Social Engineering and What To Do About It Aleksandr Yampolskiy, Ph.D. Director of Security and Compliance, Gilt Groupe Moderator: Greg Masters, Managing Editor, SC Magazine
Security decisions are based on risk, not just threats and vulnerabilities. The roadmap aims to mitigate top risks. Heavily based on policy and user education. “Onion security” – multiple protections at each layer. Achieve “essential”, then worry about “excellent”. Be a “how team” instead of a “no team”. Our Approach to Security
Social engineering in person See anything wrong?
Social engineering in person
Types of social engineering –In person –Phone – –Websites –…the list doesn’t end there… Social Engineering
It’s an old-fashioned manipulation of people. The goal is to obtain sensitive information about a company (password, financials, customer info, etc.) Organizations are too focused on technological security controls, but often the weakest link is people! What is Social Engineering? Gartner 2002
Social engineering is not as glamorous as it sounds and requires lots of groundwork 1. Information gathering 2. Idle chit-chat 3. Assuming different personas 4. Getting what you want. It can be very easy or very hard and yields largest rewards. What is Social Engineering? (cont.) Gartner 2002
Four categories of attacks: Direct request –Usually the least likely to succeed 2. Contrived situation –Additional factors the victim must consider 3. Walking the walk, talking the talk –Service person, employee, carry clipboard 4. Personal persuasion –Make victim believe she is in control Types of Social Engineering Attacks
Bold impersonation –Impersonate another employee. Learn the lingo –Sound like an employee, using company jargon and dropping names of other employees. Fragmentation –Gather info one piece at a time across multiple conversations. Avoid detection –Different callers –Different phone numbers Building Blocks
Diffusion of Responsibility ("The VP says you won’t bear any responsibility…") - Drop names of other employees involved in the decision-making process, or claim another authorized the action. Chance for Ingratiation ("Look at what you might get out of this!”) - Compliance with the request enhances their chances of receiving benefit in return. Trust Relationships ("He’s a good guy, I think I can trust him”) - Developing a trust relationship with the intended victim, then exploits that trust Moral Duty (“You must help me! Aren’t you so mad about this?”) - Encouraging the target to act out of a sense of moral duty or moral outrage. Psychological Tricks (due to Steve Riley)
Guilt/Fear (“What, you don’t want to help me?”) - Most individuals attempt to avoid feeling guilt if possible. Identification (“You and I are really two of a kind, huh?”) - The more the target is able to identify with the social engineer, the more likely the request is to be granted Desire to Be Helpful (“Would you help me here, please?”) - Exploits include asking someone to hold a door, or with help logging on to an account Cooperation ("Let’s work together. We can do so much.”) - The less conflict with the target the better. Psychological Tricks (cont.)
Social Engineering’s goal is to influence the victim to reveal sensitive information! Caldini’s Six Principles of Influence
Six elements to influence in social engineering: 1. Authority = “Wearing uniform, …” “People highly responsive without question to those with authority”. 2. Scarcity = “Sense of urgency” 3. Similarity = “People are comfortable with those similar to themselves”. “Same problems at work, same interests, political frustrations, etc.” 4. Reciprocation = “Something for something” “But you agreed!” 5. Commitment = “What people do today they will likely do tomorrow” 6. Social proof = “He knows William’s cell, so he must be important” Caldini’s Six Principles of Influence
Social engineer tricks you into asking him for help. Sabotage –Create a paper jam on a printer. Advertising –Leave a business card, advertising attacker’s services to fix PCs. Assisting –Attacker assists a victim with the solution. Reverse Social Engineering
From: Alan Davis To: Cheryl Hines Cheryl, I just called Bob on his cell phone to ask if he could send me a copy of the press release that is to go later today. He was picking up his daughter Jennifer from school and he asked me to reach out to you. Can you please send me a copy right away? It’s a little urgent, as you can imagine. Bob was enjoying his lunch with coworkers in a Thai place next to the office. He casually mentioned that today a press release for Acme will be issued, and that he’ll be taking off early to pick up his daughter Jen from school. At 2:15 pm, his secretary Cheryl received an followed up by a frantic call from Alan. Since Bob was away, she promptly sent him the release. Real Example. Names have been changed.
Yet another example. Is your organization safe?
Yes, hi – Gilt Customer Support? This is Aleksandr Yampolskiy. I am on vacation in Dominican and I can’t log in to Gilt site. Could you reset my password? Sure, my is and address is 135 East 50 th Street, NY, Thank you so much! Yet another example.
All people are naturally helpful and especially Customer Support… since their job is to help! Generally not trained to question validity of each call. That makes them prime targets for social engineering. Customer Support
You must have at least 1.5 points to verify the identity of a customer if they have previously placed an order. You must have at least 1 point if no orders were placed. Do not provide information unrelated to the user’s account (users calling regarding spending habits of children, spouse, etc. cannot be discussed). Password resets can be requested over the phone, but first verify the identity, then send the password by . Customer Identification
Recognize when the situation comes. Don’t be afraid to say “NO!” Incident response policy. Defenses
Spear phishing. Targeted which appears to be coming from your colleague or a friend. Nigerian scam aka 419 scam. Forward money in hopes of financial gain. PDF, JPEG, EXE attachments with greeting cards, images, documents. Social Engineering by Lovebug virus
Security Awareness Usage: What do suspicious s look like?
Security Awareness Usage: What do suspicious s look like?
Security Awareness Usage: What do suspicious s look like? Original Response 1 Response 2
Some advice to stay safe: 1. Don’t assume that is legit even if you get it from a colleague or a friend. 2. Companies, like PayPal, always address their customers by their username in s, so if an addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. 3. Be cautious about posting your address on public web sites. 4. Disguise your address when you post it to a newsgroup, chat room, bulletin board 5. Use multiple addresses for different purposes. E.g. use one to correspond with friends, colleagues and another for public forums. 6. Do not reply to spam 7. If you have a website or blog use an encoded, address on the site. 8. Use your common judgment or ask Stay Safe - Phishing
Social engineering via websites
Many of these viruses spread through social sites (a user is 10x more likely to open them than via ) Malware has many shapes and forms
A concrete example: Erin Andrews is an ESPN sportscaster, who was secretly videotaped through hotel peephole in July 09. Shortly thereafter, a site video.report-cnn.com hosting the tape appeared. Fake Youtube videos LIVE VIDEO PLAYER BLOCKED Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below. click
Spear Phishing – a highly targeted phishing attack Disguised as a legitimate communication Giltcorp.com is not owned or operated by Gilt Social Engineering
Incident response policy, outlining steps to take if a phishing website resembling Gilt is detected. Buy similar-sounding domains. Block these sites at firewall level. Education. Test your users if they fall for it! Preventing social engineering on the web
Any questions?