Saturday, February 24, 2007

Social Engineering Tactics

-- Joe Brian [joeshepitob@hadeed.com.sa] wrote:

Social Engineering Tactics

A social engineer intentionally manipulates his or her victim into believing that he or she is authorized and entitled to receive the information requested. As the social engineer moves through the organization gaining familiarity with the names, terms, acronyms, and jargon of the target company, the credibility of the social engineer is enhanced, and he or she is therefore more likely to appear as an authorized Oracle employee, thus making it easier and easier to gain confidential information.

Why would someone do this? The simple answer is to gain information concerning your organization. This information can be used to gain access to your system, electronic files, e-mail system, etc. Avoid being taken in by social engineering:
  • Never reveal your password to anyone.
  • Don't mention names of other employees or use Oracle terminology unless you are sure of the identity of the caller and their need to know.
  • Be especially wary if the caller wants telecommunications information (telephones, modems, voice mail, fax, etc.).
  • Don't send documents, plans, schedules, or any other document unless you are sure that the recipient is authorized to receive them.
  • If you have doubts, tell the caller that you will have to call back later, and ask for a name and telephone number.
  • Never answer questions from telephone surveys. Tell the caller that employees do not participate in telephone surveys from vendors.
  • Never type things into the computer when someone tells you to unless you know exactly what the results of the commands are.
  • Remember that a social engineer can spend months collecting what may seem to you to be trivial pieces of information. Once all the pieces are put together, the social engineer may have enough information to acquire the keys to the castle.

Tendencies of Human Nature

Six basic tendencies of human nature are involved in an attempt to gain compliance with a request. Social engineers rely on these basic tendencies of human nature, either consciously or, most often, unconsciously, in their attempts to manipulate. Shown below is each tendency along with an example of the type of social engineering attack:

Authority
A social engineer attempts to cloak himself in the mantle of authority by claiming that he is with the IT department, or that he is an executive or works for an executive in the company.

Liking
Through conversation, the attacker manages to learn a hobby or interest of the victim, and claims an interest and enthusiasm for the same hobby or interest. Or he may claim to be from the same state or school, or to have similar goals. The social engineer will also attempt to mimic the behaviors of his target to create the appearance of similarity.

Reciprocation
An employee receives a call from a person who identifies himself as being from the IT department. The caller explains that some company computers have been infected with a new virus that is not recognized by the antivirus software and can destroy all files on a computer, and offers to talk the person through some steps to prevent problems. Following this, the caller asks the person to test a software utility that has recently been upgraded to allow users to change passwords. The employee is reluctant to refuse, because the caller has just provided help that will supposedly protect the user from a virus. He reciprocates by complying with the caller's request.

Consistency
The attacker contacts a relatively new employee and advises her of the agreement to abide by certain security policies and procedures as a condition of being allowed to use company information systems. After discussing a few security practices, the caller asks the user for her password "to verify compliance" with the policy on choosing a difficult-to-guess password. Once the user reveals her password, the caller makes a recommendation to construct future passwords in such a way that the attacker will be able to guess them. The victim complies because of her prior agreement to abide by company policies and her assumption that the caller is merely verifying her compliance.

Social Validation
The caller says he is conducting a survey and names other people in the department who he claims have already cooperated with him. The victim, believing that cooperation by others validates the authenticity of the request, agrees to take part. The caller then asks a series of questions, among which are questions that draw the victim into revealing his computer username and password.

Scarcity
The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password. Many people, motivated by convenience, have the propensity to use the same or a similar password in every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process.
