Social engineering means different things to different people.

If you are a conman on a street corner, social engineering is a way to get money from unsuspecting players and to steal goods.

If you're in a pub, it is a way to make sure you get served first. If you are a magician, it may form the basis of an act. If you are a salesman, it is a way to get more sales.

But if you're a hacker, social engineering is much more than that: it gives you the ability to get what you want from people. It can get you passwords, credit card details, even access to secure areas.

Many other cyber attacks require an element of social engineering, and the techniques used are as advanced as those in other areas of online crime. At their heart is the basic human tendency to trust authority, and that trust often comes at a very high price, as more and more people are discovering.

Microsoft is calling

There is a new social engineering attack making the rounds, designed to get you to give away all the details required to use your credit card. Interestingly, it doesn't exploit your computer at all; it simply pretends that there is a problem with it.

The attack begins with an unexpected phone call, and it is a good way to learn just how devious social engineering attacks can be, and to arm yourself against this one and similar approaches.

All successful social engineering hacks start with a process called pretexting. This gives the attacker a believable reason for making initial contact. Fear and greed are major human motivators, so the pretext is usually carefully designed to set the scene, giving the person being attacked the feeling that they have either inadvertently done something terribly wrong or are at risk of losing something worthwhile.

The new scam starts with a call supposedly from your ISP, or even from Microsoft itself. Obviously, in the cold light of day, Microsoft is not about to start calling individual home users, and does not necessarily know who those users are, but a carefully crafted excuse for the call can make everything seem innocent and quite reasonable.

Simply calling a random number from the phonebook and insisting you are from Microsoft is not enough to make the fraud work, however. The call must be set in a believable context. This is achieved by playing a recording of a busy office in the background while the call is made. The victim naturally assumes that the noise is real, perhaps a large call centre, which lends an air of authenticity.

The caller must also appear to be in authority. He explains that Microsoft has had complaints that the victim's computer is sending spam, or maybe worse. He may even give some examples and ask the victim to say truthfully whether he or she has any knowledge of what is happening. The fear that a statement like this can create in the minds of those not well versed in online safety can be enough to gain full compliance with whatever instructions follow.

Fear factor

Having ramped up the fear of having accidentally done something wrong, the attacker phrases his instructions to sound like an easy way out of the situation. He says it doesn't matter, because he can fix the problem almost immediately.

With the victim's permission, he can access the offending computer and remove the supposed malware; he further explains that, to keep things legal, he had to call to obtain the victim's permission first. In a situation like this, the naive computer user is all the more likely to accept this seemingly simple and official way out of a sticky situation. For the attacker, however, this consent is the sign that the victim is under his influence.

To further cement belief in the authenticity of the call, and to deepen his control, the attacker may ask the victim to open a command prompt, display the computer's IP address using the ipconfig command, and read it out so that the caller can confirm he is accessing the right computer before proceeding. The fact that this IP address is local to the victim's ISP connection and cannot be seen from the wider Internet also tells the attacker that the victim is both ignorant and compliant.

There then follow several minutes of apparent typing as the attacker claims to be accessing the victim's computer, perhaps uploading anti-malware software to clean the system and confirming that everything is OK. The attacker then gets to the real purpose of the call: the bill.

He explains that the victim will, unfortunately, have to bear the cost of the service just provided. After all, the user let the PC get into such a miserable state. It's nothing expensive, just a few pounds for the engineer's time. However, he explains, the victim can make a saving on this bill by paying now, over the phone. All that's needed is a credit card. You can guess the rest.

The victim believes that the computer has been fixed and that Microsoft is great for doing this, until the next credit card bill arrives. The assumed trustworthiness of the person requesting the information, created by the attacker's attention to detail, coupled with ignorance of the realities of online life, makes this a social engineering attack we're sure to see much more of in the coming years.

Indeed, one of the characteristics of the information age is how malicious activity evolves and develops over time. Old hacks never die, they just evolve, and social engineering is no exception.

Call for help

Not all social engineering attacks need to be so well designed or so carefully targeted. In Japan, a highly successful form of attack is becoming big business by cynically targeting elderly victims with a blunt demand.

It begins when the victim receives a frantic phone call. "It's me! I'm in trouble and need money transferred quickly," is the kind of call no parent or grandparent ever wants to receive. For an elderly relative, it can be frightening.

As with the bogus Microsoft phone call, the attacker provides an immediate way out of the trouble. Transfer several thousand yen to a bank account via a wire transfer service and everything will be fine.

Despite its bold simplicity, the "Hey, it's me!" attack gains in popularity each year. According to Symantec, the Japanese National Police Agency recorded 20,000 cases in 2008, up from 17,930 in 2007. In some areas, police officers have even been assigned to warn people about the problem in person.

The Japan Times first reported the problem back in 2003. In that year alone, 2,768 victims parted with 2.26 billion yen (about £17 million).


Social engineering is the oil that lubricates the wheels of many online scams, from eBay cons to phishing. By making a situation appear as genuine and urgent as possible, such techniques can be used to get what you want, and this extends to gaining physical access to areas where you might otherwise be barred.

The key is to appear as if you're supposed to be there, by preying on the trust of others.

Direct access


The simplest method is just to tailgate someone: have them hold an otherwise secure door open while you follow them through it, on the pretext of having left your security pass behind.

