Social Engineering psychological tips and tricks (Part Two)
Analysis of a hacking case that used human weaknesses to breach a company’s network and data
Let’s analyze an example from Kevin Mitnick’s book, ‘The Art of Deception’, and identify together the techniques that are used. Our example is a phone call between an accountant called Mary and a hacker who plays the role of a helpdesk employee.
- The Hacker: Hi, this is Peter Sheppard. I’m with Arbuckle Support, the company that does tech support for your firm. We logged a couple of complaints over the weekend from people having problems with the computers there. I thought I could troubleshoot before everybody comes into work this morning. Are you having any problems with your computer or connecting to the network?
- Mary: I have not turned on my computer yet, so I don’t know. Just a second to turn it on.
- The Hacker: I’d like to run a couple of tests with you. I’m able to see on my screen the keystrokes you type, and I want to make sure they’re going across the network correctly. So, every time you type a stroke, I want you to tell me what it is, and I’ll see if the same letter or number is appearing here. Okay?
- Mary: I have the login screen, and I’m going to type in my ID. I’m typing it now– M…A…R…Y…D.
- The Hacker: Great so far. I’m seeing that here. Now, go ahead and type your password but don’t tell me what it is. You should never tell anybody your password, not even tech support. I’ll just see asterisks here–your password is protected so I can’t see it. Let me know once your computer has started up.
- Mary: Thank God! My computer is running, and everything seems to be working normally.
- The Hacker: I’m glad I could make sure you’ll be able to use your computer okay. And listen, we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?
- Mary: Yes, sure!
- The Hacker: Now go ahead and enter your password. But remember not to say it out loud. Just for this quick test, when it asks for your new password, enter ‘test123.’ Then type it again in the Verification box and click Enter.
The hacker then quickly logged onto the system with the same temporary password Mary had used, test123, and installed a small program that let him access the company’s computer system whenever he wanted, using a secret password of his own.
What techniques are used, and which human weaknesses are exploited, in the first call?
One of the most important steps in social engineering is to be seen as trustworthy, because this is what makes the victim hand the social engineer valuable information for the attack. There are many ways to gain credibility, and one of them appears in our example: simply giving the target advice, even advice that works against the social engineer himself:
The hacker tells Mary, “Now, go ahead and type your password but don’t tell me what it is. You should never tell anybody your password, not even tech support”. He only wants to build trust. Actually, checking the computer means nothing to him; he uses it purely to build trust and prepare the victim for the real attack step. When someone gives us advice that could work against them, we feel that they are good people who only want to help us and expect nothing in return.
2- Me too
It means that we as human beings feel that we can’t refuse to help someone who has helped us before. This is exactly what the hacker does with Mary, who would be in trouble if her computer stopped working and she couldn’t do her tasks.
He puts her in this situation by checking her computer for problems, as he claims, so that she feels grateful to him. She then cannot refuse his request to try the program that changes passwords.
What are the human weaknesses exploited in the previous example?
All of us are likely to act without thinking when we feel that trouble is about to happen. We think only about solving the problem, so we simply do what we are asked to do without arguing.
In the previous example, the hacker tells Mary that some employees complained about problems with their computers, so he needs to check whether hers works. Thinking about her tasks and what might happen if her computer were down all day, Mary accepts immediately!
This is simply obeying instructions because you do not understand the situation or know what to do. And with the image of an expert that you have built of the attacker (the human weakness of trapping the role), you are even more likely to obey. Mary, in the example, does not know what she could do if her computer went down, and imagining herself unable to work because she cannot solve the problem, she immediately agrees to what the hacker tells her.
Unfortunately, defending against social engineering attacks is more complex than defending against technical attacks, because it depends on people themselves, on a human nature that we cannot always change.
However, there are some measures managers can take to mitigate such attacks, and don’t be shocked when I tell you that they will not be in place in just two weeks or even a month. They are long-term solutions, which means you need to apply them permanently and test them again and again to ensure that they work well enough to protect your company’s data.
So, what can you do to decrease the likelihood of falling for such social engineering tricks?
- Spread awareness among employees about social engineering tricks and the human weaknesses that help attacks succeed
- Even better, create a training program as follows:
Showing social engineering methods:
Can we fight something we don’t know? Never! So, employees should know how to identify social engineering attacks in order to apply your policy. The training program should begin by teaching them the different forms of social engineering attacks: phishing, smishing, and vishing.
Some employees and even you as a manager may say, “No! I think it’s far away from me.”
Sometimes we have a strange feeling that danger is far away from us. So, to get rid of that feeling, give employees real cases of social engineering attacks so they are convinced that such attacks really exist and have already hit big companies.
Setting clear and applicable policies:
If you just take the human weaknesses mentioned above and tell your employees “don’t trust people, don’t like them”, and so on, it will not change anything, because it is not easy to change our human nature, and we surely don’t have to give up our good qualities to protect ourselves.
- Set a clear policy, for example that identity must be verified before any piece of information is provided
- Identify exactly what information they may disclose and what they may not
- Give them exact, clear steps to follow when they suspect an attack
- Restrict their access if the requester’s authentication conditions have not been met
Christopher Hadnagy, in his book ‘The Science of Human Hacking’, mentions a case study of a financial institution that applied a wonderful policy to protect employees from social engineers.
They made a real, actionable policy: “You are not allowed to give any information out to unauthenticated users.” And they didn’t stop there. They defined both what counts as valuable information and how to authenticate users properly. Then they did one more thing that made a huge difference: they disabled the employees’ ability to move past this first stage if the questions were not answered properly.
Performing regular tests:
You can contract a penetration testing firm to conduct regular social engineering attacks against employees, including IT staff.
The benefits of testing are:
- To ensure that your employees are ready for any attempted attack
- To help them always remember what social engineering attacks are and what to do against them