Chapter 8: Social Engineering

“You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”


Kevin Mitnick

A comic from XKCD, a popular techy-nerdy comic strip. CC-BY-NC
https://xkcd.com/1694/

8.1 What is Social Engineering?

8.2 Techniques of Social Engineering

8.3 Social Engineering in Action

8.4 Social Engineering in Hollywood

8.5 Preventing Social Engineering

8.1 What is Social Engineering?

Social engineering is leveraging social contracts and manipulating people to divulge information or behave in a certain way. Social engineering is hacking humans. Social engineering is conning people.

One of the best known social engineering artists is Kevin Mitnick. Kevin spent five years in jail for a number of computer-related crimes. Most of his imprisonment and charges were highly controversial, and Mitnick was seen as an idol in the hacking community. Since his release, he has written four books. His first, The Art of Deception, is the bible of social engineering (you should totally read the book!). [a]

He owns Mitnick Security Consulting, LLC and is also the Chief Hacking Officer and part owner of the security awareness training company KnowBe4[1]. One of the KnowBe4 tools includes sending fake emails to employees at companies to see if they fall for the bait (they also offer cybersecurity training). If you’d like to know more, you can read chapter 3 from the 2012 book The Path of Least Resistance for free.

You should be intimately aware of phishing by now - and phishing falls under the umbrella of social engineering. Consider these real-life cases:

“You gotta send that money NOW!” CEO says

Though his identity remains anonymous (and you’ll see why in a minute), in 2019 the CEO of an unnamed UK energy firm received a phone call from the Chief Executive of the parent company - a person he knew well. He transferred about $240,000 to the account of a Hungarian supplier.[2] Business as usual. Sure, there was a bit of urgency to the request, but he knew the person requesting the transfer so it didn’t raise any flags. The catch? The CEO of the parent company never made the request and the transferred money was immediately moved to another account (and was lost for good). The culprit? The voice of the CEO was mimicked by artificial intelligence.[3]

Help the police

In 2021, a 90-year-old woman in Hong Kong was contacted by law enforcement in mainland China. It seemed that someone had been using her identity for criminal activities. The law enforcement agency sent over an officer to deliver a cell phone for direct communication with them. Happily, she was able to rectify the mistaken identity by giving the authorities roughly $32 million… Or did she? Turns out the phone calls and the officer were both part of a scam.[4]

Out of order

Back in the 1960s it was common for businesses to drop bags of money off at banks after hours; they would deposit the money in a one-way vault at the bank. On one particular night, around thirty people from various companies arrived at the bank to see a sign that said, “NIGHT DEPOSIT VAULT OUT OF ORDER. PLEASE MAKE DEPOSITS WITH SECURITY OFFICER.” Each of the thirty employees did as instructed and received a hand-written receipt from the bank’s security guard. Turns out the security guard was not employed by the bank; he had just obtained a uniform and fabricated the sign.[5] Perhaps you’ve heard of the imposter - Frank Abagnale (whose adventures were chronicled in the 2002 movie Catch Me If You Can).

Yes, the name of my company is legit

In 2019 the Department of Justice finally caught up with Evaldas Rimasauskas (a Lithuanian citizen). He discovered the name of a company in Asia that sold products to big tech companies like Facebook and Google and then incorporated a company with the same name in Latvia. After creating a few corporate bank accounts with the same name in Latvia and Cyprus, he started sending invoices to the big tech companies. Over the course of three years, he stole over $100 million![6]

Department of Labor invites you to bid on work

In 2022 the Department of Labor sent emails to vendors inviting them to submit bids for upcoming projects. The professional emails had PDFs attached with instructions on how to submit a bid. The PDF had a link to the bidding site, and the site had DoL branding. One of the steps for bidding included a Microsoft Office 365 login (you probably see where this is going). Turns out that the URL for submitting the bids (and the email address) were not genuine DoL addresses. Instead, they were derivatives (like doi-bids.us, for instance)[7].

[Image: a text message on an Android device that says, 'USPS: The scheduled delivery for the package 1zc3PO got changed. Please confirm here: package-delivery-manager.biz/r2d2c3p0']

Who doesn’t love packages?

In April 2021, people across the country started receiving texts from the United States Postal Service about packages in transit that had been rerouted. All you had to do was click on the link to track the package and see the updates. As you’ve probably guessed, the link led to malware with the intention of stealing some of your data. Of course, an astute person would recognize that the link looks wonky, but that didn’t stop people from clicking on it.[8]

[Image: a text message that says, 'Free MSG - J.P. Morgan Chase Bank Alert - Did you attempt a payment for the amount of $5000.00? Reply YES or NO or "1" to decline fraud alerts']

Texts and calls

Later that year, attackers ramped up their methods. A man’s daughter received a text from J.P. Morgan inquiring about a $5000 transaction. She replied “NO” and immediately received a phone call from the bank confirming that the transaction attempt was fraudulent. The catch is that she was asked to verify some account details to make sure she was who she claimed she was. This story has a happy ending; she was savvy enough to tell the caller that she would call the bank herself - using the official phone number. She avoided a potentially catastrophic attack.[9]

Social engineering is a serious threat to organizations. In 2021, over 80% of organizations surveyed by Proofpoint reported a successful email phishing attempt (that was up from 46% in 2020!). Proofpoint attributes three factors - “Pandemic Fatigue” (employees are more likely to make an error in their inbox attentiveness), shifting infrastructures (cloud computing and personal devices have been adopted without sufficient training and configuration), and seductive lures in emails (namely Squid Game, Justin Bieber World Tour, and economic issues such as unemployment and relief[10]).

A report from Stanford found that 47% of respondents have admitted to clicking on links in phishing emails. While this data is insightful, there is concern that it is underreported. Based on other factors in the survey, Stanford suggests that some respondents were unaware that they had engaged with phishing emails. They also hypothesized that people underreport for fear of losing their job.[11]

Phishing attempts typically result in either compromised data or ransomware victimization. According to Sophos, the average bill for rectifying a ransomware attack in 2021 was $1.85 million.[12] Perhaps you remember the Colonial Pipeline ransomware attack - that cost about $5 million (though the FBI was able to recover about half of that after the fact).[13] But the trophy for the biggest payout of 2021 (and a new world record!) goes to CNA Financial Corporation: a payout of $40 million in March of 2021 to a Russian cybergang.[14]


8.2 Techniques of Social Engineering

In the vignettes above, did you notice that all but one of the examples required the attacker to get the target to install malicious software? One of the things that is so scary about social engineering is that you don’t necessarily need technical prowess; you just need to be good at getting people to trust you.

That is not to say that social engineering does not rely on technical skills - indeed many attacks do. But social engineering is certainly a good way to start an attack. I have an affinity for social engineering because it is a bit of a cerebral attack. Any script kiddie[15] can download software and launch an attack. But it takes a refined, sophisticated, clever mind to successfully perpetrate a social engineering attack.

OSINT

Typically an attacker will start with OSINT (open source intelligence). OSINT is information that is openly available. For instance, an attacker might electronically “case the joint” as their first step. Let’s say they want to compromise the CEO of a company. Well, a good first step would be to visit the CEO’s LinkedIn profile. Who are some of the employees at the company? Who else outside of the organization does the CEO communicate with? Next the attacker might look for an Instagram feed. Unlike Facebook (where you need to be friends), Instagram allows attackers to get a lot of information on the target. Does the victim go on vacation at the same time every year? Is there information in the photos that indicates where the victim spends time? What hobbies does the victim enjoy (hobbies are an easy way to artificially engage in conversation)? Check out Network Chuck’s quick demo on Osintgram!

OSINT is not just social media. Most towns have public tax rolls that list home addresses and property tax information. Perhaps the target is on a board of directors or the school board - their name (and ideas) will appear in published minutes from meetings. Maybe the victim has been in the local newspaper. Maybe the victim has a criminal record. Maybe the victim hasn’t changed the default settings on some of the apps they use so things like their Venmo transactions[16], Strava runs[17], or Amazon Wish Lists[18] are visible. Heck, there is even a book entitled “You Can Find Anybody!” by Joseph Culligan (licensed PI) that contains hundreds of resources where you can find information on people (an aggregation of thousands of public databases). There are plenty of OSINT tools that social engineers can use (like Maltego, Creepy, theHarvester, SpiderFoot, metagoofil, and TinEye) and we’ll be using Sherlock and Social Engineering Toolkit in this chapter. There are also some really neat OSINT Search Bookmarklets you can put into your browser.[19]

Techniques

After gathering information on a target, there are plenty of techniques a social engineer can use to trick the target.

Authority

Attackers assume an authoritative position. This could be as simple as wearing an outfit (like when a thief stole an ATM disguised as a repairman[20]) or appearing important, knowledgeable, and trustworthy.

Baiting

Luring marks into compromising situations. This can be done with USB drives (that’s how Stuxnet was brought into Iranian centrifuges[21]) or clicking on malicious links.

Dual reality

A technique where two (or more) parties are experiencing the same thing but how they internalize the event is different.

Dumpster diving

Going through the trash of a person or organization in an effort to gain inside information. A social engineering firm went dumpster diving in the trash of a company they wanted to infiltrate - they were able to find the names of the tech support team for the company and used that to craft a successful infiltration[22].

Phishing

An attempt to lure a victim into a trap via a fraudulent email crafted to look like a legitimate opportunity. In 2016, $78 million was stolen from Crelan Bank in Belgium because of a phishing email.[23]

Pretexting

This is a stage of social engineering that takes place before the attack; it lays the foundation by creating a plausible situation where the attacker earns the trust of the mark. For instance, in the iconic movie Home Alone, Harry and Marv convince everyone in the neighborhood that they are police officers and will keep an eye on all the houses as families travel for the holiday season.

Quid pro quo

Giving something to someone in return for something else. Brian Brushwood talks about the Coke study, but this technique is used as a vector of attack (for instance, Office Depot offered a PC Health Check, but would inform the customer that their computer was broken and charge them $180[24]).

Scareware

“Your computer may be infected!” - you’ve probably seen this before. It’s a scare tactic intended to drive users to pay for software to protect their computer (though there is no actual issue). In 2021 reports of the Cryxos trojan increased; the software scares users with pop-ups declaring that a virus has been found - but you can remove it by calling a number and paying for tech support[25]!

Shoulder surfing

Looking over the shoulder of a victim as they enter their keycode into a keypad on a door or their PIN at an ATM.

Smishing

Phishing via SMS (texting). Texts that evoke urgency, texts that suggest you’ve won a prize, and texts that suggest unusual account activity that needs corrective action are all suspect[26]. The “Zelle Fraud Scam”[27] is a great example of creating urgency and lending authority - and it tricks the victim into surrendering their six-digit 2FA code!

Spear phishing

Pointed phishing that usually requires reconnaissance on the target. One step of the reconnaissance is OSINT (open-source intelligence).

Tailgating

Unauthorized access into a facility perpetrated by following authorized people. Wearing a uniform (delivery, for instance) can help sell the tailgating endeavor. Standing outside a building and smoking/vaping where everyone else in the building goes to smoke is a good way to tailgate.

Urgency

A method of social engineering where the attacker pressures the victim by time-boxing them (“This offer is only good for 19 more minutes!” or “This is your bank and you need to confirm your personal information immediately!”).

Vishing

Phishing via voice. Recently a UK energy company was scammed out of $243,000 because of a vishing scheme[28] (it happened to use a deep fake voice), but urgency was a key ingredient.

Whaling

Whaling is spear phishing high-profile or high-ranking personnel (like the CEO of a company).

New attack methods

[Image: a screenshot of an SSO modal box. Is it legitimate or fake?]

Bad actors are constantly developing new tools to attack our systems. Not surprisingly, social engineering is always at the forefront of innovation because of two things - it’s cheap and it’s effective. Oftentimes emerging social engineering trends are low fidelity and easy to implement.

Browser in the browser

One of the more clever forms of social engineering and phishing has just emerged. Known as the browser in the browser (BitB) attack, the website uses JavaScript to craft a Single Sign On (SSO) modal window that looks just like a bona fide SSO window.[29] The catch is that the window that pops up will harvest your credentials if you enter them. This is almost impossible to detect, and most people are used to single sign-on, which might increase victimization.

Consider this image - can you determine if the single sign-on modal is legitimate or an imposter?

The easiest way to determine the validity of this modal is to test whether it is in fact a standalone browser window (which a genuine SSO prompt should be) or a JavaScript-created box drawn inside the page. Try minimizing the browser tab (in this case, Canva). If the SSO box is still visible, then it is a real window and it is not a BitB attack. However, if the SSO box vanishes when you minimize the browser, then it is likely fake and you should be cautious.

QR Codes

Some might argue that QR codes are not a social engineering scam but they do fit squarely into the social engineering space. People trust them (authority), they prey on our need for immediacy (urgency bias and convenience), and they are easy to distribute. However, unlike robbing a cryptovault, there typically needs to be boots on the ground to implement.

QR codes were introduced in 1994 but didn’t gain widespread adoption until 2011[30]. During the pandemic, QR codes gained even more momentum as they were used as a mechanism to provide contactless services (such as downloading a menu at a restaurant). Evidence of the popularity of QR codes was given during the Super Bowl in 2022 when cryptocurrency company Coinbase aired a sixty-second ad that was nothing but a QR code. More than 20 million people used their phone to scan the code, breaking the Coinbase app![31] The scary thing is that 20 million people pointed their phones at a QR code not caring about the risks.

In January 2022, the FBI warned that QR codes are the “perfect example of people exploiting a daily exercise.”[32] The FBI released a public service announcement the same month:

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

They also suggested a list of tips to protect yourself.[33]

Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.

Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.

If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

Do not download an app from a QR code. Use your phone's app store for a safer download.

If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.

Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.

If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.

Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
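The first two FBI tips above ask you to look at the decoded URL for a misplaced letter or a near-miss domain (the doi-bids.us case from 8.1 is exactly that). The following Python check is an added example, not code from the FBI or this textbook, that automates the comparison against an allowlist of domains you expect to land on; the allowlist, the homoglyph table and the sample URLs are constructed assumptions.

```python
"""Check whether a URL decoded from a QR code (or tapped in a text) lands on
the domain you expected, or on a look-alike. Added illustration; not code from
the FBI, the textbook or any vendor. Allowlist and sample URLs are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user genuinely expects to visit.
EXPECTED_DOMAINS = {"dol.gov", "usps.com", "chase.com"}

# Digit-for-letter and letter-pair swaps that read the same at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased host of the URL; a bare 'host/path' string is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one typo, one missing or extra letter,
    or one swapped pair of adjacent letters each count as a distance of 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold_homoglyphs(label: str) -> str:
    """Fold look-alike characters so that d0l compares equal to dol."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify(url: str, expected=EXPECTED_DOMAINS) -> str:
    """Return 'expected', 'lookalike' or 'unknown' for the URL's domain."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in expected:
        return "expected"
    # A trusted name used as a subdomain of someone else's domain
    # (chase.com.secure-login.biz) is the classic misdirection.
    if any(good in host for good in expected):
        return "lookalike"
    name = domain.rpartition(".")[0]
    # Compare the whole second-level name and each hyphen-separated piece,
    # so doi-bids.us is caught by "doi" being one letter away from "dol".
    candidates = {name, *name.split("-")}
    for good in expected:
        good_name = good.rpartition(".")[0]
        for cand in candidates:
            if edit_distance(fold_homoglyphs(cand), good_name) <= 1:
                return "lookalike"
            # Brand embedded in a longer name (chasebank.com); skip very
            # short brands, which would match ordinary words.
            if len(good_name) >= 4 and good_name in cand:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples modelled on the cases discussed in this chapter.
    for sample in ["https://www.dol.gov/agencies", "https://doi-bids.us/bid",
                   "package-delivery-manager.biz/r2d2c3p0", "https://d0l.gov/login",
                   "https://chase.com.secure-login.biz/", "https://example.org/"]:
        print(f"{sample:45} -> {classify(sample)}")
```

Short brand names such as dol produce false positives (idol.com is one letter away), so treat a "lookalike" result as a prompt to verify through a known phone number or a URL you type yourself, not as a verdict.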

Even without malware, failing to be vigilant with QR codes can be disastrous. In some cities in Texas, parking meters have a QR code and instructions to pay with your phone. In February 2022, someone printed their own QR code stickers and slapped them over the existing one. When patrons scanned it with their phone, they were directed to a fake website that looked just like the real parking website. Patrons were instructed to enter their credit card information and then assured that the meter fare was paid.[34]

Not surprisingly, the credit card information was abused and many people probably wound up with parking tickets!

In an even more flummoxing case, QR codes have started showing up in phishing emails and online ads.[35] One rationale might be that QR codes can probably sneak through spam filters easily. But the reality that people who are in front of a computer will take out their phone and snap a QR code is troubling - that’s one critical reason why it’s important to train people about the hazards.

Old and New Social Engineering

CSO Online published an article laying out five old social engineering attacks that are still popular today - as well as four emerging trends.[36]

Five popular social engineering attacks

Four new social engineering attacks


8.3 Social Engineering in Action

One of the best ways to learn about social engineering is to study the tactics that social engineers use. The following three videos are TOTALLY worth your time to watch:

YouTube Video

Penetration tester David Kennedy is hired by companies to test their security. In an interview for CNN, Kennedy shows off his skills.

In under three minutes he manages to convince a tech support specialist at a company to click on a malicious link.

David Kennedy is the founder of TrustedSec and authored the Social Engineering Toolkit utility.

YouTube Video

A brilliant demonstration of social engineering from a hacker at DefCon. Note how in this video the hacker creates a sense of urgency and confusion by using exasperation, a crying baby, and wonderful social engineering techniques.

Jessica Clark demonstrates in under three minutes how easy it is to get personal information from a phone company - this is how SIM swapping happens!

YouTube Video

Brian Brushwood is an entertainer, juggler, magician, and author who has a long-running YouTube channel called Scam Nation. He also co-hosts the Modern Rogue YouTube shows.

In this YouTube video, you’ll see Brian give a great TEDx talk about social engineering. It is roughly 16 minutes, but you’ll walk away with some foundational understanding of the psychology behind social engineering. If you like this video, check out his podcast, The World’s Greatest Con.


8.4 Social Engineering in Hollywood

The following video clips are from movies. I’ve done my best to curate a small, digestible, binge-worthy list of clips from movies you may not have seen. Two thoughts:

  1. You should watch all of these movies, especially Sneakers.
  2. I’ve provided commentary to contextualize the clips.

Matchstick Men

Matchstick Men is a 2003 movie about con men. Starring Nicolas Cage (Roy), Sam Rockwell (Frank), and Alison Lohman (Angela), the movie chronicles the scamming tricks of the trio. Things start to heat up as the movie unfurls in unsuspecting ways.

There are two clips worth looking at. In this one, Frank sets his mark up by guaranteeing that they have won a high-end prize (a new car, a trip, etc.). Once he establishes rapport (note that he gets to know how many grandchildren the mark has), he plays his AUTHORITY card; he tells them that they are on the hook for the sales tax. The AUTHORITY is fortified by Roy posing as Frank’s boss:

https://www.youtube.com/watch?v=GwQdBsTpmOM

In this second clip, Angela is learning how to scam. In the previous scene, she accompanies Roy's character into a convenience store. They buy a lotto ticket for today, but select four of the five numbers from yesterday’s winning numbers. Then they distress the ticket by rubbing it on surfaces so it looks like it’s been through the wash. They take special care to rub off the date of the ticket. Angela comes into a laundromat and subtly suggests to a patron that a found lottery ticket might be a winner. Note that this scam relies on a few things - AUTHORITY of a (fake) winning lotto ticket, RAPPORT of a young, polite, innocent girl, a HUNGRY MARK (the con men bank on patrons of a laundromat to have lotto dreams), and INCEPTION of the idea (the mark is the one who advances the plan -- of her own volition).

https://www.youtube.com/watch?v=TOrEE5NeZ9w

Sneakers

Sneakers is a 1992 movie about penetration testers that totally stands the test of time. In this scene, the team is attempting to break into a rather secure building. One of the plants, River Phoenix (Carl), has arrived before the infiltration occurs. His AUTHORITY is asserted because of his costume and his delivery of Drano. Carl is arguing with the front desk guard, who is not expecting the delivery. Quickly we see Robert Redford (Martin) establish IDENTITY and PRETEXT in his first contact. He has a LEGITIMATE REASON for being in the building; there is a party on the fourth floor and he is expecting the cake to be delivered. Luckily, Martin sees the delivery and vanishes from the front desk. He arrives a few seconds later with a cake so big he can’t reach his ID card (which clearly he doesn’t have anyhow). Tension is rising as the security guard’s argument with Carl escalates. There is CONFUSION and URGENCY (remember, the cake is late!) as Martin tries to get the guard to buzz him in. Only the first 40 seconds are relevant to the conversation of social engineering:

https://www.youtube.com/watch?v=oG5vsPJ5Tos

Wolf of Wall Street

The 2013 movie Wolf of Wall Street is a true story of Jordan Belfort (played by Leonardo DiCaprio), a huckster who made a fortune selling “penny stocks” or “pink sheet stock”. His rise to crime and corruption is a fascinating story.

In this scene, Belfort, coming off a job at a big brokerage firm, brings his guile to a small outfit that specializes in cheap stocks. Belfort brings URGENCY into his conversations with his marks, AUTHORITY because of his knowledge, and leverages EXPLOIT (the “pink sheets” are not really regulated like blue chip stocks are).

This clip has some vulgar language and may not be appropriate for some audiences; watching this clip is optional!

https://youtu.be/nJzo5TDfamk?t=166

In this second clip, we see Belfort training his new employees how to scam marks. There are a number of tactics here that work out well for the crew. They establish URGENCY by saying that these stocks are going to go up immediately, and waiting until then will be too late. They establish PEDIGREE with a firm name that is completely made up (Stratton Oakmont). Even their logo inspires pride, tradition, knowledge, and trust. The crew establishes AUTHORITY by reciting stocks of big, well-known companies in an effort to sell “penny stocks”.

This clip has some vulgar language and may not be appropriate for some audiences; watching this clip is optional!

https://www.youtube.com/watch?v=sxRStrx8xtc

Hackers

In the 1995 movie Hackers, Jonny Lee Miller plays Dade, a talented hacker. In this scene, Dade calls a local TV station and, using CONFUSION and KNOWLEDGE, successfully convinces an unsuspecting employee to reveal the phone number for the modem at the station. This lets him change the TV programming schedule so the station broadcasts an episode of The Outer Limits.

https://www.youtube.com/watch?v=_G3NT91AWUE

Catch Me if You Can

The true story of Frank Abagnale is captured in the 2002 film Catch Me If You Can. Frank Abagnale was a true con artist, most notable for convincingly posing as a pilot, a doctor, and a lawyer. The following clip shows how Frank (Leonardo DiCaprio) realized how effective AUTHORITY is. He shows up to his first day at a public high school after spending his childhood in a public school. He’s wearing a suit jacket and is mistaken for the substitute teacher. Note the DUAL REALITY that he employs (the students believe he is assigned to the class for the first time, meanwhile the actual substitute teacher is convinced that he is always the substitute for Roberta):

https://www.youtube.com/watch?v=KAeAqaA0Llg

Though not portrayed in the film, there was another stunt Frank orchestrated that relied on the AUTHORITY of a uniform. He brought a chair to a bank one night and sat outside the nighttime deposit box. He also rented a security guard outfit. He fashioned a sign that read, “Deposit broken. Please leave money with the Guard.” Between the outfit and the SOCIAL CONTRACT of the patrons (they certainly did not want to be embarrassed by not trusting the guard!), it was enough to convince patrons that their money was safe.

In another scene of Catch Me If You Can, Frank is caught by FBI agent Carl Hanratty (Tom Hanks), who has been pursuing Frank for a while now. Frank emerges from the bathroom of the apartment he is renting only to find Agent Hanratty with his gun drawn. Frank quickly realizes that Agent Hanratty does not know what he looks like, so he convinces Hanratty that he is a Secret Service agent who is also hot on the trail of Abagnale. He does this by using AUTHORITY, INSIDER KNOWLEDGE (about how the Secret Service works) and DUAL REALITY (he convinces Hanratty that his neighbor, Murphy, has already caught Abagnale while Murphy has no idea what is going on - Frank even covers any confused response Murphy may have had with a cough):

https://www.youtube.com/watch?v=CiXTwfipyqk


8.5 Preventing Social Engineering

Further Investigation

If you are interested in learning more about social engineering, you might want to check out these links:

Dual reality and magic

Social engineers and magicians have overlapping skill sets. The concept of dual reality has been around in magic for centuries. Penn & Teller perform a trick that demonstrates dual reality very clearly. In this case, the participant experiences something completely different than the audience. Typically in magic, neither the audience nor the participant will actually experience the secret. But this is Penn & Teller.

This video shows David Blaine performing a trick called “Invisible Touch”, which is a good example of dual reality (though this performance doesn’t really highlight the concept). The revelation of this trick is similar to a longer routine performed here.

A really good explanation of how magicians leverage dual reality is described by O’Brien Magic here (watch from 4:35 to 7:00).

Presentation on social engineering

Jen Fox (DefCon Capture-the-Flag black badge!) talks about, and demos, social engineering in her talk at the SANS Security Awareness Summit (2018).

A cool study about the word “because”

https://www.psychologytoday.com/us/blog/brain-wise/201310/the-power-the-word-because-get-people-do-stuff

Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!


[1] Kevin Mitnick [Wikipedia]

[2] A Voice Deepfake Was Used To Scam A CEO Out Of $243,000

[3] Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case

[4] 90-year-old Hong Kong woman loses $32 million in phone scam

[5] Catch Me If You Can: The True Story of a Real Fake

[6] Lithuanian Man Pleads Guilty To Wire Fraud For Theft Of Over $100 Million In Fraudulent Business Email Compromise Scheme

[7] Office 365 phishing attack impersonates the US Department of Labor

[8] Don’t click the link: USPS scam texts draw attention to ‘smishing’

[9] SMS About Bank Fraud as a Pretext for Voice Phishing

[10] 2022 State of the Phish

[11] Understand the mistakes that compromise your company's security

[12] The State of Ransomware 2021 [Sophos]

[13] U.S. recovers $2.3 million in bitcoin paid in the Colonial Pipeline ransom

[14] CNA Financial Paid $40 Million in Ransom After March Cyberattack

[15] Script kiddie [Wikipedia]

[16] Venmo transactions are public by default as part of its social strategy

[17] Strava users are calling out the app's "creepy" privacy settings

[18] Your Amazon Wish List Is Public By Default. Here’s How to Make It Private

[19] 4 Simple & Useful OSINT Search Bookmarklets

[20] Police searching for ATM thief who posed as repairman & Robber Dressed Up as ATM Repairman: Police

[21] STUXNET Malware Targets SCADA Systems

[22] Tiger Team - The Car Dealer Takedown

[23] Belgian bank Crelan loses €70 million to BEC scammers

[24] Office Depot Accused of Running a Real-World Tech Support Scam

[25] Scareware: Malicious Scam Pretending to Help You

[26] 5 Smishing Examples Everyone Should Be Aware Of

[27] The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

[28] A Voice Deepfake Was Used To Scam A CEO Out Of $243,000

[29] Anyone can now generate bogus Chrome browser windows thanks to a new phishing toolkit

[30] QR code [Wikipedia]

[31] Coinbase's strange QR-code Super Bowl ad briefly crashes app

[32] FBI warns criminals are using fake QR codes to scam users

[33] Cybercriminals Tampering with QR Codes to Steal Victim Funds

[34] Think Twice Before Scanning That QR Code

[35] QR code scams are on the rise. Here's how to avoid getting duped

[36] 5 old social engineering tricks employees still fall for, and 4 new gotchas

[a] Professor Dave, it would be cool if you added a date/timeframe for when this happened with Kevin! Like what year and where? Just as a point of reference =)!