In popular culture, hackers are frequently portrayed doing complicated “tech stuff”, with keyboards and dark screens, to get what they want. In reality, they have more in common with traditional con artists. In fact, most “hacks” aren’t technical in nature. Instead, hackers use types of cons known in the IT security world as social engineering. Social engineering is the psychological manipulation of a person with the object of getting them to divulge valuable information or give the attacker access to their secure systems. What might this look like?
Piggybacking
Piggybacking (also called tailgating) is when an attacker accesses a secure area simply by following someone else in. Access codes and RFID cards aren’t much good when a kind but unwitting insider holds the door open for the attacker.
Example: Your employee arrives at the office to see a guy armed with a clipboard, hard hat, and reflective vest. “Would you mind?”
Baiting
If fish are baited by worms, then modern office workers are baited with USB drives. When baiting, attackers leave USB sticks where their targets can reach them. When said USB sticks are plugged into a vulnerable computer, they run malware and infect as much as possible. Whenever security researchers test this, around 90% of the USB sticks they leave out get plugged in and around half eventually “make contact” with the researchers.
Example: Mail arrives consisting of a document labelled “2017 employee performance reviews” and a tempting USB stick. What could be the harm in plugging it in?
Quid pro Quo
A quid pro quo is something for something. Attackers will call random numbers at a company, saying they are tech support returning their call. Given the prevalence of IT problems at any given company, they will eventually come upon someone waiting for a call back from IT. The attacker then “helps” the employee, who unwittingly lets the attackers into the company.
Example: “Sure, I can help you with that. First hold down control, alt, and delete at the same time. Now a screen should pop up with several buttons. Select change password . . .”
Social Media Hunting
It’s very easy for an attacker to check out their target’s social media activities and choose to impersonate one of their victim’s friends on, say, Facebook. After creating a fake account, they can attempt to gather information from their target. If their target happens to be a high-level executive, this is called whale hunting.
Example: “Hey everyone, I messed up my login information and got locked out of my old Facebook account, so be sure to contact me on this one instead . . .”
Get ’Em Drunk
Want information from someone? Get them drunk. A savvy social engineer knows that they can get all kinds of information from their target once the target is drunk. The very savvy social engineer goes to the bar beforehand, pays the bartender in advance, and makes sure that both they and the target are always promptly topped up, while their own drinks contain no actual alcohol.
Example: This sounds like a bad movie plot, we know. But it works in the real world. Just ask the Canadian Border Service Agency. In 2012, Chinese embassy officials wanted to pump CBSA employees for information. So they got them all drunk. It ended up being a serious national security problem.