A social engineer is hard at work at three o’clock on a Friday when your newly hired employee’s phone rings. The caller ID display reads “Helpdesk” and an internal phone number. The employee answers the phone and is greeted by an enthusiastic and upbeat young lady, a master of social engineering, identifying herself as Karen, a help desk analyst. She informs the rookie that a server migration is going to take place over the weekend, so he will need to let her remotely connect to his computer and update the machine. Otherwise, he might lose important files. She mentions you by name, saying you’d like to have this done before the end of the day.
Eager to please and not wanting to be a bother, he follows Karen’s instructions and allows her to remotely control his computer. She opens up the command prompt and starts entering commands. He’s not really tech savvy, so the commands are gibberish to him. “Sorry if this is taking a while,” she says. “I hurt my hand on a skiing trip.” The employee remarks that he and his spouse just got back from a ski trip to the Poconos, and they make some small talk about his vacation. After finishing the updates, Karen offers to follow up with him in a week if anything is out of order. “If there’s any glitch, don’t worry. I’ll take care of it. You won’t get in trouble.”
Several months later, a shady company based overseas starts selling a product that is completely identical to one your company has been developing. Clearly, your intellectual property was stolen. Not only have you been robbed of the potential revenue the product could have earned you, but the time and energy invested in developing the product have been wasted. You were sure that you had taken every precaution to prevent this exact situation. How could this have happened?
Anatomy of a Social Engineering Attack
The rookie never spoke with anyone from the company’s helpdesk. “Karen” is a very charismatic type of criminal called a social engineer. Rather than relying on exploiting flaws in technology, she exploits flaws in human psychology. She targets specific people and uses a plausible story to trick them into giving her access. This is called pretexting, and it is incredibly difficult to thwart. How did she do it?
First, Karen researched your company. Using her social engineering skills, she discovered a supervisor’s name (yours) and the internal number for the helpdesk listed on a company webpage. She possessed software that spoofs phone numbers, making caller ID show whichever name and number she chose. Karen didn’t want to call just anyone; she had to be sure whoever she spoke with would be susceptible to pretexting. She reviewed your company’s activity on LinkedIn and deduced who your recent hires were. From that, she went on social media and found one publicly listed profile of a man who just went on a skiing trip with his wife. With that, she had everything she needed to pretext him.
When Karen called the rookie, she took advantage of several psychological phenomena that are endemic to the human race:
Acquiescence/Acceptance – The rookie is in a new situation and has been rapidly exposed to a lot of information. He is still learning the names of his co-workers, and is not familiar with all the policies and procedures. Rather than expend the cognitive effort to discern whether or not something odd is going on, he chooses to simply accept the reality that has been presented to him.
Risk v. Reward – Karen traps her target in a situation that will result in something bad happening if he does not immediately comply with her. “I need to do this right now, or you will lose important files.” “The boss needs this done today.” This triggers a sense of urgency that overrides his skepticism.
Desire to Be Liked – Everyone wants to be popular and well-liked, so we are naturally inclined to be helpful to others. The rookie doesn’t want to be an obstacle, so he chooses to help Karen with her “updates.”
Deceptive Rapport – By mentioning hurting her hand on a skiing trip and making small talk, Karen accomplishes three things: First, she is taking the rookie’s mind off what she’s doing. He’s less likely to notice he’s being played. Second, she is causing him to feel sympathy for her injury. This makes him more inclined to help her. Third, he identifies with her when she mentions skiing. This causes him to feel a connection with her. All of this builds rapport, which increases the rookie’s trust in Karen.
Displacement of Responsibility – Karen assures him that she will take care of anything that might go wrong as a result of her actions. Absolving the rookie of any responsibility helps eliminate any hesitation to cooperate on his end. It also neutralizes any lingering concerns he might have about the consequences of their interaction.
Having successfully conned the rookie and gained access to his computer, she installed a stealthy backdoor on his machine. This allowed her to connect back to the network later undetected. Over the course of the next several weeks she patiently and quietly moved through the network until she found her prize: your intellectual property. Once she stole that, she covered her tracks and left. She then sold your product to a bidder on the Darknet.
Focus on People, Not Programs
Older cybersecurity models depict the network as a castle with a moat around it, sometimes with a menacing Trojan horse standing outside for good measure. This model serves as a tool for explaining difficult technical concepts like firewalls and authentication mechanisms. But it often overlooks the human element in cybersecurity. It places a lot of emphasis on defensive tools and gadgets, but pays little mind to those who wield them. People are the perimeter, especially when it comes to social engineering. Large investments in sophisticated defense systems will go to waste if your employees lack the knowledge and commitment to build a secure workplace and understand how social engineering works.
Managers are often reluctant to provide social engineering training to employees. Aside from the cost of training, there is the added cost of production loss as the employees train instead of working. However, training employees to recognize and respond to social engineering threats is dollar for dollar the best investment you can make towards hardening your company’s security posture. Training will help ensure that your company is conforming to HIPAA, PCI DSS, and other compliance standards. Training is also the only preventative measure that will thwart pretexting.
A difficult question arises: Should an employee who falls for a pretexting attack be fired? The answer will depend on a myriad of factors, but it might be best to err on the side of mercy. Disciplinary action may be warranted if there is a reasonable expectation that an employee be able to detect social engineering threats. But firing someone who falls victim to a scam could incentivize other employees to cover up mistakes rather than discuss them. That would only weaken your security posture. Also, consider the example in this article with Karen. Without any awareness or training, are you confident that you would recognize something odd was going on?
Author: Louis Papa
Silent Storm Security Contributor | Security Engineer