Why do most cybersecurity issues come from employees’ misuse?
The art of getting information from someone who gladly gives you the key to his company’s data
Let’s first agree that exploiting human error to obtain information that helps an attacker breach a company or a personal device is called social engineering. The human error that the social engineer exploits is entirely psychological. Social engineers learn how to use human nature to get information from people, often without even asking for it.
Christopher Hadnagy, in his book ‘The Science of Human Hacking’, says that one of the things that makes a successful social engineer is awareness of:
- Psychology: to know how we make decisions
- Social psychology: how we interact in social groups, and how those groups affect us
So what the social engineer needs is to play on human nature; if he can deal with and exploit its vulnerabilities, he may not need a technical attack at all. Things go smoothly without anyone even discovering that a breach has happened.
Kevin Mitnick, one of the most famous hackers, used to rely more on social engineering than on technical attacks. He admitted that he “was so successful in that line of attack that he rarely had to resort to a technical attack”.
Let’s have a quick look at some forms of social engineering and then see the techniques used behind them. If you already know the forms, you can jump to the techniques section.
How do social engineers knock on your door?
1- Phishing
Phishing is attacking people by sending them an email that asks them to click on a malicious file or link, giving the attacker remote access. The mail may also ask them to log in so the attacker can capture the username and password.
Ex. You receive an email that appears to be from PayPal telling you that you paid an amount of money and that, if you suspect this charge, you can cancel the payment via a link. Whether you just clicked the link or logged in, you’re in trouble!
2- Spear Phishing
A very personalized email that contains details about the target’s personal life.
An example of spear phishing from Christopher Hadnagy’s book ‘The Science of Human Hacking’: he learned from the target’s social media accounts that the target had stayed in a hotel. The spear phishing email was as follows:
How many times have you visited a website and suddenly a message appeared telling you that there is a virus on your device and you should download a tool to get rid of it? I am sorry to say that this tool itself is malware. When you download the tool or app, malware lands on your device and gives the attacker remote access.
4- Vishing (Voice phishing)
It’s phishing via a phone call. The attack doesn’t happen during the call itself; the call is just to collect information that helps the attacker breach the company’s network. Unlike email phishing or the other types of phishing, vishing can take more than 4 months to really get the required information.
Why does it take so long? In phishing, the victim just takes a certain action and the hacker then gets the information or access he needs from the victim’s device, which is merely an object. Here, the social engineer gets the information from a person whose feelings and thoughts control him. So the attacker needs excellent communication skills, working through feelings or logic depending on the victim’s personality. The attacker then has to build rapport and trust and use every possible trick for a successful conversation with the victim to get the information he needs.
So, what are the techniques a social engineer uses, and what is it in human nature that he or she can exploit more easily than a technical breach?
Let’s see an example from Ian Mann’s book, ‘Hacking the Human’, to discover together which techniques and human weaknesses are used.
It’s three phone calls between a help desk employee, Johnny, and a hacker who claimed to be a new HR employee who isn’t used to the company’s system yet.
The First Call:
- The Hacker: Hello, can I please speak to the helpdesk?
- Johnny: This is the support desk; can I help you?
- The Hacker: Oh thanks, this is Sarah Clark calling from BankY. I haven’t called you before, but is this the right number for help with PeopleEasy?
- Johnny: Yes, this is the right number Sarah, what is the difficulty?
- The Hacker: Well, you will have to forgive me, as I am quite new in this role. I am doing some analysis and need help with summary reports. I work mainly from home and tend to catch up with things once I have put my daughter to bed. I am so glad that you are still available to help me. Tell me, do you always work this late?
- Johnny: Yes, I am the lucky person who covers the 7pm to 7am shift on Monday to Thursday.
- The Hacker: So is it okay if I call you at this time? Sorry, I didn’t get your name?
- Johnny: Johnny. Yes, that is fine, your support contract is 24/7, and to be honest it can get a bit dull through the night.
- The Hacker: [Laughs]. Okay Johnny, I might just do that if Jessica gets me up like she often does. Well, as I said Johnny, I am quite new to this. I am just not sure how to run a report for a department to get our usual employee summary.
- Johnny: Well, are you in the reports section?
- The Hacker: Yes, I think so. I have searched for reports, but get lots of results. I’m not sure which is the best.
- Johnny: Oh yes, much better to go to the management tab, then select reports.
- The Hacker: Thanks. I can see you are an expert at this. Lucky I called you.
What techniques are used and which human weaknesses are exploited in the first call?
1- Pretending to be a certain character
Such pretending includes using the vocabulary of a certain industry, tone of voice (fearful or decisive), body language and even clothing.
In our example, the hacker pretends to be a new employee who needs help and fears losing her job. She uses a fearful tone of voice and some human resources terminology, which gives her credibility and appeals to the natural human tendency to help.
The Human Weakness exploited by the technique: Trapping of the Role
- Just imagine that your friend tells you her fiancé is a doctor. What do you now think of him without even knowing his name? I’ll tell you the picture you draw of him: a serious, respectful, cultured, honest, humane and empathetic man.
- This is exactly what the social engineer plays on in this example! Simply saying on a phone call that she is an HR employee and using some HR terms such as ‘summary reports’ is enough to make an employee believe her and be ready to build rapport, the first step in gathering information.
2- Sympathy
It’s as simple as saying, “can you help me?” and showing that you will be in trouble if the other person doesn’t help you. In the example, the hacker gains the employee’s sympathy by telling him that she is a new employee who needs help and fears doing anything wrong and losing her job. She also gains sympathy for being a mother who needs to get her work done before her baby wakes up.
The Human Weakness exploited by the technique: The desire to help
Psychologists have found that we like to play the role of helper. I’m sorry to say that we don’t do it for others; rather, it’s for ourselves in the first place, since it makes us feel good about ourselves and feeds our pride. Social engineers exploit that very well, using the ‘Sympathy’ technique mentioned above.
Then the hacker makes a second call, asking for a little help and having a nice conversation to build rapport.
The Third Call:
- The Hacker: Thanks Johnny. You are great at helping me when I need it. I bet you have to deal with much more complex problems than my silly requests.
- Johnny: Well, it does vary. But most people are not as nice as you. But yes, the other night I was running custom SQL queries directly from the database.
- The Hacker: Wow, not sure what that is, but sounds complicated. Can you pretty much do anything then?
- Johnny: Yes, the system’s not that difficult when you’ve been at it for a while.
What techniques are used and which human weaknesses are exploited in the third call?
3- Elicitation
Elicitation is getting information without asking for it. You just keep talking with someone about his life, family and job, building rapport with him, and then he will tell you all of it, including information about his job. He will give the hacker information he thinks is useless, but the social engineer knows very well how to use such information.
Tactics to do this include:
- Using open ended questions such as ‘how’, ‘when’, and ‘why’
- Giving a little information about yourself to encourage the other person to talk about himself.
In our example, after three calls between Johnny and the hacker, Johnny tells the hacker about some of his tasks, such as “running custom SQL queries directly from the database.” Those words tell the hacker that Johnny has full access to the database, so she doesn’t need to work on anyone else; the next and last step should also be with him.
The Human Weakness exploited by Elicitation: Liking
As human beings we all like, and even need, to be liked, and unfortunately, as Kevin Mitnick says, “all of us are more likely to say “yes” to requests from people we like.” Social engineers play on this weakness and try to build rapport with the target. Everyone has their own way of building rapport with people; in our example:
- The hacker uses flattery, saying “I can see you are an expert at this” and “You are great at helping me when I need it”.
- The hacker always uses Johnny’s first name, breaking down any barriers between her and the target.
Now let’s see the result of the three calls, after building rapport with the help desk employee, who now speaks to his nice friend, not just an employee.
Hacker: [Crying] … Oh Johnny, sorry to call you. It’s Sarah again. Don’t know what to do. I’m in a real mess here.
Johnny: It’s all right, can I help? Sarah, don’t cry, I’ll do my best.
Hacker: I don’t know what to do. I’ve got to get this information for first thing. I’ve been up half the night with Jessica, and now it won’t work.
Johnny: What’s wrong? Tell me the problem, and I’ll see what I can do.
Hacker: I don’t think you can help me. It just won’t work at all. I should have done this yesterday. My boss will probably fire me if I don’t have it for the morning.
Johnny: I’ll do my best. Just tell me the problem Sarah, and we’ll sort it out.
Hacker: I can’t get anything to work. My computer’s playing up and Explorer won’t come up. I’ve rebooted about 50 times. I know you are great at helping, but I’ve only really used spreadsheets before. At my last job they taught me to do loads of things with spreadsheets. Now I can’t even get into PeopleEasy. What can I do?
Johnny: Oh, I don’t know. You say you can’t open Explorer. This is the only way into the system. Are you sure it won’t work?
Hacker: [Crying] … I’ve told you it won’t work. I have to get these figures. I need lots of reports. I’ve got to summarize all this information. If only it was here in a spreadsheet I could do it in time. [Crying] …
Johnny: Sarah, don’t cry. You say, if you had a spreadsheet, you could do what you need to do?
Hacker: Yes, I think so. It’s just that I need all the information. Can you help me Johnny?
Johnny: Look, I can get you that information. The database is really quite simple. I can make you some spreadsheets with everything you need.
It’s done! Johnny gave the hacker all the spreadsheets, not just some, because she told him that she was nervous and couldn’t define exactly what data she needed.
As we see in the example, Johnny gladly gave the hacker all the information, thinking that he was helping a poor, ‘nice’ employee who had almost become his friend.
It was done with nothing but communication skills, some tricks and a full understanding of human nature.
If you want to know more social engineering techniques and how to fight them, read part two of the article.