Social Engineering
The single biggest vulnerability at any company or organization will always be the human beings who work there.
Social engineering is the art of manipulating human psychology and using deception to get people to do what you want them to do.
In other words, it's the art of bullshitting, and just generally being a liar-liar-pants-on-fire.
You might have heard the trope that a high-vis vest and a clipboard can get you almost anywhere; that's one example of social engineering.
The following video clip shows you a terrifying example of social engineering in action. The clip is nine years old, but the technique still works today.
Social engineering is a very difficult vulnerability to patch, because humans will always be human, and human psychology gets patched at the rate of societal change and evolution.
If you've worked for a large corporation, chances are you've gone through training about social engineering before. And those types of training lessons are better than nothing, but they don't do much to stop a skilled social engineer from getting people to do what they want.
As a teenager, I briefly ran with a rough crowd online. They were a bad influence on me, but they taught me a lot about social engineering. We were menaces over the phone, and to this day I feel bad about some of the things we did.
I'd like to share the story of one such phone call, one of the less-evil ones, to show how easy social engineering can be. I was probably fifteen or sixteen when I made this call.
War Stories: Customer Feedback
The phone rang three times before the call was answered.
"Hi, this is StoreMart, how can I help you?" the employee asked.
"Hey! This is Ted from the corporate office. How are you doing today?" I replied.
"I'm good, I'm good," the employee replied, "You said you're from corporate?"
"Yes! We're doing a thing today where we call random stores and survey customers in the store for feedback. Are there any customers in the store right now?" I asked.
"Umm...yeah, there's a couple of people here right now. What is this, again?" the employee asked, confused.
"We're calling around to different StoreMart stores and talking to customers, to get an idea of how they feel about our selection of products, and whether or not there's anything they expected us to sell, that we don't, that kind of stuff. So all I'd need from you is to put one of the customers on the phone, and I'll quickly do the survey and get out of your hair," I replied, with a slight chuckle on the last part.
"Umm...okay, one second," the employee replied. He set the phone down, and I could hear him loudly ask, "Does anyone want to talk to corporate? They're doing some kind of survey."
Moments later, a customer came on the line, and I asked them some really bland, basic corporate feedback questions. At the end of it, I happily told her that since she completed the survey, she could have one free item from the store.
"Any item? I can have it for free?" she asked.
"Any singular item that's under $10, you can have for free," I replied.
She stayed on the cordless phone as she picked out the drink she chose, and brought it to the counter where the employee was standing.
"The corporate person said I could have this for free," I heard her tell the employee.
The employee's voice came back on the phone a moment later, and said, "Did you tell her that she could have this drink for free?"
"Yep! For completing the survey, she's allowed one free item, as long as it's under $10. Did she pick out something more expensive than that?" I asked.
"No, no, it's four bucks," he replied, then spoke away from the phone towards the customer, "Alright, yeah, you can take it."
I thanked the employee for his time, informed him that I'd leave a positive note in my system about him, and we ended the call.
As far as I know, this specific exploit still works today.
The people I was hanging out with made hundreds of similar calls; I personally only did a few. I regret having any part in it, but you can get convenience store employees to do a lot more than give things out for free if they believe you're from corporate. And it doesn't take much to get them to believe that.
They don't personally know anyone from corporate, and their job would be at risk if they declined to follow corporate's instructions. They might feel suspicious, but then swallow that suspicion, because interrogating someone from corporate and wasting their time could cost them their ability to pay rent at the end of the month.
That example is essentially just a prank phone call, but far more sophisticated, higher-profile social engineering attacks exploit the exact same trust in, and fear of, authority.
Companies that put a high value on security are far more likely to verify the identity of someone who contacts them. But at a very large company with multiple branches and offices, how many people on one branch's sales team would recognize the voices of everyone in the Legal department at HQ over the phone?
If I introduce myself as a real employee from the Legal department, give that person's real employee number, reference one of the holiday parties, and bring up an anecdote about someone else who verifiably works at the company, it's going to be believable that I really am from the Legal department. And no one wants to be on the bad side of the Legal department; lawyers are scary.
How a Social Engineering Attack Works
There's no official step-by-step framework for doing a social engineering attack, and if you research it online, different people will list different steps, and different blog posts call those steps different things. This is how I break it down in my own mind; there's no singular correct process for lying to someone and having them believe you.
1. Reconnaissance
The first stage is to learn as much as you possibly can about your target. Using Google, you'd research as much information as you can across company websites, social media profiles of employees, blog posts, and so on.
During this stage, you learn things about the structure of the organization, what vendors they use, what their company email addresses look like, or even what their security badges to get into the building look like.
This is also the step where you choose your target carefully (and who you're going to impersonate), such as someone who just got hired, who doesn't know everyone at the company or all of the procedures yet.
Or, in general, whoever is most likely to be able to give you access to the thing you're trying to access. IT staff who can reset passwords, executive assistants with access to their boss's calendar and email, etc.
In the case of my prank phone call, it would just be looking up the phone number of the store you're trying to terrorize.
You need to do enough research during the recon phase to be able to "talk the talk" of whoever you're pretending to be. If there's any lingo pertaining to that field that might get thrown at you, you need to understand what it means, or else it'll be extremely obvious that you don't actually work there.
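One concrete piece of the recon described above is working out what a company's email addresses look like from the handful it publishes itself. The following is an added example, not code from this post: given a few (first name, last name, address) triples, it votes each one against common naming conventions and then produces candidate addresses for a new target. The names, the addresses and the `storemart.example` domain are all constructed for the example; nobody in the sample is a real person.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample of names and addresses of the kind you would collect from
# a company's "About" page, press releases and conference bios during recon.
# Nobody here is real; the domain is a placeholder.
KNOWN_ADDRESSES = [
    ("Alice", "Morgan", "amorgan@storemart.example"),
    ("Bob", "Chen", "bchen@storemart.example"),
    ("Dana", "Okafor", "dokafor@storemart.example"),
    ("Evan", "Ruiz", "evan.ruiz@storemart.example"),   # an older or contractor format
]

# Naming conventions worth testing, as functions of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def normalize(name):
    """Strip accents, lowercase, and drop anything that is not a-z (hyphens, spaces)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def rank_patterns(samples):
    """Vote each sample against every pattern.

    Returns (patterns ordered by how often they matched, most common domain,
    fraction of samples explained by the top pattern).
    """
    votes, domains = Counter(), Counter()
    for first, last, addr in samples:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        f, l = normalize(first), normalize(last)
        if not (f and l):
            continue  # nothing to match a pattern against
        for name, fmt in PATTERNS.items():
            if fmt(f, l) == local:
                votes[name] += 1
    ranked = [name for name, _ in votes.most_common()]
    domain = domains.most_common(1)[0][0] if domains else None
    confidence = votes[ranked[0]] / len(samples) if ranked else 0.0
    return ranked, domain, confidence


def guess_addresses(first, last, samples):
    """Candidate addresses for a new target, best-supported convention first."""
    ranked, domain, _ = rank_patterns(samples)
    f, l = normalize(first), normalize(last)
    return [f"{PATTERNS[p](f, l)}@{domain}" for p in ranked]


if __name__ == "__main__":
    ranked, domain, confidence = rank_patterns(KNOWN_ADDRESSES)
    print(f"domain={domain} top={ranked[0]} confidence={confidence:.0%}")
    for candidate in guess_addresses("Ted", "Vance", KNOWN_ADDRESSES):
        print(candidate)
```

On the constructed sample the top convention is `flast` with 75% support, so a target named "Ted Vance" is guessed as `tvance@storemart.example` first and `ted.vance@storemart.example` second. The confidence figure matters: a company that changed conventions during a merger will show a split vote, and guessing from a split vote is how you send the pretext to an address that bounces.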
2. Pretexting
Pretexting is the stage where you first reach out and make contact with your target. You use the information you got during recon to spin a believable tale that builds trust.
E.g. "Hi, I'm from the corporate office, and today we're doing customer surveys."
Or "Hey, I just started working here a few days ago, and I'm locked out of my account. Can you help me?"
Some other things that fall into this category:
- Phishing emails.
- Fake delivery notifications.
- Walking into a building with a high-vis vest and clipboard.
If you fail to establish a trustworthy enough premise, your target's guard will be up, and any additional attempts at social engineering will be much more likely to fail.
I know that, at one point, "StoreMart" started to tell their employees that corporate won't call to do customer surveys. However, I also know that the prank still worked a lot of times after that.
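The email form of "Hi, I'm from corporate" can at least be checked mechanically, which the phone form cannot. The following is an added example, not code from this post: it inspects the claimed identity in a message's From and Reply-To headers and flags a display name asserting internal authority from an outside domain, a domain that is a lookalike of the corporate one, and replies routed somewhere other than the sender. The corporate domain `storemart.example`, the confusable-character table and the three messages are constructed for the example. It deliberately does not check SPF/DKIM/DMARC; it assumes those ran upstream, because an exact spoof of the corporate domain passes every test here.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate corporate domain; a placeholder, not from the post.
CORPORATE_DOMAIN = "storemart.example"
BRAND = CORPORATE_DOMAIN.split(".")[0]

# Words a pretext leans on. A display name using them while the address is
# external is the "I'm from corporate" opener, delivered by email.
AUTHORITY_WORDS = (BRAND, "corporate", "helpdesk", "it support", "legal", "security team")

# Substitutions used to build lookalike domains; mapped back before comparing.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def skeleton(domain):
    """Undo the common character swaps so 'storernart' compares as 'storemart'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message):
    """Return a list of findings about who a message claims to be from.

    An empty list means the From address is on the corporate domain and nothing
    else looked off. Only the claimed identity is examined here.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain == CORPORATE_DOMAIN:
        return findings

    sk = skeleton(domain)
    if sk == CORPORATE_DOMAIN or BRAND in sk or edit_distance(sk, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {domain}")
    if any(word in name.lower() for word in AUTHORITY_WORDS):
        findings.append(f"display name claims internal authority from an external domain: {name!r}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to goes elsewhere: {reply}")
    return findings


# Constructed messages for the example (no real senders or recipients).
LEGIT = """From: Alice Morgan <amorgan@storemart.example>
To: store1234@storemart.example
Subject: Q3 planogram

See attached.
"""

PHISH_LOOKALIKE = """From: "Ted, StoreMart Corporate" <ted@storernart.example>
To: store1234@storemart.example
Subject: Customer survey today

We're calling stores today; please have a customer ready to talk to us.
"""

PHISH_HELPDESK = """From: "StoreMart IT Helpdesk" <support@mail-helpdesk.example>
Reply-To: tickets@other.example
To: store1234@storemart.example
Subject: Password reset required

Reply with your current password so we can migrate your account.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", PHISH_LOOKALIKE), ("helpdesk", PHISH_HELPDESK)]:
        print(label, check_sender(raw) or ["no findings"])
```

The lookalike message is caught because `storernart` collapses to `storemart` once the `rn` swap is undone; the helpdesk message is caught on the display name and the Reply-To alone, since its domain is not close to the real one. The phone equivalent of this check is the one the post keeps coming back to: hang up and call corporate back on a number you already have.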
3. Exploitation
This is the stage where you actually get your target to do something. This is the stage where IT actually resets the password, an employee plugs in a malicious USB drive you sprinkled around the parking lot, a cashier gives a customer a free drink, someone reads out a multi-factor authentication code, etc.
It's also the stage where things are most likely to go bad (pretexting comes in a close second), because it's the step where the person is most likely to pause and second-guess what they're about to do.
If there are any holes whatsoever in your story, or you just fail to make it believable enough, the IT staff will realize that you might not actually be a new hire who needs their password reset.
4. Disengagement
Also known as "covering your ass". If you hang up too abruptly after IT resets the password for you, they're going to be suspicious and start holding a magnifying glass up to your story.
In the case of my story, I thanked the employee for their time, as someone from corporate would if the scenario were real, and told them I'd leave a positive note to butter them up a little.
Disengagement is also generally taken to include persistence: any action you take to keep your access to the information or systems you were after, like setting up email forwarding, or creating a new account for yourself that you can log into later.
Importance of Knowing This
I decided to teach this concept first, because it doesn't require any technical knowledge to understand. I think it's important to understand how social engineering works, because it's one of the hardest attacks to defend against, and being able to spot it is extremely useful even in social situations.
Additionally, a lot of software-level exploits are fundamentally social engineering attacks (and follow similar steps), except they happen against a computer rather than a human.
A lot of software exploits are the result of you tricking the computer into believing you're someone you're not, to get it to give you access to things it's not supposed to.
I don't recommend ever trying to do a social engineering attack yourself (without permission), and I'm not responsible for it if you're dumb enough to try to.
I give everyone in my Discord permission to try to social engineer me in some way over the coming months, if you can think of a way to do it. Hopefully I'll catch you in the act, but if I don't, please do let me know afterwards, so I can give you props for it.
I'd like to think of myself as a careful paranoid person who wouldn't be so easily fooled, but I imagine that many victims of social engineering attacks have also felt that way.