Social Engineering

In the spring of 2006, an information security company in Europe conducted a survey just outside Victoria Station in London, asking people about their Easter candy giving habits.  They stopped people at random and lured them into participating in the survey with the promise of winning up to 60 pounds of chocolate. Eighty-one percent of commuters they spoke with were willing to part with all the personal information needed to steal their identity for the chance to win the imaginary sweets.

In June of 2006, a consulting service was asked to test the security of a credit union. The consultant was told that the employees were aware that something was up and would be on the lookout for attempts to get past their security measures. The individual in charge of the test gathered together all the leftover USB pen giveaways lying around his office. He had one of his staff write a simple Trojan horse that collected passwords and emailed them back to the consulting company, and loaded it onto the USB pens. He then went to the office of the credit union at 6:00 am and scattered the pens all around the grounds: parking lots, picnic areas, entryways, etc. Later that morning he watched while the employees arrived for work. Sure enough, they started picking up the pens when they found them and putting them in their pockets. Back at the consultant's offices, the staff began receiving emails containing passwords and other confidential information transmitted by the Trojan. Curiosity had gotten the better of the credit union employees. They had plugged the USB drives into the company's computers and opened a hole in the company's security measures. Confidential information was leaking from their systems... and they didn't even know it.

These are two classic examples of social engineering, manipulating human behavior to put people and information at risk. In this section, we'll examine different social engineering techniques and tactics.

Social Engineering Techniques

Impersonation & Pulling Rank:
Impersonation involves an attacker assuming the role of an individual who pretends to have some legitimate need for the information being sought. The assumed role could be that of an actual employee, or someone outside the organization who purports to have a relationship with the company, or is simply doing some work on the company premises (e.g. phone repair).

This can easily evolve into a slightly different tack where the attacker assumes the role of someone in a position of authority, i.e., pulling rank. It doesn't require a precise impersonation of the company officer, just an assumption of that position's authority. Who among us doesn't want to please the boss, or the boss's administrative assistant? By adopting a high-status attitude, an attacker can get what she is looking for.

A particularly effective variation of this technique is to impersonate someone with authority coupled with an urgent situation that pressures an employee for an immediate response.

Conformity:
Conformity is another powerful social force. If an attacker can convince an employee that everyone else has already performed the actions requested, such as confirming account names and passwords, it becomes very difficult for an individual to resist.

A variation on this theme is diffusion of responsibility. If an attacker can convince his victim that the victim’s supervisor has already approved the action, and if the assignment of duties among staff is not clearly delineated, it is possible to fool the employee into revealing the sought-after information.

Helplessness:
A combination of friendliness and helplessness can trigger an outpouring of information, particularly from help desk staff. Help desk employees are especially vulnerable to individuals who show an appreciation for their assistance. A natural response is to provide even more information when the customer is so eager for, as well as impressed by, your knowledge. By playing dumb and carefully asking leading questions (baiting), prompted by the real-time responses of the help desk agent, an attacker can come away from the encounter with a wealth of information about a company's IT organization.

Surveys:
As demonstrated by the Easter candy example cited above, surveys are an information-gathering instrument tailor-made for attackers. They require no special relationship between the attacker and the victim, and are by their very nature designed to elicit information in a question-and-answer format. Through careful coordination, a team of attackers might even be able to prepare employees ahead of time for the survey process and provide them with "permission" to disclose sensitive information!

Shoulder Surfing & Eavesdropping:
Shoulder surfing and eavesdropping can be very effective in gathering useful information about a company's personnel and operations. The term shoulder surfing refers to any direct observation of sensitive information, such as individuals keying in passwords or PINs, the display of information on computer monitors, or simply personnel forms with SSNs left exposed on someone's desk.

Eavesdropping is defined as listening in on conversations among individuals associated with the target organization. In the context of information security it extends to remote listening and recording devices, including the interception of telephone calls, fax transmissions, e-mails, and data transmissions, particularly on unsecured wireless networks.

Social Engineering Tactics

Links, Legit and Illicit:
When browsing a webpage, it is common to run across many different hyperlinks that can bring you to other pages or files. However, a common method used to infect a computer is to mislabel a link. It's important to know that the visible text of a hyperlink can say anything, regardless of where the link actually goes: a link labeled KaptainKangaroo.org could really point to sleazyporn.com. This is a common tactic used to fool people into visiting sites they normally would avoid. By mislabeling the link, cyber criminals hope to trick you into visiting a counterfeit site (phishing) or a site that will install malware on your PC.

Sending poisoned links via AIM has proven to be particularly effective in deceiving people. Since the message came from your buddy, it must be legit, right? Wrong! AIM viruses can generate their own IMs and send them out to everyone on your buddy list. Using AIM to infect computers with malware has proven very popular with cyber thieves because they can take advantage of the implicit trust built into the relationship between you and your buddies. Classic social engineering!

Phishing:
Phishing (pronounced "fishing") is a method used to gather personal or financial information for the purpose of committing fraud. These email requests imitate legitimate businesses such as eBay, PayPal, and various financial institutions, and they can be very deceptive. The authors go to great lengths to make their fraudulent requests look as legitimate as possible. There is usually a matter of some urgency that requires you to respond within a short time frame, and if you have an account with the business or institution being imitated, you may be convinced that the request is real.
 
You are usually instructed to click on a link to provide the requested personal information. The link takes you to a counterfeit web site run by thieves. The web site is designed to convince you that you are dealing with a legitimate business or financial services provider, going so far as to load many of its visual elements (e.g., company logos) from the real site.
 
All of these requests are fraudulent. No legitimate business will ask you for personal or account information via an email solicitation. If you receive such a request, you can safely ignore it, or report it to the Anti-Phishing Working Group at http://www.antiphishing.org, where you can find additional information and samples of phishing scams.

Identity Theft:
Identity theft occurs when a thief uses another person's SSN and other identifying information to fraudulently open new accounts and obtain financial gain at the expense of the victim. It is one of the fastest growing crimes in America, and everyone is a potential target. As of 2005, an estimated 41 million Americans were affected, at a cost of $5 billion annually. Phishing and spyware accounted for approximately 9% of these incidents. This is the primary reason it is so important to properly protect personally identifiable information (name, SSN, driver's license number, etc.).

Preventative Measures You Can Take:
With all these threats, everyone needs to be careful not to disclose information to the wrong people. With this in mind, here are a few steps that can help keep your identity safe.

  • Call your bank using the number printed on your statements, or listed in a phone book. DO NOT USE A NUMBER LISTED IN AN EMAIL. Some phishing scams have been known to ask you to call the "bank's" toll-free phone number, where accomplices or an automated system will ask for your account number.
  • Use separate passwords for different financial sites. That way, if one is stolen, all your accounts won't be compromised.
  • Never fill out a form or survey from an untrusted source.
  • Watch for misleading URLs. You can sometimes reveal discrepancies between the link text and the real URL by hovering over the link with your mouse and looking at the address displayed at the bottom of your browser window.
  • Look for character replacements in URLs, like 1 for L, 7 for T, etc.
  • Never click on links in emails or IMs, open attachments, or accept files unless you verify their legitimacy with the sender.
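The two URL checks above (link text that names one site while the real address goes elsewhere, and digit-for-letter substitutions such as 1 for L or 7 for T) can be automated. The following is an added example written for this page, not code from UAlbany ITS: it takes a list of links, each with its visible text and real href, and returns the warnings a cautious reader would raise. The sample links and the short list of "known good" hosts are constructed for illustration; a real deployment would use its own list of trusted sites.

```javascript
// Added example: flag two classic link tricks described on this page.
//  1. The visible text names one host while the href goes to another.
//  2. The real host is a look-alike built from digit substitutions
//     (0->o, 1->l, 3->e, 4->a, 5->s, 7->t) of a site you actually use.
// All hosts and links below are constructed sample data, not real sites.

// Assumption: a short allow-list of sites the reader really does business with.
const KNOWN_HOSTS = ['www.paypal.com', 'www.ebay.com', 'signin.ebay.com'];

// Digits that are commonly swapped in for the letters they resemble.
const DIGIT_SUBSTITUTIONS = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't' };

// Pull the first host-like token (e.g. "www.paypal.com") out of the link text.
// Returns null when the text is just words like "Sign in".
function hostFromText(text) {
  const m = text.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
  return m ? m[0].toLowerCase() : null;
}

// Replace look-alike digits with the letters they imitate, so that
// "paypa1" becomes "paypal" and can be compared against the allow-list.
function normaliseLookalikes(host) {
  return host.toLowerCase().replace(/[013457]/g, d => DIGIT_SUBSTITUTIONS[d]);
}

// Parse the href and return its lowercase hostname, or null if it is not a URL.
function hostOf(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Check one link ({ text, href }) and return an array of warning strings.
// An empty array means neither trick was detected.
function checkLink({ text, href }) {
  const warnings = [];
  const realHost = hostOf(href);
  if (!realHost) {
    warnings.push('unparseable href');
    return warnings;
  }

  // Trick 1: text says "www.paypal.com" but the href's host is different.
  // A subdomain of the shown host (signin.ebay.com under ebay.com) is allowed.
  const shownHost = hostFromText(text);
  if (shownHost && shownHost !== realHost && !realHost.endsWith('.' + shownHost)) {
    warnings.push(`text shows ${shownHost} but link goes to ${realHost}`);
  }

  // Trick 2: after undoing digit substitutions the host matches a known site,
  // which means the original spelling was a look-alike.
  const normalised = normaliseLookalikes(realHost);
  if (normalised !== realHost && KNOWN_HOSTS.includes(normalised)) {
    warnings.push(`host ${realHost} resembles ${normalised}`);
  }
  return warnings;
}

// Run the check over a page's worth of links; keep only the suspicious ones.
function scanLinks(links) {
  return links
    .map(link => ({ href: link.href, warnings: checkLink(link) }))
    .filter(result => result.warnings.length > 0);
}

// Constructed sample links, as they might appear in a phishing email.
const SAMPLE_LINKS = [
  { text: 'www.paypal.com', href: 'http://www.paypal.com.account-verify.example/login' },
  { text: 'Sign in', href: 'https://www.paypa1.com/signin' },
  { text: 'https://signin.ebay.com', href: 'https://signin.ebay.com/ws/eBayISAPI.dll' },
  { text: 'eBay', href: 'not a url' },
];

// Usage: print each suspicious link with the reasons it was flagged.
for (const { href, warnings } of scanLinks(SAMPLE_LINKS)) {
  console.log(`${href}\n  - ${warnings.join('\n  - ')}`);
}
```

Of the four sample links, only the third (text and href agree on signin.ebay.com) passes cleanly; the others are reported with the specific reason, which is the same judgement the manual "hover and compare" step in the list above asks a reader to make.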
