Dark Reading is part of the Informa Tech Division of Informa PLC
Social Engineers Show Off Their Tricks

Experts in deception shared tricks of the trade and showed their skills at Black Hat and DEF CON 2018.

It's not every day you hear or see social engineers in action – well, knowingly, anyway – but that's exactly what the crowd did at Black Hat and DEF CON 2018 held last week in Las Vegas.

Traditional methods of social engineering and phishing attacks are mostly well-understood and remain successful, explained Matt Wixey, technical research leader for PwC's UK cybersecurity practice. Still, attackers are finding new and more advanced ways to manipulate their victims.

Wixey described these efforts in a Black Hat presentation on Remote Online Social Engineering (ROSE), his name for long-term campaigns in which actors use false personae and highly detailed reconnaissance to compromise target networks. By building a relationship with their targets, attackers can persuade employees to hand over data and unwittingly assist in a corporate intrusion.

Why go to the trouble of a long-running ROSE campaign when simple phishing attacks remain effective?

"A big reason would be to bypass technical controls, and bypass the effects of user education and awareness," Wixey explained. Social engineers want to do more than slip past firewalls. They must also get under a human's threshold for which behavior is suspicious and which isn't.

"Because [an attack] is designed to target a specific individual, it can be designed specifically to bypass that person's filters," he continued. We all have different standards for what constitutes phishy behavior, all of which vary depending on personality, upbringing, and other factors.

Getting to Know the Victim

A ROSE attack starts with an in-depth analysis of the target: their online activity, how they communicate, how they respond to good and bad news, their linguistic style, and what motivates them to take particular actions. The attacker learns where the target went to school, where they previously worked and which roles they held, their interests and hobbies, and the names of family members and friends.

The attacker uses this information to craft a persona before reaching out to the target. The fake profile may include similar interests, a shared educational background, or another trait that gives an opening for conversation. Rather than a stolen photo, which a reverse image search could expose, the profile picture may be altered or sourced from a private, paywalled site so that it cannot be traced back to a real person or to the attacker, he said.

They may keep up this charade for a while to build credibility. Over time they may schedule automated posts and alter the fake profile to reflect changes in employment, interests, style, and politics. When working toward direct contact, the attacker may "like" content from the target's friends or content related to the target's interests to make themselves known.

Finally, they go in for the hook. An attacker can ping their victim with a request for help or proposal for a business relationship. All the while, they'll use their earlier research to inform their conversation and pursue more frequent contact to build rapport and trust.

Social engineers rely on several techniques to make their interactions more believable, said Wixey. Lies tend to include more negative emotion and fewer sensory details. Liars favor cognitive details over perceptual ones and keep the story simple, so there is less to recall consistently later.

"Liars may ask more questions, perhaps in an attempt to shift the focus from them onto the person they're trying to deceive," Wixey added.

Dial-in Deception: Capture the Flag 2018

In his presentation, Wixey referenced a study stating that people lie in 14% of emails, 27% of face-to-face interactions, and 37% of phone calls. The final statistic played out live during DEF CON's Social Engineering Capture the Flag competition, in which competitors call corporate targets and use social engineering tactics to get their employees to give up specific pieces of information ("flags").

Participants are assigned target organizations a few weeks before DEF CON and prepare by collecting open-source intelligence on the company, its employees, and other characteristics. They prepare a game plan: who their fake persona is, why they're calling, and how they might leverage social engineering techniques to persuade the target to hand over information.

This year's winner, Whitney Maxwell, called employees at service centers of the company she was assigned to target. She was doing an audit, she explained, and she just needed the answers to a couple of questions. By using rapport-building techniques to establish legitimacy with the employee, for example claiming to share the employee's name, she obtained some key data.

One conversation yielded information including the company's version of Windows (XP), whether they used wireless Internet, building security, type of computer and desk phone, and whether they used Outlook and Adobe. She confirmed the center's location and, in one instance, was able to convince an employee to enter a bit.ly URL into the browser.

"If you can do that over the phone, you can compromise a whole network," said Chris Hadnagy, president and CEO of Social-Engineer, Inc. and organizer of the DEF CON event.

Challenges in Defense

Much of the time it's difficult to tell when the person on the other end of a phone call, email, or social media message is malicious. Wixey pointed to a few techniques businesses can use to stay safe as cybercriminals get stealthier.

To keep track of what is available about you online, he advises setting a Google Alert for your full name so you are notified whenever it appears in a new search result. Run reverse image searches on new contact requests and research the people who want to join your network. If you are unsure about someone, check their account for early auto-posted content and for inconsistencies in its history.
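Wixey's suggestion to check a new contact's account for early auto-posting can be turned into a small triage script. The Python below is an added example written for this page, not code from Wixey's talk or from PwC. It takes the timestamps of an account's earliest posts and computes two cadence signals: how many posts share the same clock time (a scheduler firing at 09:00 daily) and how regular the gaps between posts are. The two timestamp lists are constructed for the example, and the thresholds are assumptions to tune against accounts you already trust.

```python
"""Flag accounts whose early post history looks scheduled rather than human.

Added example for this article, not code from Wixey's ROSE talk.
Timestamps below are constructed; thresholds are assumed starting points.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List

# Constructed: a persona whose first two weeks of posts all fire at 09:00.
SCHEDULED_PERSONA = [f"2018-03-{day:02d}T09:00" for day in range(1, 15)]

# Constructed: a real person posting at irregular times of day and night.
ORGANIC_ACCOUNT = [
    "2018-03-01T08:12", "2018-03-01T21:47", "2018-03-03T13:05",
    "2018-03-04T07:58", "2018-03-04T23:31", "2018-03-07T12:10",
    "2018-03-09T18:44", "2018-03-10T09:03", "2018-03-12T20:20",
    "2018-03-13T06:35", "2018-03-13T17:52", "2018-03-14T22:16",
]


def parse_posts(lines: List[str]) -> List[datetime]:
    """Parse one 'YYYY-MM-DDTHH:MM' timestamp per line, oldest first."""
    return sorted(
        datetime.strptime(line.strip(), "%Y-%m-%dT%H:%M")
        for line in lines if line.strip()
    )


def cadence_features(posts: List[datetime], window: int = 20) -> Dict[str, float]:
    """Compute cadence signals over the account's earliest `window` posts.

    same_minute_share: fraction of posts sharing the single most common HH:MM.
                       A daily scheduler pushes this toward 1.0.
    interval_cv:       coefficient of variation (stdev / mean) of the gaps
                       between consecutive posts, in hours. Fixed intervals
                       push this toward 0.0; human posting is bursty.
    """
    early = posts[:window]
    if len(early) < 5:
        raise ValueError("need at least 5 posts to say anything useful")

    clock_times = Counter(p.strftime("%H:%M") for p in early)
    same_minute_share = clock_times.most_common(1)[0][1] / len(early)

    gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(early, early[1:])]
    avg = mean(gaps_h)
    interval_cv = pstdev(gaps_h) / avg if avg else 0.0

    return {
        "posts": len(early),
        "same_minute_share": round(same_minute_share, 2),
        "interval_cv": round(interval_cv, 2),
    }


def looks_scheduled(features: Dict[str, float],
                    share_threshold: float = 0.6,
                    cv_threshold: float = 0.1) -> bool:
    """Assumed rule: either signal alone is enough to warrant a closer look."""
    return (features["same_minute_share"] >= share_threshold
            or features["interval_cv"] <= cv_threshold)


def triage(lines: List[str]) -> Dict[str, object]:
    """End-to-end: raw timestamp lines -> features plus a verdict."""
    feats = cadence_features(parse_posts(lines))
    return {**feats, "scheduled": looks_scheduled(feats)}


if __name__ == "__main__":
    for label, lines in (("persona", SCHEDULED_PERSONA), ("organic", ORGANIC_ACCOUNT)):
        print(label, triage(lines))
```

The verdict is a prompt for the manual checks in the same paragraph (reverse image search, cross-checking claimed employment), not a block decision: a legitimate corporate marketing account also posts on a schedule, and a patient ROSE operator can add jitter once they know what is being measured.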

If a stranger pings you with a question or collaboration opportunity, second-guess their motives. Why might they ask you to do this, and how might they benefit? If they contact your corporate email address, how did they find it? Do they avoid face-to-face or video interaction?

"We lie all the time," said Wixey. "Everyone lies to each other, all day, every day." The challenge for businesses is determining where the malicious intent is.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
