What Is Social Engineering? Methods and Defenses
What is Social Engineering?
In the computer world, social engineering is tricking someone into doing something, often detrimental to themselves or others. It is one of the most common forms of hacking because it so often succeeds, and one of the most frustrating for defenders because it cannot be prevented using technology alone.
Methods/Techniques of Social Engineering
Social engineering can be accomplished many ways, including over a computer, using a phone call, in person, or using traditional postal mail. There are so many ways and varieties of social engineering that any list purporting to catalog all of them is going to miss some. When social engineering originates on the computer, it is usually done using email or over the web (although it has also been done using instant messaging and just about every other type of computer program).
A common social engineering target is to capture a user’s login credentials, using what is called phishing. Phishing emails or websites attempt to trick the user into supplying their legitimate login credentials by posing as a legitimate web site or administrator that the end‐user is familiar with. The most common phishing ploy is to send an email purporting to be from a web site administrator claiming that the user’s password must be verified or else their access to the site will be cut off.
Spearphishing is a type of phishing attempt that is particularly targeted against a specific person or group using non‐public information that the targets would be familiar with. An example of spearphishing is a project manager being sent a document in an email supposedly from a project member purporting to be related to a project they are working on, and when they open the document, it executes malicious commands. Spearphishing is often involved in many of the most high‐profile corporate compromises.
Scammers can also call users purporting to be either technical support, a popular vendor, or from a government agency.
One of the most popular scams begins with a call from someone claiming to be from tech support, who says that a malware program has been detected on the user’s computer. They then ask the user to download an “anti‐malware” program which, not surprisingly, proceeds to detect many, many malware programs. They next get the user to download and run a remote access program, which the fake tech support person uses to log on to the victim’s computer and plant more malicious software. The scam culminates when the victim buys a fake anti‐malware program with their credit card number.
Over‐the‐phone scammers can also purport to be from tax collection services, law enforcement, or other government agencies, looking to get paid so that the end‐user will avoid stiff penalties or jail.
Some of the most notorious social engineering scams have been carried out in person by the attacker. Physical social engineers are well known for walking into banks and installing skimming or key‐capture devices on ATMs, or keylogging devices on employee terminals, while posing as computer repair people. As distrusting of strangers as people are by nature, they are surprisingly disarmed if that stranger happens to be a repair person, especially one who says something like, “I hear your computer has been acting slow lately.” Who can refute that statement? The repair person obviously knows about the ongoing problem and is finally here to fix it.
Trojan Horse Execution
Another equally popular social engineering ploy gets the unsuspecting end user to execute a Trojan Horse program. It can be done via email, either as a file attachment or as an embedded URL, and it is done on web sites just as frequently. Often a legitimate web site is compromised, and when a trusting visitor loads the web page, the user is instructed to execute a file. The file can be a “needed” third‐party add‐on, a fake antivirus detector, or a “needed” patch. The legitimate web site itself may be directly compromised, or an independently involved element, such as a third‐party banner ad service, may be (so‐called malvertising). Either way, the user, who often trusts the legitimate web site after years of visiting without a problem, has no reason to suspect that the trusted web site has been compromised.
Carrot or Stick
The end‐user is often either threatened with a penalty for not doing something or promised a reward for doing something. The ruse begins by putting the victim under duress, as people don’t weigh risk as carefully during stress events. They have to either pay a fine or go to jail. They have to run the program or risk having their computer stay infected and their bank account emptied. They have to send money, or someone they care about will remain in a foreign jail. They have to change the boss’s password or else get in trouble with the boss.
Another prevalent scam is carried out against people buying or selling goods on websites, such as auction sites or Craigslist‐like websites. The innocent victim is either buying or selling something.
In buying scams, the scammer posing as a buyer quickly replies, usually offers to pay the full purchase price plus shipping, and asks the seller to use the buyer’s “trusted” escrow agent. They then send the victim a fake check for more than the agreed‐upon purchase amount, which the victim deposits into their bank account. (Unfortunately, banks readily accept these fake checks and credit the funds provisionally, but ultimately make the victim responsible for the lost money once the check bounces.) The “buyer” then asks the victim seller to return the “extra” money to their shipper or escrow agent. The seller victim is usually out at least that amount in the end.
In selling scams, the victim buyer sends the funds but never receives the goods. The average selling scam is at least a thousand dollars. The average buying scam can be tens of thousands of dollars.
Defenses Against Social Engineering
Anti-social engineering training is one of the best, most essential defenses against social engineering. The training must include examples of the most common types of social engineering and how potential victims can spot the signs of illegitimacy.
All computer users need to be taught about social engineering tactics. People buying and selling goods on the Internet need to be educated about purchase scams. They should only use legitimate escrow services and follow all the web site’s recommendations for an untainted transaction.
Be Careful of Installing Software From Third‐Party Websites
Users should be taught never to install any software program directly from a website they are visiting unless it is the website of the legitimate vendor who created the software. If a website says you need to install some piece of third‐party software to continue to view it, and you think it is a legitimate request, leave the website and go to the software vendor’s website to install it. Never install another vendor’s software from someone else’s website. It might actually be legitimate software, but the risk is too great.
EV Digital Certificates
Web surfers should be taught to look for the “extended validation” (EV) digital certificates (https://en.wikipedia.org/wiki/Extended_Validation_Certificate) on many of the most popular websites. EV websites were traditionally highlighted in some way (usually a green address bar or a highlighted green organization name) to confirm to the user that the web site’s URL and legal identity had been verified by a trusted third party. Two caveats apply today. First, Chrome and Firefox removed the distinct EV indicator from the address bar in 2019, so on current browsers the EV status is visible only by opening the certificate details. Second, the padlock alone proves nothing about who runs a site: a phisher can obtain an ordinary domain‐validated certificate for a lookalike domain with no check beyond control of that domain, so users must still read the domain name itself.
Get Rid of Passwords
Credential phishing can’t work if the employee has no reusable secret to give away. Simple login names with passwords are giving way to two‐factor authentication (2FA), digital certificates, login devices, out‐of‐band authentication, and other login methods. Not all of these are equally phishing‐resistant, however: a one‐time code sent by SMS or generated by an authenticator app can still be typed into a phishing page and relayed to the real site within its validity window, and a push notification can be approved by a tired user. Methods that bind the login to the site’s origin, such as FIDO2/WebAuthn security keys and passkeys or certificate‐based authentication, cannot be replayed by a lookalike site, because the browser, not the user, supplies the origin that gets signed.
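To make the difference between a phishable and a phishing‐resistant second factor concrete, here is an added Python model (not code from the page or from any authentication product). It implements RFC 6238 TOTP with the standard library and shows that a code the victim types into a lookalike site is accepted by the real site when relayed in the same time window, whereas a challenge signed together with the browser’s origin is rejected. The origins, secrets, fixed timestamp and the use of HMAC‐SHA256 as a stand‐in for the asymmetric signature a real FIDO2/WebAuthn authenticator produces are all constructed for the illustration; the origin‐binding logic is the point, not the primitive.

```python
"""Why a one-time code is phishable and an origin-bound credential is not.

Added illustration, not code from the page. Everything here is constructed:
the origins, the secrets, the fixed timestamp, and HMAC-SHA256 standing in
for the asymmetric signature a FIDO2/WebAuthn authenticator really makes.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bank.example"        # constructed legitimate origin
PHISH_ORIGIN = "https://bank-example.com"   # constructed lookalike origin


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpSite:
    """Site that accepts a username plus the current TOTP code."""

    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


def relay_attack_otp(site: OtpSite, victim_secret: bytes, now: int) -> bool:
    """Victim types the live code into the phishing page; the attacker
    forwards it to the real site inside the same 30-second window."""
    code_typed_into_phish = totp(victim_secret, now)
    return site.login(code_typed_into_phish, now)


class OriginBoundSite:
    """Site that issues a random challenge and expects it signed together
    with the origin the browser actually presented to the authenticator."""

    def __init__(self, credential_key: bytes) -> None:
        self.credential_key = credential_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        # The server only ever checks the signature against its own origin.
        expected = hmac.new(self.credential_key,
                            challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def authenticator_sign(credential_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """The browser, not the user, supplies the origin of the page that asked;
    the victim cannot be talked into changing it."""
    return hmac.new(credential_key, challenge + origin_seen.encode(), hashlib.sha256).digest()


def legitimate_login_origin_bound(site: OriginBoundSite, credential_key: bytes) -> bool:
    challenge = site.challenge()
    return site.verify(challenge, authenticator_sign(credential_key, challenge, REAL_ORIGIN))


def relay_attack_origin_bound(site: OriginBoundSite, credential_key: bytes) -> bool:
    """Attacker fetches a real challenge, passes it to the victim's browser
    sitting on the phishing page, and forwards whatever comes back."""
    challenge = site.challenge()
    signature = authenticator_sign(credential_key, challenge, PHISH_ORIGIN)
    return site.verify(challenge, signature)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"   # RFC 4226/6238 test-vector secret
    key = secrets.token_bytes(32)
    print("OTP relay succeeds:", relay_attack_otp(OtpSite(otp_secret), otp_secret, now=59))
    print("origin-bound relay succeeds:", relay_attack_origin_bound(OriginBoundSite(key), key))
```

With the RFC test‐vector secret and timestamp 59 the TOTP is 287082, and the relay succeeds because nothing in the code ties it to where it was typed; the origin‐bound login fails for the same attacker because the signed message includes the phishing origin, which the real site never accepts.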
Anti–Social Engineering Technologies
Most anti‐malware, web filtering software and email anti‐spam solutions try to minimize social engineering done using computers. Anti‐malware software will try to detect execution of malicious files. Web filtering software will try to identify malicious websites as the visitor’s browser tries to load the page. And email anti‐spam solutions often filter out social engineering emails. However, technology will never be completely successful, so end‐user training and other methods must be used in conjunction.
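As an added illustration of the kind of checks an email filter applies to a social engineering message (this is example code written for this page, not the logic of any product named here), the following Python uses only the standard library to flag four signs of illegitimacy in a constructed phishing email: a display name carrying an address from a different domain than the real sender, a sender domain that merely resembles the organization’s, a link whose visible text names one host while its href points to another, and urgency phrasing. The organization domain, the two sample messages and the urgency phrase list are all constructed for the example.

```python
"""Heuristic phishing checks over a raw RFC 5322 message.

Added example for this page, not code from any mail-filtering product.
ORG_DOMAIN, the sample messages and the urgency phrases are constructed.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "corp.example"   # constructed: the organization being impersonated
URGENCY = ("verify your password", "will be suspended",
           "within 24 hours", "account will be closed")

# Constructed phishing sample: spoofed display name, lookalike sender domain,
# link text that disagrees with its href, and pressure wording.
PHISH = """\
From: "helpdesk@corp.example" <alerts@mail-corp-example.net>
To: user@corp.example
Subject: Action required: verify your password within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended unless you verify your password.</p>
<p><a href="http://corp.example.login-verify.net/reset">https://portal.corp.example/reset</a></p>
"""

# Constructed benign sample from the real helpdesk.
BENIGN = """\
From: IT Helpdesk <helpdesk@corp.example>
To: user@corp.example
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset=utf-8

<p>The portal is unavailable Saturday 02:00-04:00. Status: <a href="https://portal.corp.example/status">https://portal.corp.example/status</a></p>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_org_host(host: str) -> bool:
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def _body(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message: str) -> list:
    """Return a list of finding codes; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. An email address inside the display name from a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != sender_domain:
        findings.append("display-name-domain-mismatch")
    # 2. Sender domain that contains the org name but is not the org.
    squashed = sender_domain.replace(".", "").replace("-", "")
    if not _is_org_host(sender_domain) and ORG_DOMAIN.replace(".", "") in squashed:
        findings.append("lookalike-sender-domain")

    body = _body(msg)
    parser = _Anchors()
    parser.feed(body)
    for href, text in parser.links:
        href_host = _host(href)
        # 3. Visible URL text pointing somewhere other than the href.
        if text.startswith(("http://", "https://")) and _host(text) != href_host:
            findings.append("link-text-host-mismatch")
        # 4. Link host that embeds the org domain without being under it.
        if not _is_org_host(href_host) and ORG_DOMAIN in href_host:
            findings.append("lookalike-link-host")

    # 5. Carrot-or-stick pressure wording in subject or body.
    text_all = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(phrase in text_all for phrase in URGENCY):
        findings.append("urgency-pressure")
    return findings


if __name__ == "__main__":
    print("phish :", analyze(PHISH))
    print("benign:", analyze(BENIGN))
```

Each finding is a weak signal on its own (legitimate mail also uses deadlines), which is why real filters score several of them together and why the text above is right that the technology must be paired with training.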
Social engineering is a very successful hacking method. Some computer security experts will tell you that you cannot do enough training to successfully make all employees aware of social engineering tactics. They are wrong. A combination of enough training and the right technologies can significantly diminish the risk of social engineering.