
Social engineering, or: how to "crack" people

Reports on intrusions into computer networks tend to dwell on the technical details of the attack, while the social components that play an increasingly important role in targeted attacks are often overlooked. With "social engineering", potential victims are analyzed and tricks tailored to them are used to make the attack succeed. Security expert Sharon Conheady has been working on this topic for several years. At First Defense Information Security Ltd she offers targeted "social engineering" training courses for companies, and also tests their security herself.

In the following interview she talks about the new possibilities that social networks offer attackers, about mass scams, and about the historical background of "social engineering". The interview was conducted by Andreas Proschofsky during the DeepSec security conference held in Vienna at the end of November, at which "social engineering" was a prominent topic.

The interview is also available in the original English.

derStandard.at: What are the current trends in the area of "social engineering"?

Sharon Conheady: The nature of "social engineering" has changed dramatically in the last three to four years, mainly due to the spread of social networks. For one thing, they offer a huge attack surface: you can now target hundreds of thousands of people with a single attack, which was not so easy in the past. Above all, however, a lot of information is revealed there that can be used for attacks. Be it your name and birthday, your favorite pizza, whether you intend to quit smoking, where your workplace is, what's going on there, whether you like your boss or not. All of this can serve as a basis for attacks.

derStandard.at: So social networks not only offer more information but also a wider range of targets?

Sharon Conheady: Yes, absolutely. And they are based on trust, and that is exactly what "social engineers" take advantage of.

derStandard.at: Are there other developments beyond social networks ...?

Sharon Conheady: Well, phishing has become quite big in the last few years; now there is also vishing, where you get an email asking you to call someone back. Vishing can also mean that you find a message on your own voicemail that pretends to come from your bank and tries to entice you to visit a fake website or call a bogus telephone number. Another relatively new form of attack is called smishing, which mainly involves text messages that pretend to come from your bank.

Lately I've been seeing people become more cautious about anything that happens on their computer screen, but when an attack like this comes by fax or cell phone there is a much greater chance that it will work.

derStandard.at: Can something like "social engineering" be expressed in numbers, that is, as a kind of "success rate"?

Sharon Conheady: Of course, I can only speak about my own work; there we are successful more than 90 percent of the time when we try to gain access to companies or their secret information.

In general, however, it is of course difficult to put something like this into numbers, especially because most of those affected do not even notice that they have been attacked. And when they do find out, they often only see the technical part of the attack, not the social part that made it possible in the first place.

derStandard.at: What does your daily work usually consist of?

Sharon Conheady: Mainly of various types of "social engineering" tests and training courses. This could mean, for example, that we run a series of phishing attacks to find out how employees react to them and whether there has been any improvement over the months. Or we try to get information over the phone, that is, to get call center employees to reveal confidential data. It can also be an attempt to gain physical access to the company building or the data center.

derStandard.at: Can you give an example of what that would look like in practice?

Sharon Conheady: For sure. I recently did such a test with a large European organization. I simply claimed that I came from their US offices and used the name of someone who actually worked there. I went to reception early in the morning and introduced myself, which of course led to some confusion, as they weren't expecting me. So they called the US offices to be on the safe side, which of course made no sense at that time, as it was the middle of the night there. In the end, they told me that I should just go up into the building and pick any meeting room.

derStandard.at: That's it?

Sharon Conheady: Yes. Often it's really incredibly easy.

For an email attack, on the other hand, I once invested a lot of time in examining an organization. In the end, I found out on their website that some employees had just taken part in a marathon. So I pretended to be from the marathon's organizers and sent an email saying "Congratulations to John and Jack, who reached the finish line in a great time; you can find the exact times in the attachment". And attached, of course, was a proof-of-concept Trojan that would have compromised the company's computers in a real attack.

So-called "mumble attacks" are becoming more and more common over the phone. These are actually pretty cruel attacks, where someone claims to be calling on behalf of a person who has speech difficulties. And if the operator then wants to speak directly to the person concerned, you simply imitate this impairment. This is of course quite uncomfortable, but time and again it leads to the telephone contact circumventing security restrictions because they simply do not understand what the other person is saying. There are actually some documented cases of this being successful.

derStandard.at: You are actually talking about two quite different forms of attack. On the one hand there are mass frauds, on the other hand there are very targeted and specific attacks against a person or organization. Is the emphasis shifting here?

Sharon Conheady: There is definitely a clear trend emerging right now. There will always be mass attacks because there are always enough people who fall for them. But we are seeing more and more very targeted attacks where, for example, instead of a blanket phishing email, you find a message aimed at one particular person. Of course, this means that people fall for the fraud much more often. And, as I said, social networks have made this much easier.

derStandard.at: Who is the target of such specific attacks?

Sharon Conheady: Often they are companies, but such attacks are also happening more and more frequently against individuals. Identity theft is already a huge problem.

derStandard.at: Who would you choose as a point of attack within a company in order to get at secret information?

Sharon Conheady: For every attack you first have to do a lot of research; 90 percent of my work consists of choosing the right people. Most often, however, the switchboard or the IT help desk are chosen, simply because the people there often have access to sensitive information. If you want to gain physical access to a building, the reception or the security staff are of course decisive. But in all honesty, practically everyone from middle management to the people who work in the canteen can be the point of attack today.

derStandard.at: Do you have examples of real-world attacks?

Sharon Conheady: Naturally. For example, there was a recent incident at a company where the attackers identified some employees who use social networks. They took over one of those accounts and found out that a company picnic was imminent. Then they analyzed the person's communication behavior and identified five close friends. Immediately after the picnic, they sent these five people a message supposedly from their friend, claiming to include photos from the event as an attachment. And since the recipients had to assume that the message came from their friend, they of course opened the attachment, which promptly installed a keylogger. This gave the attackers access to an employee's company login, which they naturally took advantage of. In the end, they spent two weeks in the internal network, collecting information and also getting two servers under their control.

In the end, they were only exposed because one of the victims asked his friend about the message, and about the photos that were not displayed, and of course the friend knew nothing about it. So they informed the IT department, which subsequently discovered the break-in.

derStandard.at: Social engineering has received increasing attention in recent years, but is it really a new phenomenon?

Sharon Conheady: Social engineering has been around for as long as mankind has existed; in the last 20 years people have simply thrown themselves into information technology. Social engineering always adapts to the times; for every new technology there are fraudsters and criminals who know how to use it to their advantage. "Advance-fee fraud" began with letters before it arrived, via telex and fax, at e-mail, and now it is slowly moving to social networks. Instead of unknown people from Nigeria, this attack now comes, ostensibly, from one's own friends, and it is very difficult to defend against because everyone wants to help a friend in need.

derStandard.at: Do you have any examples of how "social engineering" techniques were used before the information age?

Sharon Conheady: Advance-fee fraud is a good example here again. Hundreds of years ago, at the time of the Spanish Armada, there was a scam targeting the British aristocracy. The scammer claimed to be from Spain and always had a good-looking Spanish woman at his side. He approached an aristocrat with the story that this lady's father was trapped in Spain and needed money to escape. In return for this help, the aristocrat would not only get a lot of money but would also be allowed to marry the daughter. And that actually worked regularly; those affected handed over the money and of course never heard from the pretty woman again.

Then, at the end of the eighteenth century, there was a man named Eugène François Vidocq who started out as a criminal but later became the founder of the modern police force. In his memoirs he documented his own time in prison and the fraud methods prevalent at the time. One of the examples documented there is called the "Letter from Jerusalem", in which criminals wrote to aristocrats pretending to be the assistant of a marquis or someone else with plenty of money. These letters claimed that the marquis had lost a vast quantity of jewels and only needed a comparatively small amount of money to recruit the people who could bring his riches back to him. This was of course combined with the promise to share the jewels with the noble helper afterwards.

Vidocq says in his memoirs that 20 out of a hundred of these letters were successful. The success rate isn't that high today, of course, but the statistics are still pretty interesting.

derStandard.at: If you consider that these attacks are astonishingly similar to the scams used today, does that mean that humanity simply does not learn from such incidents?

Sharon Conheady: I think people are learning, but the world has simply gotten a lot bigger. So the same tricks work over and over again. And in this case you simply exploit the fact that people like to get a good deal, especially when they don't have to do anything for it; people are greedy.

There are innumerable examples of this. In the 1920s there was a man named Victor Lustig who pretended to represent the government in its plans to sell the Eiffel Tower as scrap metal. And of course that is a deal that is really too good to be true. Still, he was actually successful with it. In addition, the dupes were so embarrassed about the incident that they did not go to the police. By the way: just this year a truck driver tried to sell the Ritz Hotel in London.

derStandard.at: And how far did he get?

Sharon Conheady: Quite far; he pretended to be a friend of the owners and took a million pounds in advance.

derStandard.at: If you tried to get at my email, how would you go about it?

Sharon Conheady: First, I'd find out as much about you as possible. I would see whether you are on LinkedIn, whether you use other social networks. Then I would probably send a phishing email adapted to this information. If you make it public which bars or clubs you go to, I might be waiting for you there.

derStandard.at: Personally?

Sharon Conheady: Yes, perhaps. I might steal your bag to get your phone. I could also try to take over the account of one of your friends and impersonate them. And of course I could break into your home or office to find out whether you have written your password down somewhere. There are just so many options ...

derStandard.at: Thank you for the conversation.

(Andreas Proschofsky, derStandard.at, January 30, 2011)
