Henry Dalziel | General Hacking Posts, Hacker Hotshots, Latest InfoSec News | February 25, 2013
Not that long ago we organized an excellent Hacker Hotshots session with Chris Silvers titled: Go With the Flow: Strategies For Successful Social Engineering. He outlined several “easy” ways to socially hack companies and corporations and get them to relinquish sensitive information, either by handing it over directly or by enabling a method through which the attacker can extract it. Many social engineering hacks of 2013 involve sophisticated attacks, while others rely on simple, physical brute force.
Chris used a lot of phone call demonstrations that show just how possible it is to manipulate a person into doing something, or into giving away information they otherwise wouldn’t.
Here is our list of popular social engineering hacks that we came across when researching the Hacker Hotshots presentation of December 4th: “Strategies For Successful Social Engineering”
1. Social Networks
Having your Facebook account hacked can easily result in a friend (a genuine friend of yours) receiving a request for cash because your “wallet was stolen” whilst you were travelling. An email from a friend is taken to be exactly that: from a friend, so the barrier of trust is already down.
2. “Someone has a secret crush on you! Download this app and find out who it is!”
This social engineering attack also comes from social networks like Facebook. Facebook applications are for the most part free of malware or bad intent, but some still carry nefarious objectives. The wording of the app is all-important and needs to press some fundamental human emotional buttons, because, as the title of this entry states, who wouldn’t want to know who has a “secret crush on you!”
The “I love you” computer worm that attacked millions of Windows personal computers on May 5th 2000 started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The success of this download was due to the wording.
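As an added example (not code from the original post or from Concise Courses), here is a small Python check in the spirit of that attachment name: it flags e-mail attachments whose final extension is a script or executable hidden behind a harmless-looking inner extension. The message it scans is constructed for the demo and carries no real payload.

```python
"""Flag attachments whose real (last) extension is a script or executable
hidden behind a decoy extension, e.g. LOVE-LETTER-FOR-YOU.txt.vbs."""
import email
from email import policy

# Extensions Windows runs as a program or script when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "ps1"}
# Extensions a user reads as harmless data (assumed list).
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "jpg", "jpeg", "png", "gif", "zip"}


def classify_attachment(filename):
    """Return a reason string if the filename looks deceptive, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension: .{parts[-2]} decoy hiding .{last}"
    return f"executable attachment: .{last}"


def flag_message(raw):
    """Parse a raw RFC 822 message; return [(filename, reason)] for risky parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reason = classify_attachment(name)
            if reason:
                findings.append((name, reason))
    return findings


# Constructed sample message mimicking the ILOVEYOU lure (placeholder body, no worm).
SAMPLE = """From: friend@example.com
To: you@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

please see the attached letter.
--b1
Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.txt.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.txt.vbs"

rem placeholder, not the worm
--b1--
"""

if __name__ == "__main__":
    for name, reason in flag_message(SAMPLE):
        print(f"{name}: {reason}")
```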
3. “Click this link!”
On the same subject of effective copy used to set up a social engineering attack, social engineers title an email to solicit an action, i.e. getting the user to “click here”. Again, the attacker’s ideal set-up is to have gained access to a user’s social account or email account. Opening and clicking on a link from someone you know is second nature because of the inherent trust involved. Visiting an infected site or page from an email can install malware on your machine, either by a Java drive-by or another means. Another good example is the Twitter spam we often receive with the subject “Did you see this video of you?”; again it’s a play on words. Look at the 2nd “secret crush” scam and you’ll see how connecting on an emotional level ensures a pretty decent success rate for the hackers.
4. Fake office IT Support
This is a pretty varied but very popular social engineering attack whereby someone pretends to be an IT Support Technician and offers to fix a “broken computer” or an “infected machine” that contains viruses and malware. All it takes is confidence and authority in the voice and choice of words. Again, refer back to our Hacker Hotshots event with Chris Silvers and listen to some of the calls that he and his team made to solicit passwords and other sensitive information. In some extreme examples the attacker will actually enter the business and pose as an IT Technician. We learned about a technique called “tailgating” when we compiled our Concise Courses CompTIA Security+ Information Pack; it is actually a unit within section 3.0 Threats and Vulnerabilities of the syllabus. As the term suggests, tailgating is when an attacker attempting access to a building purposely waits near an office lobby for real employees to enter the building with their genuine ID cards; as they open the door, they politely hold it open for the attacker. Appearance is vital for this to work. Being dressed the way an IT Technician would be for that particular organization will certainly assist this particular social engineered scam.
5. Phishing lures
Receiving an email that claims that you have not paid for an item on eBay can very often solicit an action from an unsuspecting victim. You might think that that is a ridiculous scam that will not affect anyone, but as long as the attackers are sending out millions of messages like that, even a low success rate is profitable. Like several other social engineering attacks listed in this post, the eBay Phishing Lure Scam also works on a human emotion. eBay users are very aware of the impact of receiving negative reviews, therefore any message that arrives in their inbox from someone who seems to be from eBay often results in an action being taken. When the user falls for this attack they can be sent to a spoofed eBay page that looks just like the real login page, with the user’s login information being captured and then used against them to withdraw funds etc. Withdrawing funds from eBay is often possible owing to the fact that many users’ login information for their eBay and PayPal accounts will be the same. One defence against this particular scam is to manually open up a browser and visit your account yourself: is there a message in your eBay inbox? If yes, then it is genuine. If not, then ignore the other message.
6. “You have been dismissed” or “Help victims of ‘fill in the blank’ natural disaster”
Social engineering tactics are becoming increasingly specific. Sending out blanket emails to hundreds of employees saying that regrettably their position at the organization has been terminated and that they must download a certain form etc. can have a decent success rate. Why? Because perhaps there was a rumour circulating that redundancies were inevitable owing to the financial crisis. Timing is everything with this scam.
Unfortunately, every time there is a natural disaster there is an associated social engineered attack. Again, as is consistent throughout this blog post, the natural disaster scam, along with the redundancy email, plays on human emotion and curiosity.
7. Hijacked Twitter hashtags
Social engineers just need to look at what is trending on Twitter to fabricate or hijack a hashtag that has an embedded link to a malware site or Java Drive-by.
Social engineering scams, techniques and methodologies continue to grow and amaze us here at Concise Courses. Bottom line is this: use your common sense. Love everyone but trust no one when online. Have you been a victim of a social engineering scam or attack? What do you think of our list? Are we missing an obvious method?