Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both during penetration testing and as part of real-world attacks. This note explores how attackers are using social engineering to compromise computer defenses.

Starting in the Physical World

We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet:
Other social engineering attacks in the physical world have been effective as part of penetration testing or research:
Malware Installation Tricks

Attackers increasingly rely on social engineering tactics to trick victims into installing malicious software. There are numerous variations of the approaches seen in the wild, including the following:
Targeted Attack Tricks

Attackers may profile victims to include person- or company-specific social engineering elements in the intrusion campaign:
How else are Internet attackers using social engineering? If you have real-world stories to share, please send us a note. -- Lenny Lenny Zeltser - Security Consulting |
Lenny 216 Posts Oct 27th 2009 |
Oct 27th 2009 |
It is in part because of this that I predict the demise of the Internet in the form that it currently exists. It is a huge time vampire to disinfect a machine, and the average person doesn't have the time or the knowledge to deal with it. They can take their PC into a shop where they will just reinstall the OS, or buy a new PC, and then they will go back and start doing the same old stupid things they were doing before until they get infected again.
It is easy for security experts to point their fingers and say what people should be doing, but the vast majority of people on the Internet are far from experts in anything related to security. In some cases you have children using the Internet as a plaything of some sort, and they are especially susceptible to these sorts of social engineering attacks. |
Eric 43 Posts |
Oct 27th 2009 |
Jack makes good points.
Microsoft has been slowly adding in security to the OS. They've got the firewall on by default. They've got Windows Defender which runs by default. Now they are adding the option for anti-virus. By the next revision of Windows, it will probably be on by default. That should help mitigate many of the issues for regular end-users who don't care about security software and expect everything to "just work". |
Jasey 93 Posts |
Oct 27th 2009 |
Despite the topic being social engineering, the comments are still focused on this as a technical problem that can be solved via education. Users do not need to be security experts to not get owned. You don't need to be a police officer to not get scammed by a run-of-the-mill con artist. You don't need to be an expert negotiator to not get ripped off by a salesman.
The problem isn't education, and it isn't technical, it's purely social. People are far too trusting. They will continue to get burned again and again until they learn a very non-technical lesson about life and human nature. Some people jump online and start installing any random third party software that catches their eye while posting all of their personal details to social networking sites. Other people never associate their online activity with their real name or introduce third party software to their machine. It's a question of character, not education. "There's a sucker born every minute." |
Jasey 22 Posts |
Oct 27th 2009 |
Steve, many people *would* be scammed by a run-of-the-mill con artist. The problem is that in the real world most of us aren't put in a situation where a random stranger is trying to convince us to do something, but we are bombarded with it in the digital world.
It *is* something that can be solved by education. If only by way of metaphor, like "consider each pop-up ad on a website to be the digital equivalent of a panhandler: they just want your money for some less than noble purpose and they are willing to tell you whatever you need to hear to get it from you." We already pile metaphor on top of malicious software with viruses, worms, trojans, logic bombs, etc. They create an association between the real world and the digital world. Ask someone if a computer virus is a good thing or a bad thing, and, with no other knowledge, they can say "that is bad, I don't want that." Spam should be called what it is: "Junk E-mail". That should get the point across. Nobody but a Monty Python fan would have any idea what "spam" was, and even then, it doesn't imply maliciousness.

Before I worked in computer security, I was pretty trusting. I am now paranoid and so is my wife. That's something I learned. For example, our DVR missed the first episode of this season's Dancing With the Stars. My wife checked Hulu (not available) and then went to ABC's website. They required you to download and install some custom player to watch full episodes. My wife wouldn't install it. Why? Because she's *learned* to be more selective about third party software.

My employer recently put up signs and has a little flash ad on our Intranet to help people remember to lock their systems: "CTRL + ALT + DEL when you leave your seat." It's short and catchy and we see it a couple times a day. It is effective because it buries itself meme-like in the back of your brain and you remember. If security training could be more like that, it would make more of an impact. We have to treat it like teaching kindergartners learning the alphabet. It is a foreign concept to normal users, so it must be broken down into tiny, easy to memorize chunks. I don't have an answer, I don't have a "hooked on phonics" for security. But someone should. |
Jasey 93 Posts |
Oct 27th 2009 |