10 December, 2011

Social Engineering Attacks

Social Engineering Attack
The art of tricking vulnerable and unsuspecting people into revealing confidential information like passwords, credit card numbers, social security numbers, login credentials to payroll systems, customer databases etc with little or no contact with computers.

Social Engineers
-- Sweet talkers with oozing confidence
-- Specialized in dealing with people, not necessarily computers
-- Great actors who can change their communication style and expressions at the drop of a hat
-- Already have access to few confidential details about the victim like Full name, Post code, Gender and others

Social Engineering Attacks
Impersonation
Suppose, I pose as a representative from a bank where you hold your salary account and call you at your office desk. I inform that current netbanking software faced a network outage and finance teams won't be able to credit your salary without your login credentials to the netbanking system. You are worried your salary will arrive late and share your credentials. I now have your bank account details. Whoopsie!

What you could have done?
1. Ask me to identify myself and verify my credentials.
[How do you know I work for the bank?1 It's hard on phone or email ;-). That's why social engineers use these channels more often]
2. Ask me why I called you on your office desk number though I had your mobile number.
[The attacker randomly picked a phone number based on the phone number listed on the company website where you work and modifed the last 3-5 digits to hit your number. Even worse, she asked the receptionist to connect to your extension.]
3. Was the netbanking site really down?
[If netbanking website was down, the bank should have informed you of any planned outages in advance. Even if it was down due to a sudden system failure, the website would have displayed a suitable message indicating the reason and what time the system will be up and running]

Intimidation
I pose as a direct reportee of your boss who works out of the US office. You work out of a tiny office in a small town from southern hemisphere. And of course, you are very fearful that you'll lose your job if you angered your boss. If I call you and say, "Hey Raaamalingaam, Jude asked you to share customer database server credentials with me", wouldn't you give it right away? And you'd expect a good hike in March after this great feat!

What you could have done?
1. Did Jude ever mention about this particular reportee ever?
2. Was there any kind of conversation with Jude prompting to share credentials with the attacker?
3. Customer database server has tons of customer contact details. How could you carelessly share these information with an absolute stranger?

Trespassing
I enter into your corporate campus as a plumber to fix the lavatory near the corporate virus lab. I somehow catch hold of you who swiped the access card to get into the lab and didn't notice me getting in. I get in, load some virus files into the server and get out. Meanwhile, I might have copied tons of data from your server just before I infected your server. Bingo!

What you could have done?
1. Restrict people from tailgating into restricted areas of the campus
2. Take note of suspicious people and report to Information Security team

Fake Prompts
I know of a few websites that you visit regularly first thing in the morning. If you are a teenager, you may first login to facebook or gmail. If you are a middle aged person, you may be interested in www.sharekhan.com. You happen to visit any of these sites and fail to notice the credentials prompt that threw up two consecutive times. One of the times, I stole your login credentials.Wow!  If you noticed, this was a computer assisted social engineering attack.

What you could have done?
1. You could have noticed why the credentials page prompted twice
2. You could have looked at the URL if it took you to another suspicious website or page

Shoulder Surfing
I sit very close to your work area and peeped in as you typed your password to login to your system. I even know the password for your gmail account. I'll send you an email from your email account to you if that helps.

What you could have done?

1. You could have observed if people around are looking for you

Sweet Talking (my own term)
As a friend, I ask you what your pet's name is. You say your pet's name. I type that as your secret answer for your email account and get your password. Now, your account is mine.

Here's a second level of sweetness. I ask you if your password contains 123 in it. You say 'Yes' with glee. I ask if its at the end. You say yes. I use dictionary attack, combine it with your liking for your favourite God and woohoo, I am inside your account. If your email account doesn't have account lockout policy in place, its a festival indeed.

What you could have done?
1. You shouldn't have trusted me
2. You should not have confirmed if specific data is present in your password

Countermeasures
Personal Security
-- Never reveal confidential information to suspicious people whose identity is unknown
-- Avoid revealing information out of trust or fear instilled by few people like your managers, directors, friends, family members etc
-- When someones asks for confidential information, ask them to identify themselves. Verify if the identification is correct or not

Corporate Security
-- Have a secure corporate security policy in place
-- Contact details of employees including email address, mailing addresses, personal phone numbers, official phone numbers and other details should be concealed from external world as much as possible
-- Desk phone numbers should be shielded from external world
-- Employ dummy social engineering attacks by internal security engineers as a periodic check

Here's a simple rule to handle social engineering:
When it comes to security, trust no one!
Regards,
Pari

Addendum on 17th Dec 2011: 
Added Shoulder Surfing and Sweet Talking attacks.