#108: Security Briefing - Social Engineering

Continuing my mini-series on security, I introduce Social Engineering.

Social Engineering is a direct attempt to manipulate us into doing something that we otherwise would not. It's not a new technique, but the modern connected world gives social engineers more tools to work with.


Published: Wed, 10 Nov 2021 16:19:10 GMT



Hello, and welcome back to the Better ROI from software development podcast.

In this episode, I'm going to give you another Security Briefing - and in this one, I want to introduce Social Engineering.

Now I find Social Engineering a fascinating subject. At its heart it is conning people; it goes straight back to the idea of the confidence trickster, the conman.

Now, you could argue this isn't a particularly cyber-related subject; personally, I'd disagree. The internet, and the sheer amount of information available online, has let conmen move into the cyber arena and take advantage of what's there. With so much information about ourselves online, a conman can find out a great deal about us: our likes, our dislikes, what we do, via Facebook, Twitter or Instagram. If they're interested in a physical location, they can study it through something like Google Maps. They can do a lot of reconnaissance to target their con at us far more precisely.

The other thing the internet enables is the ability to target many people at once. We'll talk later in this episode about phishing, where a single campaign attacks a lot of people in one go, conning them into answering an email and handing over their bank details.

So what are we talking about when we talk about Social Engineering?

Wikipedia describes Social Engineering as:

"Social engineering is the psychological manipulation of people into performing actions or divulging confidential information."

"A type of confidence trick for the purpose of information gathering, fraud, or system access."

"It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."

Social engineering is basically exploiting our natural tendency to want to help, to trust people, to work together. It may work through fear or guilt, or simply through that desire to help, but that's what it is: getting someone to do something they would not normally do, through manipulation.

So what would this look like?

Let's say you're about to go through the door into your office. The door has a card swipe system: you need to swipe your card to gain access. However, as you're going through the door, you see a woman approaching. She's heavily pregnant. One arm is in a cast; she has obviously broken it. The other arm is full of paperwork. You're obviously going to hold the door open and let her through.

Unfortunately, that lady is an actress. She's faking the pregnancy and the broken arm, and the paperwork is hiding the tools she needs to access your computer systems once you've let her into your corporate HQ.

She has played on your good nature, your desire to help.

But then again, most people would do that. It's human nature, and that is exactly what social engineers manipulate.

Or maybe it's the aircon maintenance engineer who desperately needs to get into the building. He's received an emergency call because your board is meeting, but they're sweating to death in a badly air-conditioned room.

They're getting upset.

They're getting angsty.

And so it's an emergency: he's been sent out immediately so that the problem can be fixed. The board are overheating. Your board are upset. Their patience is wearing thin.

Are you going to stop that aircon maintenance engineer from accessing the building?

Maybe it's a call into accounts payable to update the bank account details for your main supplier. The caller is really sorry they haven't done this before; they were meant to have done it weeks ago, and they were meant to have gone through the proper process. They're really sorry, but their son has just been through major surgery and their mind hasn't been on the job. Can you do this as a favour to them? Otherwise their job's on the line. Their boss is already upset with them for taking so much time off while their son was in surgery.

And if they don't do this, then the boss is likely to fire them.

Can you help?

Being on the receiving end of a Social Engineering attack feels unfair, more so than any other security attack.

It's much more personal. It makes us feel stupid and guilty.

But I've listened to podcasts where professional penetration testers, people who are paid to test whether they can get into company sites in the way that pregnant lady or the aircon engineer would, to test people's security, say they feel bad about using those tactics.

They feel bad about conning you.

But, they know that the bad actors will use those. So if they're trying to test your organisation, as they've been requested to do, then they need to employ those same tactics.

And attackers are not going to have negative feelings about using these tactics. They won't bat an eyelid at pretending to be pregnant or telling you that one of their children has been desperately ill. They're not going to be upset about playing on your heartstrings.

And yes, it's unfair. But confidence tricksters throughout history have been doing this. They've been using manipulation to get what they want and they will continue to do so.

Let's talk about methods of attack.

You'll generally find that Social Engineering is one part of a wider attack. Where we've talked about impersonation, somebody pretending to be someone else to gain access to your corporate HQ, that's probably a step towards gaining access to your network. Maybe they'll look for a meeting room with an unsecured PC, or a network port where they can plug in their own equipment.

It's generally part of some other attack.

But other than impersonating, you have things like phishing.

Phishing is where somebody sends you an email, maybe asking for help or asking for a donation. Whenever there has been a major crisis over the last few years, you'll find a raft of emails going out asking for donations to help the people affected. These are phishing attacks. They're playing on your good nature, asking you to donate money to what you believe is a good cause, when actually it's just going into their pockets.

Phishing is also used to harvest people's authentication details. I wouldn't be surprised if every single listener to this episode has at one point or another received an email purporting to be from PayPal, saying their account's been locked or there's been a strange transaction: "please log in here", "click on this link".

These are examples of phishing emails sent in bulk to a lot of people, asking them to go to a site and log into PayPal. The site you're sent to isn't PayPal; it's a fake, owned by the person who sent the phishing email. When you put in your username and password, the attacker uses those details to log into your real PayPal account and take your money.

And of course, the same happens with any other system that needs authentication: maybe they're trying to get access to your bank, or asking you to put in credit card details.

Phishing works because they can do it in bulk. They can send thousands upon thousands of emails quickly, easily, cheaply, and they only need a very small percentage of people to actually fall for it. They need a very small percentage of people to actually put in their details to actually make money.

Sending millions of phishing emails costs nothing or next to nothing. So even a one or two percent take-up makes it quite lucrative.
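Here is an added example, not code from the podcast, of the kind of check a mail gateway or a security team can run on a message like the PayPal lure above. It looks for three tells of a credential-harvesting email: a display name that borrows a brand while the address comes from another domain, a link whose visible text names one site while the href goes somewhere else, and a look-alike domain that swaps digits for letters. The two sample emails and the brand list are constructed for the example.

```python
"""Triage an inbound email for the tells of a credential-phishing message.

Added example, not code from the podcast. The sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands whose names attackers borrow, with the domains they really
# send from. A real deployment would carry many more entries.
PROTECTED_BRANDS = {"paypal": {"paypal.com"}}

# Digits that attackers substitute for look-alike letters in domain names.
_LOOKALIKES = str.maketrans("10357", "loest")

# Constructed sample: the "your account has been limited" lure from the episode.
PHISHING_EMAIL = """\
From: "PayPal Service" <security@paypa1-support.example>
To: victim@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a strange transaction. Please log in to confirm it was you:</p>
<p><a href="http://paypa1-support.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample: a legitimate message linking to the real site.
BENIGN_EMAIL = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: expenses
Content-Type: text/html; charset="utf-8"

<html><body><p>Receipt is in <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; enough for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname from a URL, or from visible link text that looks like one."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def html_body(msg):
    """First text/html part of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def triage(raw_email):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_email)
    findings = []

    display, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""

    # 1. The display name drops a brand name, but the address is not that brand's domain.
    for brand, domains in PROTECTED_BRANDS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"sender says '{display}' but the mail comes from {sender_domain}")

    parser = _LinkCollector()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        real = registrable_domain(host_of(href))
        # Only treat the visible text as a host if it actually looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        # 2. The link text shows one site; the href goes somewhere else.
        if shown and registrable_domain(shown) != real:
            findings.append(f"link displays {shown} but points at {real}")
        # 3. A brand name hidden in a look-alike domain (paypa1 -> paypal).
        for brand, domains in PROTECTED_BRANDS.items():
            if brand in real.translate(_LOOKALIKES) and real not in domains:
                findings.append(f"look-alike domain {real} imitates {brand}")
    return findings


if __name__ == "__main__":
    for name, sample in ("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL):
        print(name, triage(sample) or "no findings")
```

The phishing sample trips all three checks; the benign one trips none. None of this proves a message is safe, but a mismatch between what a link shows and where it goes is the single most useful thing to teach people to look for, and the same check is cheap to automate.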

An alternative to this is vishing, voice phishing, where somebody rings you up pretending to be someone they're not.

Maybe they're ringing from the tax office, claiming that you owe tax and need to pay immediately. They ask for your bank details.

Maybe it's tech support telling you that you've got a virus on your PC. I've certainly heard of people pretending to be Microsoft ringing up and saying "You've got some form of problem with your PC. We're ringing to fix it. Let us download this software onto your machine", at which point they use that access to install some sort of malware on your machine.

And there's also bank account fraud, where someone claiming to be your bank rings you up saying they've seen suspicious activity on your account and, to protect you, they want you to move all your money into a new "safe" account.

These are all means of conning you into giving them something: whether that's giving them your bank details directly, paying them directly, installing software on your systems that they can then use to control and monitor what you do, or simply moving money from one bank account to another.

These are all trying to move you to do something you don't want to do.

And there are obviously variations on this.

Maybe it comes through SMS or text message instead; the channels these attacks use continue to evolve.

As technologies change, these Social Engineers become more creative and bring more innovation to how they can try to fool you.

Let's talk about how a Social Engineer might use available systems to make a much more focussed attack against you and your organisation. The more information they have about you and your organisation, the better their chance of success with a focussed attack.

So for example, say they want to send a fake email to your accounts team, asking them to send money to them.

Now, if they just email your accounts department and say "Hi, send me half a million pounds", I find it very unlikely that your accounts payable team will do it.

However, if they start researching you, using LinkedIn to find the appropriate people in the organisation and the relationships between them, they learn, for example, that you are the CEO, and they can find out exactly who is in charge of accounts payable and who would normally process payments.

They can take that information.

Then they can look for some major event in the company, maybe a major product launch that is being advertised on your website, or again on Facebook or LinkedIn.

Then they can research you and the individual from accounts payable on Facebook and Twitter to understand what you like, how you behave and, more specifically, when you're going on holiday.

All of this information is easy to gather. It's publicly available, and it makes their fake email so much more convincing.

Imagine if that accounts payable person receives an email addressed directly to them, from you as the CEO, saying:

"Really sorry, I'm just about to jump on a plane. As you know, I'm just going on holiday and I'll be offline for the next so many hours. But to support the major product launch that we need for the company, I really need this payment making. Please, I'm really sorry to have done this in such a way, but I'm desperate to get this done and I can't get hold of anyone else. Can you make sure this urgent payment gets to this bank immediately? Thanks."

The more research they put in, the more credence that email has and the more believable it is. When the recipient receives it, they know you, and they know you're on your way on holiday.

Yes, it's not normal for you to do this, but they know you're about to go on a family holiday. They also know the company is about to do this major event, and that it's critical to how the company performs over the coming years, probably the most important thing the company can do. So maybe they do what they're asked.

In this episode, I've introduced Social Engineering.

It feels inherently unfair, but it is a real danger to an organisation. In time, our systems will add further protections: AI-based recognition of the pregnant lady being let through the door; a refusal to change bank details without verification; multiple approvals for emergency payments. These are all ways of protecting us against Social Engineers, but they take time, and as new technologies become available, these Social Engineers, who are effectively conmen, learn them quickly and work out how to exploit them, and how to exploit you through them.

Thus, it will take time for our systems to catch up and be in a position to be able to protect us against them.
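Two of the protections just mentioned, no change of bank details without verification and dual approval for urgent payments, don't have to wait for new technology; they can be written into an accounts-payable workflow today. The following is an added example, not code from the podcast, that runs the supplier-bank-change phone call and the "CEO on the way to the airport" email from earlier in the episode through such controls. The thresholds, the supplier record and both scenarios are assumptions constructed for illustration.

```python
"""Accounts-payable controls against a bank-detail change by phone and an
'urgent' CEO payment request.

Added example, not code from the podcast. Thresholds, the supplier record and
the two scenarios are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed policy values.
DUAL_APPROVAL_OVER = 10_000          # currency units
NEW_ACCOUNT_WINDOW_DAYS = 30         # a recently changed account is treated as untrusted


@dataclass
class Supplier:
    name: str
    phone_on_file: str               # contact confirmed when the supplier was onboarded
    account: str
    days_since_account_change: int = 9999


@dataclass
class BankChangeRequest:
    supplier: Supplier
    new_account: str
    callback_number_offered: str     # the number the caller asks you to confirm on
    confirmed_on: Optional[str] = None   # the number the clerk actually rang back


def apply_bank_change(req: BankChangeRequest) -> Tuple[bool, str]:
    """Change bank details only after confirmation on the contact already on file.

    The caller's story (surgery, an angry boss) never enters the decision, and the
    number the caller offers is ignored: ringing it back only reaches the attacker.
    """
    if req.confirmed_on is None:
        return False, "not confirmed: call the supplier back before changing anything"
    if req.confirmed_on != req.supplier.phone_on_file:
        return False, "confirmed on a number supplied by the caller, not the one on file"
    req.supplier.account = req.new_account
    req.supplier.days_since_account_change = 0
    return True, "bank details updated"


@dataclass
class PaymentRequest:
    supplier: Supplier
    amount: float
    requested_by: str                # who the request claims to come from
    channel: str                     # "erp" (raised in the finance system), "email" or "phone"
    marked_urgent: bool = False
    requester_confirmed: bool = False    # AP spoke to the requester on a directory number
    approvals: Set[str] = field(default_factory=set)


def blockers(req: PaymentRequest) -> List[str]:
    """Controls still outstanding; the payment is releasable only when this is empty."""
    out = []
    # An email or phone request is not a payment instruction until someone has
    # rung the requester back on a number from the directory, not from the email.
    if req.channel != "erp" and not req.requester_confirmed:
        out.append("request arrived by %s and has not been confirmed out of band" % req.channel)
    # Urgency raises the bar rather than lowering it: a large payment, an urgent
    # one, or one to a recently changed account needs two approvers who are not
    # the requester.
    needs_dual = (
        req.amount > DUAL_APPROVAL_OVER
        or req.marked_urgent
        or req.supplier.days_since_account_change <= NEW_ACCOUNT_WINDOW_DAYS
    )
    if needs_dual and len(req.approvals - {req.requested_by}) < 2:
        out.append("dual approval required: two approvers other than the requester")
    return out


def release_payment(req: PaymentRequest) -> bool:
    return not blockers(req)


def scenarios():
    """The two stories from the episode, run through the controls."""
    acme = Supplier("Acme Ltd", phone_on_file="+44 20 7946 0000", account="GB00-OLD")

    # Vishing: the caller offers their own number for the 'confirmation' call.
    vish = BankChangeRequest(acme, "GB00-ATTACKER", callback_number_offered="+44 7700 900000")
    vish.confirmed_on = vish.callback_number_offered
    vish_applied, _ = apply_bank_change(vish)

    # A genuine change, confirmed on the number from the onboarding record.
    legit = BankChangeRequest(acme, "GB00-NEW", callback_number_offered="n/a",
                              confirmed_on=acme.phone_on_file)
    legit_applied, _ = apply_bank_change(legit)

    # CEO fraud: urgent email, half a million, only the 'CEO' has approved it.
    bec = PaymentRequest(acme, 500_000, requested_by="ceo", channel="email",
                         marked_urgent=True, approvals={"ceo"})
    bec_blocked = blockers(bec)

    # The same payment once the controls have actually been satisfied.
    bec.requester_confirmed = True
    bec.approvals |= {"cfo", "finance.director"}
    return vish_applied, legit_applied, bec_blocked, release_payment(bec)


if __name__ == "__main__":
    print(scenarios())
```

The point of the design is that nothing the requester says can switch a control off: the sob story and the urgency are inputs the code never reads, the callback goes to a number the attacker did not supply, and "urgent" adds an approver rather than removing one. That is what makes the email in the previous section fail even when it is word-perfect.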

As such, in the meantime, most of what we can do is think about training and awareness: making people aware of why we have protections in place, and reminding people why you need a security card to access the building.

Yes, we all understand that our natural tendency is to help. Our natural tendency is to let that other person through. But we do need to be able to think about how to protect ourselves from our own inherent human behaviours.

And again, this is a difficult one because most of us want to help. But that's unfortunately exactly the thing that the Social Engineers want to play on.

If you'd like to hear a bit more about social engineering, I really would recommend the podcast series Darknet Diaries. The host is very good at researching security topics, and he's covered a number of episodes that include Social Engineering. They're excellently produced podcasts, very well written, with a very good level of detail, and excellent to listen to. So I'd certainly recommend listening to some of those episodes.

Thank you very much for taking the time to listen to this episode and I look forward to speaking to you again next week.