InfoSec Blog - Everything You Wanted to Know About Social Engineering but Were Afraid to Ask
May 13, 2016
What is Social Engineering?
If you think about hacking, your mind may automatically go to the Hollywood-style hacking seen in blockbuster movies or you might envision a hoodie-wearing hacker living in his parent’s basement typing lines of malicious code. But in reality, there is a much easier way to get sensitive information and to gain access to someone’s account. In most cases it is much simpler to trick someone into giving out their password than it is to try to hack it.
And that is Social Engineering – a non-technical approach to hacking which relies on human interactions and not technology. And let’s be honest…since it relies on human interaction it is usually quite successful, because humans are prone to errors in judgement.
Here is an amusing but quite accurate illustration of how easy it can be. While this Jimmy Kimmel segment may be an exaggerated example, check out how easily these people gave up their passwords without even realizing it! Watch the video here.
In more sophisticated attacks, a social engineer may be after sensitive information or system access. A skilled social engineer will be respectable and completely believable, possibly claiming to be a new employee, repair technician, or manager in another department. By doing reconnaissance ahead of time, they may know enough information about the company, such as reporting structure and internal processes, to sound believable. They will then leverage that knowledge and our natural human tendencies to appear trusting and helpful in order to gain access or information they shouldn’t have.
Kevin Mitnick is a reformed computer hacker and social engineer, and in his book, Ghost in the Wires, he details several accounts where he successfully used social engineering tactics to gain access to sensitive data, systems, and software from many large corporations just for the sheer thrill of it. The book is an excellent read and highly recommended for anyone interested in cyber security.
For example, many of the cons in Mitnick's book revolve around the theft of credit card or Social Security numbers. In one case, he pretended to be the manager at a chain video store. Over a period of time he built up a friendship over the telephone with a clerk at another location of that video store chain across town. One day Kevin called up the clerk he had befriended, claiming that his computer was down, and said, "I've got a customer of yours here who wants to rent Godfather II and doesn't have his card with him.... Could you verify his information for me?" Trying to help, the clerk revealed the target customer's name, address, credit card number, and his recent rentals. Pretty simple and scary, right?!
Another great example of how simple and effective social engineering was recently documented by the show ‘Real Future’. Focusing on several highly publicized breaches in the past couple of years, the host, Kevin Roose, was interested in seeing how it was done and just how bad it could be. He invited a couple of expert hackers to do their worst…and they did! Watch the video here.
How do you avoid being a victim?
Now that you know what social engineering is, here are some tips on how to avoid becoming a victim yourself:
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
Always ensure all sensitive documents are locked away and not easily accessible on your desk. Even seemingly innocent documents, such as organizational charts, can be very valuable to a social engineer.
If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company. Don’t use a call back number provided by the individual, but instead find the number from a reliable source. For example, only use the phone number on the back of your credit card to reach your provider, never one provided in an email or left as a voicemail.
Similarly if the request comes via email, if you are unsure whether the email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
Do not provide personal information or information about the University of Guelph, including its organizational structure, networks or systems unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Don't send sensitive information over the Internet before checking a website's security.
Pay attention to the URL of websites. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
Install and maintain anti-virus software on your computer.
Take advantage of any anti-phishing features offered by your email client and web browser.
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about the University, report it to the Information Security team (firstname.lastname@example.org).
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft. More information can be found here - https://www.us-cert.gov/ncas/tips/ST05-019
Written by: Stephen Willem (Manager, CCS Information Security)