There were some disturbing results from a capture-the-flag-style contest held at this summer's DefCon security conference. The CTF exercise--called "How Strong Is Your Schmooze?"--was an attempt to raise awareness about social engineering, the manipulation of people into giving up information or access in order to commit a crime. It challenged contestants to attempt to obtain (in an ethical and legal way) information about target companies that could be used in a hypothetical attack.
Contestants made 140 phone calls to employees at target companies seeking information. Almost all of the employees gave the callers the information they were looking for; only five did not. And 90% of targeted employees opened a URL sent to them by contestants--even though they did not know the person who had sent it. The numbers show that social engineering is a huge problem for all organizations, said Chris Hadnagy, who organized the contest.
Hadnagy, also co-founder of social-engineer.org and author of Social Engineering: The Art of Human Hacking, noted that a quick glance at the news each month shows it is often the human element that leads to a security breach, and 2010 was no exception. Here are four successful social engineering attacks that took place last year.
An important chapter of the Wikileaks saga that got so much attention in 2010 involves social engineering, according to Hadnagy. That's because the leaks to Wikileaks founder Julian Assange started with a sneaky ploy to gather government information.
U.S. Army soldier Bradley Manning was serving with a support battalion of the 2nd Brigade Combat Team, 10th Mountain Division, based at Contingency Operating Station Hammer, Iraq. Manning is accused of passing classified information to Assange, including video of a July 2007 helicopter airstrike in Baghdad, a video of the Granai airstrike, and several diplomatic cables. Manning obtained the material through his access to the Secret Internet Protocol Router Network (SIPRNet), used by the U.S. Department of Defense and Department of State to transmit classified information.
Former hacker Adrian Lamo was the person who reported Manning to authorities. Lamo told officials that Manning said he had downloaded material from SIPRNet onto CD-RWs. He allegedly managed to fool colleagues into thinking he was listening to music rather than stealing classified information, because the CDs were labeled 'Lady Gaga' and were initially loaded with tunes. They therefore seemed legitimate and passed any inspection that took place on his way into the office.
"I would come in with music on a CD-RW labeled with something like Lady Gaga... erase the music... then write a compressed split file," Manning wrote in an online chat with Lamo. "No one suspected a thing. (I) listened and lip-synched to Lady Gaga's Telephone while 'exfiltrating' possibly the largest data spillage in American history."
"He played on the trust of the people inspecting him going in and out," noted Hadnagy. "And he had to keep his cool. I imagine if you are downloading classified government information that could get you a court-martial you have got to have nerves of steel." (Full chat transcripts are posted on Wired.com.)
The fallout from the leaks, and the resulting press coverage, also used social engineering to snare interested computer users, said Hadnagy.
Hadnagy said the ruse was easy because those who wanted to see the PDF were probably expecting a sizable document, and would not have thought anything was amiss because the malware was large and took some time to load.
Google made headlines at the beginning of 2010 by revealing that some of its services had been breached by politically motivated Chinese hackers. Their goal, according to Google officials, was to access the Gmail accounts of Chinese human-rights activists. Several other companies were also targeted, including Yahoo, Adobe Systems and Symantec.
The hackers managed to accomplish their infiltration in part by carrying out a lengthy reconnaissance of Google employees. Using information they found in several places, including social networks, they were able to send employees messages that looked legitimate and appeared to come from a contact or friend. Employees then clicked on links contained in the trusted message, and spyware was installed on their machines.
"These attackers really went all out," said Hadnagy. "It must have taken a considerable amount of time to do this kind of information gathering and reconnaissance to get to the point where they could interact with targeted employees in a way that would allow them to elicit this kind of information."
Hadnagy says the incident highlights the security dilemma posed by social networks, which are now considered a vital part of the marketing strategy for many organizations.
"So many companies use social media to transmit their marketing message to the world. But in another sense they outline their whole company structure. And if a social engineer wants to use that, it's out there and easily accessible. That is what these Chinese hackers used and it's what made this attack successful."
Amazon receipt generator
Businesses that use Amazon.com to sell their products were the target of a late-2010 scam in which fake Amazon receipts were generated for non-existent orders. Researchers with GFI Software discovered the program at the beginning of December, warning Amazon that cyber thieves were using these receipts to report lost orders in an attempt to obtain refunds or replacement products.
"The free program available online allows scammers to create an HTML 'receipt' for phantom Amazon.com purchases. By capturing a screenshot of the fake receipt, these cyber criminals are able to email unsuspecting sellers claiming they are missing items," said Christopher Boyd, senior threat researcher for GFI Software, in a post.
Hadnagy said criminals often use the holidays as a time to steal and make fraudulent charges on stolen accounts, because the fraud is more difficult to detect then.
"They'll make small charges, because people are spending a lot during this time and might not notice a $100 or $200 charge."
'Get the dislike button!' 'Win a free iPad!' Every day there is a new deceptive tactic on Facebook that attempts to con users into clicking on malicious links or filling out scam surveys.
"These play on our curiosity," said Hadnagy. "Even the savviest user will sometimes click. Even I do sometimes out of pure curiosity. I want to figure out how they are getting away with this stuff."
But taking the risk because you think there may be the teensiest chance that you might actually win an iPad, or see a life-changing Justin Bieber video, will likely get you into trouble. Common results include malware installation, or a survey that either generates commission money for the scammer or asks you for details that are stored in a database and used later for identity theft.
While the tricks may change from month to month, the end game is likely always going to remain the same, said Hadnagy. Expect to see plenty more social engineering scams on Facebook in 2011.
This story, "Social engineering attacks: Highlights from 2010" was originally published by CSO.