
General Aspects on Social Engineering

Last reviewed: April 30, 2014

Social Engineering as it Applies to Information Systems Security

The research takes into account several aspects that together create an overview of the term and of the impact it has on security systems. In this sense, the first part of the analysis reviews the concept of social engineering and the aspects it entails. Secondly, it provides a series of cases that were influenced by social engineering and the effects each had on the wider picture of information security. Thirdly, the research looks at what policies are in place to avoid this type of practice and how the information security community has responded to the threat posed by social engineering. Finally, possible solutions to the issues social engineering raises are presented in the context of the increasingly technology-driven environment in which business is conducted today.

General aspects on social engineering

A non-academic definition of what social engineering stands for has been provided in several instances as the matter grew in attention and more cases of such "behavior" became known. Putting it bluntly, "Social engineering aims to exploit the weakest link in information security -- people. Just as in historical examples in which people were manipulated into meeting one's ends, social engineering is grounded in the same principle. Yet social engineering does not necessarily need the use of technical methods. By nature, people tend to be helpful and polite. Social engineering techniques take advantage of this intrinsic nature to manipulate people into divulging sensitive information" (Schneier, 2009). At first glance, it can be argued that the concept treats human nature as the default condition on which the activity relies. More precisely, a successful social engineer focuses on the social nature of an individual and turns this part of the personality into a weakness. From this first perspective, it is fair to say that social engineering as a practice uses people to achieve different goals, in this particular case obtaining information that would otherwise have been restricted by security protocols.

A more formal definition of social engineering provides a stricter description of the practice. In this sense, "Social engineering is the practice of obtaining confidential information by manipulation of legitimate users" (Allen, 2006). Under this definition, the term carries several considerations. On the one hand, it must be pointed out that the incentive for this practice is the acquisition of confidential information. In general, accessing public information that would otherwise be available to everyone is not considered social engineering. Therefore, a first aspect is that social engineering implies a breach of security and automatically of the law. Secondly, it must be pointed out that those targeted by social engineers are the individuals and links that handle this type of information, the legitimate users of the information. From this point of view and given a general outlook, it is in fact not the social engineer who commits the wrongdoing but rather the authorized user, for divulging the information. Therefore, it can be noted that social engineering as a practice is in fact a manipulation of the human component of a security system.

Aside from the legitimate users who are targeted and involved in the process, the social engineer, the individual carrying out the process, plays the main role. It must be pointed out from the outset that the terms "engineering" and "engineer" do not necessarily reflect a technical nature of the activity undertaken by such an operator. It is the definition of the term engineering that refers to "calculated manipulation or direction (as of behavior)" that needs to be taken into account (Merriam-Webster, n.d.). The social engineer in this case is, more or less, the individual who engages in such manipulation with the purpose of obtaining information. A more comprehensive definition is that a social engineer is "a hacker who uses brains instead of computer brawn" (Allen, 2006).

The term "hacker" has often been associated in popular belief with activities that relate strictly to Internet or web-based processes that focus on breaching the security of information in an environment that includes hardware, computers, software firewalls and other IT-related security measures. In this case, however, the raw material that such hackers use is the personality and individuality of human beings. This is an important aspect to be taken into account, especially given that in such circumstances the options for limiting social engineering are rather few, and it is rather difficult to consider all aspects and all possible situations in order to limit them at the level of legislation.

Other definitions provide a rather comprehensive and at the same time rather straightforward description of the entire process of social engineering, with a clear mention of the roles each party plays in the overall process. In this sense, Microsoft considers that "To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker -- someone who tries to gain unauthorized access to your computer systems -- are similar to those of any other hacker: they want your company's money, information, or IT resources." (Microsoft, 2014)

Although most of the situations that have been investigated by security did in fact prove to be social engineering, there are also cases in which a person can engage in such an action without actually knowing that he or she is committing a breach. In this sense, "Social engineering attacks can essentially be executed by accident or with the best of intentions by an innocent "attacker" whose motivations are generally benevolent. Understanding the breadth of possibilities for social engineering attacks to compromise a system, and the fact that the attacker may often not even consider its actions an attack, can help you arm yourself against social engineering" (Perrin, 2010). This is an important aspect to be taken into account, particularly because it is rather difficult to ascertain precisely the rationale behind one attack or another at the level of a working environment, for example. This applies particularly to cases in which, without any intention of creating a pattern or committing a malicious act, people may look over their shoulder at a colleague's computer; this does not necessarily constitute an act of social engineering.

There are numerous techniques used by social engineers in conducting their activities. Most of them do not involve the use of any type of technological device. In this sense, according to manuals written to assist companies, individuals, and governments alike in safeguarding their employees from social engineering, the most common techniques are the ones based strictly on other human beings not being careful enough or being overly polite and trusting. Some of these techniques include shoulder surfing, "dumpster diving," or mail-outs (Allen, 2006). As can be seen, all these types of procedures are based on social interaction with one or more individuals. While shoulder surfing represents a more personal approach, as the social engineer would need to be in the vicinity of the targeted user, dumpster diving can occur more often. Even so, according to surveys conducted among employees from different environments, email phishing is seen as the most common. In this sense, "Phishing -- pretending to be a trustworthy entity in an electronic communication -- was identified as the most typical source (47%), followed by social networking sites such as LinkedIn that allow new employees to be targeted (39%)" (Dimensional Research, 2011). Finally, mail-outs are seen as among the most common means of gathering information about people, which could include passwords, PINs, private information about the workplace, income, and even marital status. An example in this sense is the questionnaires or various links that go viral on the Internet and, when interpreted correctly, can provide a considerable amount of information about individuals, which can then be used either against them or for other purposes.

The rationale and motivation of social engineering is firstly one of material gain for the engineers. Most often, from a general perspective, social engineers can either sell the information gathered or use it to their own personal advantage. Another motivation for conducting this activity is personal revenge. In this sense, according to one study, "51% of social engineering attacks are motivated by financial gain - 14% of social engineering attacks are motivated by revenge" (Dimensional Research, 2011). Other reasons include competitive advantage and personal vendetta. There are numerous cases in which personal revenge has been the motivation for social engineering and, despite the fact that the people conducting activities such as shoulder surfing were not aware of the name of this type of process, the information gathered was used against the rightful owner of that information, which classifies the act as social engineering.

Actual examples of social engineering are numerous and range from the smallest of scale to increasingly elaborate schemes with the most serious effects, some of which are still ongoing and even spreading (see the Francophoned case study presented below). As an example, in a day-to-day situation, a social engineering process can be identified in a communication from an individual claiming to represent, for the sake of argument, a telephone company and wanting to offer a new subscription model. Without any type of confirmation from the caller, the person being called is asked to provide details. In such a situation, it is important to consider that it is the caller who needs to identify himself or herself in order to confirm that he or she represents the telephone company. Policies provide that in such situations the identification be done immediately, or else that contact be interrupted and assistance requested. In day-to-day situations, however, people cannot be fully aware of these aspects and rely on the goodwill of others. At the same time, social engineers rely on that same trusting nature of individuals.

Case study: Francophoned

An administrative assistant of a vice president receives a phone call from another VP in the company regarding an invoice to be processed. This scenario, as common as it might be, became the 'signature' of one of the most sophisticated cybercriminal attacks, one that combines phone-based social engineering with spear phishing and malware aiming to steal money from organizations, particularly from French-speaking ones.

The unusual attack, later called 'Francophoned', was first reported in April 2013, with traces of its presence leading back to February 2011. The investigation, conducted by Symantec, a company specializing in such investigations, showed a thoroughly prepared operation that used previously obtained names, e-mail addresses and phone numbers of the victims and their peers. With purely financial motivations, the attackers targeted employees with the authority to facilitate transactions on behalf of their organization, aiming to gain access to confidential information such as bank accounts, invoices and contract agreements, or secure certificates.

As the "modus operandi", the VP was impersonated by an attacker who authoritatively requested swift processing of an invoice received minutes earlier via e-mail. The supposed invoice, initially stored on a popular file sharing service, was a remote access trojan (RAT) configured to connect to a control server located in Ukraine. Once installed, the RAT provided a way in that facilitated keystroke logging and access to documents such as disaster recovery plans, the organization's bank accounts, and its telecom providers with their points of contact. Using this data, the attackers further impersonated the company representative and contacted the telecom provider with a request to redirect all of the organization's phone numbers to attacker-controlled phones, claiming a physical disaster. With the phone redirection in place, the attacker faxed a request to the organization's bank requesting multiple large-sum wire transfers to numerous off-shore accounts. Facing an unusual transaction, bank representatives obtained phone confirmation from the attackers by means of the redirected phones. Once successfully transferred, the money was subsequently laundered through other off-shore accounts and monetary instruments.

The information obtained in previous attacks was used to plan the next ones, with an increased rate of success. As an example, the attackers worked around a proprietary in-house funds transfer system that employed a two-factor hardware dongle. Impersonating an IT staff member, the attackers called the victim and, under the pretext of fund-transfer system maintenance, convinced the victim (citing customer privacy reasons) to turn off the monitor during the maintenance task. With the monitor off, the attacker used the victim's credentials to access the in-house transfer system and transfer large sums of money to offshore accounts.

By examining the traffic, Symantec was able to determine that the attacker was located in, or routing the attack through, an Israeli mobile telecom company's IP address. Further investigation determined that the attacks were indeed originating from a mobile network and that the attacker used a mobile Wi-Fi hotspot with a prepaid data plan, so the investigation could not be traced to an individual. "Even more surprising, the traffic analysis indicates that the attacker was on the move when they were conducting the attacks. These operational security techniques make the attacker extremely difficult to trace. The use of such a technique for cybercrime illustrates the increasingly sophisticated techniques that attackers employ. Finding a moving mobile Wi-Fi hotspot requires active on-the-ground on-call personnel with special equipment and the telecom provider's assistance to triangulate its location." (Symantec, August 2013)

While the initial 2013 RAT used in the attacks, identified by Symantec as the W32.Shadesrat (Blackshades) remote access Trojan, was limited in operational power, the February 2014 phishing campaign took a new turn. The new version, identified by Symantec as Trojan.Rokamal, despite using the same command-and-control server, is obfuscated with a .NET packer and can be configured to perform a series of compiled tasks such as downloading and executing potentially malicious files; performing distributed denial-of-service (DDoS) attacks; stealing information; mining cryptocurrency; and opening a back door to the system. Technical details can be found in Appendix 1.

The Francophoned operation specifically targeted French-speaking victims. French is the second most widely spoken language in the world, being an official language in 29 countries. With 110 million native speakers and 190 million second-language speakers (according to Symantec), this large pool of potential victims is not as heavily targeted as English speakers. This shift, together with the increased sophistication of the RAT tool, shows that 'those behind these attacks are eager to evolve their business and innovate new ways of making money'. (Symantec, April 2014)

Given that this case represents an ongoing investigation, there are few resources available to analyze it further (Appendix 1 contains the full Security Response from Symantec). However, given the magnitude of the case and the fact that the process is rather complex and well planned, it will be rather difficult to bring it to an end and apprehend the guilty parties. At the same time, this example points out that social engineering taken to an international level can cause severe repercussions from a financial point of view.

The next case study reviews the impact social engineering may have on the personal effects and belongings of an individual and gives a sense of the magnitude of social engineering from the perspective of an individual. In 2012, the technology journalist Mat Honan, senior writer for Wired, saw his digital identity stripped and deleted by hackers who, using social engineering, managed to take over his iCloud account (Honan, 2012). Abusing the system, the hackers spared nothing: iPhone, iPad and even the hard drive of his MacBook -- full of irreplaceable family photos -- which was completely erased, all in order to prevent any retaliation over the attempt to hack his Twitter profile, @mat.

Without using brute force or other password-guessing technologies, the hackers managed to gain access to his Gmail account and use it to compromise the Twitter account, which they then used as a platform to broadcast racist and homophobic messages. The attack used social engineering techniques to trick the customer service representatives of Apple and Amazon. The mechanism was striking in its simplicity: using the link between the Twitter account and a personal webpage, the hackers identified the publicly available Gmail address and correctly guessed that it was also used for the Twitter account. Using the account recovery options from Gmail, the hackers managed to identify an existing Apple ID (an @me.com email address). A simple WHOIS lookup on the domain provided the valuable information regarding the billing address. Using the billing address, the name on the account and an associated e-mail address, Amazon allowed the hackers to add a new, fake credit card to the account. On a second support request, using the fake credit card information and the billing address, Amazon allowed a new e-mail address to be added to the account. Using Amazon's password reset system, the hackers gained access to the account information, including all the credit cards on file for the account -- not the complete numbers, just the last four digits. With the billing address and the last four digits of a credit card, Apple customer services allowed an account reset for the iCloud services. With the iCloud account hijacked, the connected devices were easily wiped using Find My iPhone, while the Gmail and Twitter credentials were readily accessible, stored in the keychain among bank and other sensitive credentials. A 19-year-old, using a MacBook and a phone, made the entire process possible.
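The chain above is instructive for defenders because every link is a recovery process accepting, as proof of identity, a fact that another service had already exposed. As an added illustration (not code from the essay, from Honan, or from any of the companies named), the following Python models that chain as constructed derivation rules, computes which facts become reachable from nothing but a public Twitter handle, and identifies the single verification steps whose hardening would cut the chain:

```python
"""Forward-chaining model of the account-recovery chain described above.
Added illustration for this essay; the rules are a constructed simplification
of the narrative, not any vendor's actual recovery policy."""

# (facts required, fact gained, how the narrative describes the step)
HONAN_RULES = [
    ({"twitter_handle"}, "personal_website", "Twitter profile links to a website"),
    ({"personal_website"}, "gmail_address", "Gmail address published on the site"),
    ({"gmail_address"}, "me_com_address", "Gmail recovery page reveals the Apple ID"),
    ({"personal_website"}, "billing_address", "WHOIS on the domain gives the address"),
    ({"billing_address", "gmail_address"}, "amazon_card_added",
     "Amazon accepts name, address and email to add a card"),
    ({"amazon_card_added", "billing_address"}, "amazon_account",
     "Amazon accepts the new card and address to add an email, then resets"),
    ({"amazon_account"}, "card_last4", "account page shows last four digits"),
    ({"card_last4", "billing_address", "me_com_address"}, "icloud_account",
     "Apple accepts address and last four digits for a reset"),
    ({"icloud_account"}, "devices_wiped", "Find My iPhone remote wipe"),
    ({"icloud_account"}, "keychain_credentials", "Gmail/Twitter stored in keychain"),
]

# Hardened variant (constructed): the iCloud reset also needs a secret that
# no other service exposes, so publicly derivable facts can never satisfy it.
HARDENED_RULES = [r for r in HONAN_RULES if r[1] != "icloud_account"] + [
    ({"card_last4", "billing_address", "me_com_address", "owner_recovery_key"},
     "icloud_account", "reset requires a recovery key only the owner holds"),
]


def reachable(known, rules):
    """Apply rules until no new fact appears; returns (facts, how) where
    how[fact] = (required facts, description) for every derived fact."""
    facts, how = set(known), {}
    changed = True
    while changed:
        changed = False
        for needs, gains, why in rules:
            if gains not in facts and needs <= facts:
                facts.add(gains)
                how[gains] = (needs, why)
                changed = True
    return facts, how


def path_to(target, known, rules):
    """Derivation steps (fact, description) in dependency order, or [] if
    the target cannot be reached from the known facts."""
    facts, how = reachable(known, rules)
    if target not in facts:
        return []
    steps, seen = [], set()

    def visit(fact):
        if fact in seen or fact not in how:
            return
        seen.add(fact)
        needs, why = how[fact]
        for need in sorted(needs):
            visit(need)
        steps.append((fact, why))

    visit(target)
    return steps


def critical_rules(target, known, rules):
    """Indices of rules whose removal alone makes target unreachable: the
    single verification steps a defender can harden to cut the chain."""
    return [i for i in range(len(rules))
            if target not in reachable(known, rules[:i] + rules[i + 1:])[0]]


if __name__ == "__main__":
    start = {"twitter_handle"}  # the only fact known at the outset
    for fact, why in path_to("icloud_account", start, HONAN_RULES):
        print(f"{fact:20s} <- {why}")
    print("single points to harden:", critical_rules("icloud_account", start, HONAN_RULES))
    print("iCloud reachable after hardening:",
          "icloud_account" in reachable(start, HARDENED_RULES)[0])
```

Running it lists the eight derivation steps from the handle to the iCloud reset and shows that every rule up to and including the Apple reset is a single point of failure, so requiring one owner-held secret at any of those steps breaks the whole chain.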

Policies on social engineering

Policies on social engineering, and the means by which companies can train staff and prevent such attacks, have been put in place by numerous entities; however, despite these actions, numerous cases have occurred in which employees were found at fault and in breach of company policies because training is not necessarily conducted properly or in a timely manner.

The phenomenon is widespread and, as mentioned previously, companies as well as government organizations are aware of the threat posed by social engineering and of the damage caused by such practices. Studies have pointed out that, despite the threat being visible, few awareness campaigns are conducted at company level to ensure that such incidents do not take place. In one such study, "Only 26% of participants actively train employees on the threat. An additional 34% do not have any initiatives in place now, although some of those (19%) do have plans to start a program to educate employees. The largest segment of participants, 40%, put the responsibility on the employee to read and understand their organization's overall security policy documents to prevent data loss, security attacks, and social engineering-based threats" (Dimensional Research, 2006). This points to an increased need to rethink the awareness strategy in order to allow employees to better protect themselves from possible attacks by social engineers.

The general framework of a policy requires that the company inform employees about the issue of social engineering. According to the SANS Institute, the role of the policy is twofold: "To make employees aware that (a) fraudulent social engineering attacks occur, and (b) there are procedures that employees can use to detect attacks" (SANS Institute, n.d.). Therefore, the role of the policy is, on the one hand, to raise awareness of how social engineering functions and of the means by which such acts can be detected and, on the other hand, to advise employees on how to detect cases of social engineering and how to best use the policies to their advantage. It must be pointed out that in case of a breach it is the employee who is initially warned and questioned about the security breach; hence the increased attention employees must give to such policies.

These policies also include a certain level of detail about the way in which companies tend to view acts of social engineering. In this sense, companies give different levels of attention to the subject. While some treat these acts in strict terms, others tend to view them as mere actions employees should be aware of and define them in their policies in a rather general manner. Such a general manner can be seen in a policy template stating that employees should be alert when "Someone is contacting the employee - via phone, in person, email, fax or online - and elusively trying to collect 's sensitive information. 2.2.1 The employee is being "socially pressured" or "socially encouraged or tricked" into sharing sensitive data." (SANS Institute, n.d.) Such a description is open to interpretation and may not guide the employee to a very clear identification of a possible social engineering process. At the same time, it does give him or her notice to pay attention to certain out-of-the-ordinary behavior that would fall within those lines. From this point of view, the policies represent mere guidelines for raising general awareness of the existence of the process; yet, being rather general, they do not offer protection to the employee in case of a sophisticated attack of this type.

Another part of the standard policies concerning social engineering refers to the actual actions an employee needs to take once they encounter a possible social engineering case. Firstly, it must be pointed out that training should be conducted every 6 months on the job for every employee. However, it is rather difficult to assess the effectiveness of this training, especially once the information provided becomes more or less a routine information pack. Secondly, the actions an employee needs to take once such a practice is identified include identifying the requester of the information. This is viable if the requester is online or on the phone. In person, it is rather difficult to perform such an action, as people have a tendency to adjust during the conversation and rarely ask for full details in a face-to-face discussion. The next step is to immediately notify the supervisor and report a possible breach. In case the supervisor is not available, security personnel should be contacted. Finally, in order to reduce to a minimum the possible damage a social engineer could cause, all interaction with the individual is interrupted and an attempt is made to minimize the damage (SANS Institute, n.d.). Once security personnel are contacted, the notice is further analyzed and processed by Security.

Microsoft, as one of the most important IT companies in the world, has tried to educate its users and the general public on the issue of social engineering on numerous occasions and through different means. This is particularly because the software components in most computers are Microsoft products, and it was only natural that special attention be given to such possible security breaches. Despite the fact that Microsoft did not issue particular public policies concerning the means through which employees can protect themselves and the company from social engineering, its education of the public is rather significant. In this sense, it takes into account online threats and in particular what a virus email may look like and what should be done with it (Microsoft, 2014). This approach is a rather technical one and crosses the border from general information to a more detailed kind, yet it is still extremely useful for the employee.

As part of a more technical presentation of what social engineering is and what threat it represents for the company, another aspect that needs to be taken into account is not only official types of interaction such as email or phone, but also instant messaging, which is more and more common even in corporate communication (internal messengers). This means of communication, if not clearly supervised and looked after, may pose a real threat to the security of the company. As part of the informal guidance Microsoft continually publishes, it explains how instant messaging can become a liability for the company. "The hacker (red) impersonates another known user and sends either an e-mail or IM message that their target will assume comes from someone they know. Familiarity relaxes user defenses, so they are far more likely to click a link or open an attachment from someone that they know -- or they think that they know. Most IM providers allow identification of users based on e-mail address, which can enable a hacker who has identified an addressing standard within your company to send IM contact invitations to other people in the organization. This functionality does not pose a threat, but it does mean that the number of targets within your company is greatly increased" (Microsoft, 2014).

PaperDue. (2014). General Aspects on Social Engineering. PaperDue. https://www.paperdue.com/essay/general-aspects-on-social-engineering-188736