varied, one of the core methods was pretexting, referred to in British slang as “blagging”; for instance, one investigator convinced Vodafone staff to reset actress Sienna Miller’s voicemail PIN by claiming to be “John from credit control.” (In other cases, investigators were able to simply guess the PIN, which many users never change from the default.)
Small phish open big holes
Phishing, while somewhat impersonal, is definitely a type of social engineering, as it focuses on trying to coax the victim into opening a file or running an app they shouldn’t via some kind of tempting bait. In 2011, in an extremely embarrassing breach for infosec powerhouse RSA, at least two low-level employees opened a file called “2011 Recruitment plan.xls” from an unknown sender (the prospect of a job offer is common phishing bait). The spreadsheet contained a macro that installed a backdoor on their computers, a compromise that reduced the effectiveness of RSA’s flagship SecurID product and cost the company $66 million.
Prey drinking at the watering hole
Social engineering works in part by understanding your victims’ behaviors, like where they like to spend their time — and that can include their online time as well. Watering hole attacks are considered a social engineering attack in the sense that hackers compromise websites where they know their targets linger. In 2013, hackers managed to insert malicious JavaScript into the U.S. Department of Labor’s Site Exposure Matrices (SEM) page, which contains data on toxic substances present at Department of Energy facilities. Obviously, the page was frequently visited by Energy Department employees — and the attackers were able to infect some of their computers with Poison Ivy, a remote access Trojan.
Meet the new “boss”
In 2015, Ubiquiti Networks, a manufacturer of network gear, fell victim to what’s known as a “business email compromise” — or, more commonly, a “CEO scam.” The attackers emailed employees in the finance department in Ubiquiti’s Hong Kong subsidiary, claiming to be a top executive, and requested wire transfers to “third parties” — accounts under the control of the criminals. Ubiquiti was tight-lipped on how exactly the finance folks were fooled; since the company said there was “no evidence that our systems were penetrated,” it’s likely the hackers used a technique like a lookalike URL to do the trick.
Insecure intelligence
In 2015 and 2016, UK teen Kane Gamble managed to get access to home and work internet accounts for major figures in US intelligence, using social engineering as his point of entry. For instance, he called Verizon and convinced them to grant access to CIA Director John Brennan’s email account despite not being able to answer Brennan’s security question (his first pet); he called an FBI help desk claiming to be Deputy Director Mark Giuliano and sweet-talked them into granting access to Giuliano’s account even though the agency was aware a hack was in progress. Once ensconced in his targets’ computers, he leaked classified information and wreaked other havoc; for instance, he forwarded Director of National Intelligence Dan Coats’s phone calls to the Free Palestine Movement.
The spear phish that shifted an election
Spear phishing is a specialized phishing variant in which attackers try to trick a high-value target into revealing sensitive information, and for Russian-sponsored hackers in 2016, there was no higher-value target than Hillary Clinton campaign manager John Podesta. Podesta received a fake “account reset” email that appeared to be from Google, asking him to log in and change his password; the actual domain of the provided link, hidden behind a bit.ly link shortener, was myaccount.google.com-securitysettingpage.ml.
Podesta was suspicious, but one of the aides he consulted made possibly history’s most consequential typo in an email, saying “this is a legitimate email” when he meant to type “illegitimate.” Podesta entered his account info, and the Russian hackers were able to access and leak his emails, which helped sink the Clinton campaign.
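The Podesta link illustrates the lookalike-domain trick that the Ubiquiti case above also alludes to: the hostname starts with a familiar brand, but the part a registrar actually hands out (the registrable domain) belongs to someone else, and a shortener hides all of it until the link is followed. The following Python check is an added example written for this article, not code from CSO or from any of the organizations named here. It resolves the registrable domain of a URL and flags a link as a lookalike when a protected brand appears in the host or in the user@host prefix while the registrable domain is not the brand's own. The protected-brand list, the shortener list and the small suffix table are constructed placeholders; a real deployment would use the full Public Suffix List and the URL reached after following the shortener's redirects.

```python
from urllib.parse import urlsplit

# Constructed sample policy: brands we expect to see only at these registrable domains.
PROTECTED_DOMAINS = {"google.com", "microsoft.com"}

# Link shorteners hide the real destination; this check must be run on the final
# URL after redirects are followed, so a shortener is reported as opaque, not judged.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Assumption: a tiny stand-in for the Public Suffix List, enough to show the idea.
# A real deployment should use the full list to find the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrar actually hands out.

    'myaccount.google.com-securitysettingpage.ml' has labels
    ['myaccount', 'google', 'com-securitysettingpage', 'ml'], so the registrable
    domain is 'com-securitysettingpage.ml', not anything owned by Google.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Classify a URL as ok / lookalike / opaque-shortener / unrelated / invalid.

    Returns (verdict, registrable_domain). A 'lookalike' is any host or userinfo
    that mentions a protected brand while the registrable domain is someone else's.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()   # hostname is already lower-cased
    if not host:
        return ("invalid", "")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return ("opaque-shortener", reg)
    if reg in PROTECTED_DOMAINS:
        return ("ok", reg)
    userinfo = (parts.username or "").lower()
    for brand in PROTECTED_DOMAINS:
        base = brand.split(".")[0]
        # Brand before an '@' (user@host trick), as a label sequence anywhere in the
        # host (covers the hyphenated 'google.com-…' label), or as a whole label.
        if brand in userinfo or brand in host or base in host.split("."):
            return ("lookalike", reg)
    return ("unrelated", reg)


def scan_links(urls) -> dict:
    """Run classify_link over a batch and return {url: (verdict, registrable_domain)}."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links: the genuine Google host, the lookalike from the article,
# a shortener, a user@host trick and an unrelated site.
SAMPLE_LINKS = (
    "https://myaccount.google.com/security",
    "myaccount.google.com-securitysettingpage.ml",
    "https://bit.ly/2abc",
    "https://google.com@evil.example/login",
    "https://example.org/",
)

if __name__ == "__main__":
    for url, (verdict, reg) in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:17} {reg:30} {url}")
```

The verdict that matters operationally is the registrable domain, not the leading labels: mail filters and browser warnings that compare only the start of a hostname against a brand name are exactly what this kind of link is built to defeat, and an "opaque-shortener" result should be treated as "not yet checked" rather than as safe.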
The “it’s my first day” excuse
In 2016, an anonymous hacker broke into an internal U.S. Department of Justice network and released online thousands of personnel records for FBI and DHS agents. The attack began when the hacker somehow got control of a DoJ email address, but he was able to make the most crucial move via social engineering, as he gloated to Motherboard. When he was unable to log into the DoJ’s web portal for employees, “I called up, told them I was new and I didn’t understand how to get past [it],” he said. “They asked if I had a token code, I said no, they said that’s fine — just use our one.” He immediately had access to the DoJ intranet.
Dialog box blindness
At this point, we’re all used to dialog boxes popping up on our computer asking us to confirm some potentially risky course of action — and these can be tailored to manipulate us in the course of a social engineering attack. In 2017 a wave of phishing emails hit Ukrainian targets that included an attached Microsoft Word document with malicious macro code. If the macros were disabled, users were presented with a specially crafted dialog box, designed to look specifically like one from Microsoft, to coax them into allowing the macro code to run. (If executed, the code installed a backdoor on the computer that allowed the attackers to listen through the user’s microphone.) The lesson, as with all of these incidents: Always look twice before you click or say yes.