Social engineering is what powers phishing emails and malicious websites dressed up to look like safe, popular ones. During a discussion with Chris Hadnagy, Chief Human Hacker at Social-Engineer Inc., I asked him how to spot these scams. His advice echoes what we've often told readers: always be suspicious.
More than a con
From my discussion with Hadnagy, it's clear that some of what we call social engineering is simply the same set of tricks people have used to influence decisions for years. The fast food industry, for example, famously explored which colours would encourage people to eat faster. Phony spiritualists from the 19th century up to the present day use a tactic called "cold reading" to trick victims into revealing information about themselves.
But there's more to social engineering than cheap tricks, as demonstrated by the Social Engineering Capture the Flag Competition held at Def Con. Here, contestants earn points for information they glean from researching companies and from contacting those companies directly. Hadnagy said that the best scoring contestants also did the most research, which demonstrates how useful it is to know your targets.
Unfortunately, now is a great time to be a social engineer doing research, also known as open source information gathering. Hadnagy explained that companies and individuals post a lot of information on social media, much of which can be used in social engineering attacks.
One of the best social engineering tactics is to keep you from thinking critically, usually by targeting emotion. Hadnagy said that one attack that nearly fooled him claimed to be an Amazon shipping email. "It was something personal, something that affected my life, and something that was important to me," he said.
In this particular attack, Hadnagy received an email saying that one of his important Amazon orders was delayed due to a declined credit card number. In the days leading up to a major conference, Hadnagy said that he was overworked and clicked the link in the email — instead of visiting Amazon directly. The page he was taken to was well crafted, but thankfully he noticed the ".ru" domain before entering any personal information.
While it was simple, this tactic was very effective. "I'm the guy that, because of what I do, phished over 190,000 people in the last few months," said Hadnagy, referring to his consulting work. "I almost fell for this attack."
Another advantage of appealing to emotion is that it doesn't require the kind of research the best social engineers employed. "What we'll see is that [attackers] pick things that are important to the masses." Hadnagy explained that this includes UPS shipping, Amazon orders, and PayPal transfers.
Mass appeal also works well for broadcasting en masse, another frequent tactic. "They send these to millions of people at a time, so they don't care if they get 100 per cent," said Hadnagy. "10 per cent is still thousands of compromised accounts."
Many of the rules for spotting phishing emails apply to social engineering as well. Anything that sounds too good to be true — or too bad to be true — probably isn't true. Hovering over links to see the full URL, typing web addresses in by hand, and ignoring links that arrive out of the blue are all sound practices.
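The "hover over the link and read the full URL" advice can be automated for a defender triaging suspicious mail. The following script is an added example written for this article, not code from Hadnagy or Social-Engineer Inc. It pulls every link out of an HTML email body, works out which registrable domain the link really lands on, and flags links that do not belong to the brand the message claims to be from (in Hadnagy's case, Amazon) as well as links whose visible text shows one address while the href points somewhere else. The sample messages are constructed for illustration, and the "last two labels" domain heuristic is a deliberate simplification; a production tool would use the public suffix list so that hosts under suffixes like co.uk are handled correctly.

```python
"""Inspect the links in an HTML email the way a careful reader would when hovering
over them.  Added example for this article; sample messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain with the last two labels, e.g. 'amazon.com'.
    Simplification: suffixes such as co.uk need a public-suffix list.  The point is
    that the rightmost labels decide who owns the host, not the leftmost ones, which
    is why 'amazon.com.order-status.example.ru' belongs to example.ru."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible link text that looks like a URL or bare hostname (e.g. 'www.amazon.com/x').
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def check_links(html_body, expected_domain):
    """Return a list of human-readable findings for links that do not land on
    expected_domain, or whose visible text names a different host than the href."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        # urlparse().hostname also strips any 'user@' prefix, so the old
        # 'https://amazon.com@evil.example/' disguise resolves to evil.example.
        host = urlparse(href).hostname or ""
        dest = registrable_domain(host)
        if dest != expected_domain.lower():
            findings.append(f"link '{text}' goes to {host} (expected {expected_domain})")
        if _LOOKS_LIKE_URL.fullmatch(text):
            shown_url = text if "://" in text else "http://" + text
            shown = urlparse(shown_url).hostname or ""
            if shown and registrable_domain(shown) != dest:
                findings.append(f"link text shows {shown} but points at {host}")
    return findings


# Constructed sample messages (not real mail).
LEGIT_MAIL = '<p>Your order has shipped.</p><a href="https://www.amazon.com/orders">View orders</a>'
PHISH_MAIL = ('<p>Your order was delayed because your card was declined.</p>'
              '<a href="https://amazon.com.order-status.example.ru/verify">Update payment</a>')
DISGUISED_MAIL = ('<a href="https://secure-login.example.net/a">https://www.amazon.com/account</a>')

if __name__ == "__main__":
    for name, body in [("legit", LEGIT_MAIL), ("phish", PHISH_MAIL), ("disguised", DISGUISED_MAIL)]:
        print(name, check_links(body, "amazon.com") or ["no findings"])
```

Run as a script it reports nothing for the legitimate message, one finding for the ".ru" lookalike from the anecdote above, and two for the message whose visible text advertises Amazon while the href goes elsewhere. Sender claims, reply-to mismatches and attachment checks are separate signals this snippet does not cover.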
But the live calling portion of the Capture the Flag competition highlights another facet of social engineering: institutional trust. This year, many of the contestants posed as coworkers or vendors, which gave the employees at the target companies an immediate reason to trust them. Sometimes, it pays to ask questions when someone claiming to be the CEO of your company calls you personally.
Hadnagy has made a career explaining social engineering, but he's not concerned if attackers are picking up his tricks. "The bad guys aren't looking for the data on how to do this," he told SecurityWatch. "They already know how. The problem is that the good guys don't."
Through his work, Hadnagy believes he can teach both corporations and regular people how to think critically about their daily interactions, and how to respond in worst case scenarios. Hadnagy explained it this way: "Instead of arming the bad guys, it arms the good guys."