Social Engineering: Eight Common Tactics
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages. And experts say hackers today continue to steal password, install malware or grab profits by employing a mix of old and new tactics.
Here's a refresher course on some of the most prevalent social engineering tricks used by phone, email and Web.
1. Ten degrees of separation
The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). But if his ultimate goal is to gain information from or about employee X, his first calls or emails might go to a different person.
The old game of six degrees of separation has a few more layers when it comes to crime. According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, there might be ten steps between a criminal's target and the person he or she can start with in the organization.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff. The secretary or receptionist criminals start with might be ten moves away from the person they want to get to."
Lifrieri says criminals use simple ideas to cozy up to more accessible people in an organization in order to get information about people higher up in the hierarchy.
"The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."
2. Learning your corporate language
Every industry has a short hand, according to Lifrieri. A social engineering criminal will study that language and be able to rattle it off with the best of them.
"It's all about surrounding cues," he said. "If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."
3. Borrowing your 'hold' music
Successful scammers need, time, persistence and patience, said Lifrieri. Attacks are often done slowly and methodically. The build-up not only includes collecting personal tidbits about people, but also collecting other "social cues" to build trust and even fool other into thinking they are an employee when they are not.
Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone.
"The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say "Oh, my other line is ringing, hold on," and put them on hold. "The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."
4. Phone-number spoofing
Criminals often use phone-number spoofing to make a different number show up on the target's caller ID.
"The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company," said Lifrieri.
Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable after because if you dial the number back, it goes to an internal company number.
5. Using the news against you
"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams," said Dave Marcus, director of security research and communications for McAfee Avert Labs.