Social Engineering – The Mental Game, Part II.

Now, let’s talk technical.

Malicious executable are used to deliver a payload to a victim. These can be very technical packages that can be used for remote access to the victim’s host or can be much simpler making the attack footprint and code smaller by simply prompting the user for a response.  Email attachments are one of the best known social engineering attack vectors. Sending a file with malicious code embedded within it and waiting for the user to execute or open it. These attacks are some of the oldest social engineering attacks.

Spam and Chain letters, these types of attacks are not inherently dangerous, but can be used by social engineers for information gathering or other nuisance purposes.

Websites, every website, on the entire internet, is bad…. Well, not really, but an attacker can use both public and organization owned websites to execute attacks against victims. From creating a hijacked copy of google and embedding malicious code within that executes when a user browses to the page to executing an attack against a vulnerable web application that is owned by the organization targeting the users. Websites can be used for many many different types of social engineering attacks.

PsyOps or Psychological Operation.  We have talked about the actions of the attacker and looked at the vectors that the attacker may use, but now we are going to focus on why these things work. The psychology behind the success of a social engineering attack is the goal of this publication.

The first is the diffusion of responsibility. Diffusion of Responsibility explains why we are more likely to take action in a situation where the victim is made to believe that someone else is responsible for their actions. This can be likened to group think or mob mentality. When we as humans believe that there are others that can be blamed for our actions should something adverse result we are likely to execute that action. If we have to take sole responsibility for the action, we think through them more.

Ingratiation or the expectations of doing something that will result in the victim being the the good graces of someone of authority.

A social engineer will make the victim believe that if they do the requested task that the victim will be rewarded or have an in with an authority figure. The human mind seeks acceptance and most people want to strive to success within their organization, an attacker to make the victim believe they are going to help their career grow in some cases can leverage this.

Trust is important, there must be some kind of trust relationship between the attacker and the victim, if not, the attack will not be successful. Establishing a moral duty to the victim, making them feel as though the need to comply with the request or something bad may happen. This can lead to a high level of success, but can have deep psychological impacts on the victim.

Guilt is another valid attack vector. Most humans do not enjoy the feeling of guilt and avoid situations that may place the person in a position to feel guilty. Social engineers create situations where they are able to create situations that pull on the heartstrings of the target, manipulate empathy, and create sympathetic feelings. They create situations where believing if they do not fulfill the request it will lead to a significant problem and often weigh the balance in favor of compliance with the request.

The social engineer wants the victim to identify with them at a human and personal level. The more the victim feels connected and identifies with the attacker the larger the success rate of the attack. And, again back to the inherent human trait of wanting to help. The attacker will always leverage this by against the victim and in many cases goes unlooked at. In the end, the social engineer wants the victim to cooperate; they will attempt to guide the victim using things that make sense to them. But the attacker controls the direction.

In some cases, a social engineer will execute a direct request for the information or data. This can be done by simply asking for it, these attacks are not the most successful, but they are used.

The more in-depth the situation or more vectors that a social engineering attacker is able to build into the overall situation or express depth that may have brought them to the situation of initiating contact can leverage make the victim more likely to assist. In the end a social engineer wants the victim to perform the task without thinking that anything is happening. This means the victim will spend less time considering the actions or initiating the process for mitigation of an issue.

Let’s look at some of the potential areas that a social engineer will attempt to execute an attack against.

Passwords are the weakest security control. Many people have trouble remembering them or reuse passwords over and over. This has always been the most basic security control available, but most widely integrated.

Modems are still widely used in many organizations still today. Many organizations may also not be aware that they are still active. This can allow an attacker to execute attacks known as WarDialing, made famous by the movie War Games. Help Desk is another vector many social engineers will use. The Help Desk of most organizations is to provide just that, Help. These people are used to providing information or access to personnel that are having issues. If a social engineer is able to successfully impersonate someone within the organization the Help Desk may provide detailed information just by doing his or her job.

Let’s look at some of the common defenses that we have available. Everyone that enters an organization’s location should have to be processed by some kind of physical security barrier. This can be a security guard or a technical control such as badge access. Everyone that enters a organization’s building should have some kind of identification, this includes contractors, business partners, vendors, and employees. Passwords should never be spoken aloud or over the phone nor written down and left lying around. Passwords can be difficult to remember, especially complex passwords, many people have been found to keep these written on a post-it note and stuck under keyboards.

Shredders and shredder entities should be employed for protection business critical physical documents. It should be noted that just because someone appears to be from an organization that takes these documents does not mean that person actually picking up the documents cannot be impersonated. Validation of personnel that interact at any level with business critical or secure documentation should take place at every level.

Policies and procedures should be in place within the organization, available to every employee, and clearly state the execution and elevation of an incident should one occur. Policies should include information related to account setup, password change policy, help desk procedures, access privileges, violation handling, unique user identification, confidential information handling, modem usage and acquisition, secure sensitive areas, privacy policy, and a centralized security repository for retention of the information.

A good training program will also assist in reducing the success of an attack. If a victim is able to recognize the signs of an attack early they can initiate the response procedure and restrict or reduce the impact of the attack. Some of the signs that can initiate the recognition process are things such as the attacker refuses to provide return contact information, a rush to have the requested action performed, providing names of key individuals or people of importance within the organization, intimidation, small mistakes such as spelling in the case of a phishing campaign, and the request of secure or otherwise critical or forbidden information.

To protect our organizations, the data, and ourselves each person is responsible for successfully stopping a social engineering attack. Training is key to the success. Understanding the techniques and attacks used will provide each individual with the knowledge of what to be aware of. Trust your instinct or gut, everyone has a gut reaction to human-to-human interaction. This instinct goes a long way towards determining if something is a coincidence or a pattern. Notification and execution of the response plan, if an individual does not know what to do should an attack take place it may go a long time before it is disclosed, controlled, mitigated, or remediated. Test the organization’s and personnel’s readiness against an attack. Having a social engineering penetration test can provide the organization data metrics to better understand their current stance, but also provides a map for future maturing of the program as a whole.