DHS NCCIC Report on the Art of Social Engineering

Social engineering, an age old threat, continues to play a significant role in successful attacks against people, enterprises, and agencies. The advent of the Internet, its diverse and increased use, and the reliance on it by almost every element of society, amplifies social engineering opportunities. Cybercriminals enjoy an expansive attack surface, novel attack vectors, and an increasing number of vulnerable points of entry. Threat actors, both cyber and physical, continue to leverage social engineering due in part to its high rate of success. Security experts believe complex social engineering threats will continue across all vectors and attack levels will continue to intensify.

An observed trend in social engineering attacks is the complex and compelling nature of the engineered lure specifically targeted and sculpted for the victims using gleaned sensitive information. Recent successful exploits resulting in large data breaches of sensitive information have contributed to a premium of available, exploitable information. Sensitive information is also readily available on corporate websites, and social media platforms such as Facebook, Twitter, LinkedIn, and others. This availability of information dramatically increases the occurrence, sophistication, and success of follow-on social engineering attacks. Clever and convincing lures tailored to the targeted individual or organization can be created by even the most unsophisticated criminal actor.

Another observed change in social engineering tactics is its inclusion in crime-as-a-service. An example of this is the tool created by China’s underground cyber-crime economy, called “Social Engineering Master”. The tool provides access to leaked or stolen information in order to create a persuasive social engineering attack against a specific victim or group of victims. According to Eweek, Chinese cybercriminals developed this tool and it is being sold for approximately $50 on the underground market. Christopher Budd, a manager with Trend Micro, suggests that Chinese cybercriminals are becoming more sophisticated by offering services such as “Social Engineering Master”.

McAfee released a 2015 study, “Hacking the Human Operating System, The Role of Social Engineering within Cybersecurity” which discusses the role of social engineering within cybersecurity, the lifecycle of a social engineering attack, and the psychological lures which realize the most success for attackers. This paper will discuss the McAfee and other security reports on social engineering, examples of successful social engineering attacks, and countermeasures to defend against it.

…

Social Engineering Phases: Criminals gain access to victims’ accounts using a variety of customizable social engineering methods. McAfee outlines this process into four phases:

1. Research is used to garner information that may assist in identifying and compelling the target to observe an unsafe practice. The Internet allows cybercriminals to remotely conduct open source research using websites, social network profiles, public documents, and other available resources. Some of the information sought includes phone numbers, Internet Service Providers (ISPs), addresses, and other publicly available information. In addition to online research, attackers may socialize or physically interact with the target. In opportunistic attacks, the actor may conduct little to no research.

2. Hook is when cybercriminals attempt to compromise targeted individuals or groups. Robert Cialdini discusses in “The Psychology of Persuasion” six possible “levers” that can be used to hook the targeted individual or group. The influencing levers are reciprocation, commitment and consistency, social validation, like-ability, authority, and scarcity. This is the phase where the attacker involves the target, creates the spoof, builds trust, and compromises the target.

3. Play is the extraction of information and maintaining control of the situation. This phase is where the user clicks on the malicious link, provides personal or financial information, or pays money. Sometimes the hook and play phases occur simultaneously.

4. Exit is closing the link with the targeted victim and completing the scam without arousing suspicion.

…

Social Engineering Channels of Attacks include an array of malicious diversions. Common methods include:

Phishing – Probably the most common form of social engineering attack; is used to collect personal information from victims, such as names, addresses and social security numbers;

Spearphishing – A form of phishing which uses tailored techniques to lure the targeted victim; Whaling – Spearphishing of high profile individuals or members of certain groups of interest to the criminals;

Pretexting- Is when an individual lies to obtain privileged data by concocting scenarios or creating a pretense in order to steal the victim’s personal data or to gain access to victim’s system. These attacks typically are when the actor pretends to have or need certain pieces of information. A high level example of pretexting includes the multi-step scam in which an actor stole the Twitter handle from Naoki Hiroshima’s @N. The attacker called the helpdesk of GoDaddy; using information collected prior to the call to convince the helpdesk employee to redirect Naoki’s email to the attacker. The attacker did not have all the information needed to identify himself as Naoki, but managed to dupe the employee into giving up the account password;

Baiting – A form of social engineering used by hackers that entice victims with the promise of an item or good. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain website. Baiting attacks are not confined to online schemes. Attackers can also focus on exploiting human curiosity through use of physical media such as an attack using strategically placed, infected USBs;

Quid Pro Quo – A form of social engineering that promises a benefit in exchange for information. These benefits are typically in the form of a service. The most common use of this technique involves miscreants who pose as information technology (IT) service personnel and spam call as many individuals and companies as possible with promises to provide free IT support in exchange for the victim’s commitment to purchase anti-virus software;

Tailgating or “Piggybacking” – A form of social engineering involving someone who lacks the proper authentication and authorization who follows another person into a restricted area. An example of a tailgating attack is when a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks that the employee hold the door, thereby gaining unauthorized access to the building.