In the middle of the 2016 U.S. Presidential election campaign Hillary Clinton learned to her detriment how painful the consequences of social engineering can be. Her campaign manager John Podesta received an e-mail telling him he needed to change the password of his Google account. It was genuine, an IT employee told him. But he was wrong. The link led to a bogus Google login page that passed the valid password on to hackers. They gained access to thousands of Podesta’s e-mails and passed them on to Wikileaks for publication, which caused Hillary Clinton’s image an enormous amount of damage.
Phishing, or faking e-mails and websites to obtain confidential data, is probably the best-known social engineering method. Social engineering is the art of deception aimed at getting people to divulge sensitive information or to take certain actions, often as the first stage of a cyberattack. The attack does not target the IT systems; it targets their users. According to the German digital business association Bitkom, one company in five in Germany was the victim of a social engineering attack between the beginning of 2015 and the beginning of 2017. Globally, one company in three was on the receiving end of such an attack between summer 2015 and summer 2017, according to the British market research company Loudhouse.
Video: Winning SECTF call at DEF CON 25. Chris Kirsch and Chris Hadnagy reenact the winning call from the Social Engineering Capture the Flag contest (SECTF) at DEF CON 25 (2017).
CEO Trick Instead of Long-lost Relative Trick
Hackers use psychological tricks, telling their victims heart-rending stories, putting them under time pressure or intimidating them with authoritarian behavior. As communication channels they use not only e-mail but also faxes, personal conversations or phone calls (vishing). Security specialist Chris Kirsch demonstrated an example of a successful telephone attack in a video, reconstructing a phone call with a genuine company, which won him a social engineering competition at the 2015 DEF CON hacker conference.
In the summer of 2017 the German Federal Office for Information Security (BSI) issued an explicit warning against criminals claiming to be company executives and instructing employees to transfer large sums of money to foreign bank accounts. Damage totaling around EUR 75 million was said to have been done to the German economy in this way in 2016. Victims of this kind of CEO fraud using fake e-mails included automotive supplier Leoni and messaging app provider Snapchat. At Snapchat, for example, a payroll clerk divulged the latest salary list in response to a phishing mail purporting to be from the CEO.
Facebook a Data Source for Human Hacking
The more detail the attacker has unearthed about his victim(s) beforehand, the greater the likelihood that the hack will be a success. For example, in two studies German security researchers sent e-mails with similar contents and a link to students in 2014 and 2017. The only difference was the salutation. Fifty-six percent of the recipients of personalized e-mails clicked on the link; only 20 percent who received non-personalized e-mails clicked on it. Thanks to social media like Facebook and Twitter, social engineering attacks can be targeted much more easily and more precisely today than in the past.
Social engineering also works without personal contact between hacker and victim, however, for example by USB stick. When, in an April 2015 test, a research team led by the Google security expert Elie Bursztein dropped 300 USB flash drives on the campus of the University of Illinois Urbana-Champaign, 48 percent of them were picked up and the files on them opened. Hackers can also search trash cans for sensitive data such as written-down passwords (a practice known as dumpster diving), or follow closely behind employees with special access authorizations to get through secured doors; this practice is called tailgating or piggybacking, and unauthorized persons can sneak onto corporate premises this way.
Technical IT security is of little use when company employees fail to recognize social engineering attacks, so the most important countermeasure is to hold employee training sessions in which typical hacker tricks are explained and the correct behavior in these situations is practiced. One-off sessions are no help, the BSI warns, recommending regular refresher courses. Yet in 2017, according to Loudhouse, only one in two companies around the world had security issues on their continuing training agenda.
Social penetration tests are one way to test the success of awareness training. An authorized person takes on the role of a social engineer and tests how far he can get using hackers’ methods. The disadvantage is that employees who are tricked may feel embarrassed. Social engineering measures are, of course, a part of the security concept that companies must submit and implement for ISO 27001 certification on the basis of BSI IT baseline protection.
In the end, it must be made clear that although employees can pose a security risk, they are also a bulwark against cyberattacks. According to Bitkom, most often companies are made aware of hacker attacks by tips from their workforce.