Social Engineering: 8 Common Tactics

By Joan Goodchild , CSO , 11/06/2008

Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages. And experts say hackers today continue to steal password, install malware or grab profits by employing a mix of old and new tactics.

Here's a refresher course on some of the most prevalent social engineering tricks used by phone, e-mail and Web.

1. 10 degrees of separation

The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). But if his ultimate goal is to gain information from or about employee X, his first calls or e-mails might go to a different person.

The old game of six degrees of separation has a few more layers when it comes to crime. According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, there might be ten steps between a criminal's target and the person he or she can start with in the organization.

"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff. The secretary or receptionist criminals start with might be ten moves away from the person they want to get to."

Lifrieri says criminals use simple ideas to cozy up to more accessible people in an organization in order to get information about people higher up in the hierarchy.

"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."

2. Learning your corporate language

Every industry has a short hand, according to Lifrieri. A social engineering criminal will study that language and be able to rattle it off with the best of them.

"It's all about surrounding cues," he said. "If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."

3. Borrowing your 'hold' music

Successful scammers need, time, persistence and patience, said Lifrieri. Attacks are often done slowly and methodically. The build-up not only includes collecting personal tidbits about people, but also collecting other "social cues" to build trust and even fool other into thinking they are an employee when they are not.

Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.

"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say "Oh, my other line is ringing, hold on," and put them on hold. "The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."

4. Phone-number spoofing

Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.

"The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company," said Lifrieri.

Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable after because if you dial the number back, it goes to an internal company number.

5. Using the news against you

"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams," said Dave Marcus, director of security research and communications for McAfee Avert Labs.

Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.

"There have been a bunch of phishing attacks related to banks being bought by others," said Marcus. "The e-mail will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.' It's an attempt to get you to release your information so they can log into your account to either steal your money or sell your information to someone else."

6. Abusing faith in social networking sites

Facebook, Myspace and Linked In are hugely popular social networking sites. And people have a lot of faith in them, according to Marcus. A recent spear-phishing incident targeted Linked In users, and the attack was surprising to many. Marcus said, increasingly, social networking devotees are being fooled by e-mails that claim to be from sites like Facebook, but are really from scammers.

"They will get an email that says: 'The site is doing maintenance, click here to update your information.' Of course, when you click on the link, you go to the bad guys' site." Marcus recommends advising employees to type Web addresses in manually to avoid malicious links. And also to keep in mind that it is very rare for a site to send out a request for a password change or an account update. (For more tips see How to Use Social Networking Sites Safely.)

7. Typo Squatting

On the Web, bad guys also bank on the common mistakes people make when they type, according to Marcus. When you type in a URL that's just one letter off, suddenly you can end up with unintended consequences.

"Bad guys prepare for typing mistakes and the site they prepare is going to look a lot like the site you thought you were going to, like Google."

Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.

8. Using FUD to affect the stock market

The security and vulnerabilities of products, and even entire companies, can make an impact on the equities market, according to new research from Avert. Researchers studied the impact of events such as Microsoft's Patch Tuesday on the company's stock and found a noticeable swing each month after vulnerability information was released.

"Publicly-released information has an effect on stock prices," said Marcus. "Another recent example is the fake information that was circulated a few weeks ago about Steve Jobs' health. Apple stock took a dive on that. That is a clear example of someone inserting FUD and a resulting effect on a stock." Presumably the culprits held a 'short' position which allowed them to profit from this trick.

The converse approach is to use e-mail to execute the ancient 'pump-and-dump' tactic. A scammer can buy a large volume of a penny stock, the blast out e-mails under the guise of an investment advisor touting that stock's great potential (that's the 'pump'). If enough recipients of this spam e-mail rush to buy the stock, the price will spike upward. The scammer then quickly 'dumps' his shares at a great profit.

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com