Social engineers typically use one or more psychology-based principles to increase the effectiveness of their attacks. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a good understanding of these principles and different social engineering tactics.
For example, can you answer this question?
Q. Bart is in a break area outside the office. He told Lisa that he forgot his badge inside and asked Lisa to let him follow her when she goes back inside. Which of the following does this describe?
A. Spear phishing
B. Whaling
C. Mantrap
D. Tailgating
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Authority
Many people have grown up to respect authority and are more likely to comply when a person of authority says to do so. As an example, volunteers participating in the Milgram experiment continued to send shocks to unseen subjects even though they could hear them scream in pain, simply because a man in a lab coat told them to continue. They weren’t actually sending shocks and the screams were fake, but everything seemed real to the volunteers. Psychologists have repeated these experiments and have seen similar results. Using authority is most effective with impersonation, whaling, and vishing attacks:
• Impersonation. Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus (a form of ransomware) attempts to impersonate a law enforcement agency. Other times, social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
• Whaling. Executives respect authorities such as legal entities. As an example, attackers singled out as many as 20,000 senior corporate executives in a fine-tuned phishing attack. The emails looked like official subpoenas requiring the recipient to appear before a federal grand jury and included the executive’s full name and other details, such as their company name and phone number. The emails also included a link for more details about the subpoena. If the executives clicked the link, it took them to a web site that indicated they needed a browser add-on to read the document. If they approved this install, they actually installed a keylogger and malware. The keylogger recorded all their keystrokes to a file, and the malware gave the attackers remote access to the executives’ systems.
• Vishing. Some attackers use the phone to impersonate authority figures. Vishing doesn’t require any special technology; it can be just a regular phone call from a criminal. A popular ploy is a call from a company claiming to be “Credit Services” and offering to give you lower credit card rates. They spoof caller ID so it displays anything they want. A common ploy is to display a number similar to yours, making them appear local. They often announce, “This is your second and final notice,” trying to evoke a sense of urgency.
Familiarity
If you like someone, you are more likely to do what the person asks. This is why so many big companies hire well-liked celebrities. And, it’s also why they fire them when they become embroiled in a scandal that affects their credibility.
Some social engineers attempt to build rapport with the victim before launching the attack. This principle is most effective with shoulder surfing and tailgating attacks:
• Shoulder surfing. People are more likely to accept someone looking over their shoulder when they are familiar with the other person, or they like them. In contrast, if you don’t know or don’t like someone, you are more likely to recognize a shoulder surfing attack and stop it immediately.
• Tailgating. People are much more likely to allow someone to tailgate behind them if they know the person or like the person. Some social engineers use a simple, disarming smile to get the other person to like them.
Trust
In addition to familiarity, some social engineers attempt to build a trusting relationship between them and the victim. This often takes a little time, but the reward for the criminal can be worth it. Vishing attacks often use this method.
As an example, someone identifying himself as a security expert once called me. He said he was working for some company with “Secure” in its name, and they noticed that my computer was sending out errors. He stressed a couple of times that they deploy and support Windows systems. The company name and their experience were an attempt to start building trust.
He then guided me through the process of opening Event Viewer and viewing some errors on my system. He asked me to describe what I saw and eventually said, “Oh my God!” with the voice of a well-seasoned actor. He explained that this indicated my computer was seriously infected. In reality, the errors were trivial.
After seriously explaining how much trouble I was in with my computer, he then added a smile to his voice and said, “But this is your lucky day. I’m going to help you.” He offered to guide me through the process of fixing my computer before the malware damaged it permanently.
All of this was to build trust. At this point, he went in for the kill. He had me open up the Run window and type in a web site address and asked me to click OK. This is where I stopped. I didn’t click OK.
I tried to get him to answer some questions, but he was evasive. Eventually, I heard a click. My “lucky day” experience with this social engineering criminal was over.
The link probably would have taken me to a malicious web site ready with a drive-by download. Possibly the attacker was going to guide me through the process of installing malware on my system. If my system objected with an error, I’m betting he would have been ready with a soothing voice saying “That’s normal. Just click OK. Trust me.” He spent a lot of time with me. I suspect that they’ve been quite successful with this ruse with many other people.
Q. Bart is in a break area outside the office. He told Lisa that he forgot his badge inside and asked Lisa to let him follow her when she goes back inside. Which of the following does this describe?
A. Spear phishing
B. Whaling
C. Mantrap
D. Tailgating
Answer is D. Tailgating is the practice of following closely behind someone else without using credentials.
In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating.
Spear phishing and whaling are two types of phishing with email.
Mantraps prevent tailgating.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on social engineering.