Thursday, May 31, 2012

Social Engineering..... what's the truth?


Please note this article is for educational purposes only.
What would be your reaction if you got a mail in your corporate inbox with the From field showing “HR Helpdesk” (assuming that’s how HR mail appears in your organization) and the subject “Best Employee Bonus of Rs. 1,50,000”? The mail says you have been awarded the bonus for your hard work, dedication and so on. All you need to do is reply with some of your official and personal details and the bonus is yours. If I were you I would jump on it and reply in a matter of 30 seconds.
However, what you would have failed to notice is that the email ID in the Reply-To field is not one of your HR’s corporate email IDs but some unknown, malicious email ID on a public domain. This is what we call Social Engineering.
Social Engineering is a term for an attacker’s ability to manipulate the natural human tendency to trust, leading to malicious outcomes such as unauthorized access, loss of confidential details, phishing, etc. It is really the art of luring people into doing what you want. A child emotionally pressuring her parents to buy her a toy, a salesperson convincing a customer to buy his products, or a phishing attack are all examples of Social Engineering.
Social Engineering can be categorized as Physical and Psychological.
1  Physical – In this case an attacker attempts to circumvent physical security controls.
Among many, some examples of Physical Social Engineering are:
  • Bypassing physical security checks and gaining unauthorized access to the premises
  • Entering the cabin of a top-level executive as a visitor in her / his absence
  • Impersonating a courier agent and dropping off an unchecked parcel at a C-suite executive’s cabin
  • Entering restricted areas like the data center and gaining unauthorized access to critical details like the network setup
  • Tailgating through the main entrance and other entry / exit points (fire exits, smoking zones, etc.)
  • Impersonating a government official or a person from an authorized department (Electricity Board, Fire Department, etc.) and conducting a site visit to gain critical information about the facility
2  Psychological – In this case the attacker plays on the victim’s trust, exploiting human psychological factors.
Among many, some examples of Psychological Social Engineering are:
  • An email from a public-domain ID, for example ABC@goodsite.com, where the name displayed in the inbox could be HR@corporatenetwork.com / IT@corporatenetwork.com
The content of such mails could be:
1) “This is an automated employee detail collection form. In view of the current H1N1 pandemic and heavy rains, we are in the process of updating and maintaining an up-to-date employee database. All ‘CorporateNetwork’ employees are requested to cooperate and provide the necessary details at the earliest. Please fill in all the details and submit the form. This is an auto-generated email; please do not reply to this email.”
2) “Virus Alert. Recipient name: This is an automated alert sent by the virus update engine. A new virus which targets IT Services and Software Development organizations has been circulating on the Internet. This particular virus requires an immediate software update to prevent infection. Please click the link below to update your workstation with the necessary patches.”
  • Cold calls to employees by people impersonating vendors or media personnel, inquiring about internal details like applications, IT infrastructure, physical security, etc.
  • Calls to employees impersonating the IT Helpdesk and requesting login credentials. The imposter could convince the victim by stating that the credentials are required for maintenance activities.
  • An imposter could obtain employee details from the public domain and call the organization’s IT Helpdesk to reset the victim’s password, thus gaining unauthorized access.
  • Mails from forged bank IDs requesting Internet Banking login credentials
If you don’t want to be a victim of Social Engineering attacks, follow some basic thumb rules:
  • Never allow people to tailgate behind you.
  • Verify the identity of a visitor against his/her valid ID card.
  • Ensure all entry / exit points are secured at all times.
  • Visitors should not be allowed into the office space without an appointment. They could be asked to wait at the reception.
  • Avoid using corporate IDs on public-domain sites, blogs, discussion forums, etc.
  • Do not share login credentials with anyone. The IT Helpdesk and banks do not need employees’ / customers’ login credentials for any of their operations.
  • Before replying to mails asking for sensitive / personal information, verify the origin and the sender’s details.
  • Never click on unknown links or links contained in mails of unknown origin. An innocent-looking URL like www.goodsite.com could actually link to www.xyz.abc.net etc., which might infest your PC with malware, Trojans, viruses and, worse, backdoors giving attackers complete remote access to your PC.
  • Avoid accessing confidential and critical online services like the corporate mailbox, bank accounts, etc. in public places, hotels, etc., where Internet security cannot be trusted.
  • Read and follow the security guidelines on Internet Banking issued by banks from time to time.
  • Verify the SSL certificate of the bank’s website before starting any Internet Banking transaction.
  • Use a strong and complex password.
  • Do not note down user IDs and passwords on pieces of paper, notepads, etc. that could be accessible to others.
  • Use a virtual keyboard where applicable.
  • Avoid installing software / tools of unknown origin because these might open backdoors to your PC.
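As an added example (not part of the original post), the following Python script checks the two tells described above: the “HR Helpdesk” mail whose Reply-To points to a public domain instead of the corporate one, and a link whose visible text reads like www.goodsite.com while its href points somewhere else. It uses only the standard library; the two messages and every address and hostname in them are constructed for illustration.

```python
"""Added example: flag two social-engineering tells in an email message:
(1) a Reply-To domain that differs from the From domain, and
(2) a link whose visible text names one host while its href points elsewhere.
Standard library only; the sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "HR Helpdesk" mail in the post.
# All addresses and hostnames are made up (.example TLD).
SAMPLE_MAIL = """\
From: HR Helpdesk <HR@corporatenetwork.example>
Reply-To: ABC@goodsite.example
Subject: Best Employee Bonus of Rs. 1,50,000
Content-Type: text/html

<html><body>
<p>Reply with your official and personal details to claim the bonus.</p>
<p>Or submit the form at <a href="http://www.xyz.abc.example/form">www.goodsite.example</a></p>
</body></html>
"""

# Constructed benign mail: no Reply-To, and link text agrees with the href.
CLEAN_MAIL = """\
From: HR Helpdesk <HR@corporatenetwork.example>
Subject: Holiday calendar
Content-Type: text/html

<p>See <a href="https://intranet.corporatenetwork.example/holidays">intranet.corporatenetwork.example</a></p>
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header; '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, None when outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+)")


def host_named_in(text):
    """Hostname the anchor text appears to name; '' if the text is not URL-like."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m and "." in m.group(1) else ""


def analyse(raw_message):
    """Return a list of findings for one raw message; an empty list means no tell found."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # Only single-part HTML bodies are handled here; multipart mail would need msg.walk().
    if not msg.is_multipart() and msg.get_content_type() == "text/html":
        charset = msg.get_content_charset() or "utf-8"
        body = msg.get_payload(decode=True).decode(charset, "replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown = host_named_in(text)
            actual = (urlparse(href).hostname or "").lower()
            if shown and actual and shown != actual:
                findings.append(f"link text names {shown!r} but href points to {actual!r}")
    return findings


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(name, analyse(mail) or ["no findings"])
```

Run it as-is to see both findings on the constructed bonus mail and none on the benign one; to use it on real mail, pass the raw message text (as saved from a mail client) to `analyse()`. Either tell on its own is reason to verify the sender through a known-good channel before replying or clicking.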