Wednesday, October 11, 2006

Social Engineering, Part 2

Understanding How Attackers Take Advantage of Human Nature

Authority
People have a tendency to comply when a request is made by a person in authority. A person can be convinced to comply with a request if he believes the requestor has the authority to make such a request. In our society, we have always been told not to question someone who is in authority.

For example, if a person requests a piece of information from you and claims that he is from the executive office, you will tend to comply without question because you know you should never challenge your bosses.

Liking / Deceptive Relationship
People have a tendency to comply when the requestor seems to share similar interests, beliefs, attitudes and background with the victim. We implicitly trust someone who is similar to us. We subconsciously believe that people who are similar to us will also think and behave in a similar way, and that they are always the good guys.

A deceptive relationship is built by sharing information or discussing a common enemy or problem with the victim, making the victim believe that they are in the same camp.

For example, when we are talking to someone who seems to share the same interests as us, we tend to let down our guard, go further in the conversation and reveal more information.

Reciprocation
We may automatically comply with a request when we have been given or promised something of value. When someone has done something for you, you feel an inclination to reciprocate. One of the most effective ways of influencing people to do us a favor is to give a gift or assistance that creates an underlying obligation.

Very often, we feel reluctant to decline a request from someone who has just done us a favor or given us a small gift, even though in our mind we are uncomfortable doing so. In our upbringing, we have been taught to remember those who have helped us and to help them back when needed.

Commitment and Consistency
People have the tendency to comply once they have made a public statement or commitment. Once we have promised to do something, we don't want to appear untrustworthy and will tend to follow through in order to be consistent with our statement or commitment.

Social Validation
People have the tendency to comply when doing so appears to be in line with what others are doing. The actions of others are accepted as validation that the behavior in question is correct.

When we are in doubt about whether to take a certain action, we look to the people around us to find out whether they did the same. Most of the time we simply follow what others did without questioning the validity of our decision.

When a social engineer asks a victim for information, he may mention that what he is asking for is a routine questionnaire and that the victim's peers have already responded to the same set of questions. The victim then feels no reason to decline: since their peers have done it, it must be the right thing to do.

Scarcity
People have the tendency to comply when they believe that the object sought is in short supply, or is only available for a short period of time.

People have a natural tendency to take advantage of offers made to them, such as a free gift if they just respond to a certain request. A social engineer may approach you and offer you a drink voucher if you will just spend five minutes completing a questionnaire for their survey.

Strong Affect
Strong affect plays on the victim's emotions. The attacker can create fear, panic or excitement.

For example, the attacker will make his request sound very urgent and stress out his victim so that the victim panics and reveals the information without careful thought.

Another example is to create excitement and surprise by telling the victim he stands a chance to win a big prize by registering as a member of some community or club.

The surge of strong emotion distracts the victim and impairs his ability to evaluate and think logically.

Diffusion of Responsibility
In this method, the attacker makes the victim believe that he will not be responsible or liable for his action. It is much easier to get someone to carry out an action if he believes that he does not have to answer for his decision.

Moral Duty
Humans feel great delight when they can do something to help others. The social engineer plays on this fact to convince his victim that he needs the information in order to help others.

For example, the attacker may ask the victim for his user name and password because he needs to simulate a network login to troubleshoot a network problem that has been troubling the victim's coworker.

Another example: a social engineer may ask you for the phone number of a friend he claims to have met before, because he has a business opportunity that your friend may be interested in. Of course you would want to help your friend, and how often would you think that giving out a phone number is a big deal? But the fact is that it sometimes is a big deal. The social engineer can use the phone number to find out about the owner's phone billing information, or sell the number to a third party for telemarketing.

Other Means of Social Engineering Attack

So far we have seen how social engineering attacks can be conducted using psychological and persuasion techniques. The other means of social engineering attack are through physical aspects (such as presence at the workplace, dumpster diving and on-line sources) and reverse social engineering.

Presence at the Workplace
The social engineer will make a physical appearance at the workplace or office of his victim or target. He will find ways to bypass the security check at the entrance. For example, in the morning when the crowds arrive for work, security can be circumvented because of the large number of people flowing in and out of the building; the security guard may not be able to keep track of all of them. A professional social engineer will dress just like the people around him so that he doesn't look out of place, walk confidently and pretend to be talking to someone in the crowd while walking into the lift.

Another way is for the social engineer to pretend that he has forgotten his badge, while saying something to show that he is familiar with the place and the people around it, so that the security guard believes he works there.

Once the social engineer gets in, he can then move freely within the building to find the information he needs.

Although this looks like a movie trick, it does work in real life.

Dumpster Diving
Dumpster diving is also known as trashing. This involves searching the company dumpster for useful information, and the effort usually pays off. How often do we ever think of the value of the documents that we throw into the dump bin? Something that seems to have no value to us can mean something else to other people.

A social engineer can find out people's contacts from an address book, software and hardware vulnerabilities from source code print-outs, people in specific positions of authority from the organization hierarchy chart, and company policy from business operation guides. This information gives the attacker a great deal of knowledge about how he should plan his next step.

On-line Sources
A social engineer can find a vast variety of information on on-line websites. Such information may include company product and service information, executive profiles, event calendars, and business partners and customers. The attacker can then use this information to learn about his victim and launch an attack against them.

Other on-line sources may include search engines, on-line chat rooms, newsgroups and discussion forums. Search engines reveal many links to a particular topic of interest. In newsgroups where people post questions seeking help with their problems, they may accidentally include sensitive information such as user names, passwords and system configuration details in their posted question.

Reverse Social Engineering
This is when the hacker creates a problematic situation for the victim and makes himself available to help fix the problem.

Consider the following phone conversation:

Hacker : "I am Bob from the IT department. Is this Joe speaking?"
Victim : "Yes. How can I help you?"
Hacker : "Hi, Joe. Other users have reported problems with their network connectivity. Are you having any problems with your network?"
Victim : "Everything seems to be fine."
Hacker : "That sounds good. But just in case you have any problem, please call me immediately so that I can fix it for you. You can call me at this number - xxxxxxx"
Victim : "Sure. Thanks. Bye"

Now the attacker proceeds to create the problem and waits for the victim to call for help. Once he solves the problem for the victim, the victim will be thankful, and the attacker gains the victim's trust and confidence. The attacker can then exploit that trust to extract valuable information from the victim.

However, reverse social engineering is more complex because it requires the hacker to gain access to the victim's network and computer ahead of time in order to create the problem, but it is not impossible.
