The rise of the internet paved the way for the term ‘social engineering’ to boom into what it is today. The internet lowered the barrier to social engineering attacks to the point where your average person is now at least somewhat familiar with the term. In the past, social engineering needed to be accomplished in person, but now it can be done remotely and on a global scale.
In terms of tactics and techniques, social engineering has changed and evolved over the years, but the methodology, the ‘human hacking,’ remains the same. As long as there has been a human being on earth, there have been social engineers seeking to take advantage of others for one reason or another. But the meaning itself has evolved.
In the early 2000s, there was an online show called The Broken where social engineers played out a seemingly harmless social engineering scam to score free pizza. They would follow someone into a pizza store, stand behind them to hear what they ordered, and then walk out. 20-30 minutes later, they would call the pizza place to say that they were just in and ordered XYZ pizza, but they got the toppings wrong. Then, they would either ask for a refund or ask for a fresh pizza. What was originally a trick to getting free pizza has since evolved into malicious actors using deceptive social engineering tactics to steal passwords, take over bank accounts, and do all kinds of other nefarious things.
Social engineering has been embedded into our civilizations forever, from the Trojan Horse used by the Greeks during the Trojan War to sneak into the city of Troy, ultimately leading to their war victory, to the biblical Book of Genesis, where an aged and blind father is deceived by one of his sons who impersonates his twin brother in a ploy to steal his birthright (Jacob and Esau).
Social engineering is so effective because inherent trust is something humans have needed to get society to where it is today. This trust allowed humanity to work together in small tribes, which made us more successful at gathering food, lifting heavier objects, and hunting animals. But eventually, people realized that implicit trust can be exploited to gain more resources for personal gain. Trust is ingrained in all of us on a biological level, because humans have always needed it to survive. Understanding some of the evolutionary psychology around social engineering and its global effectiveness over the years can also help increase awareness of these threats.
The majority of social engineering attacks are executed remotely using email phishing as the preferred and most successful attack vector. The preference for remote/virtual social engineering attacks is due to the low cost and ability to launch 400 attacks in a single day as opposed to a single person doing either in-person social engineering or telephone phishing (vishing), where you are limited by how many actual interactions you can have in a day.
The success of a social engineering attack depends on how much effort has been put into it. A generic Nigerian Prince scheme isn't going to be very successful today, but if a social engineer is doing their due diligence and reconnaissance on their target, that alone will increase their success rate. This goes for in-person social engineering as well. If a person shows up to an office building in a casual t-shirt and asks to be let into the server room, that will probably not work out. But if they show up impersonating a known vendor of the organization in appropriate attire based on recon work, their success rate will undoubtedly increase.
While phishing emails reach the masses, good spam filters or employees simply not opening the email can thwart even the best phishing email. On the other hand, with in-person social engineering, good reconnaissance and a good pretext story will likely get a social engineer farther than a phishing email. In person, social engineers are able to present themselves as figures of authority, draw on emotions, and establish credibility and trustworthiness through face-to-face interactions.
When establishing a pretext, social engineers at RedTeam Security start at the end and work their way backward. Starting with open-source intelligence gathering and reconnaissance, they gather as much information on the company as possible. Even seemingly insignificant details that may never be used are still included in the OSINT report. This includes things like what software the company uses, what vendors it uses, and what time of day it operates. Every little inconsequential piece of data is collected and then analyzed. This process may also include in-person/active reconnaissance to gather more information. Working backward from the final goals, we ask: What are we trying to do? Who would be a good person to accomplish that goal? Would it be an IT support person? A delivery driver? An HVAC maintenance person? A construction worker? Or just an unsuspecting employee blending into the masses? Our team of highly trained ethical hackers reverse engineers the whole process and keeps asking the ‘why’ question.
Why would someone be in the CEO's office?
They're going to be there because they need to do an upgrade to the CEO's Microsoft Office account.
Why are they doing an upgrade to the CEO's Microsoft Office account?
There's a new system rollout from the IT department.
Why is the IT department doing this update in the first place?
Because their CTO wants them to be more effective.
Why is this happening on a Thursday?
During active on-site reconnaissance, we found out the CEO leaves 30 minutes early on Thursdays to pick up their son from school, which means we show up half an hour before the CEO leaves so that we have a time constraint. We do this because we know they are more likely to help us, push us through, and not ask questions, since they want to get going to pick up their son on time.
Disguises are often part of a good pretext for social engineers, and the success of those disguises all depends upon the reconnaissance that was done leading up to the engagement. For example, dressing up in a UPS uniform and walking into an office building with a stack of packages on Tuesday is only going to be successful if that is what actually happens. If the organization only receives FedEx packages, and on Thursdays, the engineer is going to stick out like a sore thumb to those who receive those packages on a regular basis.
One disguise is not necessarily more successful than the next, but rather the important factor is having the right disguise for the specific objective. A good pretext will get a social engineer all the way to where they want to go. While posing as an Amazon delivery person may get you through the front door, an IT support pretext with a fake badge and the right dose of authority might get you to the server room or the top floor.
An exterminator is another great pretext established during reconnaissance when the goal is to gain information about physical entry points into a building or to be able to look around a facility without looking suspicious. By simply informing the front desk they are there to look around and provide a free estimate, the social engineer has clearance to walk around the building, take photos of doors, locks, names of security systems, and more.
Additionally, one pretext can lead to another pretext. Take the example of the exterminator surveying the exterior perimeter of a building: while walking around and peering through windows, the social engineer may gain new insights, such as names of clients or vendors, shift changeover times, or where in the building keys are stored.
Ultimately, a great disguise builds credibility and enables a social engineer to be questioned less in order to take the actions they want to take to achieve their goals. Recalling attribution bias in psychology, when someone looks like they belong, the human brain tends to draw the conclusion that they are not suspicious and are indeed supposed to be there.
Trust but verify. At the end of the day, although a lot of social engineering attacks are attacks on our inherent trust with other people, we have the power to trust that they are who they say they are and still verify it is true using an alternative means of verification such as reaching out to HR or walking down to the person's office to confirm.