Social engineering is the art of hacking people. People are essentially good and are willing to help; social engineering exploits that. It’s a great skill to have in the world of red teaming and information security, and while it’s not a new thing we’ve been hearing a lot about it lately: in the RSA, Lockheed Martin and other attacks recently the technique used was something the infosec world likes to call spearhead or phishing attacks. Essentially a form of social engineering via email or phone in which you convince an unsuspected target to open a document (that has been weaponized with a piece of malware) or by redirecting them to a malicious website where another piece of code is waiting for them.
As part of my red teams services I often find myself using this to gain some information or to get the first step into my client’s network or computers or to physically enter an office or server room. It’s not so hard, however sometimes I have to deal with people that had a bit of security awareness and that’s when it gets interesting.
In one case I spent an hour trying to convince the assistant of a CEO I was targeting (by request of the IT security manager that hired me) to open a PDF that contained important information that I needed the CEO to consider. It was important to me that she open it while I was on the phone because I needed to verify that I had a connection to their network via the code I embedded on the PDF. She wouldn’t have it. She kept on saying that she would open it later when she was free. Not good. Eventually she got tired of me (I was using every trick in the book to convince her!) and she said: “Fine! I’ll open it.”
Of course since Murphy is present everywhere the exploit I put on the PDF didn’t work. The PDF itself had some interesting information that was relevant to my cover (together with a website I set for this job) so I was still on the game. She mentioned that this would be interesting to the CEO and that she would email me later with his opinion. That was good. I mean, my code failed for some reason (I later found that they had a firewall that was blocking all non SSL HTTP communication out so I fixed that), but I still had another chance to get some code in. I prepare the website with some nasty javascript that would download a piece of code to the AA’s computer and give me a backdoor there. The next morning I received an email from her and I replied with a link to my website, something that would definitely interest the CEO. By noon I was looking at the contents of the AA’s hard drive and by the end of the day I was root on several servers on the network.
Sometimes all it takes it good social skills, some language command and good coding to hack into someone’s network. No exploits needed. That’s the beauty of social engineering.
Be aware of it. It’s not hard to detect when someone is trying to exploit your mind.
If you are interested in this try reading The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick. It’s a fantastic book and it’s always relevant.