Social climbing: How social engineering became a dangerous cyber threat

John-Paul Power
Published in Threat Intel, May 4, 2017

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.

The use of social engineering by cyber attackers is on the up

Humans and software really aren’t that different when it comes to being exploited. Vulnerabilities in both software and people can be taken advantage of by attackers to get what they want. However, while buggy source code is generally to blame for exploitable flaws in software, it’s human nature that makes people ripe for psychological manipulation.

Social engineering is a widespread threat that even the most experienced and seasoned IT professionals can fall victim to, which is why criminals use this low-tech method in their attacks. Hackers can use social engineering to trick employees into handing over credentials, confidential data, or even large sums of money, often without using any malware, though malware does frequently go hand-in-hand with social engineering.

The spotlight was put firmly on social engineering last year when classic social engineering techniques were used to hack into the Gmail account of Hillary Clinton’s presidential election campaign chair John Podesta. Malicious hackers sent Podesta a phishing email that pretended to be from Google asking him to change his password. He followed the link in the email, revealing his password to the attackers and giving them access to the contents of his email account. This trove of emails was subsequently publicly leaked, to the detriment of the presidential campaign of Clinton, many believe.

Hacking humans

However, while it has hit the spotlight lately, in many ways social engineering is far from a recent phenomenon. History shows us that for as long as humans have been socializing with one another they have been trying to manipulate others for their own gain. This is evident in countless stories, such as when Eve falls for the social engineering skills of a crafty snake and is tricked into eating the forbidden fruit in the Garden of Eden, or when the people of Troy fell for the legendary Trojan horse con — a con that is still widely used in somewhat different forms today.

Just in case you were in any doubt about how successful, and in some cases profitable, social engineering can be, let’s take a quick look at some notable social engineers and their heists.

Victor Lustig was known as “the man who sold the Eiffel Tower twice”

Victor Lustig

Confidence tricksters such as Victor Lustig pulled off scams in the early 20th century that would seem farfetched by today’s standards. Lustig, known as “the man who sold the Eiffel Tower twice”, managed to sell the famous Paris landmark to scrap metal dealers who believed it was to be dismantled. Another of Lustig’s scams involved a money-printing machine on which he demonstrated printing out a $100 bill. The money, he told prospective buyers, took six hours to print. People paid Lustig $30,000 for the machine, which did indeed produce a total of two $100 bills before it began printing blank paper. Lustig is also credited with coming up with the 10 Commandments for Con Men, which include advice such as waiting for your mark to express a political or religious view and then agreeing with them to create a rapport.

George Parker

George Parker was another infamous trickster who specialized in selling public landmarks to unwitting victims. Parker managed to sell the original Madison Square Garden, the Metropolitan Museum of Art, the Statue of Liberty and, most famously, the Brooklyn Bridge. Parker sold the bridge multiple times to victims who believed they could make a fortune by setting up toll booths. Parker has been remembered in popular culture for coining the phrase “and if you believe that, I have a bridge to sell you,” a phrase used to call out someone as being gullible.

Charles Ponzi and Bernie Madoff

Charles Ponzi and Bernie Madoff are both known for swindling people out of large sums of money through what’s known as Ponzi schemes. While Charles Ponzi was conning people out of money in the 1920s, he was not the first to carry out the scam, in which earlier investors in the scheme are paid with money taken from later investors. However, Ponzi was so competent and well known for this particular con that it now bears his name. Ponzi’s modern-day counterpart, Bernie Madoff, took things to the next level when, in 2009, he pleaded guilty to conducting a large-scale Ponzi scheme in which it has been reported investors were swindled out of as much as $65 billion.

Stanley Mark Rifkin

In 1978, computer technician Stanley Mark Rifkin used his position as a contractor at a bank in California to socially engineer his way into the bank’s wire transfer room. Once inside he memorized the numerical code that employees used to authorize wire transfers from bank to bank. Rifkin then phoned the bank posing as an employee from the bank’s international division and got them to transfer more than $10 million to an offshore account. At the time, the Rifkin heist was the largest bank robbery in U.S. history.

Kevin David Mitnick

Kevin David Mitnick is perhaps the best known modern-day social engineer. At one point, Mitnick was known as the world’s most wanted hacker, and he is the person who helped popularize social engineering as a term in information security. Mitnick is now a white hat hacker and security consultant, but back in the 1990s he served five years in prison for several hacking-related crimes, including compromising Pacific Bell’s voicemail computers and copying proprietary software from several cellphone and computer companies, all of which he claimed he did using passwords and codes gained through social engineering.

Today, it’s usually nameless and faceless social engineers that carry out attacks over the internet, and the stakes are often much higher than in the past, as can be seen in the Podesta hack, and some other recent high-profile examples.

BEC scams

A good social engineer often doesn’t even get their hands dirty and will get their target to do their bidding. A modern example of this is the business email compromise (BEC) scam, where fraudsters target staff in medium and large organizations, pretending to be the CEO or another C-level employee. In an email, or in some cases a phone call, the scammer tricks the target into carrying out an urgent wire transfer. These scams can net the attackers large sums of money, as was the case in 2015 when Ubiquiti Networks lost $39 million in a BEC scam.

BEC scammers have used social engineering techniques to make a lot of money

RSA breach

A breach at security firm RSA in 2011 saw information relating to the company’s SecurID two-factor authentication tokens stolen. The attackers got into RSA’s systems using phishing emails with malicious attachments posing as a “2011 Recruitment Plan” Excel document. This theft was significant as it not only affected RSA but also the security of other organizations that used the SecurID tokens.

Bit9 breach

In 2012, another security firm, Bit9, had its trusted file-signing infrastructure compromised. Bit9 later disclosed that the attackers got in through a SQL injection flaw in an internet-facing web server rather than through a phishing lure, but the value of the intrusion lay in what came next: the attackers used the compromised file-signing infrastructure to sign several malware files for use in other attacks, including watering hole attacks (a social engineering technique described later in this article). This attack was noteworthy because the attackers, dubbed Hidden Lynx, went on to use the signed malware in attacks against high-value targets, such as those in the defense, aerospace, and energy sectors, whose whitelisting software trusted anything Bit9 had signed.

AP Twitter hijack

Another notable attack to mention is the 2013 Associated Press (AP) Twitter hijack. This attack began with a spear-phishing email that led to an employee inadvertently handing over access to the news agency’s Twitter account. Attackers used the compromised account to tweet that there had been explosions at the White House. The attack had a major, if brief, impact on the stock market, causing the Dow Jones to drop roughly 150 points within minutes, and highlighted not only the power of social media but the importance of keeping account credentials secure.

Now that it’s clear how effective and dangerous social engineering can be, let’s take a look at how it works and how criminals use it to their advantage.

Bugs in human hardware

As mentioned, social engineering is the psychological manipulation of people, or “marks”. A good social engineer knows how to take advantage of the way people think and make decisions, and to do this they rely on cognitive biases. Cognitive biases are sometimes called “bugs in human hardware” and describe the errors people can make when processing information.

There are too many of these biases to list here, but some have stronger connections to social engineering than others. For example, the cognitive bias known as anchoring is what BEC scammers rely on. Anchoring is the human tendency to rely too much on a single piece of information, usually the first piece offered. BEC scammers claim that they need a chunk of money transferred quickly because an important deal is happening “right now”. The mark focuses on the urgency of the request and bases the rest of their decisions around this information. Authority bias is another one that helps make BEC and other similar scams successful. It describes our tendency to give more weight to the opinion of an authority figure and be more influenced by that opinion than one from our peers.

Social engineering scammers use these cognitive biases to create various attack techniques and, in recent years, cyber attackers have been employing various social engineering techniques to great effect.

Spear-phishing emails frequently employ social engineering techniques to succeed

Techniques of online attackers

· Pretexting: This is one of the most important techniques in a fraudster’s arsenal and involves the use of an invented scenario, or pretext, that will engage the mark and begin a series of events that lead to them handing over information or carrying out the attacker’s wishes. Examples include BEC and tech support scams.

· Phishing: Probably the most common and successful form of social engineering. Attackers mimicking a company’s brand create convincing emails or websites that trick users into handing over credentials or other sensitive information. Mass-mailing phishing campaigns have decreased in recent years, but figures from Symantec show that attackers are now focused on more profitable, targeted spear-phishing campaigns like those employed in BEC scams.

· Familiar attacker: An attacker gains access to an email account and then spams everyone in the account’s contacts list. This tactic relies on people trusting emails that appear to come from someone they know.

· Baiting: Everyone likes free stuff and this technique relies on that fact. For this trick, an attacker leaves a malicious USB device or CD lying around, hoping a mark will pick it up and insert it into a computer, at which time the malware is executed.

· Something for something: Did I mention that people like free stuff? This one involves offers of promotional freebies, prizes, or other items in exchange for sensitive information.

· Watering hole: This tactic involves compromising a website that the mark visits regularly and placing malware on it. Once the mark is infected, the attacker can use the malware to steal information.

Stay one step ahead

Keeping your software and security products up to date can protect you from malware but when it comes to social engineering it’s a case of PEBCAK (Problem Exists Between Chair and Keyboard).

Security awareness training can help educate employees and reduce the risk for businesses and organizations. As well as training there are steps that can be followed by everyone to help stay protected from social engineering attacks, such as the following advice offered by US-CERT.

· Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

· Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

· Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

· Don’t send sensitive information over the internet before checking a website’s security.

· Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

· If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.

· Install and maintain antivirus software, firewalls, and email filters to reduce some of this traffic.

· Take advantage of any anti-phishing features offered by your email client and web browser.
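Two of the points above, executive impersonation in BEC mail (the “familiar attacker” and pretexting techniques) and lookalike URLs (the .com vs .net variation and misspelled domains), can be turned into mechanical checks rather than left to a busy reader’s judgement. The following is an added example written for this article, not code from the original page or from US-CERT. The internal domains, executive names, trusted hosts and the sample message are all constructed for illustration, and the domain heuristics are deliberately simple (no public suffix list, a handful of homoglyph substitutions) so the logic is visible.

```python
"""Heuristic phishing/BEC indicator checks on a single message.

Added example, not code from the original article. The organisation data
below (INTERNAL_DOMAINS, EXECUTIVES, TRUSTED_HOSTS) and SAMPLE are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation data (hypothetical values for the example).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe", "john smith"}
TRUSTED_HOSTS = ("accounts.google.com", "example.com")  # tuple: deterministic order

# A few common homoglyph substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_host(host):
    """Fold homoglyphs so 'exarnple.com' and 'examp1e.com' compare as 'example.com'."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats like 'examplee'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels: 'login.example.com' -> 'example.com'.
    Simplification: ignores multi-label suffixes such as co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(host):
    """Return the trusted host `host` imitates, or None if trusted/unrelated."""
    raw = host.lower().rstrip(".")
    for trusted in TRUSTED_HOSTS:
        if raw == trusted or raw.endswith("." + trusted):
            return None  # the real host or a genuine subdomain of it
    h = normalize_host(raw)
    r = registrable(h)
    r_name, _, r_tld = r.partition(".")
    for trusted in TRUSTED_HOSTS:
        t = registrable(trusted)
        t_name, _, t_tld = t.partition(".")
        if r == t:
            return trusted  # matched only after homoglyph folding
        if r_name == t_name and r_tld != t_tld:
            return trusted  # same name, different TLD (.com vs .net)
        if edit_distance(r_name, t_name) == 1:
            return trusted  # one-character typosquat
        if t_name in h:
            return trusted  # brand embedded in another domain (google.com.evil.net)
    return None


def check_sender(from_header, reply_to=None):
    """Flag display-name spoofing and Reply-To redirection typical of BEC."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVES and domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{name}' claims an executive but address is external: {addr}")
    target = lookalike_of(domain) if domain and domain not in INTERNAL_DOMAINS else None
    if target:
        findings.append(f"sender domain {domain} imitates {target}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and rt_addr.lower() != addr.lower():
            findings.append(f"Reply-To {rt_addr} differs from From {addr}")
    return findings


def check_urls(body):
    """Flag links whose host imitates a trusted host."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} imitates {target}: {url}")
    return findings


def analyze(message):
    """message: dict with 'from', optional 'reply_to', and 'body'."""
    return check_sender(message["from"], message.get("reply_to")) + check_urls(message["body"])


# Constructed sample message (not a real captured email).
SAMPLE = {
    "from": '"Jane Doe" <jane.doe@examp1e-mail.net>',
    "reply_to": "ceo.urgent@freemail-example.org",
    "body": ("Need a wire sent right now for the acquisition, confirm at "
             "https://accounts.google.com.verify-login.net/reset and "
             "https://exarnple.com/invoice before 5pm."),
}

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("INDICATOR:", finding)
```

Running it on the constructed sample produces five indicators: an executive’s display name on an external address, a sender domain that embeds the company brand, a Reply-To pointing elsewhere, a link whose host only starts with accounts.google.com, and a homoglyph domain. None of these checks is conclusive on its own; the point is that each maps to one of the US-CERT rules above and can be applied consistently by a mail gateway, which a hurried employee cannot be relied on to do.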

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.
