Tales of a Professional Social Engineer
05.18.05
When Jim Stickley robs banks, government offices, and other allegedly secure locations, he doesn't go in like Edward G. Robinson with a Tommy gun. Instead, he gets you to trust him while he steals your confidential information and other assets. His specialty is what's known as social engineering.
Stickley's firm, Trace Security Inc., is hired by organizations to test the security of their offices by challenging it. Faceless National Bank will hire him to see if the Podunk branch is paying attention to security policy. The bank may even say, "Go in and try to steal these specific corporate account records."
If you got an e-mail that seemed to be from your boss or from headquarters telling you to expect a visitor —an exterminator, for example—you'd let the visitor in the door, right? But that introductory e-mail isn't hard to fake. Consider one way it might be done:
The names of the branch's employees may be available on the Internet, or you could walk in and read them off desks and badges. Names at headquarters are often posted online. The social engineering team then sends innocuous probe e-mails to some of these people in a variety of common address formats; the bounces and replies reveal which convention the company uses, and so what everyone's address is.
Then the team registers a one-off domain name like facelessnationa1.com (notice the "1" at the end instead of an "l"). When an e-mail from the regional VP @facelessnationa1.com says that an exterminator is coming, people are unlikely to notice. In fact, the "from" address of the message can simply say facelessnational.com with an "l," since a From header is easy to forge, and unless the receiving mail server checks sender-authentication records such as SPF, the forgery probably won't be caught.
Once the team is inside, saying that they must "set traps," the proper procedure is to escort them everywhere they go. When they crouch down behind a computer, look at what they are doing, because if it's Stickley he's probably installing a data-stealing dongle that he'll retrieve when he comes back to "check the traps." Other favorite scams involve posing as an air-conditioning technician or a fire marshal.
Stickley does leave glue traps, but he installs more pests than he'll ever take away. And don't leave him alone in the computer center, because he'll take the server backup tapes, the grand prize of such expeditions, since they contain much sensitive data—and it's likely to be unencrypted.
This scheme is reminiscent of Ocean's Eleven and requires the attacker to be a great liar and cool under pressure. And such attackers always carry an authorization letter from someone in charge, for the rare cases when they arouse suspicion. That usually happens because someone is assiduous at following procedure, a trait often unappreciated or ridiculed. If you were in charge, would you have someone follow the exterminator around?
Large financial institutions like banks usually have internal security groups that stage situations like this, but they don't often get as creative as Trace Security.
Stickley also uses the more common remote forms of social engineering of the Kevin Mitnick variety. Your firm's "development group" might call to ask you, for test purposes, to sign in to their new Web site at dev-facelessnational.com. If you do, they'll have your log-in info. (Two-factor authentication limits the damage, since a stolen password alone is no longer enough, though a look-alike site can still relay a one-time code in real time; and it's still not universal.)
Stickley also sends users e-greeting cards that exploit Microsoft Windows vulnerabilities to install malware that gives him a back door into the system.
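Both the facelessnationa1.com trick above and the dev-facelessnational.com site are look-alike domains, and a mail gateway or proxy can flag them mechanically. The following is an added example written for this page, not Trace Security's tooling or anything the article describes in code: it folds confusable characters, measures edit distance, and treats a separate registration that merely contains the bank's name as a look-alike rather than a subdomain. The bank domain is the article's fictional facelessnational.com; the sample From headers and links are constructed for the example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# The article's fictional bank. Everything in this block is an added example;
# the sample headers and links below are constructed, not real traffic.
LEGIT_DOMAIN = "facelessnational.com"

# Substitutions attackers use because the characters look alike in common
# fonts. Multi-character entries come first so "rn" is folded before "1".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("|", "l"), ("0", "o")]


def skeleton(label: str) -> str:
    """Fold a DNS label into a form where look-alike characters compare equal,
    so 'facelessnationa1' and 'facelessnational' produce the same string."""
    s = label.replace("I", "l").lower()  # capital I passes for lowercase l
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com; production code should
    consult the public-suffix list so that e.g. .co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legit', 'lookalike' or 'other' for a hostname."""
    reg = registered_domain(host)
    if reg == legit:
        return "legit"  # covers genuine subdomains such as online.facelessnational.com
    legit_label = legit.split(".", 1)[0]
    reg_label = reg.split(".", 1)[0]
    if skeleton(reg_label) == skeleton(legit_label):
        return "lookalike"  # facelessnationa1.com, or the right name under another TLD
    if edit_distance(reg_label, legit_label) <= 2:
        return "lookalike"  # facelesnational.com
    if legit_label in reg_label:
        return "lookalike"  # dev-facelessnational.com is a separate registration, not a subdomain
    return "other"


# Constructed samples for this example.
SAMPLE_FROM_HEADERS = [
    'From: "Regional VP" <vp@facelessnational.com>',
    'From: "Regional VP" <vp@facelessnationa1.com>',
    'From: Help Desk <helpdesk@online.facelessnational.com>',
    'From: Pest Control <dispatch@exterminator.example>',
]
SAMPLE_LINKS = [
    "https://dev-facelessnational.com/login",
    "https://online.facelessnational.com/",
    "http://facelesnational.com/",
]


def flag_headers(headers):
    """Map each From: header line to (address, verdict)."""
    results = []
    for header in headers:
        _name, addr = parseaddr(header.split(":", 1)[1].strip())
        domain = addr.rsplit("@", 1)[-1]
        results.append((addr, classify(domain)))
    return results


def flag_links(links):
    """Map each URL to (url, verdict) based on its hostname."""
    return [(url, classify(urlsplit(url).hostname or "")) for url in links]


if __name__ == "__main__":
    for addr, verdict in flag_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {addr}")
    for url, verdict in flag_links(SAMPLE_LINKS):
        print(f"{verdict:9} {url}")
```

The check is only as good as the header it reads: the forged message whose From address genuinely says facelessnational.com passes it, which is why it belongs behind sender authentication (SPF, DKIM, DMARC) rather than in place of it. The edit-distance threshold of 2 is a tuning choice; short legitimate labels need a smaller one to avoid false positives.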
You don't want to worry about threats like Stickley while you're trying to get your job done, but alas, human failings are at the heart of most security breaches. The moral is that it can happen to you. Don't be complacent because you're in a big company that has policies and even a budget for security. Don't think that because you're in a small company you can fly under the radar. The Internet has made it too easy to attack anyone, and even small banks have money in them.
Larry Seltzer, a frequent contributor to PC Magazine, writes the Security Watch newsletter for pcmag.com.