Target and Attack

The basic goals of social engineering are the same as hacking in general:
to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.

Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, to admit a fundamental security breach is not only embarrassing, it may damaging to the organization�s reputation) and/or the attack was not well documented so that nobody is really sure whether there was a social engineering attack or not.

As for why organizations are targeted through social engineering � well, its often an easier way to gain illicit access than are many forms of technical hacking. Even for technical people, its often much simpler to just pick up the phone and ask someone for his password. And most often, thats just what a hacker will do.

Social engineering attacks take place on two levels: the physical and the psychological. First, we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around and emerges from the building with ample information to exploit the network from home later that night. Another technique to gain authentication information is to just stand there and watch an oblivious employee type in his password.

Social Engineering by Phone

The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Heres a classic PBX trick, care of the Computer Security Institute: �Hi, Im your AT&T rep, Im stuck on a pole. I need you to punch a bunch of buttons for me.

And heres an even better one: �Theyll call you in the middle of the night: Have you been calling Egypt for the last six hours? No. And theyll say, well, we have a call thats actually active right now, its on your calling card and its to Egypt and as a matter of fact, youve got about $2,000 worth of charges from somebody using your card. Youre responsible for the $2,000, you have to pay that... Theyll say, Im putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then Ill get rid of the charge for you. People fall for it.

Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.

The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he �dialed up a phone company, got transferred around, and reached the help desk. �Who�s the supervisor on duty tonight? Oh, its Betty. Let me talk to Betty. Hes transferred. Hi Betty, having a bad day? No, why?...Your systems are down. She said, my systems arent down, were running fine. He said, you better sign off. She signed off. He said, now sign on again. She signed on again. He said, we didnt even show a blip, we show no change. He said, sign off again. She did. Betty, Im going to have to sign on as you here to figure out whats happening with your ID. Let me have your user ID and password. So this senior supervisor at the Help Desk tells him her user ID and password. Brilliant.

This is probably the most common Social engineering technique. Makeing someone beleive you are someone who you are not, and then you will be able to get about anything you need. This works great with getting free Pizza =)