Social engineering – the art of human hacking
by Steve Bell
January 24, 2014
If you’ve ever wondered what ‘social engineering’ means, it can be summed up in one word: manipulation. It’s the art of hacking into the human psyche and getting people to do something you want them to do but that they wouldn’t want to do if they knew what you were up to. Got that? It can be devious or it can be very simple. Its practitioners used to be known simply as con men, or if a victim was particularly unlucky, sociopaths (some might argue politicians). But in a world where everything is digitised, anonymised and hooked up to a network - even your ailing gran whose health is remotely monitored - it’s happening on a far larger scale with far more misfits getting in on the act. And it’s affecting far more people too.
A big fat whopper
All those phishing emails you receive from some company you think you may have done some sort of business with are classic examples. Thankfully, some of them are laughably amateurish, like the Facebook-based Christmas whopper purporting to come from mega UK retailer Asda and offering a free £500 shopping voucher. Seriously, who ever heard of any business, whose sole raison d’être is to pump up the profit, giving money away? Fortunately the numpties who put this one together couldn’t even spell Asda correctly – they called it Adsa. That’s a nice touch of dimness. But some social engineering is scarily subtle. Just a few days ago a friend received a payment from a company based in Dubai. A few hours after receiving notification of the payment by email, he received another email from a Dubai currency exchange. Thinking it was related to the payment, he clicked on the link. Thankfully, his antivirus software immediately quarantined the web page; it was loaded with malware designed to sniff around his computer and transmit personal info back to the hackers. But how did they do that? The hackers have clearly got some sort of sniffer code that’s picking up the outgoing email addresses of the accounts payable department. Welcome to the shiny world of digital social engineering – the art of human hacking, as some say.
Whistle your way to nuclear war
You may or may not have heard of Kevin Mitnick, who helped bring the phrase ‘social engineering’ into the everyday vernacular. Today he’s a security consultant, but back in the day law enforcement almost considered him public enemy number one. He did five years in prison after being convicted on a number of ‘hacking’ charges. Such was the trepidation felt by the authorities towards Mitnick that he spent eight months in solitary confinement because, according to Mitnick, a judge was convinced that he had the ability to “start a nuclear war by whistling into a pay phone.” Law enforcement had told the judge he could somehow dial into a NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles. If it were that easy to launch nuclear missiles, we’d probably all be little more than fading memories in the seared minds of a few survivors. While this simply betrays ignorance on the part of the authorities at the time, Mitnick claims he never actually hacked systems; he simply applied social engineering skills to get the passwords and codes that allowed access to systems. Such is the persuasive power of social engineering.
Get rich by clicking on this link
Even though our inboxes may be assailed with poorly crafted phishing attempts, or for that matter blindingly brilliant endeavours, few of us think we’ll fall victim to social engineering attempts. After all, we’re too clever to be fooled – aren’t we? But how many of us think our homes will be burgled? It’s only when it happens that we become aware of the many vulnerabilities and points of entry for burglars, and we begin to question ourselves about why we missed the obvious. Ditto social engineering. The classic social engineering scam that everyone knows is the Nigerian email, or more recently, letter. It offers mega-riches in return for a small investment needed to release funds. It’s so widespread these days that few people fall for it, though undoubtedly it has roped in a lot of victims. After all, which smart person wouldn’t want to invest a relatively small amount to gain a larger amount? It’s a smart thing to do, isn’t it? Well, not if it involves someone sounding like Ofu Oliyemendu unlocking vast treasury reserves in return for a small payment from you.
The devil and his juju
In an interesting reversal of social engineering, a London-based investigator had a client who was being plagued by some Nigerian scam artists. He did a bit of background research and discovered how superstitious these people were. He then called them and chanted some devil juju down the phone. They never troubled his client again. Social Engineering – The Art of Human Hacking, by Christopher Hadnagy, was published three years ago. In the digital sphere that may be the equivalent of three decades, but if you want a detailed insight into social engineering it’s an informative and easy read that offers a good understanding. It’s also got some great examples of social engineering. One in particular involved a security consultant (who else?) who waltzed away with $10 million from a bank and, using a variety of social engineering techniques, skipped off into the sunset clutching a bag of diamonds valued at £10 million (it’s how he laundered the money). But three years on from the publication of this tome, social engineering is almost de rigueur for many hackers. Software vendors are better at creating code that is more difficult to break into, which is one of the reasons hackers are increasingly turning to social engineering skills. And with so much personal information online, of course it’s identity thieves who use many aspects of social engineering to get their hands on a person’s name, bank account numbers, address and birth date without the owner’s knowledge.
So you want a shiny iPad at a third of the price?
This is one of the drivers behind the surge in social engineering phishing. Click on that link and you’ll unwittingly implant malware on your computer which will harvest your personal details. It’s the ideal tool for hackers: it’s anonymous, it’s effective and there’s little chance of getting caught. On the deep web there are many hackers who’ve made a business out of it. One particular mob, which seems to be based in India, has set up a shop offering buyers goods from Amazon at a third of the retail price. They focus on pushing Apple goods, because of the high demand for all things Apple, from tablets to phones. They simply buy the goods by using social engineering to harvest credit/debit card numbers and then use the details to make the purchase, which they then sell on to deep web buyers.
Doctor, lawyer, salesman, spy
But the real experts in social engineering are the spooks. In fact, it’s a central part of any spy’s tradecraft, a way of life. They are the experts and are taught different methods of tricking victims into believing they are someone or something they are not. If you follow the news, you’ll probably recall the gas attacks in the Syrian city of Damascus. Months down the line, a UN report later and several deep investigations on, the evidence suggests it wasn’t the Damascene authorities. No big deal, you might think, except that there was some serious social engineering taking place using the gas attack as a pretext to bomb the Assad regime into submission. Naughty. Thankfully, in the digital realm the destructive effects of social engineering tend to be a little more limited and don’t involve the loss of life. And the fact is that many of us experience ‘positive’ social engineering every day without being aware of it. Sales people use social engineering skills to find out what a customer’s needs are; doctors, psychologists and lawyers ‘hack into the psyche’ to manipulate their clients in the direction they want them to take. Even governments utilise social engineering to control the messages they release as well as the people they govern. This type of social engineering is not always negative, because some of the messages are for the greater good - or are they?