Top 5 Social Engineering Exploit Techniques
If you want to hack a corporation fast, Social Engineering (SE) techniques work every time and more often than not it works the first time. I'm talking about in your face, Mano-a-mano, live in the flesh social engineering techniques. Securing the information that is in the human mind is a monumental, colossal, epic, task compared with securing digital data! So it is no surprise that it is also the largest gap in a corporations IT security.
The security industry is constantly trying to create techno widgets to help us with this human problem, but to date there are not bona fide solutions available. If you give someone access, no matter how many hoops you make him or her go through to get there, then they are a human risk and subject to social engineering attacks.
I've collected a list of my top 10 social engineering techniques. These techniques come from a variety of sources. Some are from my experiences, some are from my customers, and some are from buddies that use social engineering attacks in their daily job as security consultants. Are you vulnerable to these techniques in your organization? Pick up the phone and try some of them (if you are authorized to of course). I bet you won't be surprised when they all work. ?
1) Familiarity Exploit – This is one of the best and is a corner stone of social engineering. In a nutshell, you are trying to make it appear perfectly normal to everyone that you should be there. Making yourself familiar to those that you want to exploit helps to lower their guard. People react differently to people they know, have talked to or at least seen around a lot. People are way more comfortable responding and carrying out requests by familiar people than they are with complete strangers. A familiar person, in the eyes of your mark, is perfectly normal, doesn't set off alarm bells in the brain of "who is that and why are they here". Once you become familiar then you strike. Tailgating into a secure area behind someone who is familiar with you works often.
2) Creating a hostile situation – People withdraw from those that appear to be mad, upset or angry at something or someone other than themselves. For example, if you are on the phone and fake having a heated conversation with someone people around you will absolutely notice you but they will go out of their way to avoid you as well. You can create a hostile situation in a ton of different ways; just don't create a hostile situation between you and your marks. This rarely works. Instead you want the hostile situation to be between yourself and your phone, your accomplice, or mumbling to yourself as if you just had a huge argument with someone.
If you find yourself in a situation where you need to go through areas with people that are otherwise likely to stop and question your presence this technique comes in handy. If you are angry, people are much, much less likely to stop and question you. In fact, people are much more likely to obey your wishes when you are angry as well. People just want to get rid of angry people, so it works well for asking people to open doors for you or give you information on the location of things, etc. A good real world example of this is my buddy wanted to sneak some alcohol into an amusement park. The park has a guard station to check the bags and a wand to detect metal. My buddy started up a heated fight with his wife before they walked up and the guards just waved them by the checkpoint without checking or wanding them!
3) Gathering and Using Information – When it comes right down to it the key to being a successful social engineer is information gathering. The more information you have about your mark the more likely you are to get what you want from him or her, obviously. Good places to gather this info:
a. Parking lot – Cars that are unlocked (or are easily unlocked) might have security badges, uniforms, paperwork, intel, smart phones, wallets, all sorts of goodies you can use.
b. Online site like Linked In, Google, Facebook, MySpace, etc.
c. Things in their workspace area (posters, pictures, books, etc.)
d. Asking their friends and colleagues. Pretend to be a manager from another office or branch.
e. Tail them home or to their favorite watering hole. Try to figure out their patterns, interests, places they frequent. These are all good data points you can use to help make a personal connection to the mark.
f. Dumpster diving. Sure going through their trash is nasty but the gems that will be there are invaluable.
4) Get a Job There – If the reward is worth it, just get a job at your target and grab all the information you can. Most small-medium size businesses do not perform even simple background checks on new hires. Most large companies will but they are typically not very extensive. HR and hiring managers are almost never trained on how to spot warning signs they might be hiring someone with malicious intent. Once you are on the inside you become way more trusted, even if you are a lowly clerk. Social engineering a co-worker is usually a piece of cake given the assumed trust you'll have as a fellow employee.
5) Reading body language – An experienced SE will read and respond to their mark's body language. In the eyes of the master SE, Chris Nickerson, body language, used effectively, is one of the most powerful connections you can make to a person. Breathing when they breath, smile at the right times, recognize and adapt to their emotions, be friendly and polite but not to much so, if they appear nervous make them comfortable, if they are comfortable then exploit them, etc. etc.
Reading body language, if done well, can be your ticket to the crown jewels in a corporation. It makes people WANT to help you and feel good about doing so, an act of kindness on their part. And not only will they want to help you but they won't go back later and analyze what they did "Hey now that I think about it, why did I let that guy into the datacenter today?" Instead they will dwell the on the help and goodwill they provided for you.
6) Ok I have to add a sixth one because it is so incredibly effective, probably more so than any of the previous techniques. Wait for it…..SEX! Women manipulating men to do their bidding is just a part of being a guy. A guy trying to resist the manipulation of a great looking girl that is flirting, dressing sexy, acting promiscuous, acting interested in you, blah, blah, blah is about as easy as trying to hold your breath for 10 minutes. ? Bottom line is if your mark is a man and the SE is a woman, the SE's chances of success just shot up. Hey all's fair, why not use biology in your favor.
So the last part is how do you defend against social engineering attacks? The best defense you have against the human risk (to social engineering) is personnel training and awareness programs. Sure that sounds boring and you'd much rather buy a widget or two that you get to have in your security toolbelt, but no widget will be as effective.
I'd like to hear your favorite social engineering techniques or any good stories of SE you'd care to share. Huge thanks goes out to the guys in 303 for contributing content, insights and filling my head with awe-inspiring social engineering war stories!
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.