Thanks to an embarrassing hack in July 2020, in which someone gained access to a Twitter administration tool and used high-profile accounts to tweet out a Bitcoin scam, social engineering is getting a lot of attention. But what is social engineering? How does it work?
There’s no need to complicate social engineering. It’s not something new, it’s just an old-fashioned con job in modern times, sometimes using modern technology.
I won’t out him, but a family member got social engineered. He was at work, minding his own business, when someone walked in the door and asked where the server room was. The guy looked credible enough, so my relative walked him over to the server room and badged him in. His then-employer failed its PCI certification because of it.
“Dude!” I said. “You know that’s what I do for a living, right?”
He had no idea.
In 2007 or so, one of my coworkers got social engineered. He never admitted exactly what happened, assuming he even knew. But he let someone install a keylogger on his system. And then he logged onto the segmented-off network I administered. My network was fully patched, had a clean Nessus scan that was less than two weeks old. But that doesn’t help when someone can steal a domain admin’s password. I had a long weekend cleaning that up. It’s fun fighting off a government red team when you have no training in that field.
Why use the phrase social engineering?
This is just my theory, but I think someone coined the phrase social engineering out of disrespect for the arts. You can get a bachelor of arts in psychology, which, in some circles, is worse than having no degree at all. Having had to defend my journalism degree far too many times, I’ve experienced it myself.
We have to call it social engineering because snooty guys with engineering degrees from third-rate schools won’t take it seriously if we call it psychology, which they think is beneath them. I wish I was kidding, but I’ve worked with more than one of those people.
But that’s really what social engineering is. It’s using psychology to manipulate people instead of using it to help people. I hear people call the 1899 short story “The Amateur Cracksman” a story about lockpicking and social engineering in the Victorian era. It is. But in 1899 they called it a story about a gentleman burglar. He got away with his crimes because he looked and behaved like a refined, upper-class gentleman.
If you want to understand social engineering, study psychology.
What social engineering looks like
Social engineering can happen over any form of communication. It’s like any other scam. It can happen in person, through written communication like e-mail or even a printed letter sent through the regular mail, over a phone call, or any other means I’m not thinking of. You just act like you’re someone you’re not and trick someone into doing something.
Arguably, the time I made a slide in a presentation at work called “How to cheat at patching,” I was doing a form of social engineering. I figured if I framed it as a security dude telling you how to cheat, the audience would at least listen, and maybe do what I suggested on the slide.
Looking like you work there
I was at a security conference in 2018 with my boss, and I forgot to take my nametag off over lunch. I ran to the store during the break, and someone walked up to me and started asking me questions. He saw my engraved nametag and assumed I worked there. It didn’t even say the right thing on it. When I met back up with my boss, I bragged that I’d just accidentally social engineered someone. He laughed, because he’s done it too.
Acting like you know what you’re doing
I’ve lost count of the number of times I carried a computer, or rolled a whole cart of computers, out the door of a building. No one ever said anything to me, but I got looks. Looks that said, “He’s stealing that!” But no one ever stopped me. Sometimes someone even held the door for me.
I’ve been caught before trying to buy lunch in a cafeteria in a building I wasn’t technically authorized to be in, but I’ve never had trouble taking a computer out of a building, even in cases where what I was doing looked very suspicious. What does that tell you?
Interviewing for a job
A very common tactic for professional social engineers is to send an attractive woman. She’ll act frazzled, say she’s running late, has a job interview in five minutes and wasn’t able to print her resume. Of course the first person she finds will try to help her. She hands that person a flash drive, they plug it into their computer, print the resume, and hand it to her. They have no idea they just infected their computer, and now it’s beaconing to her accomplice, who could be sitting in the parking lot, or on the other side of the world, and they just start moving further along the Cyber Kill Chain while she continues to distract.
This plays on people’s innate desire to help people. It’s not all that different from the time I showed up for a job interview and my collar was messed up. The guy at the front desk said, “Well, you can’t go into an interview like that,” and helped me straighten my collar before he called my point of contact. I can’t infect your computer that way, but I can infect your computer with a flash drive. And a good natured person will just as readily print a resume for someone as they will straighten a collar, or help someone tie a tie.
I’ll give you some free advice: If you don’t have extra security precautions on your HR department’s computers, you’re doing it wrong. Opening resumes from strangers is very high-risk activity, and that’s literally what they do for a living.
What does the social engineer do after convincing you to print her resume? You’ll know you’ve been had when it turns out she doesn’t really have a job interview, right? She can play dumb. She can say, “Is this [some other company name]?” And she has her out. “Oh, silly me, I went to the wrong place, now I’m really going to be late!”
Posing as someone else
Sometimes social engineering looks like posing as someone else. This works better over the phone or e-mail than in person. I get e-mail from my company’s CEO all the time. It’s fake though. When he wants something from me, it doesn’t come over e-mail, or at least not directly from him.
But this is a very common tactic, whether it’s posing as your company’s IT department or a high-ranking manager or officer to try to get you to do something. It’s especially effective for getting people to give up their passwords.
Those notorious tech support scam calls are a form of social engineering.
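The fake-CEO e-mail described above is usually display-name spoofing: the From header carries the executive's name, but the address behind it is an outside mailbox, or the company domain is claimed without passing SPF/DKIM. The script below is an added example and not code from the original post; the company domain, the executive's name and mailbox, and the sample messages are all constructed for illustration. It returns a list of reasons a message looks like executive impersonation, which is the kind of logic a mail-gateway rule or a SOC triage script would apply before a "process this wire quietly" request reaches anyone.

```python
"""Flag e-mail that borrows an executive's name (display-name spoofing).

Added example; COMPANY_DOMAIN, EXECUTIVES and the sample messages are constructed
values, not taken from the original post.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
# Display names an attacker is likely to borrow, mapped to the mailbox actually used.
EXECUTIVES = {
    "pat example": "pat.example@example.com",
}

# Constructed sample messages.
SPOOFED_DISPLAY_NAME = (
    'From: "Pat Example, CEO" <pat.example.ceo@gmail.com>\n'
    "To: finance@example.com\n"
    "Subject: Urgent wire\n"
    "\n"
    "Are you at your desk? I need a payment processed quietly.\n"
)
SPOOFED_EXACT_ADDRESS = (
    'From: "Pat Example" <pat.example@example.com>\n'
    "To: finance@example.com\n"
    "Subject: Urgent wire\n"
    "\n"
    "Call me as soon as you see this.\n"
)
LEGITIMATE = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com\n"
    'From: "Pat Example" <pat.example@example.com>\n'
    "To: finance@example.com\n"
    "Subject: Board deck\n"
    "\n"
    "Slides are in the shared folder.\n"
)


def _normalize_name(display_name: str) -> str:
    """Lower-case and strip titles/punctuation so 'Pat Example, CEO' matches 'pat example'."""
    name = display_name.lower()
    name = re.sub(r"\b(ceo|cfo|cio|ciso|president|dr|mr|ms|mrs)\b\.?", " ", name)
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(name.split())


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_findings(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    known_mailbox = EXECUTIVES.get(_normalize_name(from_name))

    # Executive's name on a mailbox that is not the one they use.
    if known_mailbox and from_addr != known_mailbox:
        findings.append(
            f"display name '{from_name}' belongs to {known_mailbox} but address is {from_addr}"
        )
    # Executive's name on an outside domain (free webmail, lookalike, etc.).
    if known_mailbox and _domain(from_addr) != COMPANY_DOMAIN:
        findings.append(f"executive name used with outside domain {_domain(from_addr)}")

    # Replies silently redirected to a different domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To {reply_to} does not match From domain")

    # The company domain claimed in From without the gateway recording SPF or DKIM pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if _domain(from_addr) == COMPANY_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("From claims the company domain but no SPF/DKIM pass was recorded")

    return findings


if __name__ == "__main__":
    for label, sample in [("spoofed display name", SPOOFED_DISPLAY_NAME),
                          ("spoofed exact address", SPOOFED_EXACT_ADDRESS),
                          ("legitimate", LEGITIMATE)]:
        print(label, "->", spoof_findings(sample) or "no findings")
```

Two design points: the name check deliberately ignores titles and punctuation, because "Pat Example, CEO" and "Pat Example (CEO)" are the usual attacker variants; and the authentication check reads the Authentication-Results header your own gateway stamped, not one the sender could have supplied, so in a real deployment you should only trust that header when it names your own mail server.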
What to do if you think you’ve been social engineered
Getting social engineered is like being pulled over. By the time you see the cop, the cop has already made the decision whether to pull you over or not. You won’t stop it at that point.
But unlike being pulled over, where anything you do after seeing the cop will probably just make things worse, you can contain the damage.
Personally, I would disconnect the computer from the network, both wired and wireless if it has a wireless connection, then call the help desk and say I think I’ve been involved in a security incident and need someone from the corporate incident response team to contact me. Hopefully your company has one. If your company is too small to have one, tell them you need someone from the IT security department to contact you. When I was working at a small company with about 500 employees, I handled incident response AND about three other things.
I don’t recommend shutting your computer off. While that may contain the damage, it will also destroy evidence. I’d rather let the incident handler decide whether to power the computer off or leave it as-is.
But whatever you do, report the incident. It will go much better for you if you report it than if you try to cover it up.
Is social engineering bad?
Every company is susceptible to social engineering. Of course it can cause a great deal of harm. But when I read the results from a penetration test, I get very unhappy very quickly when it doesn’t start with social engineering. I look at any other way in as the equivalent of not locking the doors at night.
Social engineering is preventable (more on that in a minute), but if an attacker tries enough times, eventually it’s going to work. You won’t prevent 100% of social engineering attacks, but that doesn’t mean you should roll over and play dead. Stopping 90% of attempts may be good enough.
You see, if it’s too difficult to get into your company, a real attacker will probably go after an easier target. There are lots of those. A penetration tester will get in, because you’ve paid them to do it, and if they have to try a couple hundred ways, they’ll try a couple hundred ways. Make them earn their money.
Preventing social engineering
The way you prevent, or, more realistically, reduce social engineering is by having a security awareness program. This should be something you do every year, just like sexual harassment and anti-discrimination training. I know security companies that don’t do it (I won’t name names) but they should. If you have to outsource it to KnowBe4 and Kevin Mitnick, that’s fine. I have some problems with Mitnick’s training, but if I were grading it, I’d give it an A-. And, admittedly, the problems I have with it may make him more effective with part of his audience. I’ve had to take the U.S. military’s security awareness training nine or ten times and it’s no better than the Mitnick training.