Before venturing out to attend the 2016 Nextech EDGE conference last week, I decided to write a bit of a teaser blog article on a topic I was covering at my session on cybersecurity—Social Engineering. (Side note: I would like to extend a most sincere thank you to everyone at EDGE who attended my sessions).
In order to avoid publishing any spoilers, however, I chose not to go into too much detail and promised to elaborate further once I returned from the conference.
Well… I have returned, so it is time for me to make good on that promise.
Since we already explained what social engineering is in the previous article, I don’t think it’s necessary to rehash all the basics. Instead, let’s start by taking a look at some examples of social engineering tactics that are commonly employed by hackers and cybercriminals.
Social Engineering Tactics
Baiting – this tactic commonly employs the promise/temptation of obtaining a “free” item, and can be done in any number of ways. For example, a popup ad promising a free movie download might instead download malware when clicked. However, baiting can also be done physically. For example, leaving a malware-loaded USB drive (or several of them) in the parking lot of the target building and just waiting for someone to pick one up, take it inside, and insert it into a computer.
Phone Phishing – these are scams that, as the name suggests, are carried out over the phone (sometimes called “vishing”) and are often used in conjunction with some form of pretexting (see below). For example, calling a new employee at a target company and claiming to be from HR in order to get that person to divulge information.
Spear-phishing – for the sake of brevity, I refer you to my past blog article on spear-phishing emails.
Pretexting – this tactic is often used in conjunction with any of the abovementioned tactics and involves the infiltrators creating a “pretext,” or fabricated scenario, in which it seems normal or appropriate for you to share sensitive information with them. For example, they call random phone extensions at a target company, claiming to be with tech support, until they find someone who is actually having computer problems. Then, the attackers claim they need that person’s login credentials to fix the problem.
Quid Pro Quo – this tactic involves offering a gift in exchange for information. To be honest, I find this tactic the most frightening. Why? Because you wouldn’t think it would be that effective… but it is. In 2003, for example, an IT security group conducted an experiment at Waterloo Station in London. They randomly went up to commuting workers and offered each person a free (and very cheap) pen in exchange for his/her office password. Guess what? NINETY PERCENT of these people gave up their passwords. Just knowing that this experiment exists is enough to scare the life out of any IT security officer.
Tailgating – also known as “piggybacking,” this rather bold tactic involves infiltrating a target building directly. For example, one member of the attacking group gains entry by pretending to be a delivery driver, phone company employee, etc. Or there’s the simpler tactic of waiting by the front door of a secure area and, when someone comes along, pretending/claiming to be a new employee who either does not yet have or has lost his/her keys. Once inside, the attacker just needs to find one unattended computer into which to insert a thumb drive that’s been preloaded with a Remote Access Trojan (RAT).
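The baiting and tailgating scenarios above both end the same way: a thumb drive goes into a workstation. Alongside the user-awareness advice, it helps to have a technical tripwire for exactly that event. The script below is an added example (not code from the original article): it parses the kind of lines the Linux USB core and usb-storage driver write to the kernel log when a device is plugged in, and flags any mass-storage device whose serial number is not on an allowlist of company-issued drives. The log lines and the approved serial are constructed for the example.

```python
"""Flag USB mass-storage insertions in kernel log lines and compare them with
an allowlist of company-issued drive serial numbers.

Added example, not part of the original article. The log lines below are
constructed to match the format the Linux usb core / usb-storage driver emit,
and the approved serial number is hypothetical."""
import re
from dataclasses import dataclass, field

# Constructed sample log: a company drive, a keyboard, then an unknown drive.
SAMPLE_LOG = [
    "Mar 14 09:12:01 ws-17 kernel: usb 1-4: new high-speed USB device number 7 using xhci_hcd",
    "Mar 14 09:12:01 ws-17 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00",
    "Mar 14 09:12:01 ws-17 kernel: usb 1-4: Product: Ultra",
    "Mar 14 09:12:01 ws-17 kernel: usb 1-4: Manufacturer: SanDisk",
    "Mar 14 09:12:01 ws-17 kernel: usb 1-4: SerialNumber: 4C530001230312345678",
    "Mar 14 09:12:01 ws-17 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected",
    "Mar 14 09:12:02 ws-17 kernel: scsi host6: usb-storage 1-4:1.0",
    "Mar 14 11:40:19 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "Mar 14 11:40:19 ws-17 kernel: usb 1-2: Product: USB Keyboard",
    "Mar 14 11:40:19 ws-17 kernel: usb 1-2: Manufacturer: Logitech",
    "Mar 14 11:40:19 ws-17 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:046D:C31C.0005/input/input21",
    "Mar 14 13:05:44 ws-17 kernel: usb 1-3: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00",
    "Mar 14 13:05:44 ws-17 kernel: usb 1-3: Product: USB DISK 2.0",
    "Mar 14 13:05:44 ws-17 kernel: usb 1-3: Manufacturer: Generic",
    "Mar 14 13:05:44 ws-17 kernel: usb 1-3: SerialNumber: 07012C8E0A2F5B1D",
    "Mar 14 13:05:44 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected",
]

# Hypothetical allowlist: serials of the encrypted drives the company hands out.
APPROVED_SERIALS = {"4C530001230312345678"}

# Kernel message shapes (usb core enumeration, descriptor strings, usb-storage probe).
NEW_DEVICE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DEVICE_ATTR = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
MASS_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str          # bus-port path, e.g. "1-4"; unique while the device is attached
    vid: str
    pid: str
    first_seen: str    # syslog timestamp of the enumeration line
    attrs: dict = field(default_factory=dict)
    mass_storage: bool = False

    @property
    def serial(self):
        # None when the device presents no SerialNumber string descriptor.
        return self.attrs.get("SerialNumber")


def parse_usb_events(lines):
    """Group per-device kernel lines by port path; return devices in the order seen."""
    devices, by_port = [], {}
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"], line[:15])
            devices.append(dev)
            by_port[m["port"]] = dev   # a later device on the same port replaces it
            continue
        m = DEVICE_ATTR.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].attrs[m["key"]] = m["val"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].mass_storage = True
    return devices


def unapproved_storage(devices, approved_serials):
    """Mass-storage devices whose serial is missing or not on the allowlist."""
    return [d for d in devices
            if d.mass_storage and d.serial not in approved_serials]


if __name__ == "__main__":
    for d in unapproved_storage(parse_usb_events(SAMPLE_LOG), APPROVED_SERIALS):
        print(f"{d.first_seen} ALERT unapproved storage on port {d.port}: "
              f"{d.attrs.get('Manufacturer')} {d.attrs.get('Product')} "
              f"vid={d.vid} pid={d.pid} serial={d.serial}")
```

Run against the sample, the keyboard is ignored and the SanDisk drive passes, so only the unknown drive on port 1-3 is reported. Two caveats: a serial-number allowlist is a tripwire, not a trust boundary, because a device can present whatever serial string its firmware chooses; and a device that enumerates as a keyboard rather than as storage never matches the usb-storage line, so this filter will not see it.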
Dealing with a Social Engineering Attack
I know it sounds a bit harsh, but your first and best line of defense against social engineering is to be generally suspicious and skeptical of anyone you do not know… especially if that person is asking you to divulge proprietary, personal, financial, or otherwise sensitive information. However, there are also some more specific things you can do, whether over the phone or via email, to counter (or, if you want to have a bit of fun, annoy the heck out of) someone who is trying to use social engineering tactics on you.
Say “No” and hang up – simply put, if anyone (whether over the phone or in an email) asks you for any form of sensitive information… DO NOT give it to them. If you receive a phone call from anyone (I don’t care who they say they are) asking you for information about yourself, simply say “No” and hang up the phone. If the request might be legitimate, call the organization back on a number you looked up yourself, never one the caller gave you.
Never give out sensitive information – plain and simple. I don’t care if it is over the phone, via email, or just in casual conversation, you should not be sharing sensitive information with people you do not know (login credentials, date of birth, social security number, banking/financial info, mother’s maiden name, etc.).
Be smart when sharing on social media – a lot of people do not realize that social media posts can be found using a search engine (such as Google), even by people who are not on your list of “friends.” This means that you should assume anything you share on social media is publicly searchable. So think before you post information related to your job or to other private areas of your life.
Lock your computer/devices – a social engineer who has physically infiltrated an office building just needs to find one unattended and unlocked computer in order to load a RAT via the USB port. The same goes for phones and mobile devices, except in those cases they just install a malicious app. Therefore, you should always lock your computers and devices any time you leave them unattended, and have an automatic screen lock after a short idle period as a backstop for the times you forget.
Never violate security protocols – no matter what sort of “exceptional” situation someone comes to you with, always stick to your office’s security protocols. Remember, creating such situations is how “pretexting” works.
Answer their questions with more questions – So, let’s say you have someone on the phone who is asking you a lot of questions and/or making requests for private information. One pretty fun (or, at least, I have found it to be entertaining) way to mess around with them is to never give them any direct answers. Instead, keep replying to every single thing they say with a question. Take, for example, the following hypothetical dialogue:
Social Engineer (SE): “May I please have your login credentials?”
You: “Sure. Hey did you catch that game last night?”
SE: “Which game?”
You: “Which game did you watch?”
SE: “Ma’am I will need your login information to access your computer.”
You: “Are you sure?”
You: “Okay… what was your name again?”
You: “Jim what? What’s your last name?”
You: “Any chance you’re related to Richard Simmons?”
You: “Hey, do you remember ‘Sweatin’ to the Oldies’?”
And you more or less just keep doing this until the would-be social engineer either gives up, has an aneurysm, and/or goes completely insane. Once you get bored or run out of questions to ask, just hang up on them mid-sentence (they hate when people do that) and report the call to IT or your office manager.
Remember, in any cybersecurity situation, your best tools are being smart, skeptical, and properly educated. By employing these simple techniques, your office staff can avoid falling victim to the kinds of social engineering scams that have resulted in an unprecedentedly high number of data breaches over the last three years.