As I stepped into the crowded conference hall at the Mandalay Bay hotel in Las Vegas, I felt a wave of familiarity wash over me. Hundreds of faces, familiar and unfamiliar, produced an excited din in anticipation. At the front of the hall on a small stage sat the equivalent of a telephone booth, soundproofed with a direct connection to the speaker array engineered for the hall.
This was the DEFCON Social Engineering village as of 2019, back before it was reigned in due to pandemic restrictions. Unlike most of the other villages, one of the main events of the Social Engineering village can’t be held online because of communication laws surrounding recording. It’s taken so seriously that spectators checking their phones, no matter how briefly, are asked to leave.
The Social Engineering Capture the Flag (SECTF) competition works a little differently than other hacking competitions. Participants aim to collect data from multinational companies, gaining points as they uncover IP addresses, names, phone numbers, passwords, router SSIDs, and other pieces of information that raise both a mix of extreme concern and giddy excitement from the average security professional.
The catch to the SECTF competition is in its methodology. While others may boot up their pentesting virtual machines to rip through vulnerabilities, these social engineers use nothing more than a pretext, some improvisation, a touch of luck, and the power of their colloquially dubbed ‘Google-Fu’. These expert navigators then pick up the phone, poking and prodding at human insecurities to gain information that most wouldn’t think probable.
Most of those unlucky souls contacted by the SECTF competitors are quickly swindled out of vital pieces of information, tallied into points faster than a pinball score. Some might find this an opportunity to experience schadenfreude at others’ demise.
But to those who know the world of social engineering best, it’s a sobering reminder: it can happen to anyone.
What is social engineering?
Social engineering is not used exclusively by hackers, nor those in the broader field of information technology. Every human being who interacts with others uses social engineering to some degree. It is the art of analyzing a conversation, its participants, and the data being offered to gain the maximum possible value from that interaction. It is most easily seen in conversations about monetary transactions, but its framework can be seen even in conversations between friends and family.
Desires and goals drive humanity. Even our subconscious pushes for those goals in everyday conversation. To a hacker, those goals are malicious: obtain enough data to gain a foothold in a network, then use that foothold to cause damage or retrieve data. All that they need to do is find an easy avenue to that data. The most common social engineering techniques in information security (according to Kevin Mitnick) are as follows:
Phishing: The art of roping one in by ‘fishing’ for clicks. This is a fraudulent communication aimed at looking legitimate to a relatively wide range of users. Communication like this are geared towards gaining access to a user’s system or gaining information from a user that can be used in an attack later. Though there are types of phishing attacks that vary in range and method (spearphishing and vishing are two such examples), phishing attacks tend to look like your standard junk email. Don’t be fooled, however: these attacks can become very complex and look highly legitimate.
Vishing/Smishing: Voice-based and SMS-based phishing attacks can be even more convincing than standard phishing simply due to the level of familiarity in communication via these methods. You may be familiar with common vishing scams through ‘extended car warranty’ calls. This method of information gathering is the primary method used in the DEFCON Social Engineering CTF.
Pretexting: Pretexting is the act of using a fictional scenario to gain the trust, respect, or fear of a victim. Pretexts like being the IRS, a confused customer, a possible relationship partner, or a technical support agent offer sensible reasons for the victim to provide information to the attacker and form the illusion of a relationship. Pretexts are some of the most useful tools an attacker has at their disposal due to their versatility and the natural human desire to form relationships.
Baiting: Some phishing attacks use ‘baiting’ as a method to get others to click. Baiting attacks use natural greed or desire as a motivation for victims to fall into their set trap. Examples of this technique include promised gift cards, extravagant vacations, free electronics, or offers for jobs that sound too good to be true. A famous example is the ‘Nigerian Prince’ scam, in which the attacker baits victims by promising a payout… that is, if the victims can pay a smaller amount first.
Tailgating/Piggybacking: Digital attacks don’t always start with a digital ingress point. In fact, accessing unauthorized locations is a perfect way to gain a wealth of information on a target. Following another person through a doorway without their knowledge is known as ‘tailgating’, while doing so with their knowledge (such as someone holding the door open for you) is known as ‘piggybacking’. It may seem like a kind thing to do, but it is a major security risk to have someone entering a building on your credentials.
Quid Pro Quo: Creating the feeling of obligation is one of the best ways to force a reaction from a victim. After performing an action (or promising to perform an action) in the guise of proving good intentions, an attacker may then request information in return: hence the meaning of ‘quid pro quo’ in Latin, ‘something for something’. This could be requesting sensitive information in order to fix an existing problem or giving a victim a helpful tip or fake information to develop a bond.
Why should I care?
According to the 2020 FBI Internet Crime Report (IC3), the top reported victim count out of all incidents was attributed to Phishing/Vishing/Smishing/Pharming with 241,342 victims from the sample size. That’s up from the 2019 number, 114,702, as an over 50% increase from the previous year. Many other forms of fraud and other social engineering were close behind.
In the DEFCON 27 SECTF, companies within the alcohol, tobacco, and firearm industries were targeted for social engineering. In the official SECTF report, massive amounts of data were discovered through simple phone calls, including websites blocked by the company, computer models, browsers used and schedule information. All of these data points are valuable when considering possible holes through which an attacker could strike. A well-prepared contestant could gain massive amounts of data on the victim in a short amount of time given that they do proper research.
How can I defend against it?
Social engineering is made or broken by those that the IT industry as a whole underestimates: end users. Properly educated and respected end users understand the value of the knowledge they hold and are good at sniffing out attempts at that knowledge. However, the majority of social engineering’s strength comes from researching existing data that is openly available before ever coming into contact with a target.
Automating against social engineering can therefore be done by targeting information that either is already or will possibly become openly available. At LogicHub, we mitigate these risks by scanning for new instances of data that are publicly available from private document stores like Google Docs, Dropbox, or OneDrive. We also use automation to look at suspicious exfiltration by employees or contractors, something that can prevent an active social engineering attack from executing successfully.
In situations involving email phishing, we can employ the use of email reputation databases to create a machine learning model, therefore automatically creating a baseline for acceptable versus unacceptable behavior based on the exact environment where the automation is to be deployed.
Remember: preventative measures against phishing go a long way. With the cost of data breaches going up year over year (an average of 4.24 million this year, according to IBM’s 2021 Data Breach Report), a small sum invested into security measures means a giant savings in the long run.