
Network Security

Volume 2010, Issue 11, November 2010, Pages 11-14


Feature

Social engineering today: psychology, strategies and tricks

Steve Gold (Freelance journalist)


http://dx.doi.org/10.1016/S1353-4858(10)70135-5

Much has been written about hackers and their methodologies over the years from a technology
perspective, but very little, at least in the past decade, has been penned about the
psychology of hacking. Social engineering techniques have been used by hackers since pre-Internet
days. But the extent to which they are exploited, by themselves or as part of malware-based or
other technology-based attacks, is still under-appreciated. Perhaps this is because
the attacker almost never comes face-to-face with the victim. But while the techniques are old,
the latest technology is giving them a new lease of life.
[Photo: Steve Gold]
Social engineering was popularised, if you can use that term, by the infamous early hacker
and phone phreaker, Kevin Mitnick. He claims to have gained unauthorised access to his first
computer system in 1979 when, aged 16, a friend gave him the phone number for the Ark, a
computer system that DEC used for software development. Using social engineering
techniques, Mitnick broke into DEC's computer network and copied the firm's software. In 1988,
he was sentenced to 12 months in prison for that crime and, on his release, was placed on
probation for a further three years.
Near the end of his three-year probation, Mitnick used his skills to hack into the Pacific Bell
voicemail systems, an attack that led to a warrant for his arrest. He then went on the run for two
and a half years. During this time, Mitnick is said to have used a variety of social engineering
techniques to gain unauthorised access to dozens of computer systems across North America
and Europe, as well as cloning analogue cellular phones to access online systems for free.

New technology
That was, of course, 25 years ago and, in the intervening period, digital technology has
progressed immensely, creating 2G and 3G cellular networks, as well as broadband services
running at many megabits per second. All of this allows access to the Internet from most places
on the planet, giving rise to a new hacker methodology: technology-assisted social
engineering.
Not that the traditional social engineering techniques are obsolete. One of the most effective
demonstrations of this attack vector is carried out at the DEFCON computer security
convention, which takes place each summer in Las Vegas.
Known as Capture the Flag, the contest involves attendees being given the task of hacking
systems using nothing but a telephone. In one of the DEFCON 2010 contests, contestants were
asked to call up employees of specified major companies and persuade them to visit a specific
web page, which would then extract details of the web browser and operating system they were
using.
The important feature of the 2010 Capture the Flag competition was that entrants were required
to use their best social engineering skills, but in an entirely legal manner, which meant they
were not allowed to ask for passwords, threaten the target or make the target feel at risk. In
addition, the entrants could not impersonate law enforcement officials, nor could they pretend to
be an authority figure. And they were given just 20 minutes to carry out the exploit. The fact that
they were all successful (other than one whose phone call was not answered) is proof of the
power of social engineering methods.

Hybrid attack
The DEFCON exercise was based on techniques little changed since Mitnick's illegal exploits.
But his true successors, the hackers of today, are using a hybrid approach combining social
networking techniques and hacking methodologies to gain unauthorised access to computer
systems and allied data they should not be able to reach.
Today's hackers are arming themselves with technology such as the Zeus worm malware that
first appeared in 2007 and using a variety of psychological and lateral interactions to gain
access to people's data, says Uri Rivner, head of new technologies, identity protection and
verification with security solutions provider RSA Security.

In a presentation at the RSA Europe security conference in London recently, Rivner revealed
how, through the use of extensible code (ActiveX plus JavaScript), hackers are breathing new
life into the Zeus trojan and extracting users' credentials in several new ways.
[Photo: Kevin Mitnick]
Zeus is a pervasive piece of malware, spread using a variety of methods, including phishing,
spammed email and website hacking. Once infected, the user's system is then remotely
controlled as part of a botnet. Zeus is thought to control several million PCs worldwide at any
given time, through the use of many hundreds of Command & Control (C&C) servers.

Monitoring data
According to Rivner, while hackers are tapping Zeus to gain parallel access to Internet users'
online banking sessions, they are also injecting social engineering-driven HTML scripts into
users' online sessions, as well as monitoring all IP-driven data flowing to and from the users'
computers. This means, he explains, that users' emails and web interactions are all being
harvested by the C&C servers for automated data combing. The process of data harvesting is
highly automated and carried out on a large scale.
"When I first came into this business I had an image of a young hacker like Matthew Broderick
(in the movie War Games), but the reality is that it's not like that at all," he says.
In the dark ecosystem, Rivner says, there are low-level data harvesters and mules, and
then there are cashers, who understand how the cybercrime operates.
"Harvesters don't know much. Mules only receive the money for a commission," he says, adding
that he recently posed as a buyer of stolen credentials on a carder chatroom and interacted with
a seller of card data plus allied user credentials. Today's credential fraudsters (and that
typically means a data fraudster possessing payment card and associated data) typically
operate on a 50% commission basis, which means they take 50% of the money that derives
from their customers' card fraud activities.

Dishonour among thieves
BadB, who was later arrested and charged by the FBI, used social engineering techniques to
sell his illegal card data to fellow criminals, even going to the extent of commissioning a cartoon
showing how good he was at his job and how he could generate steady streams of fraudulent
income for his clients. At his peak, BadB operated CarderPlanet, a leading carder forum,
which bought and sold users' bank card credentials on a massive scale, raking in commission
from criminals to whom he sold his data.
"One fraud we know of involved pre-paid salary/wage cards in the US and, via an Atlanta
processor, his gang successfully withdrew a total of $9m from 2,100 ATMs across the US in just
12 hours," says Rivner, adding that the fraud centred on just 44 accounts, with cash withdrawals
taking place in 280 cities.
Since the arrest of BadB a few years ago, Rivner says that law enforcement officials now
understand a lot more about the psychology of criminal hackers and their modus operandi. In
addition, they have passed that knowledge on to the banks, which are now able to monitor for
non-standard behaviour on their card networks.
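The kind of "non-standard behaviour" a card network can watch for is illustrated by the pattern Rivner describes: a handful of accounts cashed out at thousands of ATMs in hundreds of cities within hours. The following is an added example written for this page, not RSA's or any bank's detection code. It runs a simple sliding-window velocity check over a constructed set of withdrawal records and flags accounts whose withdrawals inside any 12-hour window touch too many distinct cities or exceed a cash ceiling; the thresholds and the record format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (account, timestamp, city, amount); not real data.
# acct-0001 mimics a cash-out pattern: many cities, large total, within minutes.
# acct-0002 is ordinary behaviour: same city, small amounts, a day apart.
SAMPLE_WITHDRAWALS = [
    ("acct-0001", "2010-11-08 00:05:00", "Atlanta", 600),
    ("acct-0001", "2010-11-08 00:09:00", "Chicago", 600),
    ("acct-0001", "2010-11-08 00:12:00", "Denver", 600),
    ("acct-0001", "2010-11-08 00:20:00", "Boston", 600),
    ("acct-0002", "2010-11-08 09:00:00", "Seattle", 40),
    ("acct-0002", "2010-11-09 18:30:00", "Seattle", 60),
]


def parse_records(records):
    """Turn (acct, 'YYYY-MM-DD HH:MM:SS', city, amount) tuples into typed tuples."""
    return [
        (acct, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), city, amount)
        for acct, ts, city, amount in records
    ]


def flag_accounts(records, window=timedelta(hours=12), max_cities=2, max_total=2000):
    """Return {account: [reasons]} for accounts that breach either threshold
    inside any window starting at one of their own withdrawals.

    Thresholds are assumed values for illustration; a real system would tune
    them per customer profile and card product.
    """
    by_acct = defaultdict(list)
    for acct, t, city, amount in parse_records(records):
        by_acct[acct].append((t, city, amount))

    flagged = {}
    for acct, events in by_acct.items():
        events.sort()  # chronological, so each event can anchor a window
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            cities = {city for _, city, _ in in_window}
            total = sum(amount for _, _, amount in in_window)
            reasons = []
            if len(cities) > max_cities:
                reasons.append(f"{len(cities)} distinct cities within {window}")
            if total > max_total:
                reasons.append(f"${total} withdrawn within {window}")
            if reasons:
                flagged[acct] = reasons
                break  # one hit per account is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for acct, reasons in flag_accounts(SAMPLE_WITHDRAWALS).items():
        print(acct, "->", "; ".join(reasons))
```

The check is deliberately account-centric: it does not need to know the cards are stolen, only that the observed withdrawal geography and velocity are implausible for a single cardholder, which is exactly the signal that a coordinated cash-out across many cities produces.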

Extending Zeus functionality
The concept of behaviour is key here. Much of the social engineering that goes on today is
automated and is about either getting Internet users to do things they wouldn't otherwise do, or
convincing them that all is well when, in fact, they are being duped.
For example, in a typical Zeus-hacked online banking session, an infected user logs into an
e-banking session and, within an instant, the Zeus code, under automated control of the C&C
botnet server, initiates an online transfer to a mule account, while at the same time presenting
the user with a false image of the account balance and other transactions on the computer
screen. In this way, while the money is being sucked out of the bank account, the user thinks
that everything is OK, even to the extent of logging off from what appears to be a successful
online bank account session.
But it gets worse, Rivner says, as hackers are using a mix of social engineering and extensible
code to interact with the victim, in order to extract even more information from them, such as
where they work, what their family circumstances are, and their phone contact numbers. By the
time the botnet has harvested the portfolio of data, the user thinks that the bank's records have
been updated. The reality is that the user has been suckered into giving up more data than they
would ever normally hand over online, and it's data that can be used to hack the victim's life
even further, using fraudulent loan and card account applications.

"We've seen instances of hackers collating data on users that includes their Tesco grocery
purchases, their emails, their web interactions and even their blood groups," says Rivner.
These are what RSA calls "lifegrabbers": they collate data, and request extra information through
HTML web browser insertion. The bad news, says Rivner, is that RSA's research shows that
80% of Fortune 500 companies are infected with malware, which means these firms are
spending a lot of money on IT defences that don't work.
"In 1980 it was the network. In 2010 it's the person," says Rivner, adding that hackers use any
and all means to collate data on their victims. But the good news, he told his audience, is that
banks are developing more and more advanced defences, and are applying intelligent analysis
of IP accesses and numbers. "They are monitoring, monitoring, monitoring all the time," he says.

Hacking the cellphone
Rivner's jaw-dropping presentation at RSA Europe was complemented by Zane Lackey, a senior
security consultant with iSEC Partners, who showed how, by hacking the data headers of SMS
and MMS transmissions on cellular networks, all manner of social engineering-driven hacks are
possible.
While the SMS (text message) system is enshrined in the GSM standard, on which most digital
cellular networks are based, the MMS (image messaging) system is not built into the standard,
for the simple reason that MMS technology is actually a technical kludge.
According to Lackey, because an MMS message is actually a mobile Internet call routine built
into an SMS data string, it is possible to fool a user's phone into polling a third-party (hacker's)
server for the MMS payload content, rather than the mobile phone company's systems.
This is possible, he told his RSA Europe audience, because MMSs are transmitted on a
store-and-forward basis between cellular networks, with data hopping back and forth in batches.
Because the SMS transmission system uses cellular control signal channels, they cannot be
turned off. And since SMSs are so fundamental to cellular, Lackey says, they can be subverted
by hackers.
The hacking process is technically quite simple and involves the generation of false headers in
the UDP code that forms the data stream flowing across a GSM network's control channels.
Although users only view a maximum of 168 characters on their mobile phone screens, Lackey
says that the control header information (the UDP data header) varies, depending on what
function the text message has, including voicemail notifications, mobile phone system settings
and the like. And because cellular carriers exchange UDP-based data streams between each
other to generate SMS or MMS-based content on users' mobiles, it is possible to buy a simple
PCMCIA GSM data card for a laptop, and drive the card to generate spurious UDP-based data
streams.
Lackey showed how the inter-carrier GSM data stream can be subverted to cause a WBXML-based
message to appear on recipients' mobile phones, asking them to log into what looks like
their mobile banking screen, requesting that they update their details. You can probably guess
what they were really logging into. Because most mobile phone users do not question a mobile
phone request like this (which is a context-driven social engineering and technology hack),
they go ahead and enter their credentials.
The good news is that Lackey, whose company advises cellcos on how to better defend their
networks, has only tried out his UDP header subversions to perform what he calls "pub tricks".
However, his RSA Europe demo showed how technology and context-based social engineering
can fool users into giving away their mobile banking credentials.

Social engineering defences
So why do people fall for social engineering tricks? According to Mike Jones, security product
director with Symantec, it all comes down to the context in which the technique is applied.
"We're seeing a lot of activity in the heavily targeted area of phishing, such as the role in which a
given request for information is presented," he says.
In one instance, a senior lawyer received an email that requested information in the context of a
tax law change, and he passed the email on to a subordinate, who then passed it further down
the food chain through several levels and eventually on to a relatively junior member of staff.
Each time the email was forwarded, says Jones, it gained added authority from each sender,
meaning that the eventual recipient did not think twice about doing as the email requested.
[Photo: Mike Jones, Symantec]
So what is the solution to this technology-assisted form of social engineering?

Jones says the solution, here and in many other cases, is to integrate the network security
layer with the data infrastructure layer, so that an automated IT security system, which is
monitoring for unusual activity on the company network, can step in.
The process is called "just-in-time security", Jones explains. In this instance the member of staff
would get an automated call from the IT security system asking him or her to consider the
security implications of forwarding data to an external email address.
And, adds Jones, the process can be stepped up a notch each time the member of staff tries to
circumvent the security system, finally saying that a manager will be notified of the possible
security procedure breach.
This form of behavioural modification really does work, says the Symantec product director, and
means that even the most clever social engineering technology attack vectors can be
countered, but without interfering with the actual business process. This form of security
protection, says Jones, is important because, unlike traditional user education, it does not
require hours and hours of indoctrination training to make users understand what they should
not do in a context-driven social engineering hack.
"It doesn't take much in the way of time, and doesn't stop the normal business workflow," says
Jones. "It's also highly automated and stops an attack quite literally as it happens."
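The escalating "just-in-time" intervention Jones describes can be expressed as a small policy engine: inspect each outbound message at the moment it is sent, leave internal traffic alone, and raise the response one step per repeated attempt to send to an external address. The following is an added example written for this page, not Symantec's product or any real mail gateway. The internal domain, the three escalation steps, the forward-depth heuristic taken from the lawyer-to-junior chain in the text, and the message format are all assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical internal mail domain; anything else counts as external.
INTERNAL_DOMAINS = {"example-corp.internal"}

# Escalation ladder, one rung per repeated external send by the same user.
# Mirrors the text: prompt the user, warn harder, then notify a manager.
STEPS = ["prompt", "warn", "notify_manager"]


@dataclass
class JitState:
    """Per-sender count of outbound-to-external attempts seen so far."""
    attempts: dict = field(default_factory=dict)


def external_recipients(recipients, internal_domains=INTERNAL_DOMAINS):
    """Recipients whose domain is not one of ours (case-insensitive)."""
    return [
        r for r in recipients
        if r.rsplit("@", 1)[-1].lower() not in internal_domains
    ]


def forward_depth(subject):
    """Count leading 'FW:'/'Fwd:' markers; a long chain is the 'borrowed
    authority' pattern the text describes and is worth surfacing to the user."""
    depth = 0
    s = subject.strip()
    while True:
        low = s.lower()
        if low.startswith("fw:"):
            s = s[3:].strip()
        elif low.startswith("fwd:"):
            s = s[4:].strip()
        else:
            return depth
        depth += 1


def evaluate(state, sender, recipients, subject):
    """Decide what the gateway does for one outbound message.

    Returns a dict with the action, the external recipients and the forward
    depth; internal-only mail is allowed without touching the counter.
    """
    external = external_recipients(recipients)
    if not external:
        return {"action": "allow", "external": [], "forward_depth": forward_depth(subject)}

    n = state.attempts.get(sender, 0)
    state.attempts[sender] = n + 1
    step = STEPS[min(n, len(STEPS) - 1)]  # stay on the top rung after that
    return {
        "action": step,
        "attempt": n + 1,
        "external": external,
        "forward_depth": forward_depth(subject),
    }


def run_scenario():
    """Constructed sequence: a junior staffer sends internally once, then keeps
    trying to mail a forwarded request out to an external address."""
    state = JitState()
    me = "junior@example-corp.internal"
    subject = "FW: FW: FW: Tax law change - details required"
    actions = [
        evaluate(state, me, ["partner@example-corp.internal"], subject)["action"],
        evaluate(state, me, ["collect@external-example.test"], subject)["action"],
        evaluate(state, me, ["collect@external-example.test"], subject)["action"],
        evaluate(state, me, ["collect@external-example.test"], subject)["action"],
        evaluate(state, me, ["collect@external-example.test"], subject)["action"],
    ]
    return actions, forward_depth(subject)


if __name__ == "__main__":
    acts, depth = run_scenario()
    print("forward depth:", depth)
    for i, a in enumerate(acts, 1):
        print(f"send {i}: {a}")
```

The point of the design is that nothing is blocked outright and no training session is required: the user is interrupted only at the moment a risky action is taken, the interruption carries the context (external recipient, long forward chain), and persistence is what escalates the response, which is the behavioural-modification loop Jones describes.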


Vitae
About the author
Steve Gold has been a business journalist and technology writer for 26 years. A qualified
accountant and former auditor, he has specialised in IT security, business matters, the Internet
and communications for most of that time. He is technical editor of Infosecurity and lectures
regularly on criminal psychology and cybercrime.
Copyright 2010 Elsevier Ltd. All rights reserved.