The Evil Art of Human Hacking
Social engineering is a technique hacker’s use to take over an account by persuading or psychologically manipulating people to divulge confidential information. This is usually the first step within a more complex scheme. Social engineering uses “confidence building” techniques to set the victim at ease and convince him or her that the attacker is legitimate and presenting a valid scenario.
Social engineering is very common and occurs regularly; it is so pervasive, in fact, that two prominent internet companies, GoDaddy and PayPal, recently fell for a carefully crafted social engineering attack. This attack enabled unauthorized parties to hijack the account of a significant user and, through that breach, to access other confidential accounts. Cases like this “should have thrown up red flags for any Internet company dealing in identity,” reports techcrunch.com. “These are not new tactics and they should be guarded against as a very basic precaution.”
More alarming than the frequency of social engineering attacks is the relatively low risk for the attacker, who can disengage at any time simply by hanging up the phone or deleting the address used to send fraudulent emails. When this low risk is combined with the inviting ratio of success to failure, social engineering becomes an attractive alternative to much riskier fraud that requires facing your victim.
The means to defeat social engineering, however, are relatively simple if you understand what social engineering is: social engineering is a con. It relies on the victim’s reluctance or inability to question the authenticity of the attacker. Once that authenticity is questioned, the attacker must deviate from their “script” and flounder to avoid being discovered. The more you drive the attacker off the script, the more information you can gain; proportionally, this increases the risk to the attacker. Five simple steps can help you avoid becoming a victim of social engineering:
- Question the authenticity of every communication. This is especially true if you are asked for information such as usernames, passwords, or other sensitive data.
- Do not be afraid to validate the caller. Advanced social engineers will set up “bounce” numbers; these are phone numbers that are answered by co-conspirators who serve to falsely validate the authenticity of the caller. You can avoid this trap by instead calling a number you know to be legitimate, such as the published number for a company or the internal extension for the employee’s supervisor.
- Insist on two-way validation. If someone asks you for your information, ask them for their information about you. For example, if a caller identifying himself as an IT technician asks for your information, ask what equipment his database reports for you. Then request from him his supervisor’s name, which you can validate in an employee directory, and call that supervisor to validate his request.
- If you have identified a social engineering attempt, be sure to communicate your finding to management; news of this attempt should then be shared companywide to limit the attacker’s possible success.
- Validate through testing. Every organization should, as one component of a thorough penetration test, evaluate employee readiness for social engineering attempts. A firm well versed in social engineering testing will go beyond mere phone calls, employing a multitude of techniques to perform extensive tests in this discipline.
Originally released in part by VIMRO,
Michael Horsch Fizz