
Social Engineering Can Thwart the Best Laid Security Plans
By Brien Posey
December 3, 2001

It's been my experience that a lot of IT professionals don't like to talk about social engineering. Perhaps they don't view it as a credible threat, or maybe they have a hard time accepting the idea that all of their hard work and countless hours spent securing the network could be so easily undone by the act of an end user answering an "innocent" question. Whatever the reason, social engineering is a very real threat that needs to be addressed.

There are a lot of different social engineering techniques, but they all have the same basic idea. The trick behind social engineering is to get the user to give up valuable information without the user suspecting anything.

Usually, hackers use the telephone for social engineering purposes, since E-mail would tend to look suspicious and can easily be traced. To pull off social engineering successfully, the hacker usually needs a little inside information. This could come in the form of a buddy who works for the company providing them with a corporate phone directory or the name of a particularly naïve user. Although such information is helpful, it isn't necessary.

If a hacker can't get their hands on the name of a particularly vulnerable user or a corporate directory, they will often look up the company's phone number on the Internet or in the phone book. Since many companies have voice mail that gives an employee directory, all the hacker has to do is listen for someone with an upper management title. Upper management staff tend to have relatively few rights on the network, but also tend to know very little about computers (unless it's an IT company). I've seen countless examples of this over the years. The president of a major insurance company that I used to work for only knew how to use his computer for E-mail and golf games. The president of a transmission parts company might not even know how to turn his computer on. My point is that a hacker can be reasonably sure that if they select a high-level executive from the company's phone directory, the person may have some computer knowledge, but it probably won't be enough to catch on to their antics.

Once the hacker has an unsuspecting employee on the phone, it's time for the act to begin. The hacker will usually pose as an employee. If it's a big company with a lot of offices, they might pose as support personnel from another office. If it's a smaller company, they may pretend to be a new helpdesk employee, a consultant, or a representative from the phone company. Whatever the role, a social engineer's first job is to convince the employee of their bogus identity.

Once the employee has fallen for the act, it's time to begin gathering information. The hacker will usually mix several innocent questions with some serious questions. This is done to get the user to let their guard down. For example, a social engineer's conversation might start out something like this:

Hello I'm John Doe, with XYZ corporation. Bob Smith (the network manager's name) has hired me as a consultant to help him with the next phase of the network upgrade. Before we start the upgrade though, we're trying to find out if any of the users have been having any problems, so that we can make sure to address those problems with the new software.

More times than not, the user will think of some sort of problem to tell the hacker about. The hacker's job is to listen to the problem, and then begin the "troubleshooting process." For example, the hacker might ask the user to look up several pieces of information for him. Some of this information will be harmless (to throw the user off), while some will be valuable. For instance, during the phone call, the hacker may ask for the following:
  • How much memory the system has
  • How much free hard disk space
  • The system's IP address
  • The phone number of a modem that's connected to the machine
  • Any remote access software that may be running
During the call, a good social engineer will walk the employee through the steps of looking this information up. The steps can be easily disguised as part of the troubleshooting process, and having the user read the information directly off the screen ensures that the hacker gets accurate information.

What happens next really depends on how the conversation moves forward. If the user tells the hacker that they use PC Anywhere for remote support, the hacker may immediately tell the user to let them dial in and "fix" the problem. The hacker may actually fix the user's problem so that the user won't be suspicious, but more than anything, this technique provides the hacker with the remote access password and an opportunity to test it.

If the user isn't having a problem or doesn't have any remote access software, the hacker will have to get their hands on a password, whether the local password or the domain password (these are often one and the same). Getting the user's password is tricky, because most of the time, users have been warned not to give out their passwords. Therefore, most good hackers won't simply ask for a password unless they find the user especially friendly. Instead, they must trick the user into giving the password up.

One of the most effective techniques for this is for the hacker to tell the user that they are uploading a new security patch right this moment, but something must have gone wrong because it isn't letting them complete the operation. The hacker would then tell the user something like "I must be spelling your user name wrong, spell it for me." The user will usually then provide the hacker with the exact spelling of their user name (one of the two "keys to the kingdom"). The hacker will then wait a few minutes, and possibly bang on a keyboard just to make it all sound real, before telling the user that it still isn't working. Next the hacker will ask the user to confirm the spelling of their password. Hopefully, by now, the hacker has gotten the user to relax and let their guard down enough that the user will spell the password without even thinking about security.

If the user refuses to give up the password, the hacker may briefly try to coax it out of the user, but will quickly move on to someone else, so as not to be discovered. They will usually conclude the phone call by saying something like, "That's OK, I'll just use the master password" or "I wish that everyone was as security conscious as you." This will help to put the user at ease again so that they don't report the incident.

Now, suppose that the hacker did trick the user into giving up the password. The hacker must still maintain an image of legitimacy so that the user doesn't get suspicious. This is usually done by not rushing to get off the phone. The hacker may walk the user through the steps to fix some minor problem, or might probe the user for more information. Whatever technique is used, the hacker must always appear to be very pleasant and helpful.

Once a hacker has gathered all of the information that they need, their final objective is to get off the phone and be sure that the conversation goes unreported. Naturally, the hacker can't just say, "Don't tell anyone about this call." Instead, they will usually say something like "I'll call you in a few days to follow up on your problem" or "you can reach me at ." The call back method is preferred, though, because the hacker can rest assured that the user won't call some bogus number and be alerted to their phony identity. Remember that a hacker's job is to not be discovered. This doesn't just apply to the short term; a hacker wants to remain undetected forever. Therefore, a hacker will usually tell the user that they will call them back in a few days. This not only puts the user at ease, but it also gives the hacker a few days to see how good the information that they were given actually is before they call the user back. The callback gives the hacker a chance to get more information if it's needed.

Many times a user will ask the hacker for a phone number, but a skilled hacker knows to use the bogus phone number trick as a last resort. It's better for the hacker to leave their doors open by making up a bogus story about being on vacation for the next few days or something, and promising to call the user immediately upon returning to the office. Of course if the hacker has everything that they need, they won't ever call back, but one of the biggest signs of a social engineering scam is a reluctance to provide a phone number, and a promise to call back.
