Classic Social Engineering Attacks
This is a paper I was required to write for an Information Security
class. I think it actually turned out quite well, so I thought I'd post
it here for everyone's benefit.
Classic Social Engineering Attacks
The art of social engineering is the method by which human weaknesses
in an information security system are exploited. Although not usually
effective at gaining complete access to a system, it can be the easiest
way to gain initial entry, a point from where privileges can be
escalated and further information can be obtained.
The main strength of this form of attack is that it can be used to
gain entry into any system, anywhere, and at any time, regardless of
the operating system or secondary software running on that system, and
regardless of the capability of your IT security staff.
Humans are, by far, the weakest link in any information security
system. This paper will attempt to examine classic social engineering
attacks from the viewpoint of an attacker attempting to extract
information from both commercial organizations and consumers alike. A
skilled attacker is aware not only of the weaknesses inherent in both
your hardware and software, but also the weakest link in the human
security of that system. He/she will attempt to exploit the weakest
link in your human security systems, targeting inexperienced users, new
hires, help desks, and longtime executives alike. No target is safe
from this form of attack. It is unpredictable at best and a major flaw
at worst. No information security regimen is complete without a
thorough understanding of the risks that social engineering poses to an
organization's information security assets.
I will list five types of information in this paper. These will be
username / password, credit, name and address, procedural information,
and finally, methods used to discover PIN (Personal Identification
Number) codes used with bank cards. I will attempt to provide several
techniques which may be used to obtain each of these types of
information. Problems and resistance will be presented for each attack
method, as will possible solutions. This list is by no means complete.
Because social engineering attacks rely primarily on human weaknesses
in an information system, this paper will focus primarily on human
attacks and shy away from attacks which are electronically based.
Username / Password Information
Several techniques could be used to gain password and username
information. This information could be invaluable during the initial
penetration into an organization's information systems. This
information must be treated as highly classified. In no case should
anyone, anywhere, for any reason, at any time give out their password.
Following is a list of several classic techniques used to gain this
type of information.
With this technique, the attacker would call an employee of a large
corporation on the phone, impersonating a system administrator, and
explain that there is a problem with their account. The attacker asks
the employee to log out their workstation and log in again. The
employee emphasizes the fact that there does not seem to be any problem
with his/her account. After several attempts like this, the attacker
begins to sound frustrated and asks the employee for their password to
check the problem for themselves. Some random keys are pressed, and the
attacker a few minutes later informs the employee that the problem has
The most common problem encountered in
this attack is that of education. Responsible organizations train their
employees in this type of attack, teaching them to never hand out
passwords or usernames.
When encountering this problem, the attackers in most cases would
simply admit that they are wrong, and try again with another employee.
Another solution would be to plead ignorance and naivety and beg
for an exception in this one case. The attacker attempts to have the
victim sympathize with the attacker by greatly exaggerating the
severity of the problem and the time required to work around this
The attacker may launch a secondary attack, claiming that a person
of high importance in the organization has authorized this release of
information. This may be combined with the threat of disciplinary
action in the case that these directions are not followed, or with the
offer of some kind of reward for a job well done in aiding the
Other problems would include that encountered when the attacker
makes the mistake or has the unfortunate luck of actually contacting a
member of high ranking in this organization. This would render further
impersonation attacks impossible.
This could be solved by assuming the identity of some distant,
overseas, or obscure department head who is unaware of these policies.
This could also be solved by claiming a wrong number has been
called (oops... sorry... I pressed the wrong speed dial button)
Another back out strategy would be to impersonate a security
auditor and compliment the individual on their “impeccable information
In this attack, the attacker would enter the premises of a workplace
under the assumed identity of a service worker, contract worker, or
consultant. This type of attack is most successful in mid-sized
businesses, as larger corporations tend to have policies in place to
prevent this type of attack. The attacker might wear a uniform to add
to his/her authenticity. After gaining access to the building, the
attacker roams freely, trying to look like he/she is doing something
important so as not to look suspicious. A clipboard is a great help in
this matter as it gives the appearance of evaluating something, thus
justifying the intense study of the building required to gain this
information. Default usernames and passwords might be obtained if they
are left in plain view. Generally, accounts used by several employees
are easily learned with this technique. For example, a group
administrator account common to all IT staff might be left in plain
sight in the IT department, or procedures for resetting a password
might be posted on a bulletin board.
The most obvious opposition to this attack would be that of a failed identity verification.
This problem might easily be solved by the production of false
identification, which would look similar to that which a valid guest
Additionally, the attacker could place the person challenging
him/her in the position of facing a possible reprimand for denying
entry onto the premises, claiming that this visit is extremely
important to the organization.
The attacker could also attempt to gain empathy from the
challenger, claiming that an abnormally long drive was required to
arrive at this location.
Failing the above, the attacker can usually just leave under the
false pretense of going back to get the proper identification, a ploy
commonly used by minors attempting to buy alcohol.
Another possible problem would be encountered when the information
or security desk is aware of all scheduled appointments. Obviously an
attack does not classify as a scheduled appointment.
Not much can be done in this case except to claim that the wrong
address was given to the attacker, or that he/she is supposed to be at
another office building owned by the same company.
In rare instances, calling the security/information desk employee
incompetent might work. Not wishing to appear foolish for not recording
a scheduled appointment, the guard or receptionist might allow the
attacker in to avoid embarrassment.
This attack relies heavily on the tenet that users use passwords that
are easily remembered by them, and that therefore they must have some
personal meaning to them. An attacker might rummage through the garbage
of company employees to find out information which may be used to form
a password, or he/she may search the garbage of a business to find
passwords which have been written down and discarded. Default or
backdoor passwords might be contained in product documentation
discarded when updates are installed, however these default passwords
Guards and local police pose the most significant threat here.
However, they are in most cases easily dealt with.
Upon encountering a guard or police officer, the attacker simply
claims to be rummaging for free stuff in the garbage. This is not too
uncommon. Assuming the identity of a street beggar or vagrant would
greatly aid in the believability of this excuse.
A sentry could be established to watch for the above threats and
alert the attacker to them. The attacker could then leave the scene
without being discovered.
Other problems would include individuals who would regularly visit
the dumpster, such as janitors and city garbage collectors.
They can easily be dealt with using the same methods described above.
Finally, one more problem would include the garbage truck. This
could easily kill the attacker during the execution of this attack.
This is easily solved by being aware of the garbage collection
schedule, and attacking at a time not normally used by city garbage
This attack relies on the fact that in a corporate environment,
employees are generally not aggressive in the manner in which they
question the intentions of other employees. It is seldom questioned
when a user is within eyesight of another employee entering a username
/ password combination. The attacked employee does not wish to create a
dispute, and therefore assumes that the attacker's intentions are
benign. This type of attack may also rely on the In Person attack
One potential problem, and certainly the most obvious one, would
be the victim noticing the attack and challenging the attacker. This
could lead to the discovery of the attacker if the attack were to be
Solutions include simply claiming not to be memorizing the
password, or not even looking in that direction.
The attacker may in turn challenge the victim, claiming both
ignorance of the attack and insult at the accusation. This can be
reinforced by explaining the company penalties for false accusation of
The attacker may also state that he/she always watches users enter
passwords, and that this is a bad habit. The attacker then apologizes
profusely for the intrusion and leaves with one more memorized password.
This is an electronically based attack. In this attack, the attacker
presents the victim with a form with which he/she is to enter a
username and password combination. Several techniques may be used to
accomplish this. The victim may be led to a web page which appears to
be that of his/her ISP, email provider, financial institution, or some
other service requiring a username and password. A malformed URL is
placed in the address bar to make the victim believe that he/she is
actually visiting the site which this appears to be. Recent
vulnerabilities discovered in Microsoft's Internet Explorer make this
attack even more dangerous. Another technique would be to flood the
victim with useless data, rendering them unable to send or receive
additional traffic (more commonly known as a denial-of-service attack).
A dialog is then presented informing the victim that their Internet
connection has been dropped and requiring a username and password to
log in again. Once a username and password is entered, the denial of
service attack is terminated, giving the victim the impression that
this was merely a temporary problem.
One minor problem which may be encountered would be finding this
method ineffective. As ever more users become Internet wise, many are
also becoming wise to the more common attacks floating around the web.
In this case, a more effective and believable web page would be
required to convince the victim of its authenticity. The page might be
copied directly from the page the attacker is attempting to mimic.
The major problem with this attack would be that of being reported and caught by authorities.
This threat can be mitigated through the use of anonymous proxy
servers to hide both the true source of the attack and the eventual
destination of the information. The information might even be
steganographically encoded and posted to public forums for the attacker
to download, creating a much larger pool of suspects to investigate.
However, once this attack's source is discovered, you're S.O.L.,
buddy, so be careful not to be discovered. Make the attack quick,
decisive, and specific in its search for information and stop it before
it is discovered and traced.
This information is not only useful in the theft of products ordered
with stolen credit card numbers. It is the gateway to an individual's
credit history, which in today's world, basically defines an individual
as far as banks are concerned. This information should also be treated
as highly confidential, and only given to credit companies and banks,
and then only when necessary. The difficulty lies in determining who is a
valid recipient of this information and who is not. I will attempt to
explain some more common methods used to extract this information from
In this attack, the attacker calls the victim on the telephone,
impersonating his or her credit card provider. The attacker explains
that several items have recently been charged to the victim's credit
card which are outside their normal spending habits and a flag has been
set off in their computer system. When the victim explains that he/she
did not make these purchases, the attacker informs this person that the
card can be placed on hold as soon as some personal information is
verified, asking for their credit card number and expiration date. The
information gained from an attack such as this is not simply limited to
credit information. In the process of pretending to validate the
victim's identity, information such as the victim's mother's maiden
name, their social security number, date of birth, and address can be
obtained, to name a few. An attack like this could be a precursor to a
full-fledged identity theft.
The victim might easily recognize this as an attack and refuse to give the desired information.
This problem could be avoided in advance if the attacker was armed
with personal knowledge of the victim at a level of which only a credit
company would be aware. This information could be used to convince the
victim that the attacker is indeed an employee of the credit company.
Another solution would be to create a false contract, claiming the
victim had previously signed it, and should he/she fail to aid the
credit company in their investigation or solution to this problem, any
and all further charges will be the victim's responsibility under the
terms of their contract. Faced with a possible charge of several
thousand, or even tens of thousands of dollars, the victim may concede,
believing that not giving this information is a greater risk.
In a worst case scenario, the victim may report this attack to authorities.
There is no defense against this, save for recognizing the victim
as a potential threat to the attacker and not requesting this
information to begin with. This could be accomplished by an initial
conversation with the victim, in which the attacker “feels out” the
victim's susceptibility to attack.
The only other known defense against this would be to route
telephone calls through numerous switches and looped lines in an
attempt to hide the source of the attack.
This is a very simple attack. The victim places his/her garbage on the
side of the road for curbside collection. When the attacker, who has
been watching from some distance away, sees the victim leave for work
that day, he/she quickly takes the garbage to another location to look
through it. If credit card bills have been discarded insecurely, this
information will be easy to find. In fact, any information the victim
throws out could be obtained by the attacker, including bank account
numbers, name, address, and date of birth information, and even more
sensitive information such as driving and criminal records and social
security numbers could be obtained if the attacker gets lucky.
This attack may be discovered if it is carried out too frequently.
The solution to this is to carefully select the target of this
attack after previous investigation. City officials and local police
forces may recognize this attack and arrest the attacker before
completion. This attack should not be a general intelligence gathering
exercise, but rather a specific, directed attack against a particular
Other than that mentioned above, this is a relatively safe attack
when planned properly, as it carries with it a low risk and a high
This attack is very similar to the website attack described above. The
attacker presents the web page which looks identical to the web page of
the attacker's financial institution. This could be done via an email,
or if the victim's computer has been previously compromised, bookmarks
could be replaced as well. What the victim believes to be the login
page of his/her financial institution is actually an information spider
belonging to the attacker. Once the attacker has the information he/she
is looking for, the request is forwarded back to the financial
institution, a process which may be invisible to the victim.
The number one problem with this type of attack is the risk of prosecution if discovered.
This attack could also be directed at a specific individual, thus
greatly reducing the number of reports in the case it is discovered.
Other solutions to this problem are common to all attacks of this
type, whatever the information target may be. The source of the website
should be hidden through the use of multiple proxy services, and
possibly through the use of public Internet access such as a library or
local college as well.
One other major problem with this attack is the fact that many
Internet users are aware of its possibility in advance and will
recognize this as an attack and not a legitimate website.
Recent vulnerabilities discovered in Microsoft's Internet Explorer
make this attack much more easily done than before. The URL in the
address bar can be completely altered through the use of the proper
code placed as a Java applet inside a web page or email. This would
greatly enhance the believability of this attack.
The only other solution known at this time is a better
constructed imitation web page, which would be more believable and
generate more results.
Name & Address Information
While not specifically sensitive information (it is, in most cases,
listed in public telephone directories), this attack may be a precursor
to another attack which is described here. The attacker may only have
an unlisted telephone number, or may only know the victim from an on
line persona. This information may well be required to carry out
further attacks against an individual. However, most name & address
attacks are fishing expeditions, designed to seek out and find
Several types of people and/or organizations might be impersonated to
gain this information. For example, the attacker might call the victim
pretending to be conducting an anonymous research survey over the
telephone. In some cases, address information is required in order to
hold surveyors accountable and prove that the information is not random
The victim may be annoyed with the attacker's telephone call and simply refuse to participate in the survey.
In this case, some reward, such as a timeshare in Florida or 10
dollars off a meal for two at a local restaurant, may provide the
necessary incentive to convince the victim to participate in the survey.
There is very little risk involved in this attack if proper
precautions are taken. Do not initiate this call from a personal
telephone. If this must be done, hide the source number through the use
of call privacy features available from many telephone companies.
Although the call may still be traced, it will appear normal to the
victim (many survey companies hide their number with this feature) and
not arouse suspicion. In the case that the victim simply refuses to
give out the desired information, simply hang up and try another one of
the many techniques discussed in this paper.
In this attack, the attacker assumes the role of an individual
conducting a survey. Classic examples include surveys conducted in
shopping malls or on sidewalks where it is nearly impossible to verify
the identity of the surveyor. In a single day, sensitive information
could be gathered on hundreds of potential victims through the use of
carefully crafted surveys such as marketing research. The attacker may
even offer a free gift or some small monetary incentive to appear
This attack is very similar to the previously mentioned attack,
and carries with it similar problems and potential solutions. Its main
difference is that this attack is conducted in person, while the
previous attack is conducted over the telephone. The most common
problem is that of the victim refusing to participate.
As in the previous attack, this may be solved by an incentive such
as entry into a contest, a timeshare in a tropical location, or a
monetary reward for participation.
Should the victim refuse to participate, no back-out strategy is
required. Simply wait for another opportunity to acquire this
This attack carries more risk than the previous attack, as
security guards may question the validity and/or authenticity of this
One solution is simply to not remain in the same place for too
long, and therefore not stay long enough to be noticed.
Another solution would be to obtain permission to conduct the
survey in advance under a false pretense. This would also add
believability to the attack if the victim were to question the
authorization for this survey.
Should the attacker be questioned by security, a good solution
would be to claim ignorance, apologize for the breach of policy, and
leave. In most cases this will be believable.
Although often ignored, this type of strategic information is primarily
useful as initial intelligence for a larger operation. It may be
research into disaster recovery procedures to determine when a company
is most vulnerable after a disaster, the attacker may be looking for a
method to create a new account on company computer systems, or he/she
may be seeking a method with which to change passwords of already valid
Dumpster Diving can be an invaluable source of information in regards
to company policies and procedures. When new policies are published,
old ones are discarded. While the information obtained may be several
months out of date, policies and procedures do not tend to change very
much from one document to the next. Calendars can be obtained showing
times and locations of past and future meetings, and vacation schedules
can be found, which in turn may be used to help orchestrate further
attacks. I myself have recovered operations manuals such as terrorist
procedures for public train lines and logical diagrams of telephone
This attack method has been discussed previously, so there is no
need to repeat the same problems and solutions. I will simply summarize
them here. The main problems with this attack are being discovered by
passersby during the execution.
This is in most cases easily solved by playing dumb. The attacker
simply claims to be looking for something else. In most cases, this
problem is simply too small for local police to bother dealing with
once they have moved the offender away from this location.
In this attack, the attacker assumes the identity of a new employee,
unaware of company policies and procedures. He/she is taking advantage
of a senior employee's willingness to help and their misplaced trust
that this attacker is in fact a new employee. Computer password change
policies can be obtained, organizational structure, new hire handbooks,
and sometimes even false identification can be obtained using this
While this attack method has been discussed before, the solutions
here are quite different, since the information sought is of an
entirely different nature. The potential problems remain largely the
same. For example, company policies may prevent this information from
being given over telephones.
This might be solved by feigning worry about your job performance
as a new hire. This could generate empathy from the victim and increase
their willingness to help.
In general, any problems encountered can easily be averted by
claiming ignorance. In every case, when a problem is encountered, more
information can be obtained, if only to learn more about the target
company's information security policies.
It may be the case that all employees are given orientation
seminars to familiarize them with the company, and this information is
not given out personally, over the phone or otherwise.
It may be beneficial in this case to complain that you are unable
to attend this orientation meeting, and that the information given
there is of vital importance to you. Better results still can be
obtained by feigning worry about your performance as a new employee.
This also provides an exit strategy if desired at this point. The
attacker can simply agree that he/she will wait for this meeting for
Third Party Authorization
In this case, the attacker assumes the identity either of a person of
authority in an organization, or that of someone acting on that
authority. The attacker then attempts some kind of attack, knowing full
well that what he/she is proposing will violate some company policy
somewhere. When informed of this mistake, the attacker asks for more
information on this policy. In this attack, the attacker is not even
directly requesting information, and at the same time is providing an
ego boost to those correcting him/her, which acts as another incentive
with which to obtain this information. This attack is most successful
when the third party the attacker is impersonating or whose authority
they will be acting on is on vacation and unable to verify this
The victim may know the person the attacker is attempting to
impersonate and recognize this attack as an impersonation, challenging
the identity of the attacker.
This can be solved by threatening disciplinary action to the
victim. The attacker assumes the role of being embarrassed by this
mistake without directly admitting it. This will provide the victim
with the opportunity to earn “brownie points” with those in command by
helping them to cover up their mistakes.
Conversely, this might also be solved by offering a reward for the
timely help of the victim. The victim may easily be swayed by the
opinion of those above them and easily convinced to help them.
A back-out strategy would be to end the conversation with the
victim, informing them that you will be discussing the matter
personally in a few minutes and will be there shortly.
In the case where the attacker is only assuming the authority of a
high ranking individual, the victim may have received conflicting
instructions from another person.
Again, the threat of disciplinary action may work in this case.
Also, claiming that the attacker's requests are more urgent may
convince the victim to service the wishes of the attacker before those
of the other party.
If all else fails, the attacker can claim to ask another
individual in the company for further authorization, and that he/she
will call back shortly.
This type of attack is primarily lucrative to petty thieves, as it
offers an instant return on the risk assumed by the attacker. Its
limited information gathering capacity renders it unsuitable for more
advanced attack methodologies.
There is no great explanation needed here. The attacker simply watches
the victim enter their PIN code at an automated teller machine, public
telephone, or point of sale. All that is required is some method of
obtaining a card with which that PIN code is effective. This can be
accomplished through three primary methods – 1) The attacker works with
a partner at a point of sale who secretly scans and saves the PIN card
information for later reproduction. 2) The attacker calls the financial
institution of the victim and requests a new card. He/she then waits
for it to arrive in the mail and steals it from the victim's mailbox.
3) The attacker knocks the victim unconscious with a large trout and
takes the card by force.
The victim may realize their actions are being monitored and
refuse to enter their PIN code until the attacker leaves.
Not much can be done in this case. However, there is very little
risk involved unless the victim notifies authorities of this attack.
Therefore, this attack should be carried out in remote locations
outside of normal business hours to minimize the chance of being
Another solution to finding PIN codes would be to wipe the number
pad on the ATM clean before waiting for the victim to arrive. The
attacker can then determine which buttons were pressed, and now only
needs to determine in which order.
In a worst case scenario, this attack may be witnessed by local police or bank security.
In this case, the attacker could easily claim innocence and remind
the police and/or security the dangers a false accusation carries. It
may also be helpful to assume the role of a victim and attempt to gain
some level of empathy from these authorities.
This is not generally a method that can be applied to other information
types. In this attack, the attacker does not assume any identity.
He/she is simply a friendly stranger willing to help. It does, however,
require the aid of an accomplice. The accomplice in this attack would
secretly disable the point of sale equipment before the purchase is
made. This of course would cause problems when the victim attempts to
pay for the merchandise. After several failed attempts, the attacker
offers to help the victim, however requires the PIN code of the victim.
The accomplice has now had several opportunities to scan the card for
later reproduction, and the attacker now knows the PIN code. This
attack stands out from other forms of social engineering attacks as it
does not require the assumption of a false identity. It is extremely
effective in attacking the elderly, the young, or other technologically
challenged individuals. I felt the need to include this attack as I
have personally been privy to the PIN codes and bank cards of strangers
in an attempt to help them. It surprised me greatly that anyone would
willingly give out this information.
There are two possible problems in this attack. The first is that
of the victim refusing to give confidential information.
This might be solved by the accomplice, who might elicit a
greater level of trust from the victim, offering the same services.
Failing the above, not much can be done in this case. However,
there is very little risk at this point, so a back-out strategy is not
The second problem is that of discovery from authorities.
To avoid this problem, victims must be chosen very carefully
before they are exploited. Choosing too knowledgeable a victim may
easily lead to your discovery.
This can usually be determined by a simple conversation with the
victim and through the use of profiling. Elderly persons are more
likely to fall victim to this attack, as are the young and
inexperienced. Generally, backing out before asking the victim for this
information will provide the best method of avoiding detection.
This attack is very similar to those seeking to gain credit
information, however it differs in one aspect; most financial
institutions keep their customers' PIN codes and their on line banking
passwords separate. This attack therefore requires very careful
selection of one's victims in order to be successful. It may rely on
attacks previously discussed in this paper whose sole purpose was to
fish for vulnerable targets who willingly and easily reveal information
without the presence of proper credentials. The victim is presented
with some type of web page which informs them that the bank is having a
problem with their access card. The page then requires the victim to
“log in” to the access card system to verify their identity and rectify
the problem. This information is then relayed to the attacker.
As stated, most banks keep PIN information and on line banking
passwords separate. A form coming from the bank asking for this
information would appear suspicious to many people.
This might be solved by careful obfuscation of the URL, making it
appear to be that of the victim's financial institution.
This would also be made more believable if it were a follow-up to
an initial email, with the source address forged to be that of the
victim's financial institution. This would provide a controlled
environment in which to execute the attack while at the same time
providing a more believable illusion of authenticity.
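The URL obfuscation described here, and in the earlier website attacks on passwords and credit information, works because the part of a URL people read is not the part the browser connects to. The following is an added example from the defender's side, not code from the original post: it reports the host a URL really resolves to and why the rest of the address looks deceptive. The domain mybank.example and the sample URLs are constructed for illustration.

```python
"""Flag URLs built to look like a trusted site (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical bank domain used as the trusted reference in this example.
TRUSTED_DOMAIN = "mybank.example"

# Cheap fold for the commonest digit-for-letter lookalikes (1 -> l, 0 -> o).
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def true_host(url):
    """Host the browser actually connects to, ignoring any user@ prefix."""
    host = urlsplit(url).hostname   # userinfo and port are stripped here
    return host.lower() if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """Exact match or a real subdomain of the trusted domain."""
    return host == trusted or host.endswith("." + trusted)


def deception_reasons(url, trusted=TRUSTED_DOMAIN):
    """Return a list of reasons the URL looks deceptive ([] if genuine)."""
    parts = urlsplit(url)
    host = true_host(url)
    if host is None:
        return ["no-host"]
    if is_trusted_host(host, trusted):
        return []
    reasons = []
    # 1) http://www.mybank.example@203.0.113.5/ : the trusted name sits in
    #    the userinfo part, which the browser never uses for the connection.
    if parts.username and trusted in parts.username.lower():
        reasons.append("trusted-name-in-userinfo")
    # 2) Bare IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw-ip-host")
    except ValueError:
        pass
    # 3) mybank.example.evil.example or mybank.examp1e: trusted name embedded
    #    in, or imitated by, a host that is not actually under it.
    folded = host.translate(_HOMOGLYPHS)
    if (trusted in host or trusted in folded
            or trusted.replace(".", "-") in host):
        reasons.append("lookalike-host")
    # 4) Trusted name pushed into the path to pad out the visible URL.
    if trusted in parts.path.lower():
        reasons.append("trusted-name-in-path")
    if not reasons:
        reasons.append("untrusted-host")
    return reasons


# Constructed sample URLs: one genuine login page and several imitations.
SAMPLE_URLS = [
    "https://online.mybank.example/login",
    "http://www.mybank.example@203.0.113.5/login",
    "http://mybank.example.evil.example/login",
    "http://mybank.examp1e/login",
    "http://203.0.113.5/mybank.example/login",
]


def classify(urls=SAMPLE_URLS, trusted=TRUSTED_DOMAIN):
    """Map each URL to (true host, reasons) so the difference is visible."""
    return {u: (true_host(u), deception_reasons(u, trusted)) for u in urls}


if __name__ == "__main__":
    for url, (host, reasons) in classify().items():
        verdict = "ok" if not reasons else ", ".join(reasons)
        print(f"{url}\n    connects to: {host}\n    verdict: {verdict}")
```

The same host comparison is what a mail gateway or proxy would apply to links in an e-mail forged to come from the bank, which is the follow-up the paragraph above describes.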
As with all scams of this type, there is always the risk of getting caught by authorities.
To mitigate this risk, the website should not be posted from a
computer which the attacker owns. Multiple proxy servers should be used
to forward traffic through numerous servers in order to better hide the
true source of the information.
The ultimate destination of this information can be hidden by
steganographically hiding it and posting it to public forums,
newsgroups, and websites. At this time there is no reliable means of
detecting steganographically encoded information, and this will at the
same time greatly increase the number of suspects to investigate.
Other problems, and their solutions, are quite similar to those
explained in previous website attacks. Only those unique to gathering
PIN information have been enumerated here.
In conclusion, we can see that the methods used to attack the human
weaknesses in your information security system, whether that system be
your personal methods or your company's corporate methods of protecting
that information, are as numerous and diverse as the technological
methods used to attack your hardware and software.
Nobody is safe from this attack, regardless of whether or not they use a
computer, and regardless of whether they are responsible for
information security in your organization. Remember that any method
used to attack an individual can be used to attack an individual at
What can be seen from a brief discussion of this topic is a weakness
that will always exist. This weakness cannot be patched with software
downloads. It cannot be solved with firewalls, encryption, VPN's, or
armed guards watching your fileservers. Whether online or not, all of
your information assets are at risk because of this threat.
As long as your corporate and personal knowledge exists within the realm of human memory, you are at risk.