Social engineering resources

Pretexting: pretending to be somebody you are not

Social engineering and pretexting

Added May 11th: Find out how social engineering attacks work and get some ideas on thwarting them from this CERT podcast and EDPACS article by our CEO Gary Hinson.

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document.

Brazen robbers conned their way into a shared data centre in London by posing as policemen with a convincing story about intruders on the roof.

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon) looks like an interesting book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.

Well worth a read: The Art of Deception by Kevin Mitnick and William Simon (~$18 from Amazon) is reviewed elsewhere on this website. It describes social engineering techniques. Kevin’s original first chapter, which didn’t make it into the book, mysteriously appeared on the web. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers is another Kevin Mitnick and William Simon book (also ~$18 from Amazon). This book tells other hackers’ stories in nine main chapters. A tenth chapter gives further, albeit fairly basic, advice on social engineering controls.

Zen and the Art of Information Security by Ira Winkler is reviewed here. It’s a gentle introduction to information security for those with little if any prior exposure. Ira admits it is a book version of popular presentations he has given to non-technical audiences worldwide: we were left wanting more depth but then we are not the target audience.

‘Catch Me If You Can: the True Story of a Real Fake’ is the title of a biography and movie starring Tom Hanks based on the life of Frank W. Abagnale, an infamous fraudster. The descriptions of Frank’s brazen social engineering attacks are both entertaining and informative. Paperback ~$10 from Amazon. DVD $12.

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by a ‘special interest group’ of Chinese nationals.

A social engineer has been stealing the personal data of thousands of American corporate executives, including senior execs at Fortune 500 companies such as airlines, banks, manufacturers and pharmaceuticals, using ‘spear phishing’ (targeted emails).

Nigerian fraudsters are breaking into Web-based email accounts, impersonating the owners and sending pleas for money to everyone in their address books, asking them to wire emergency money to Nigeria. The emails weave some story about getting mugged or losing a wallet while on a trip to Nigeria.

“Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” [Wikipedia]

Kevin Mitnick’s entertaining autobiographical speech at the H.O.P.E. conference in July 2004 was recorded for posterity and is available as a streaming MP3 here and here. His 2005 keynote presentation at the Citrix iForum conference in Australia highlighted the threat of social engineering: “Mitnick said social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it’s free or very low cost, it’s low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem.”

A Dutch bank has been stung to the tune of £15m by a gentleman thief who used his persuasive charms and chocolate to obtain a key to the diamond safe.

In spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails. “Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read ‘Urgent - employment issue,’ and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site.”

A classic social engineering attack on a bank, as described by the boss of a penetration testing company, is just as scary as the case studies in Ira Winkler’s Spies Among Us. The perpetrator gains access to the bank network simply by posing as a photocopier technician. It’s scary because the story rings true. [More social engineering articles are available at DarkReading]

The US Senate looks likely to vote through a pretexting law on a fast-track procedure. Pretexting in general is already outlawed in California and throughout the US if used to obtain financial information.

Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or FaceBook.

“‘Phone Phishing’, a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to ‘take care’ of callers and often they are more than willing to help.” So says a piece in India’s Economic Times.

Hear someone turn the tables on a telemarketer, using ‘social engineering’ methods to persuade them they have called a police officer attending a serious crime scene. Very amusing.

Mike Berry clearly has a lot of fun baiting the 419 scammers through the 419eater website, even getting one to send impressive wooden sculptures of Creature Comforts characters and a Commodore 64 computer ... but there’s a serious undercurrent to this form of social engineering. Estimates vary but thousands of dollars are thought to be lost to 419ers every day and the scams remain as popular as ever.

Read NZ Ministry of Economic Development’s scamwatch website.

One way to get personal information out of people is through fake job ads. Candidates expect to supply a fair amount of information about themselves as part of the application process and, perhaps because of their circumstances, their guards are down. Enterprising social engineers are evidently using the opportunity to obtain sufficient information to commit identity theft.

Social Engineering, the USB Way is a worrying report into a successful penetration test using a mixture of social engineering and malware techniques. One morning before work, the testers scattered USB thumb drives containing Trojans in the parking lot and smokers’ corners outside their target credit union premises. The workers duly discovered the ‘lost’ drives, took them in, plugged them in and compromised their systems’ security. The worrying part is the success rate, the potential impact and the likelihood of success elsewhere. Possible controls include security awareness training, antivirus tools, IDS and USB blocking software.

Identity theft often involves a social engineering element. A Cyber Security Tip from CERT offers some practical advice to reduce the chances of being taken in by the identity thieves, and to identify and respond to them if you are.

The Washington Post reported that people falsely claiming to be unannounced inspectors working for a US government hospital inspection body were identified as imposters and ejected from at least three hospitals. Their motives were unclear. Up to two weeks before the last incident, the inspection body had routinely posted the names of its inspectors on its website (’nuff said).

Social engineers’ skills are not limited to the realm of computing. A British court case involving someone who tried to con his way into Windsor Castle has led to the press digging up information on his past exploits.

Gartner predicts that social engineering is “the single greatest security risk in the decade ahead” [... or at least until Gartner’s next security report ...].

A US-CERT Cyber Security Tip offers basic advice to reduce the risk of social engineering and phishing.

How to Defend Your Network Against Social Engineers recommends, amongst other things, developing and enforcing a security policy addressing social engineering, and training users in how to recognize a social engineering attempt. [Naturally, we’d recommend NoticeBored for that, and more].

Sarah Granger has written a good overview of social engineering including suitable controls. Part 1, Part 2.

Social Engineering 101 is an unmoderated bulletin board system where people post questions and answers about social engineering. The techniques described are pretty naive ... but are probably quite effective nonetheless.


Related NoticeBored links collections

Hacking, incident management, identity theft, privacy & data protection, physical IT security, email security, IT fraud, Internet security, mobile computing & teleworking, malware and security awareness


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd.