The following interview with Social Engineering expert Sharon Conheady from First Defence Information Security Ltd was conducted during the security conference Deepsec which took place in Vienna at the end of November. The interview was conducted by Andreas Proschofsky.
derStandard.at: What are the current trends in regards to Social Engineering, what are the most common techniques used nowadays?
Sharon Conheady: I think the face of Social Engineering has changed over the past three or four years, largely due to the prevalence of social networking now and people publishing so much information about themselves online. First of all social networks give Social Engineers a huge, huge attack surface, you can now target thousands of people with your attacks, this was far more restricted before. Secondly people publish so much information that can be used in attacks against them. Whether it's your name and birthday to your favorite pizza or if you plan to give up smoking, where your office is, what's going on at work, if you like your boss or not. All this can be used by social engineers in attacks against you.
derStandard.at: So social networks not only give you more information but also more targets?
Sharon Conheady: Yes, absolutely. And they are built on trust - which is what social engineers exploit.
derStandard.at: And besides social networks...?
Sharon Conheady: We got Phishing become huge in the last few years, now we got Vishing, where instead of receiving a vicious email you get a message that tells you to call someone back - with a suspicious telephone number attached. Vishing can also involve the fraudsters leaving a voice mail message on your phone saying something like "this is your bank please call us" or which tries to trick you to go to a fake website. Another recent attack form is Smishing which are attacks over SMS, seemingly coming from your bank.
I've seen people become more and more suspicious about what happens on their computer screen, but if it comes in over your fax machine or your mobile phone people are more likely to believe it.
derStandard.at: What's the success rate of people applying social engineering techniques to achieve a goal?
Sharon Conheady: Well I can only talk about my own experience and in more than 90 percent of the time we are successful in getting into companies or enlisting sensitive information.
I think it's very difficult to put a number on it in the real world, because very often people don't recognize that they have been attacked. All they see is the technical attack, but they don't see the social engineering part that allowed the technical attack to be successful.
derStandard.at: What does your work typically consist of?
Sharon Conheady: Well that's all types of either social engineering testing or training courses that I perform. So for instance in the testing we might run a program of phishing attacks to see how your employees respond to that or if there is any improvement on a month-to-month basis. Or it could be to get information over the telephone, try to trick your call center staff to give out sensitive information. Also it could be trying to get physical access to a data center or a building.
derStandard.at: Could you give us an example what this would look like?
Sharon Conheady: Sure. I did a physical social engineering exercise lately when I was working for a large international organization which is based in Europe. I was claiming to come in from the US office and used the name of someone who really works there. I arrived early in the morning at the reception and they were confused as they didn't expect me, so they rang the US office. But obviously as it was in the middle of the night there, nobody picked up the phone. And in all that confusion in the end they just told me to get up there and take a meeting room.
derStandard.at: That's it?
Sharon Conheady: That was it. Often it is actually incredibly simple.
For an e-mail attack I did I spent a lot of time doing my research on the organization and I found on the website that some people had recently been taking part in a marathon for charity. So I pretended to represent the people who organized the marathon and I sent out the results and wrote "Congratulations to John and Jack who came in in superb time, to see the results please see the attachment". The attachment had a proof-of-concept trojan in it and so could have compromised the company if this were a real attack.
If you are trying to compromise a call center, mumble attacks are increasingly prevalent. Mumble attacks are very cruel attacks where the caller pretends to be calling on behalf of someone who is speech impaired. And if the call center agent asks to talk directly to the speech impaired person, the social engineer will just imitate that. So that's very embarrassing but sometimes the call center agent will just bypass security restrictions because he can't really hear what's going on. And there are documented cases of this being successful.
derStandard.at: You are actually talking about two different classes of attacks, the mass-scams which try to get to as many people as possible and the very targeted and specific attacks against a certain person or organization. Is there a trend in which gets more important?
Sharon Conheady: I'm definitely seeing a trend. We'll always have the mass social engineering attacks cause you will always have someone who falls for it. But: We're seeing more and more targeted social engineering attacks, so rather than just getting a blanket phishing email, we get a phishing email that is targeted towards one individual and contains information that is personal to that individual. So you are much more likely to fall for the attack. And it's gotten easier and easier frequently as the social networks are used to identify individuals.
derStandard.at: Who are the targets of such specific attacks?
Sharon Conheady: It happens against corporates, but it also increasingly happens against individuals - I mean identity theft is a huge problem at the moment.
derStandard.at: Who would you target inside a company to get access to sensitive information?
Sharon Conheady: Well for any attack you have to do loads and loads of research, so 90 percent of my time is spent in researching an attack path that is most likely to work and identify who these people are. I'd say people that are frequently targeted by social engineers over the phone are call center agents and IT help desks - anybody with access to really sensitive information. If you are physically going in somewhere the first line is the security staff and the receptionist. But these days it really could be anyone from your C-Level executives through to the people working in your canteen.
derStandard.at: Do you have any examples of such attacks actually being carried out?
Sharon Conheady: Sure. There was a company where the attackers identified a number of staffers who had a social networking account. So they hijacked the account of one of them and found out that a company picnic was coming up. They did a little bit of analysis and found out that five of his colleagues seemed to be close friends, cause there was very regular communication between all of them. So the company picnic took place and the attackers sent out a message from this guy's account saying that he took some photos of the picnic and attached them. So as those guys thought it would come from their friend, they clicked on the attachment and opened it, which resulted in a keylogger being installed. So one lady had her usernames and password for the corporate login compromised which the attackers took advantage of. And they spent two weeks working their way through the corporate network. During that time they took control of two servers.
They were eventually caught because one of the guys who was sent the photos approached his friend and asked "Hey those photos you sent didn't render" and he answered "Which photos?". So they reported it to the IT-team, which found suspicious traffic and they recognized that they had been compromised.
derStandard.at: Social Engineering has been getting more public interest in the last few years, but is it really a new phenomenon?
Sharon Conheady: Social Engineering has been around as long as mankind has been around, it's just that in the last 20 or so years that it has been applied to information technology. So social engineering moves with the times, every new technology that comes out - fraudsters and criminals will find a way to exploit it. Some of the Advance-fee fraud scam started through the postal system, they moved on to telex and fax machines and in the last 10 or so years they moved to emails, and now we see them on social networks all the time. So instead of coming in from a random stranger in Nigeria, some of those attacks are now seemingly coming from some of your friends - and they are very difficult to defend against, cause everybody wants to help a friend in need.
derStandard.at: Could you give some examples of social engineering being applied before the information technology age?
Sharon Conheady: Sure. The Advance-fee fraud scam is a good example again. A few hundred years ago, during the time of the Spanish Armada there was a scam that targeted the British aristocracy. So the scam artist would pretend to be from Spain and he would have a beautiful Spanish lady on his arm. He would approach a member of the aristocracy and say the Spanish lady's father has been imprisoned in Spain and he needs some money to bribe the prison guards to let this guy escape. And when he escapes he will reimburse you and give you loads of money and in addition you'll marry his beautiful daughter. And that frequently worked, people gave away their money and never saw the beautiful lady again.
And then in the late 18th century there was a guy called Eugène François Vidocq who started out as a criminal but then went on to be the founder of the modern day police force. And he documented his memoirs of the time he spent in prison and different types of crimes that were popular at that time in France. And one of the crimes he documents is "The Letter from Jerusalem" where criminals would send letters to aristocrats telling them that they were an assistant to a marquis or someone else with loads of money. And they would say that the marquis has lost a cascade of jewels and that he needed a bit of money to recruit people to help them look for the jewels. And once he'll find the jewels he would share them with you. And Vidocq in his memoirs says that 20 out of 100 letters were successful.
The success rate is not quite as high today but you still get some pretty interesting statistics.
derStandard.at: Given that those attacks are strikingly similar to what is still in use nowadays, do people just not learn from such incidents?
Sharon Conheady: I think people are learning, it's just the world is now a much bigger place, so we have a lot more people to target. So the same scams work over and over again. That particular scam is that people always want to cut a good deal, especially if they don't have to do much for it, they are greedy.
There are loads and loads of examples for this. For instance in the 1920s there was a guy called Victor Lustig who pretended to represent the government in their plans to dismantle the Eiffel Tower selling it as scrap metal. Again that's a deal that looks too good to be true, but he was actually very successful with that and managed to sell the Eiffel Tower. And the people who were scammed were too embarrassed to go to the police. By the way: This year in the UK a jobless lorry driver was put in prison cause he tried to sell the Ritz Hotel in London for 250 Million pounds.
derStandard.at: Did he get far?
Sharon Conheady: Yeah, he got pretty far, pretending to be a close friend of the owners he collected an advance of one Million pounds.
derStandard.at: If you would try to get into my email account, how would you start?
Sharon Conheady: First of all I'd start with researching as much information as possible about you. I'd check if you are on LinkedIn, if you use different social networks. I might then try to send a phishing email based on the information that I've found. If you publish which bars or clubs you hang around I might target you there.
Sharon Conheady: Yeah, maybe. Maybe I'd steal your bag if it has got your phone in it. I might target your friends and take over one of their accounts so that I can impersonate them. I might break into your house and your office and see if you have your password written down somewhere. There are lots of ways...
(Andreas Proschofsky, derStandard.at, 30.01.11)