Network Security, Volume 2010, Issue 11, November 2010, Pages 11–14

Feature: Social engineering today: psychology, strategies and tricks

Steve Gold (Freelance journalist)

http://dx.doi.org/10.1016/S1353-4858(10)70135-5

Much has been written about hackers and their methodologies over the years from a technology perspective, but very little – at least in the past decade – has been penned about the psychology of hacking. Social engineering techniques have been used by hackers since pre-Internet days. But the extent to which they are exploited – by themselves or as part of malware-based or other technology-based attacks – is still under-appreciated. Perhaps this is because the attacker almost never comes face-to-face with the victim. But while the techniques are old, the latest technology is giving them a new lease of life.

[Figure: Steve Gold]

Social engineering was popularised – if you can use that term – by the infamous early hacker and phone phreaker, Kevin Mitnick. He claims to have gained unauthorised access to his first computer system in 1979 when, aged 16, a friend gave him the phone number for the Ark, a computer system that DEC used for software development. Using social engineering techniques, Mitnick broke into DEC's computer network and copied the firm's software. In 1988, he was sentenced to 12 months in prison for that crime and, on his release, was placed on probation for a further three years.

Near the end of his three-year probation, Mitnick used his skills to hack into the Pacific Bell voicemail systems, an attack that led to a warrant for his arrest. He then went on the run for two and a half years. During this time, Mitnick is said to have used a variety of social engineering techniques to gain unauthorised access to dozens of computer systems across North America and Europe, as well as cloning analogue cellular phones to access online systems for free.

New technology

That was, of course, 25 years ago and in the intervening period digital technology has progressed immensely, creating 2G and 3G cellular networks, as well as broadband services running at many megabits per second. All of this allows access to the Internet from most places on the planet, giving rise to a new hacker methodology: technology-assisted social engineering.

Not that the traditional social engineering techniques are obsolete. One of the most effective demonstrations of this attack vector is carried out at the DEFCON computer security convention, which takes place each summer in Las Vegas.

Known as Capture the Flag, the contest involves attendees being given the task of hacking systems using nothing but a telephone. In one of the DEFCON 2010 contests, contestants were asked to call up employees of specified major companies and persuade them to visit a specific web page, which would then extract details of the web browser and operating system they were using.

The important feature of the 2010 Capture the Flag competition was that entrants were required to use their best social engineering skills, but in an entirely legal manner, which meant they were not allowed to ask for passwords, threaten the target or make the target feel at risk. In addition, the entrants could not impersonate law enforcement officials, nor could they pretend to be an authority figure. And they were given just 20 minutes to carry out the exploit. The fact that they were all successful (other than one whose phone call was not answered) is proof of the power of social engineering methods.

Hybrid attack

The DEFCON exercise was based on techniques little changed since Mitnick's illegal exploits. But his true successors, the hackers of today, are using a hybrid approach combining social networking techniques and hacking methodologies to gain unauthorised access to computer systems and allied data they should not be able to reach.

"Today's hackers are arming themselves with technology such as the Zeus worm malware that first appeared in 2007 and using a variety of psychological and lateral interactions to gain access to people's data," says Uri Rivner, head of new technologies, identity protection and verification with security solutions provider RSA Security.

In a presentation at the RSA Europe security conference in London recently, Rivner revealed how, through the use of extensible code (ActiveX plus Javascript), hackers are breathing new life into the Zeus trojan and extracting users' credentials in several new ways.

[Figure: Kevin Mitnick]

Zeus is a pervasive piece of malware, spread using a variety of methods, including phishing, spammed email and website hacking. Once infected, the user's system is remotely controlled as part of a botnet. Zeus is thought to control several million PCs worldwide at any given time, through the use of many hundreds of Command & Control (C&C) servers.

Monitoring data

According to Rivner, while hackers are tapping Zeus to gain parallel access to Internet users' online banking sessions, they are also injecting social engineering-driven HTML scripts into users' online sessions, as well as monitoring all IP-driven data flowing to and from the users' computers. This means, he explains, that users' emails and web interactions are all being harvested by the C&C servers for automated data combing. The process of data harvesting is highly automated and carried out on a large scale.

"When I first came into this business I had an image of a young hacker like Matthew Broderick (in the movie War Games), but the reality is that it's not like that at all," he says.

In the dark ecosystem, Rivner says, there are low-level data harvesters and mules, and then there are cashers, who understand how the cybercrime operates.

"Harvesters don't know much. Mules only receive the money for a commission," he says, adding that he recently posed as a buyer of stolen credentials on a carder chatroom and interacted with a seller of card data plus allied user credentials. Today's credential fraudsters – and that typically means a data fraudster possessing payment card and associated data – typically operate on a 50% commission basis, which means they take 50% of the money that derives from their customers' card fraud activities.

Dishonour among thieves

BabB, who was later arrested and charged by the FBI, used social engineering techniques to sell his illegal card data to fellow criminals, even going to the extent of commissioning a cartoon showing how good he was at his job and how he could generate steady streams of fraudulent income for his clients. At his peak, BabB operated Carders Planet, a leading carder forum, which bought and sold users' bank card credentials on a massive scale, raking in commission from criminals to whom he sold his data.

"One fraud we know involved pre-paid salary/wage cards in the US and, via an Atlanta processor, his gang successfully withdrew a total of $9m from 2,100 ATMs across the US in just 12 hours," says Rivner, adding that the fraud centred on just 44 accounts, with cash withdrawals taking place in 280 cities.

Since the arrest of BabB a few years ago, Rivner says that law enforcement officials now understand a lot more about the psychology of criminal hackers and their modus operandi. In addition, they have passed that knowledge on to the banks, which are now able to monitor for non-standard behaviour on their card networks.

Extending Zeus functionality

The concept of behaviour is key here. Much of the social engineering that goes on today is automated and is about either getting Internet users to do things they wouldn't otherwise do, or convincing them that all is well when, in fact, they are being duped.

For example, in a typical Zeus-hacked online banking session, an infected user logs into an e-banking session and, within an instant, the Zeus code – under automated control of the C&C botnet server – initiates an online transfer to a mule account, while at the same time presenting the user with a false image of the account balance and other transactions on the computer screen. In this way, while the money is being sucked out of the bank account, the user thinks that everything is OK, even to the extent of logging off from what appears to be a successful online bank account session.

But it gets worse, Rivner says, as hackers are using a mix of social engineering and extensible code to interact with the victim, in order to extract even more information from them, such as where they work, what their family circumstances are, and their phone contact numbers. By the time the botnet has harvested the portfolio of data, the user thinks that the bank's records have been updated. The reality is that the user has been suckered into giving up more data than they would ever normally hand over online, and it's data that can be used to hack the victim's life even more, using fraudulent loan and card account applications.

"We've seen instances of hackers collating data on users that includes their Tesco grocery purchases, their emails, their web interactions and even their blood groups," says Rivner.

These are what RSA calls 'lifegrabbers': they collate data, and request extra information through HTML web browser insertion.
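The two behavioural patterns described above (a transfer fired off "within an instant" of login to a payee the account has never paid, and card withdrawals fanning out across many cities in a few hours) are the kind of non-standard behaviour a bank's monitoring can flag. The following is an added illustration written for this page; it is not RSA's or any bank's code. The event records, the 30-second login-to-transfer gap and the "more than three cities in 12 hours" threshold are constructed assumptions chosen to make the rules concrete.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real bank data). Each tuple is
# (timestamp, account or card, event kind, detail), where detail is the
# payee id for a "transfer" or the city for an "atm" withdrawal.
SAMPLE_EVENTS = [
    ("2010-11-01 09:00:00", "acct-1", "login", ""),
    ("2010-11-01 09:00:02", "acct-1", "transfer", "payee-unknown-77"),  # 2 s after login, new payee
    ("2010-11-01 10:00:00", "acct-2", "login", ""),
    ("2010-11-01 10:04:30", "acct-2", "transfer", "payee-landlord"),    # known payee, minutes later
    ("2010-11-02 00:10:00", "card-9", "atm", "Atlanta"),
    ("2010-11-02 00:12:00", "card-9", "atm", "Chicago"),
    ("2010-11-02 00:15:00", "card-9", "atm", "Denver"),
    ("2010-11-02 00:20:00", "card-9", "atm", "Seattle"),
    ("2010-11-02 13:00:00", "card-9", "atm", "Boston"),   # falls outside the first 12 h window
    ("2010-11-02 08:00:00", "card-3", "atm", "Leeds"),
    ("2010-11-02 09:00:00", "card-3", "atm", "Leeds"),    # same city twice: normal use
]

# Constructed payee history: payees each account has paid before.
KNOWN_PAYEES = {"acct-2": {"payee-landlord"}}


def parse(events):
    """Turn the textual timestamps into datetimes and sort chronologically."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, kind, detail)
            for ts, acct, kind, detail in events]
    return sorted(rows)


def flag_instant_transfers(events, known_payees, max_gap_seconds=30):
    """Flag transfers to a never-before-seen payee issued within
    max_gap_seconds of the account's most recent login (the automated
    man-in-the-browser pattern). Returns (account, payee, gap_seconds)."""
    last_login = {}
    alerts = []
    for ts, acct, kind, detail in parse(events):
        if kind == "login":
            last_login[acct] = ts
        elif kind == "transfer":
            login_ts = last_login.get(acct)
            new_payee = detail not in known_payees.get(acct, set())
            if login_ts is None or not new_payee:
                continue
            gap = (ts - login_ts).total_seconds()
            if gap <= max_gap_seconds:
                alerts.append((acct, detail, int(gap)))
    return alerts


def flag_dispersed_withdrawals(events, window=timedelta(hours=12), max_cities=3):
    """Flag cards whose ATM withdrawals span more than max_cities distinct
    cities inside any sliding window of the given length (cash-out pattern).
    Returns (card, number_of_cities) for the first offending window."""
    withdrawals = defaultdict(list)
    for ts, acct, kind, detail in parse(events):
        if kind == "atm":
            withdrawals[acct].append((ts, detail))
    alerts = []
    for card, rows in withdrawals.items():
        for i, (start, _) in enumerate(rows):
            cities = {city for ts, city in rows[i:] if ts - start <= window}
            if len(cities) > max_cities:
                alerts.append((card, len(cities)))
                break
    return alerts


if __name__ == "__main__":
    print("instant transfers:", flag_instant_transfers(SAMPLE_EVENTS, KNOWN_PAYEES))
    print("dispersed withdrawals:", flag_dispersed_withdrawals(SAMPLE_EVENTS))
```

In production the thresholds would come from each customer's own history rather than fixed constants, and an alert would feed a step-up check (a phone call or a second factor) rather than a hard block, so that the legitimate session is not interrupted.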
The bad news, says Rivner, is that RSA's research shows that 80% of Fortune 500 companies are infected with malware, which means these firms are spending a lot of money on IT defences that don't work.

"In 1980 it was the network. In 2010 it's the person," says Rivner, adding that hackers use any and all means to collate data on their victims. But the good news, he told his audience, is that banks are developing more and more advanced defences, and are applying intelligent analysis of IP accesses and numbers. "They are monitoring, monitoring, monitoring all the time," he says.

Hacking the cellphone

Rivner's jaw-dropping presentation at RSA Europe was complemented by Zane Lackey, a senior security consultant with iSEC Partners, who showed how, by hacking the data headers of SMS and MMS transmissions on cellular networks, all manner of social engineering-driven hacks are possible.

While the SMS (text message) system is enshrined in the GSM standard, on which most digital cellular networks are based, the MMS (image messaging) system is not built into the standard, for the simple reason that MMS technology is actually a technical kludge.

According to Lackey, because an MMS message is actually a mobile Internet call routine built into an SMS data string, it is possible to fool a user's phone into polling a third-party (hacker's) server for the MMS payload content, rather than the mobile phone company's systems.

This is possible, he told his RSA Europe audience, because MMSs are transmitted on a store-and-forward basis between cellular networks, with data hopping back and forth in batches. Because the SMS transmission system uses cellular control signal channels, they cannot be turned off. And since SMSs are so fundamental to cellular, Lackey says, they can be subverted by hackers.

The hacking process is technically quite simple and involves the generation of false headers in the UDP code that forms the data stream flowing across a GSM network's control channels. Although users only view a maximum of 168 characters on their mobile phone screens, Lackey says that the control header information – the UDP data header – varies, depending on what function the text message has, including voicemail notifications, mobile phone system settings and the like. And because cellular carriers exchange UDP-based data streams between each other to generate SMS- or MMS-based content on users' mobiles, it is possible to buy a simple PCMCIA GSM data card for a laptop and drive the card to generate spurious UDP-based data streams.

Lackey showed how the inter-carrier GSM data stream can be subverted to cause a WBXML-based message to appear on recipients' mobile phones, asking them to log into what looks like their mobile banking screen and requesting that they update their details. You can probably guess what they were really logging into. Because most mobile phone users do not question a mobile phone request like this – which is a context-driven social engineering and technology hack – they go ahead and enter their credentials.

The good news is that Lackey, whose company advises cellcos on how to better defend their networks, has only tried out his UDP header subversions to perform what he calls 'pub tricks'. However, his RSA Europe demo showed how technology and context-based social engineering can fool users into giving away their mobile banking credentials.

Social engineering defences

So why do people fall for social engineering tricks? According to Mike Jones, security product director with Symantec, it all comes down to the context in which the technique is applied.

"We're seeing a lot of activity in the heavily targeted area of phishing, such as the role in which a given request for information is presented," he says.

In one instance, a senior lawyer received an email that requested information in the context of a tax law change, and he passed the email on to a subordinate, who then passed it further down the food chain through several levels and eventually on to a relatively junior member of staff. Each time the email was forwarded, says Jones, it gained added authority from each sender, meaning that the eventual recipient did not think twice about doing as the email requested.

[Figure: Mick Jones, Symantec]

So what is the solution to this technology-assisted form of social engineering?

Jones says the solution – here and in many other cases – is to integrate the network security layer with the data infrastructure layer, so that an automated IT security system, which is monitoring for unusual activity on the company network, can step in.

"The process is called just-in-time security," Jones explains. "In this instance the member of staff would get an automated call from the IT security system asking him or her to consider the security implications of forwarding data to an external email address."

And, adds Jones, the process can be stepped up a notch each time the member of staff tries to circumvent the security system, finally saying that a manager will be notified of the possible security procedure breach.

"This form of behavioural modification really does work," says the Symantec product director, "and means that even the most clever social engineering technology attack vectors can be countered, but without interfering with the actual business process."
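The just-in-time escalation Jones describes (an automated prompt on the first attempt to send data to an external address, stepped up on each further attempt, ending with a warning that a manager will be notified) can be sketched as a small policy engine. The code below is an added illustration for this page, not Symantec's product or any real implementation; the internal mail domain, the wording of each escalation step and the per-sender attempt counter are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed: the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed escalation ladder, one step per repeated attempt by the same sender.
ESCALATION = [
    "prompt: consider the security implications of forwarding this data to an external address",
    "warn: the prompt is repeated and the attempt is being logged",
    "notify: a manager will be notified of the possible security procedure breach",
]


def external_recipients(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return the recipients whose mail domain is not one of ours."""
    external = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if domain not in internal_domains:
            external.append(addr)
    return external


@dataclass
class JustInTimeSecurity:
    """Holds how many times each sender has tried to push data outside.
    Each blocked attempt moves the sender one step up the ladder; the
    last step repeats until the sender backs off (reset) or a manager acts."""
    attempts: dict = field(default_factory=dict)

    def check_send(self, sender, recipients, is_forward):
        ext = external_recipients(recipients)
        # Only forwarded messages bound for outside addresses trigger the prompt,
        # so normal internal traffic is never interrupted.
        if not is_forward or not ext:
            return {"allow": True, "external": ext, "level": 0, "action": None}
        level = min(self.attempts.get(sender, 0) + 1, len(ESCALATION))
        self.attempts[sender] = level
        return {
            "allow": False,
            "external": ext,
            "level": level,
            "action": ESCALATION[level - 1],
        }

    def reset(self, sender):
        """The sender decided not to forward: clear the escalation state."""
        self.attempts.pop(sender, None)


def run_scenario(jit, sender, recipients, tries):
    """Replay `tries` attempts to forward to `recipients`; return the levels seen."""
    return [jit.check_send(sender, recipients, is_forward=True)["level"] for _ in range(tries)]


if __name__ == "__main__":
    jit = JustInTimeSecurity()
    print(jit.check_send("alice@example.com", ["bob@example.com"], is_forward=True))
    for level in run_scenario(jit, "alice@example.com", ["taxinfo@mail-example.net"], 4):
        print("attempt level", level, "->", ESCALATION[level - 1])
```

The check sits at the mail gateway or the client's send hook; the value of the approach in Jones's account is that the prompt arrives at the moment of the risky action, in the context of that action, rather than as generic training weeks earlier.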
This form of security protection, says Jones, is important because, unlike traditional user education, it does not require hours and hours of indoctrination training to make users understand what they should not do in a context-driven social engineering hack.

"It doesn't take much in the way of time, and doesn't stop the normal business workflow," says Jones. "It's also highly automated and stops an attack quite literally as it happens."

Resources

Mitnick, Kevin; Simon, William. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons (2003). ISBN 978-0764542800.

Mitnick, Kevin; Simon, William. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers. John Wiley & Sons (2005). ISBN 978-0764569593.

About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.

Copyright 2010 Elsevier Ltd. All rights reserved.