T 5.42 Social Engineering
Social engineering is a method used to gain unauthorised access to information or IT systems by probing people for it rather than attacking the technology. Social engineering exploits human characteristics such as the willingness to help others, trust, fear, or respect for authority. Employees can be manipulated using social engineering so that they perform unauthorised tasks. A typical case of attacks carried out with the help of social engineering is the manipulation of employees by calling them on the telephone and masquerading as one of the following persons, for example:
- a receptionist whose superior wants to do something quickly but has forgotten his password and needs it urgently now,
- an administrator who calls because of a system error, since he/she needs the user's password to eliminate the error,
- a telephone technician who wants to know some technical details, for example the telephone number of a connected modem and the settings of the modem,
- an outsider who would like to talk to Mr X, who is not available at the moment. Telling the outsider that Mr X will be absent for three days also means telling him/her that Mr X's account will not be used, and will therefore be unobserved, during this time.
If asked critical questions, the inquisitive caller may say that he/she is somebody "important" or "just an assistant".
Another strategy used in systematic social engineering is to build a long-term relationship with the victim. By making numerous trivial telephone calls in advance, the attacker is able to collect information and build trust, which he/she can then exploit later.
Such attacks can also be conducted in several stages by using the knowledge and techniques gained in the previous stages.
Example:
- It is much easier for an attacker if he/she succeeds in getting the victims to call him/her of their own accord. For example, the attacker could manipulate the telephone system of the targeted organisation in such a way that all calls to the administrator are forwarded to him/her. This may be possible after conducting a successful social engineering attack on the telephone technician, or after compromising an insecurely configured telephone system from the outside. If the attacker then carries out a denial-of-service attack, for example, the victim will try to inform the administrator of the attack. However, because of the manipulated telephone system, the victim will only reach the attacker. During normal daily business, no one would normally think to question whether the person on the other end of the line is a "real" administrator.
Many users know that they are not allowed to give their passwords to anyone else. Social engineers are aware of this and therefore need to find other ways to reach their goals. Examples of this include:
- An attacker may ask the victim to execute commands or run programs the victim is not familiar with, for example to help solve an alleged IT problem. However, the request could contain disguised commands for changing the data access rights. The attacker may then be able to gain access to sensitive information.
- Many users use a strong password, but they use the same password for several accounts. If an attacker operates a useful network service (such as an email service) that users must authenticate to, the attacker could obtain the desired passwords and login information. Many users will use the login data for this service for other services as well.
When conducting a social engineering attack, the attacker will not always be visible; there are also variants of this type of attack where the attacker remains in the background. In many cases, the victims never even find out that they have been exploited. If this is the case, the attacker does not have to worry about criminal prosecution and also retains a source for obtaining additional information later.
The use of email and internet services offers numerous ways of obtaining information under false pretences. Once the trust of the victim is gained, it is easy for the attacker to provide the victim with an email containing an attached Trojan horse, for example. Since the victim knows the attacker and considers him/her to be trustworthy, the email and the attachment are also considered trustworthy and are then opened.
Social networks
Social networks on the internet offer a good basis for social engineering. These platforms can be used to obtain a great deal of background information about persons. The information people disclose in their profiles may be collected and used as a basis for obtaining further information.