
Social Engineering Phishing

Why would we present Social Engineering and Phishing as the topic for a Spy of the Month? The Spy of the Month is not always about people who have committed espionage; it is also about techniques spies use to steal information or enlist someone's cooperation.

Social engineering (a.k.a. people hacking) is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. In short, social engineering is essentially a con game.

Kevin Mitnick, a convicted hacker turned author, relates that "social engineering is using manipulation, influence, and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker. It could be something as simple as talking over the telephone to something as complex as getting a target to visit a Web site, which exploits a technical flaw and allows the hacker to take over the computer."

Social engineering is one of the easiest ways for an outsider to get information from an organization since it requires little to no technical expertise. In fact, everyone knows how to do it; we just do not realize when we do it. How about when you made your voice sound raspy when you called in sick? Maybe you have acted ignorant or helpless to get someone else to do something for you? What about the time you acted as if you knew someone or something just because you wanted to continue the conversation or not be embarrassed? These are benign examples of social engineering, but what about the person who has malicious intent? Consider this example:

"...this is Mike at the Help Desk. We noticed in the password security log that your password is too short. You need to change your password to "mynewpassword123." Let me step you through changing your password.... Hopefully that fixed the problem. We will call you back if your name is still on the security log. Thank you."

Would you have fallen for this malicious social engineering act?

Many espionage cases involve the use of trusted employees (insiders) to steal sensitive and classified information. The insider will attempt to con other employees (you guessed it - using social engineering) to gain information to which they do not already have access. The insider is typically well-established and can operate unchallenged within the organization because employees tend to trust their coworkers and explain away suspicious behaviors.

One of the easiest and least risky methods of collecting intelligence from an organization is through cyber means. Foreign intelligence services search the Internet for open-source information and are also believed to enlist the cooperation of computer hackers to probe computer networks for weaknesses that can be exploited.

One way to exploit human and technical weaknesses is to send emails containing attachments to unwary recipients to covertly install keystroke loggers and other surreptitious intelligence collection programs that steal files and other data. These email messages use a form of social engineering (albeit not face-to-face) in an attempt to convince you that the email is legitimate. They fake the sender's name and organization to make you believe that it came from a legitimate organization. These fraudulent emails, commonly called phish (like fish, but spelled with a "ph" in keeping with the hacker penchant for replacing "f" with "ph"), are sent by a perpetrator intent on doing harm. Some phishing emails are after passwords, credit card numbers, and other financial information in order to commit fraud. But the more sinister (in our opinion) phishing emails are after U.S. defense information and other secrets. McAfee, a leading antivirus company, reports that "an estimated 120 countries are leveraging the Internet for political, military, and economic espionage activities. They are well-funded, well-organized, and are using sophisticated technology and social engineering." The Internet is not a safe place.

Case in point: in October 2007, there was a successful coordinated phishing attack against the Oak Ridge and Los Alamos National Laboratories that used the ruse of a technical conference to convince recipients to open the email and read the attachment. The attachment covertly installed software to infiltrate the system and remove data. Fortunately, the penetration was discovered and neutralized. The attack was attributed to Internet addresses in China, although the U.S. Government is careful not to attribute the attack to the People's Republic of China or to the People's Liberation Army.

Since social engineering is used to craft phishing emails, it is often difficult to separate malicious email from legitimate email. It is easy to fake the sender of the email message to make it appear to come from another government agency or organization with which we normally do business. Here are some possible methods to validate suspicious email:

  1. Check the full message headers (the raw MIME source of the email) and read between the lines to see where the email really came from. Contact Counterintelligence or Cyber Security for assistance.
  2. Check with Cyber Security to see who else might have received the suspicious email. Phishers will send out hundreds of emails to multiple recipients. Chances are you are not the only one receiving the suspect email.
  3. Email the sender a request to resend the email. If the message was legitimate, he or she would receive and comply with your request to resend. Email from a phisher would not be resent since the sender email address was faked in the original message.
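A header triage of the kind step 1 describes, written here as an added example that is not part of the original article. The message, domain names and addresses in it are constructed placeholders; the checks flag the mismatches (Reply-To, Return-Path, originating relay, risky attachment type) that an analyst would escalate to Cyber Security.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (placeholder domains, not a real capture): the display
# name claims the lab's own conference committee, but the Reply-To, the
# Return-Path and the originating host all point at an outside mail server.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
\tby mx.lab.example (Postfix) with ESMTP; Tue, 02 Oct 2007 09:12:33 -0600
From: "Conference Committee" <registrations@lab.example>
Reply-To: registrations@mailer.example.net
Subject: Technical conference agenda
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="agenda.exe"
Content-Disposition: attachment; filename="agenda.exe"

(constructed placeholder, not real file content)
--b1--
"""
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = domain_of(from_addr)
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        addr = parseaddr(str(msg.get(hdr, "")))[1]
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{hdr} domain differs from From: {addr}")
    # Each relay prepends a Received header, so the bottom one is the earliest
    # hop. Only the hop written by your own server is trustworthy; lower ones
    # can be forged by the sender, so treat the origin as a lead, not proof.
    hops = [str(h) for h in msg.get_all("Received", [])]
    origin = re.split(r"\sby\s", hops[-1], maxsplit=1)[0].split()[1] if hops else ""
    if origin and origin != from_dom and not origin.endswith("." + from_dom):
        findings.append(f"originating host outside From domain: {origin}")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    findings += [f"risky attachment: {n}" for n in names
                 if n.lower().endswith(RISKY_EXTENSIONS)]
    return {"from": from_addr, "origin": origin,
            "attachments": names, "findings": findings}
```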

The bottom line is to treat all communications from unknown persons as suspect social engineering attempts. Be polite, but verify.