Social engineering (security)

Last updated

OPSEC alert OPSEC alert -- What is social engineering....jpg
OPSEC alert

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. [1] It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests." [2]

Contents

Research done in 2020 has indicated that social engineering will be one of the most prominent challenges of the upcoming decade. Having proficiency in social engineering will be increasingly important for organizations and countries, due to the impact on geopolitics as well. Social engineering raises the question of whether our decisions will be accurately informed if our primary information is engineered and biased. [3]

Social engineering attacks have been increasing in intensity and number, cementing the need for novel detection techniques and cyber security educational programs. [4]

Techniques and terms

All social engineering techniques are based on attributes of human decision-making known as cognitive biases. [5] [6]

One example of social engineering is an individual who walks into a building and posts an official-looking announcement to the company bulletin that says the number for the help desk has changed. So, when employees call for help the individual asks them for their passwords and IDs thereby gaining the ability to access the company's private information. Another example of social engineering would be that the hacker contacts the target on a social networking site and starts a conversation with the target. Gradually the hacker gains the trust of the target and then uses that trust to get access to sensitive information like password or bank account details. [7]

In 2018, Equifax fell victim to a notable social engineering attack, resulting in a data breach that exposed personal information, including social security numbers, driver's license details, and mobile phone numbers. This breach affected 145.5 million Americans. As a credit reporting firm, the company became a target for hackers who cleverly posed as representatives from financial institutions like Bank of America to illicitly access individuals' personal data.[ citation needed ]

Other concepts

Pretexting

Pretexting (adj. pretextual) is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. [8] An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target. [9]

Water holing

Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems. [10]

Baiting

Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. [11] In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.

Unless computer controls block infections, insertion compromises PCs "auto-running" media. Hostile devices can also be used. [12] For instance, a "lucky winner" is sent a free digital audio player compromising any computer it is plugged to. A "road apple" (the colloquial term for horse manure, suggesting the device's undesirable nature) is any removable media with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, or USB flash drive, among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential". [13]

One study published in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files on them that linked to webpages owned by the researchers. The researchers were able to see how many of the drives had files on them opened, but not how many were inserted into a computer without having a file opened. Of the 297 drives that were dropped, 290 (98%) of them were picked up and 135 (45%) of them "called home". [14]

Examples of social engineers

Susan Headley

Susan Headley became involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles, but later framed them for erasing the system files at US Leasing after a falling out, leading to Mitnick's first conviction. She retired to professional poker. [15]

Mike Ridpath

Mike Ridpath Security consultant, published author, and speaker. Previous member of w00w00. Emphasizes techniques and tactics for social engineering cold calling. Became notable after his talks where he would play recorded calls and explain his thought process on what he was doing to get passwords through the phone and his live demonstrations. [16] [17] [18] [19] [20] As a child Ridpath was connected with Badir Brothers and was widely known within the phreaking and hacking community for his articles with popular underground ezines, such as, Phrack, B4B0 and 9x on modifying Oki 900s, blueboxing, satellite hacking and RCMAC. [21] [22]

Badir Brothers

Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers. [23] [24]

Christopher J. Hadnagy

Christopher J. Hadnagy is an American social engineer and information technology security consultant. He is best known as an author of 4 books on social engineering and cyber security [25] [26] [27] [28] and founder of Innocent Lives Foundation, an organization that helps tracking and identifying child trafficking by seeking the assistance of information security specialists, using data from open-source intelligence (OSINT) and collaborating with law enforcement. [29] [30]

Law

In common law, pretexting is an invasion of privacy tort of appropriation. [31]

Pretexting of telephone records

In December 2006, United States Congress approved a Senate sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on 12 January 2007. [32]

Federal legislation

The 1999 Gramm-Leach-Bliley Act (GLBA) is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.

While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them. [33]

1st Source Information Specialists

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale:Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc. A spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suits respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

Hewlett Packard

Patricia Dunn, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members. [34] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed. [35]

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Kevin Mitnick</span> American hacker (1963–2023)

Kevin David Mitnick was an American computer security consultant, author, and convicted hacker. He is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. Mitnick's pursuit, arrest, trial, and sentence along with the associated journalism, books, and films were all controversial. After his release from prison, he ran his own security firm, Mitnick Security Consulting, LLC, and was also involved with other computer security businesses.

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity, usually as a method to gain a financial advantage

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Wardialing is a technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for modems, computers, bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers—malicious hackers who specialize in breaching computer security—for guessing user accounts, or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Crimeware is a class of malware designed specifically to automate cybercrime.

A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers.

Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext. In its history, pretexting has been described as the first stage of social engineering, and has been used by the FBI to aid in investigations. A specific example of pretexting is reverse social engineering, in which the attacker tricks the victim into contacting the attacker first.

Susan Headley is a former phreaker and early computer hacker during the late 1970s and early 1980s. A member of the so-called Cyberpunks, Headley specialized in social engineering, a type of hacking which uses pretexting and misrepresentation of oneself in contact with targeted organizations in order to elicit information vital to hacking those organizations.

Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.

<span class="mw-page-title-main">Hewlett-Packard spying scandal</span> Corporate information leak investigation

On September 5, 2006, Newsweek revealed that the general counsel of Hewlett-Packard, at the behest of HP chairwoman Patricia Dunn, had contracted a team of independent security experts to investigate board members and several journalists in order to identify the source of an information leak. In turn, those security experts recruited private investigators who used a spying technique known as pretexting. The pretexting involved investigators impersonating HP board members and nine journalists in order to obtain their phone records. The information leaked related to HP's long-term strategy and was published as part of a CNET article in January 2006. HP hired public relations firm Sitrick and Company to manage their media relations during the crisis.

Psychological subversion (PsychSub) is the name given by Susan Headley to a method of verbally manipulating people for information. It is similar in practice to so-called social engineering and pretexting, but has a more military focus to it. It was developed by Headley as an extension of knowledge she gained during hacking sessions with notorious early computer network hackers like Kevin Mitnick and Lewis de Payne.

Phone hacking is the practice of exploring a mobile device, often using computer exploits to analyze everything from the lowest memory and cpu levels up to the highest file system and process levels. Modern open source tooling has become fairly sophisticated as to be able to "hook" into individual functions within any running app on an unlocked device and allow deep inspection and modification of its functions.

There is no commonly agreed single definition of “cybercrime”. It refers to illegal internet-mediated activities that often take place in global electronic networks. Cybercrime is "international" or "transnational" – there are ‘no cyber-borders between countries'. International cybercrimes often challenge the effectiveness of domestic and international law, and law enforcement. Because existing laws in many countries are not tailored to deal with cybercrime, criminals increasingly conduct crimes on the Internet in order to take advantages of the less severe punishments or difficulties of being traced.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

<span class="mw-page-title-main">Christopher J. Hadnagy</span> American author and computer scientist

Christopher James Hadnagy is an American author and information technology security consultant.

References

  1. Anderson, Ross J. (2008). Security engineering: a guide to building dependable distributed systems (2 ed.). Indianapolis, IN: Wiley. p. 1040. ISBN   978-0-470-06852-6. Chapter 2, page 17
  2. "Social Engineering Defined". Security Through Education. Retrieved 3 October 2021.
  3. Guitton, Matthieu J. (1 June 2020). "Cybersecurity, social engineering, artificial intelligence, technological addictions: Societal challenges for the coming decade". Computers in Human Behavior. 107: 106307. doi:10.1016/j.chb.2020.106307. ISSN   0747-5632. S2CID   214111644.
  4. Salahdine, Fatima (2019). "Social Engineering Attacks: A Survey". School of Electrical Engineering and Computer Science, University of North Dakota. 11 (4): 89.
  5. Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.
  6. Kirdemir, Baris (2019). "HOSTILE INFLUENCE AND EMERGING COGNITIVE THREATS IN CYBERSPACE". Centre for Economics and Foreign Policy Studies.
  7. Hatfield, Joseph M (June 2019). "Virtuous human hacking: The ethics of social engineering in penetration-testing". Computers & Security. 83: 354–366. doi:10.1016/j.cose.2019.02.012. S2CID   86565713.
  8. The story of HP pretexting scandal with discussion is available at Davani, Faraz (14 August 2011). "HP Pretexting Scandal by Faraz Davani" . Retrieved 15 August 2011 via Scribd.
  9. "Pretexting: Your Personal Information Revealed", Federal Trade Commission
  10. "Chinese Espionage Campaign Compromises Forbes.com to Target US Defense, Financial Services Companies in Watering Hole Style Attack". invincea.com. 10 February 2015. Retrieved 23 February 2017.
  11. "Social Engineering, the USB Way". Light Reading Inc. 7 June 2006. Archived from the original on 13 July 2006. Retrieved 23 April 2014.
  12. "Archived copy" (PDF). Archived from the original (PDF) on 11 October 2007. Retrieved 2 March 2012.{{cite web}}: CS1 maint: archived copy as title (link)
  13. Conklin, Wm. Arthur; White, Greg; Cothren, Chuck; Davis, Roger; Williams, Dwayne (2015). Principles of Computer Security, Fourth Edition (Official Comptia Guide). New York: McGraw-Hill Education. pp. 193–194. ISBN   978-0071835978.
  14. Raywood, Dan (4 August 2016). "#BHUSA Dropped USB Experiment Detailed". info security. Retrieved 28 July 2017.
  15. Hafner, Katie (August 1995). "Kevin Mitnick, unplugged". Esquire. 124 (2): 80(9).
  16. Social Engineering: Manipulating the human. Scorpio Net Security Services. 16 May 2013. ISBN   9789351261827 . Retrieved 11 April 2012.
  17. Niekerk, Brett van. "Mobile Devices and the Military: useful Tool or Significant Threat". Proceedings of the 4th Workshop on Ict Uses in Warfare and the Safeguarding of Peace 2012 (Iwsp 2012) and Journal of Information Warfare. academia.edu. Retrieved 11 May 2013.
  18. "Social Engineering: Manipulating the human". YouTube. Retrieved 11 April 2012.
  19. "BsidesPDX Track 1 10/07/11 02:52PM, BsidesPDX Track 1 10/07/11 02:52PM BsidesPDX on USTREAM. Conference". Ustream.tv. 7 October 2011. Archived from the original on 4 August 2012. Retrieved 11 April 2012.
  20. "Automated Social Engineering". BrightTALK. 29 September 2011. Retrieved 11 April 2012.
  21. "Social Engineering a General Approach" (PDF). Informatica Economica journal. Retrieved 11 January 2015.
  22. "Cyber Crime". Hays. 7 November 2018. ISBN   9781839473036 . Retrieved 11 January 2020.
  23. "Wired 12.02: Three Blind Phreaks". Wired. 14 June 1999. Retrieved 11 April 2012.
  24. "Social Engineering A Young Hacker's Tale" (PDF). 15 February 2013. Retrieved 13 January 2020.{{cite journal}}: Cite journal requires |journal= (help)
  25. "43 Best Social Engineering Books of All Time". BookAuthority. Retrieved 22 January 2020.
  26. "Bens Book of the Month Review of Social Engineering The Science of Human Hacking". RSA Conference. 31 August 2018. Retrieved 22 January 2020.
  27. "Book Review: Social Engineering: The Science of Human Hacking". The Ethical Hacker Network. 26 July 2018. Retrieved 22 January 2020.
  28. Hadnagy, Christopher; Fincher, Michele (22 January 2020). "Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails". ISACA. Retrieved 22 January 2020.
  29. "WTVR:"Protect Your Kids from Online Threats"
  30. Larson, Selena (14 August 2017). "Hacker creates organization to unmask child predators". CNN. Retrieved 14 November 2019.
  31. Restatement 2d of Torts § 652C.
  32. "Congress outlaws pretexting". 109th Congress (2005–2006) H.R.4709 – Telephone Records and Privacy Protection Act of 2006. 2007.
  33. Mitnick, K (2002): "The Art of Deception", p. 103 Wiley Publishing Ltd: Indianapolis, Indiana; United States of America. ISBN   0-471-23712-4
  34. HP chairman: Use of pretexting 'embarrassing' Stephen Shankland, 8 September 2006 1:08 PM PDT CNET News.com
  35. "Calif. court drops charges against Dunn". CNET. 14 March 2007. Retrieved 11 April 2012.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.