I made you click – my Social Engineering trick revealed @ ITWeb Security Summit [Part 2]

ITWeb Security Summit

The line up of both local and international speakers at the ITWeb Security Summit was world class [see Part 1]. These ranged from Tech, to Business, to Vendors, to Politics, to Analysis and everything in between.

Raj SamaniOne speaker that I was really looking forward to hearing was Raj Samani, CTO of McAfee EMEA. Raj’s topic is something that I have been preaching about for a long time – Social engineering

Not only was I fortunate enough to listen to his keynote presentation, but I also managed to get a one on one interview with Raj to discuss all things Social Engineering and share some Party Tricks too !

What is Social Engineering ?

Raj describes Social Engineering as a “Deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information”

This basically means that the Attacker uses compliance tendencies techniques  to extract information from their target in such a way that the target is not even aware that they are doing anything wrong when being targeted.

How does the Attacker extract information ?

There are six compliance tendencies that are used to extract info:

  1. Authority: People comply when a request comes from a figure of authority eg. someone flashing an official looking badge or wearing a uniform
  2. Liking: People tend to give information freely to people that they get on with & like.
  3. Reciprocation: Creating a situation where somebody feels indebted as if they should do a favour for the Adversary.
  4. Consistency: People want to seem trustworthy and so will keep their word of a promise to assist.
  5. Social Validation: People don’t want to stand out and so will comply if others are doing the same thing.
  6. Scarcity: Creating a situation where the target believes that there is a short supply of an item they need or want and therefore will help in order to get that item.

What is the Attack Lifecycle ?

Attack lifecycle

The attack lifecycle is made up of 4 components:

  1. Research – this is where the the attacker looks for the right hook, how to approach the target, which angle to use.
  2. Hook – this is where the attacker engages with the target and begins to build a rapport
  3. Play – this is where the attacker extracts the information from the target
  4. Exit – this is where the attacker ends the relationship in a non-suspicious way

The lifecycle can be executed over a short period (known as hunting) or long time (known as Farming). It all depends on what the attacker is trying to achieve and what they want. The attacker usually targets the individual for specific information however random almost opportunities information can be gleamed anytime and anywhere. Raj recalls being on a train hearing sensitive information being discussed between employees of a large firm.  I had a similar situation where I waited outside a closed boardroom meeting & whilst the employees were leaving they were discussing the new confidential prototype they just saw – loud enough for everyone to hear.

Why would someone do this ?

Companies hire attackers to get information form their competitors and they employ the services of professionals to get this information. Since Information Technology has advanced, it is not always feasible to “hack in” and steal the information and therefore the attacker uses Social Engineering as a much easier method to gain the required info.

There are “information brokers” who earn 50 000 pounds per month just from one client ! There is a going rate of 35 pounds per records supplied….

Who would fall for this ?

One would be forgiven for thinking that we are all well educated not to click on links we don’t recognise, not speak in public about sensitive information and not to divulge information to an external person – but you would be wrong.

Raj recalls a case study where Cadets at West Point in the USA received 4 hour security awareness training. Later, these same Cadets received this email:

Cadet training in security false email

90% of the cadets clicked on the link even though there were errors in it that they were just trained to spot [there is no 7th Floor in an area that they visit often and there is no Col Robert Melville]

So even after 4 hour security awareness, these Cadets were tricked into clicking on a link.

This was a once-off right ? Well not exactly. During Raj keynote presentation, I sent the following Tweet:

Liron_Segev Tweet Experiment to see how many people would click blindly

When people clicked on the URL it took them to this web page that I knocked up in 30 seconds which displayed all their information:

Experiment to see how many people would click blindly

I was being kind. I could have captured information secretly and rerouted them to the ITWeb conference page and they would have been non-the-wiser.

Now bearing in mind we are at a SECURITY conference  it was astounding at just how many people blindly clicked on this link !  [side note: I look forward to reading Raj’s Blog post on my little experiment…]

So if a hall full of security trained experts clicked on this link what can we expect from our users in our organisations ?  We are all susceptible to this kind of attack.

So what can be done ?

Raj sites two main items: Raise awareness and stop the blame culture.

We have IT policy documents that each employee signs and if they were manipulated into divulging information they are not going to own up to it as they will be fired.

We need to change this perception and encourage user participation to report in anything suspicious without fear. Raj say that when a system is put in place the amount of incidents should RISE – this is a sign that the system is working as users are not afraid to report in.

So in Summary:

The threat is real and not movie-stuff. There is a very profitable underground industry that trades in information. Information can literally be converted to currency.

I am particularly passionate about this type of attack as this is the ONLY attack that can bypass all the technology methods that are put in place. In our organisation we have full and legitimate access to information and at the end of the day we are all human susceptible to this type of attack. In a lot of circumstances the victim doesn’t even know that they were even played.

Its just genius play on human emotions. Simple and Effective.

Links: Raj’s Blog, McAfee.com (its not just ant anti virus tool ie not Dr Solomon anymore)

Book to read:  The Art of Deception by Kevin Mitnick

3 Comments

on “I made you click – my Social Engineering trick revealed @ ITWeb Security Summit [Part 2]