By presenting real-world examples that reinforce and demonstrate the definitions and concepts explained, we aim to give you a better understanding of the threat social engineering poses in everyday life.
Playing the Part
When people ask, “What do you do for a living?”, the discussion about social engineering comes up. To many, it seems like it would be impossible to gain physical access to a facility. Most people don’t realize how easy it is to gain physical access to most facilities by ‘playing the part’ or ‘looking as though you belong’.
In this framework, we examine how a social engineer will spend a little time investigating their target and obtaining information such as what time employees show up for work, what type of attire the employees wear, and what type of physical controls (such as badge access, cipher locks, or keys) are being used to control entry doors. In addition, the social engineer may look through windows to find empty offices, research floor plans, or conduct recon activities through publicly available entrances by asking to use the restrooms available at the target’s facilities.
Once this information is gathered, the social engineer may show up when employees arrive. The social engineer will dress in attire similar to that of the employees. The social engineer will make up a similar visitor tag or use ‘blank’ access cards to mimic the activities of authorized employees or visitors. The social engineer will follow an employee up to the door and ‘piggy-back’ their way into the facility. An empty office found during the earlier information gathering can now be used as a ‘base’ to conduct other operations such as setting up a wireless router or connecting a laptop to an open network port. (As a note, once the perimeter has been broken, employees passing by will not normally question the social engineer. It is assumed that the physical control did its job and the social engineer is an authenticated individual.)
If the social engineer does a good job of ‘playing the part’, in most cases the employees will not confront or question the social engineer when letting them into the building. If an employee does question the social engineer, the social engineer can use the name of an employee gathered earlier in a cover story, such as being a ‘temp’ employee working with <named employee>, or being an authoritative figure (such as an auditor) if the previous information gathering activity lends itself to such a cover story. The social engineer can use the made-up ‘visitor tag’ or ‘blank badge’ as props to assist in their cover story. This usually works well in the middle of the week, since the social engineer can tell the employee that <named employee> gave him/her these props the day before and said to use them for the present day to gain access to the facility. In the case of a badge or fob, the cover story can be that there must be something ‘broken’ with the system when the badge or fob doesn’t work, and that the social engineer will have to get this fixed as soon as possible. Normally the employee will attempt to help by using their own badge or fob to allow the social engineer into the facility.
As a special note, it is usually the case that a social engineer may have better luck ‘piggy-backing’ behind an employee of the opposite sex. There could be numerous reasons for this, but it seems that employees are less likely to confront or question a social engineer who looks like they belong or is ‘playing the part’, especially if they are of the opposite sex. Seppo Heikkinen states in his article “Social engineering in the world of emerging communication technologies”:
- “We tend to like people who like us or, as the saying goes, “it never hurts to be friendly”. Expressing liking or similar interests might be enough to view the other person favorably and feel sympathy. This can then blur the judgment of the victim and open an avenue for social engineering attacks. A bit of flattery will further increase the possibility of the victim taking a mental shortcut especially if this is coming from a person of opposite sex. Similarly, a worker might feel that if the password is not shared with a supposed colleague within some reasonable request, they would be giving a statement of mistrust, which might be viewed as insulting, thus compromising the social relationships. The same could happen even with the token based authentication mechanisms.”
Using this knowledge can help when piggybacking or trying to gain physical access. In the following sections we discuss some of the avenues a social engineer may take to play the part.