Sunday, April 8, 2012

Social Engineering - Exploiting the Human Element of Security


"Hi, this is Rick from [Internet Service Provider]. We're seeing some unusual traffic from your location. It's most likely nothing to worry about, but we have a field tech on his way to diagnose the problem. Can you make sure he has access to the network to run some quick tests?"

At most, this phone call may take 3-5 minutes, and already the risk for the target being compromised is very high, especially if the individual on the other end of the line agrees to help the "field tech" (very likely the same person who called). This technique is one very specific example of "Social Engineering," and throughout this post, we will see how these techniques are often leveraged by attackers to exploit the human element of security for malicious gain.

"What is Social Engineering?" describes social engineering as "the act of manipulating a person to accomplish goals that may or may not be in the 'target's' best interest"; however, the actual scope of social engineering is usually more general, covering the leveraging of any physical or social vulnerability that results in the disclosure of confidential information or produces the desired outcome. Using this broader definition, social engineering can be thought of as an assessment of non-technical vulnerabilities. This includes things such as:
  • Testing the Human Element of Security
  • Dumpster Diving
  • Physical Security Assessments
  • etc.
Social engineering can be very effective. For example, it accounted for 7% of the security breaches in 2012 included in Verizon's 2012 Data Breach Investigations Report. While this number may seem low, these attacks resulted in 37% of the total records compromised, and very likely took less time to execute than the other methods of attack.

Many people may wonder why social engineering works as well as it does. This is largely due to the inherently trusting nature of people. Individuals either don't want to believe that someone is trying to manipulate them, or don't think they have anything worth stealing, which, as we will see, is a common yet dangerous error in judgment.

Some Key Terms

Since social engineering encapsulates many different areas of study (including those such as psychology and physical security), there are some key terms that will help when understanding the anatomy of a social engineering attack:
  • Active Information Gathering - Means of obtaining information through techniques that involve contacting the target directly.
  • Dumpster Diving - The process of searching one's garbage in an effort to reveal sensitive information, or information that will further help develop a pretext.
  • Passive Information Gathering - Means of obtaining information without directly contacting the target.
  • Phishing - The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information.
  • Preloading - Influencing subjects before the event.
  • Pretexting - The act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
  • Rapport - A close and harmonious relationship in which the people or groups concerned understand each other's feelings or ideas and communicate well. In terms of social engineering, this could be considered the measure of comfort and trust an individual has in the social engineer.
  • Spear Phishing - The practice of sending specially crafted phishing e-mails to specific, targeted individuals (usually of a high-profile nature) in order to increase the chances of obtaining personal information from the individual.

Anatomy of a Social Engineering Attack

A social engineering attack generally follows the same process as any penetration test, in that the attacker first performs reconnaissance to enumerate possible attack vectors. Then, the attacker performs the social engineering, and will then use the gained information (if successful) to perform further attacks. The primary difference between a standard penetration test and a social engineering attack is that the social engineer usually knows what information or action by the target he/she needs ahead of time, and obtains bits of information to lead up to the acquiring of the targeted information or action by utilizing the most beneficial attack vectors.

This leads us to one of the chief philosophies of social engineers:

All Information is Good Information

Social Engineers thrive on information, and the ability to elicit information without raising alarm in the target is an absolute necessity. There are many techniques that can be used to gather information including passive information gathering and active information gathering. There are many sources of information that can be used for passive information gathering including (but certainly not limited to) the target's website, WHOIS documentation, general surveying of the target's physical location (or even Google Maps viewing of the location), general server information (such as running services and versions, operating systems in use, IP addresses, make, model, etc.), and social media (see "Social Engineering in Social Networks"). There are even some automated tools such as Maltego which can automate this information gathering process.
In addition to using technical resources to gather information about a target, an attacker can also leverage vulnerabilities in the way the company disposes of sensitive information. This is commonly known as dumpster diving. If a company does not take measures to effectively shred sensitive documents (such as customer information, equipment listings, third-party contracts, etc.), then an attacker can find all of these sitting in a dumpster outside of the building. This passive technique is commonly employed by attackers because it proves to be very, very effective. For example, if a social engineer needs a good pretext, he/she can sift through the target's trash to find a bill for services provided by, say, an Internet Service Provider. Then, he/she can pose as this ISP (see example at the beginning of the post) to get closer towards achieving his/her end goal.

After the social engineer has obtained information via passive means, he/she will use that information to generate possible pretexts and attack vectors to be used in active information gathering. Let's take a look at a couple of examples:
  • Company A provides a service to customers through a third-party web application created and maintained by Company B. The attacker, by viewing Company A's "robots.txt" file, finds an administrative control panel for this application that requires a username and password. Then, by viewing the WHOIS record for the domain, the attacker finds the name and e-mail address of Company A's system/network administrator. The attacker could then contact Company B with the pretext of being Company A's administrator, requesting a password reset in order to gain administrative access.
  • By sitting in a vehicle in Company A's parking lot, the social engineer sees that access to the inside of the building requires a unique badge with an embedded RFID chip. However, he/she also notices that around 11 AM, some employees gather outside of the building to smoke and carry a conversation. Seeing the opportunity, the attacker joins them for the daily smoke break posing as a fellow employee, politely carrying on conversation. Then, when everyone begins heading back inside, the attacker simply tailgates behind one of the employees, holding the door for the rest. The attacker now has gained unauthorized access to the building.
  • By viewing the "Letter from the CEO" portion of Company A's website, the attacker is able to find the CEO's e-mail address. By searching for this e-mail address in Google, the attacker is able to find a business executive's forum where the CEO has asked questions in the past. The attacker is then able to send a specially crafted e-mail which contains a malicious link (that appears to come from this forum) to the CEO, which will very likely be opened and successfully compromise the CEO's workstation.
In these examples, the attacker would create a believable pretext which would allow him/her to pose as someone in order to achieve the desired results. These pretexts could range from a fellow employee, to support personnel (as seen in the beginning example), to the targets themselves. The key for a social engineer is to pick a pretext that is believable and effective. A good example of a social engineer using the pretext of a Fire Inspector can be found here.
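The first scenario above turns on a file that is public by design: anything listed in robots.txt is readable by everyone, so a Disallow line for an admin panel advertises the path rather than hiding it. The following is an added example, not code from the original post, of the check a defender can run against their own site's robots.txt before an attacker reads it. The file content and the list of sensitive path hints are constructed for illustration.

```python
# Added example (not from the original post): audit a robots.txt file for
# Disallow entries that advertise sensitive paths such as admin panels.
# The robots.txt content below is constructed for illustration.

SAMPLE_ROBOTS_TXT = """\
# constructed sample, not a real site's file
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin-panel/
Disallow: /backups/2011/
Allow: /public/
Disallow:

User-agent: Googlebot
Disallow: /staging/login.php
"""

# Path fragments that usually mark something you would rather an attacker not
# find. Assumption: this list is a starting point, not an exhaustive one.
SENSITIVE_HINTS = ("admin", "login", "backup", "config", "private", "manage", "staging")


def parse_disallowed(text):
    """Return (user_agent, path) pairs for every non-empty Disallow line.

    Comments (after '#') are stripped, and an empty Disallow, which means
    'allow everything', is ignored.
    """
    entries = []
    agent = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            agent = value
        elif key == "disallow" and value:
            entries.append((agent, value))
    return entries


def find_sensitive_paths(text):
    """Return the disallowed paths whose name hints at a sensitive resource."""
    hits = []
    for _, path in parse_disallowed(text):
        if any(hint in path.lower() for hint in SENSITIVE_HINTS):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in find_sensitive_paths(SAMPLE_ROBOTS_TXT):
        print("robots.txt advertises:", path)
```

Every path the audit reports should either be removed from robots.txt (it gains nothing from being listed if it is already behind authentication) or, better, not be reachable from the public web at all; keeping crawlers away from a login page is not a substitute for access control.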

It is very common, however, that an attacker might have to make multiple active contacts with the targets to elicit information one piece at a time - perhaps using a multitude of pretexts. For example, if the goal of the attacker was to gain access to a critical server that housed intellectual property, he/she might first contact the company as an employee in the field who needs technical support, in order to find out the internal extensions of the administrators. Then, he/she might use elicitation techniques over the phone to find out the standard procedure employees must follow to change their passwords. After all of the necessary information has been gathered (along with discerning any internal "lingo" that might help make the attacker seem more credible), the attacker would make the final call to the administrator as an employee and attempt to manipulate him/her into creating an account or changing the password on an existing one. This would allow the attacker to effectively bypass any technical controls in place and steal the intellectual property.

It is important to remember that the goal of both passive and active information gathering techniques is to increase the effectiveness and credibility of the attack. A social engineer wants to achieve the desired result the first time - and usually does.

Phishing

Phishing, or "attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication"[1], is the most common social engineering tactic (as everyone has most likely received SPAM mail before), so I felt it deserved its own section.

We've all gotten SPAM e-mails that attempt to lure us to a (usually malicious) website. Most of the time these are obvious and stick out like a sore thumb to make it easier to delete - if it managed to bypass the filters in place. However, there is a particular type of phishing called "spear phishing" that can be surprisingly effective.

As noted above, the difference between spear phishing and phishing is simply that spear phishing is specially crafted to be more effective when sent to a particular target. Everyone has interests and things with which they are familiar. If we receive an e-mail pertaining to those interests or familiarities, then we are much more likely to click on it. This can be used in a variety of ways by social engineers. Since e-mail headers can be easily spoofed, an attacker can send an e-mail to the CEO posing as the CFO of the company that includes "urgent financial reports", which are really a malicious trojan that would compromise the CEO's computer.

Although SPAM filters have greatly increased in accuracy, there will always be some messages that slip through the cracks. As a defense, one must be aware of this, and always verify with the supposed sender before opening a suspicious attachment or link.
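The CFO-to-CEO scenario above relies on the reader trusting the display name in the From header. Whether a filter catches such a message depends on checks that can be scripted; the following is an added example, not code from the original post, of a few of them run over two constructed messages: does the Return-Path domain agree with the From domain, is the From domain a look-alike of the organisation's own domain, does an executive title appear in the display name of an external sender, and does the subject line push urgency. The internal domain example-corp.com and both messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example (not from the original post). Assumptions: the organisation's
# own domain is example-corp.com, and the two messages below are constructed
# for illustration rather than captured from a real mailbox.
INTERNAL_DOMAIN = "example-corp.com"
EXEC_TITLES = re.compile(r"\b(ceo|cfo|cto|coo)\b", re.IGNORECASE)
URGENCY_CUES = ("urgent", "immediately", "asap", "action required")

SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-blast.example.net>
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
To: ceo@example-corp.com
Subject: URGENT financial reports
Content-Type: text/plain

Please review the attached reports before the board meeting.
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <jane.doe@example-corp.com>
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
To: ceo@example-corp.com
Subject: Q1 financial reports
Content-Type: text/plain

Reports attached, as discussed.
"""


def domain_of(header_value):
    """Extract the lower-cased domain from a From or Return-Path header value."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(candidate, genuine):
    """True when two domains differ only by common digit-for-letter swaps (1/l, 0/o)."""
    swaps = str.maketrans("10", "lo")
    return candidate != genuine and candidate.translate(swaps) == genuine.translate(swaps)


def analyze_headers(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    findings = []
    if return_domain and return_domain != from_domain:
        findings.append("Return-Path domain does not match From domain")
    if is_lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append("From domain is a look-alike of the internal domain")
    if from_domain != INTERNAL_DOMAIN and EXEC_TITLES.search(display_name):
        findings.append("executive title in display name but external sender")
    subject = msg.get("Subject", "").lower()
    if any(cue in subject for cue in URGENCY_CUES):
        findings.append("urgency cue in subject line")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", analyze_headers(raw) or ["no findings"])
```

Return-Path is written by the receiving mail server, not the sender, which is why it is worth comparing against From; in a real deployment the same script would also read the server's Authentication-Results header (SPF, DKIM and DMARC outcomes) rather than relying on string comparisons alone. None of these checks replaces the advice above to confirm with the sender out of band before opening an unexpected attachment.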

Automated Toolkits

Just like Metasploit offers an automated exploitation framework, there are different toolkits available to automate the process of crafting and deploying a social engineering attack.

The first (and arguably more well known) of these toolkits is called the Social Engineer's Toolkit (SET). Developed in Python by Dave 'ReL1K' Kennedy, and included in the popular pentesting distribution BackTrack, SET has become a very useful tool for penetration testers. While this is not a tutorial on how to use SET (though one may come later), its primary capabilities are:
  • Creating a malicious clone of an existing website which contains one of numerous different payloads, ranging from Java-based attacks to Metasploit payloads.
  • Crafting and sending phishing e-mails via mail-relays or Gmail.
For more information on SET, visit:

Another well-known and commonly used social engineering toolkit is the Simple Phishing Toolkit (spt). This toolkit was originally designed to help system administrators measure social engineering awareness and the effectiveness of the training given to employees.

spt works primarily by allowing administrators (or social engineers) to create "campaigns", which are the equivalent of a social engineering attack. This works by creating phishing e-mails, sending them to a list of targets, and then tracking the results.

For more information on spt, visit:

Social Engineering in Social Networks

The creation of social networking sites such as Facebook creates new opportunities for social engineers. The ability to share links can be a very useful feature, but also a very dangerous one. Consider all of the "Facebook scam" posts. These usually include an appealing title designed to provoke the user into clicking the given link to see the enticing content. While one might think that these can be seen and avoided from a mile away, it should be noted that these scams can have a very large impact in a very short time.

In addition to the active attack vectors found in submitted malicious links, social engineers can use popular social networking sites for passive information gathering as well. The premise for this tactic is simple: essentially everyone has a Facebook. This includes the targets of the social engineers. These accounts contain information that would prove to be very useful when creating pretexts to use in an active attack. One could argue that, if configured properly, this type of information wouldn't be accessible. However, the counter-argument to this would be that:
  • Even if people have their privacy settings configured properly, an attacker could try to "friend them" on Facebook with an appealing profile.
  • If someone refuses to accept friend requests from people they don't know or trust, an attacker could change angles, try to befriend the target's other friends first, and then send a friend request to the target. By seeing multiple mutual friends, the target is more likely to accept the request. An example of this in action can be seen here.

Hopefully this post has given you some insight into the ease of attack and the danger associated with social engineering. By preying on people's trust, social engineers are able to extract information or manipulate people into performing specific actions very quickly and very easily, usually with a low rate of detection.

Given the nature of these vulnerabilities, the only real mitigation techniques for social engineering attacks are awareness and training. Testing employees by exposing them to mock social engineering attacks that emulate the real attack process (perhaps using tools such as spt, mentioned above) will cause them to realize just how easily they can be exploited. And, just like any mitigation, being reactive accomplishes nothing. Being proactive in training employees can be the difference between a successful and an unsuccessful social engineering attack. It is important to note that training is not a panacea, as people will always be inherently trusting of others; at the least, though, it might cause an employee to think twice before opening an attachment, or giving network access to the ISP field tech who walks in the door.

Security is always only as strong as its weakest link, and unfortunately, with the ever-trusting nature of people in addition to the lack of foolproof mitigation strategies, the human aspect of security will always be the weakest.

  • - Provides a complete social engineering framework (more thorough than what was provided here), as well as a blog to keep up-to-date on all things social-engineering related. 
  • CTF - The team at host started hosting a Capture-the-Flag contest at Defcon in which contestants attempt to use social engineering techniques to extract specific, yet fairly benign, data from large companies. The results of these contests (found at the link) can provide excellent insight into the types of attacks and information gathering techniques employed, as well as the success of these methods.
  • Social Engineering: The Art of Human Hacking - Written by Christopher Hadnagy, this book provides a very in depth look at what social engineering is, the psychology behind it, and methods that attackers would use in a social engineering attack. This book also provides great examples and case studies of attacks - I would highly recommend it!
