Cybercrime has gone "pro". The bad guys send you spear-phishing attacks and try to trick you into clicking on phishing links or open infected attachments. These slides explain today's hidden IT vulnerability and what the seven social engineering vices are that let the bad guys into an organization's network.
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
The Seven Social Engineering Vices
1.
2. You may not be aware that there is a scale of seven deadly
vices connected to social engineering. The deadliest social
engineering attacks are the ones that have the highest
success rates, often approaching 100%.
What is the secret of these attacks, how come they
succeed so well?
3. Your own observations show you that people are very
different. Some are always enthusiastic and willing to learn
something new. Others are more conservative but
courteous to their co-workers.
A bit further down this scale are people that always looks
like they are bored with life and then at the bottom are
those who just don't care and basically are in apathy about
everything.
4. Successful social engineers first determine where their
target is on this scale, and then select an attack that will
have the highest degree of success with that person, trying
to closely match their target's look on life.
5. This scale of vices can be approached from either a
negative or positive side. You can either call it gullibility or
you can call it trust, call it greed or self-interest, but since
we're talking vices here we'll stick to the negative labels.
Here are seven social engineering attacks that I hope are a
good example of each one of the deadly vices, but note
there is always overlap and things are not that clear-cut.
We are dealing with humans after all!
6. Curiosity:
The attacker left a USB stick next to the washing basin in
the restroom of the floor that had the executive offices and
their administrative assistants. It was clearly marked 'Q1
Salary Updates'.
The USB drive had modified malware on it that installed
itself and called home from any workstation it was plugged
into. This attack was 90% effective.
1
7. Courtesy:
The attacker focused in on the CEO of his target company.
He did his research, found the CEO had a relative battling
cancer and was active in an anti-cancer charity. The
attacker spoofed someone from the charity, asked the CEO
for his feedback on a fund-raising campaign and attached
an infected PDF.
Mission achieved, the CEO's PC was owned and the
network followed shortly after. And of course holding the
door open for a stranger with his hands full of boxes is a
classic 'Courtesy' piggybacking example that we all know.
2
8. Gullibility:
Attackers identified the proper managers at two separate
branches of their targeted bank. They bought a domain
name that looked very similar to the bank's domain.
They spoofed the bank exec's emails and sent bogus
emails to the manager authorizing transaction. They
walked in with a counterfeit check and a fake driver's
license, and walked out with 25,000 in cash...repeatedly!
3
9. Greed:
Did you know that the Nigerian 419 scams these days use
the word 'Nigeria' on purpose to qualify their targets up
front?
It's now utilized as a filter to weed out people and grab the
uneducated ones that are greedy enough to take a risk and
answer the 26 year old orphan girl that has $12,500,000 in
the bank, needs a guardian and some help transferring the
funds...
4
10. Thoughtlessness:
The combined U.S. and Israeli intelligence arms created
the Stuxnet malware which sabotaged Iran's Natanz
uranium enrichment centrifuges. It was carried in via a
simple USB attack on one of their scientists.
The Mossad slipped a USB drive to the scientist who
plugged the stick in his laptop at his house, went to work
and there connected the laptop to the internal Natanz
network. Social Engineering jumped the air-gap due to a
scientist who should have known better.
5
11. Shyness:
A Brad Pitt look-alike walks up to the internal reception of
the Human Resources Department of a French
multinational's Boston office. He profusely apologizes for
being a few minutes late and shows a piece of paper with
coffee stains. He explains he spilled coffee over his resume
and if the receptionist "pretty please with sugar" can print a
fresh copy for his interview?
He hands over the USB drive, the shy receptionist does not
confront him with the company policy that no foreign
devices are allowed on the network, quickly prints a new
copy and hands him the stick back. The young man
disappears to the rest rooms and the network is so owned.
6
12. Apathy:
Q: Which is the most useful to a social engineer? Ignorance
or apathy?
A: I don’t know and I don’t care
The three employees of the shipping department all got the
same generic phishing email from UPS popping into their
inbox more or less at the same time. None of them took the
time to hover their mouse over the link and see that the link
really went to a Slovak site with '.cz' at the end.
Furthermore, not one of them 'prairie-dogged' up from their
cubicle to warn the others. Two of the three clicked on the
link and got their workstation infected with nasty malware
that required a wipe-and-rebuild of their machines.
7
13. As you can see the genie is out of the bottle. Cybercrime has taken the concept
of social engineering and it's out in the wild. So, what to do?
1.Publish and distribute comprehensive security policy.
2.Understand that policy is the start of dealing with the problem.
3.Acknowledge that there is no effective implementation of policy which doesn’t
include a degree of education.
4.Be realistic. Education doesn’t mean making end-users security experts. It
means teaching them all they need to know to use computers safely.
5.Have a look at Kevin Mitnick Security Awareness Training.
Hat Tip to David Harley, Kevin Mitnick, Chris Hadnagy, SANS, and many others. For more info and useful links about
Social Engineering check out the WikiPedia page, and a great article by David Harley over at the cluestick site.