Social engineering (security)
Encyclopedia
Social engineering is commonly understood to mean the art of manipulating
people into performing actions or divulging confidential information. The people who need to hide their crimes say it is similar to a confidence trick
or simple fraud
, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker
never comes face-to-face with the global criminals/victims.
Accusers say "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick
. Global criminals name the term as associated with the social sciences, but its usage has caught on among computer professionals.
) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. An elaborate lie
, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security Number
, last bill amount) to establish legitimacy in the mind of the target.
This technique can be used to trick a business into disclosing customer information as well as by private investigator
s to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.
In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner".
With a load/consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, in the pretense that it is "going straight out" or "urgently required somewhere else".
The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load.
Another variation of diversion theft is stationing a security van outside a bank on a Friday evening. Smartly dressed guards use the line "Night safe's out of order, Sir". By this method shopkeepers etc. are gulled into depositing their takings into the van. They do of course obtain a receipt but later this turns out to be worthless. A similar technique was used many years ago to steal a Steinway
grand piano from a radio studio in London. "Come to overhaul the piano, guv" was the chat line.
if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card
's PIN
.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay
claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
(IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
Phone phishing is also called vishing
.
In this attack
, the attacker leaves a malware
infected floppy disk
, CD ROM, or USB flash drive
in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available from the target's web site, and write "Executive Salary Summary Q2 2010" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware
on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network
.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
sters or fraud
sters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
A very recent type of social engineering techniques include spoofing or cracking IDs of people having popular e-mail IDs such as Yahoo!
, GMail
, Hotmail
, etc. Among the many motivations for deception are:
Then they must tell their employees which information is sensitive.
Employees must be trained to verify the identity of a person who request sensitive information.
If that person's identity cannot be verified, then the employee must be trained to politely refuse the request.
Security must be tested periodically, and these tests must be unannounced.
popularized the term "social engineering", pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system. He claims it was the single most effective method in his arsenal.
in the 1990s using social engineering, voice impersonation, and Braille-display computers
.
hacker, computer security consultant, and writer for Phrack Magazine, Archangel
(nicknamed "The Greatest Social Engineer of All Time") has demonstrated social engineering techniques to gain everything from passwords to pizza to automobiles to airline tickets.
, David Bannon, Peter Foster
, and Steven Jay Russell
approved a Senate sponsored bill making the pretexting of telephone records a federal felony
with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by president George W. Bush on January 12, 2007.
is a U.S. Federal
law
that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission
(FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part:
"Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."
The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of his or her bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.
While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate
, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.
(R-Kalamazoo
, Michigan
), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois
became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida
-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida
and Missouri
quickly followed Madigan's lead, filing suit on 24 January and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker - First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists on January 13. U.S. Senator Charles Schumer
(D-New York
) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony
criminal
penalties for stealing and selling the records of mobile phone
, landline
, and Voice over Internet Protocol (VoIP) subscribers.
, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members. Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed.
Psychological manipulation
Psychological manipulation is a type of social influence that aims to change the perception or behavior of others through underhanded, deceptive, or even abusive tactics. By advancing the interests of the manipulator, often at the other's expense, such methods could be considered exploitative,...
people into performing actions or divulging confidential information. The people who need to hide their crimes say it is similar to a confidence trick
Confidence trick
A confidence trick is an attempt to defraud a person or group by gaining their confidence. A confidence artist is an individual working alone or in concert with others who exploits characteristics of the human psyche such as dishonesty and honesty, vanity, compassion, credulity, irresponsibility,...
or simple fraud
Fraud
In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
never comes face-to-face with the global criminals/victims.
Accusers say "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick
Kevin Mitnick
Kevin David Mitnick is a computer security consultant, author, and hacker. In the late 20th century, he was convicted of various computer- and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.-Personal life:Mitnick grew up in...
. Global criminals name the term as associated with the social sciences, but its usage has caught on among computer professionals.
Social engineering techniques and terms
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:Pretexting
Pretexting is the act of creating and using an invented scenario (the pretextPretext
A pretext is an excuse to do something or say something. Pretexts may be based on a half-truth or developed in the context of a misleading fabrication. Pretexts have been used to conceal the true purpose or rationale behind actions and words....
) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. An elaborate lie
Lie
For other uses, see Lie A lie is a type of deception in the form of an untruthful statement, especially with the intention to deceive others....
, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security Number
Social Security number
In the United States, a Social Security number is a nine-digit number issued to U.S. citizens, permanent residents, and temporary residents under section 205 of the Social Security Act, codified as . The number is issued to an individual by the Social Security Administration, an independent...
, last bill amount) to establish legitimacy in the mind of the target.
This technique can be used to trick a business into disclosing customer information as well as by private investigator
Private investigator
A private investigator , private detective or inquiry agent, is a person who can be hired by individuals or groups to undertake investigatory law services. Private detectives/investigators often work for attorneys in civil cases. Many work for insurance companies to investigate suspicious claims...
s to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.
Diversion theft
Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London.In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner".
With a load/consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, in the pretense that it is "going straight out" or "urgently required somewhere else".
The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load.
Another variation of diversion theft is stationing a security van outside a bank on a Friday evening. Smartly dressed guards use the line "Night safe's out of order, Sir". By this method shopkeepers etc. are gulled into depositing their takings into the van. They do of course obtain a receipt but later this turns out to be worthless. A similar technique was used many years ago to steal a Steinway
Steinway & Sons
Steinway & Sons, also known as Steinway , is an American and German manufacturer of handmade pianos, founded 1853 in Manhattan in New York City by German immigrant Heinrich Engelhard Steinweg...
grand piano from a radio studio in London. "Come to overhaul the piano, guv" was the chat line.
Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequenceLoss aversion
In economics and decision theory, loss aversion refers to people's tendency to strongly prefer avoiding losses to acquiring gains. Some studies suggest that losses are twice as powerful, psychologically, as gains....
if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card
ATM card
An ATM card is a card issued by a bank, credit union or building society that can be used at an ATM for deposits, withdrawals, account information, and other types of transactions, often through interbank networks.Some ATM cards can also be used:* at a branch, as identification for in-person...
's PIN
Personal identification number
A personal identification number is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token and a confidential PIN to gain access to the system...
.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay
EBay
eBay Inc. is an American internet consumer-to-consumer corporation that manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide...
claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
IVR or phone phishing
This technique uses a rogue Interactive voice responseInteractive voice response
Interactive voice response is a technology that allows a computer to interact with humans through the use of voice and DTMF keypad inputs....
(IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
Phone phishing is also called vishing
Vishing
Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP , to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and...
.
Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.In this attack
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
, the attacker leaves a malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
infected floppy disk
Floppy disk
A floppy disk is a disk storage medium composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic carrier lined with fabric that removes dust particles...
, CD ROM, or USB flash drive
USB flash drive
A flash drive is a data storage device that consists of flash memory with an integrated Universal Serial Bus interface. flash drives are typically removable and rewritable, and physically much smaller than a floppy disk. Most weigh less than 30 g...
in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available from the target's web site, and write "Executive Salary Summary Q2 2010" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
Quid pro quo
Quid pro quo means something for something:- An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malwareMalwareMalware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
.
- In a 2003 information securityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
survey, 90% of office workers gave researchers what they claimed was their passwordPasswordA password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
in answer to a survey question in exchange for a cheap penPenA pen is a device used to apply ink to a surface, usually paper, for writing or drawing. Historically, reed pens, quill pens, and dip pens were used, with a nib of some sort to be dipped in the ink. Ruling pens allow precise adjustment of line width, and still find a few specialized uses, but...
. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.
Other types
Common confidence trickConfidence trick
A confidence trick is an attempt to defraud a person or group by gaining their confidence. A confidence artist is an individual working alone or in concert with others who exploits characteristics of the human psyche such as dishonesty and honesty, vanity, compassion, credulity, irresponsibility,...
sters or fraud
Fraud
In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
sters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
A very recent type of social engineering techniques include spoofing or cracking IDs of people having popular e-mail IDs such as Yahoo!
Yahoo!
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California, United States. The company is perhaps best known for its web portal, search engine , Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Groups, Yahoo! Answers, advertising, online mapping ,...
, GMail
Gmail
Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well via POP3 or IMAP protocols. Gmail was launched as an invitation-only beta release on April 1, 2004 and it became available to the general public on February 7, 2007, though...
, Hotmail
Hotmail
Windows Live Hotmail, formerly known as MSN Hotmail and commonly referred to simply as Hotmail, is a free web-based email service operated by Microsoft as part of its Windows Live group. It was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as "HoTMaiL". It was one of the first...
, etc. Among the many motivations for deception are:
- PhishingPhishingPhishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
credit-card account numbers and their passwords. - Cracking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
- Cracking websites of companies or organizations and destroying their reputation.
- Computer virus hoaxVirus hoaxA computer virus hoax is a message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know.-Identification:...
es
Countermeasures
Organizations must decide which information is sensitive.Then they must tell their employees which information is sensitive.
Employees must be trained to verify the identity of a person who request sensitive information.
If that person's identity cannot be verified, then the employee must be trained to politely refuse the request.
Security must be tested periodically, and these tests must be unannounced.
California police departments investigating red light violations
More than 30 California police departments mail out fake red light camera "tickets," also called "Snitch Tickets," in an effort to bluff registered owners into revealing the identity of the person who was driving the vehicle at the time of the alleged violation. Because these "tickets" have not been filed at court, they carry no legal weight and (in the US) the registered owner has the right to remain silent and is under no obligation to respond in any manner. In California, a genuine ticket will bear the name and address of the local branch of the Superior Court and direct the recipient to contact that Court, while a fake "ticket" generated by the police will not.Kevin Mitnick
Reformed computer criminal and later security consultant Kevin MitnickKevin Mitnick
Kevin David Mitnick is a computer security consultant, author, and hacker. In the late 20th century, he was convicted of various computer- and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.-Personal life:Mitnick grew up in...
popularized the term "social engineering", pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system. He claims it was the single most effective method in his arsenal.
Badir Brothers
Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in IsraelIsrael
The State of Israel is a parliamentary republic located in the Middle East, along the eastern shore of the Mediterranean Sea...
in the 1990s using social engineering, voice impersonation, and Braille-display computers
Refreshable Braille display
A refreshable Braille display or Braille terminal is an electro-mechanical device for displaying Braille characters, usually by means of raising dots through holes in a flat surface. Blind computer users, who cannot use a normal computer monitor, use it to read text output...
.
Christopher Hadnagy
Security consultant, published author, and founder of the first official Social Engineering Framework. Involved in formalizing Social Engineering concepts to better define the various threats it poses.Archangel
The white hatWhite hat
The term "white hat" in Internet slang refers to an ethical hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems...
hacker, computer security consultant, and writer for Phrack Magazine, Archangel
P.H.I.R.M.
The PHIRM was an early hacking group which was founded in the early 1980s. First going by the name of "KILOBAUD", the firm was reorganized in 1985 to reflect a favorite television show of the time "Airwolf". By the mid 1980s The PHIRM was sysopping hundreds of boards...
(nicknamed "The Greatest Social Engineer of All Time") has demonstrated social engineering techniques to gain everything from passwords to pizza to automobiles to airline tickets.
Steve Stasiukonis
Security Consultant for Secure Network Technologies. Inventor of the USB thumb drive test where USB sticks contained exploits to test if employees would run them from within their business environments. This attack is now one of the most popular social engineering techniques in existence and is used to test the human element of security around the world.Mike Ridpath
Security consultant for IOActive, published author, and speaker. Emphasizes techniques and tactics for social engineering cold calling. Became notable after his talks where he would play recorded calls and explain his thought process on what he was doing to get root/admin through the phone.Others
Other social engineers include Frank AbagnaleFrank Abagnale
Frank William Abagnale, Jr. is an American security consultant known for his history as a former confidence trickster, check forger, impostor, and escape artist...
, David Bannon, Peter Foster
Peter Foster
Peter Clarence Foster is an Australian who has been convicted and jailed on three continents for offences involving weight loss products and property transactions....
, and Steven Jay Russell
Steven Jay Russell
Steven Jay Russell is a U.S. con artist and impostor, known for escaping from prison multiple times. He has received numerous nicknames, including "Houdini" and "King Con." A film about his life and crimes was produced in 2009, named I Love You Phillip Morris, starring Jim Carrey as Steven Jay...
Pretexting of telephone records
In December 2006, United States CongressUnited States Congress
The United States Congress is the bicameral legislature of the federal government of the United States, consisting of the Senate and the House of Representatives. The Congress meets in the United States Capitol in Washington, D.C....
approved a Senate sponsored bill making the pretexting of telephone records a federal felony
Felony
A felony is a serious crime in the common law countries. The term originates from English common law where felonies were originally crimes which involved the confiscation of a convicted person's land and goods; other crimes were called misdemeanors...
with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by president George W. Bush on January 12, 2007.
Federal legislation
The 1999 "GLBA"Gramm-Leach-Bliley Act
The Gramm–Leach–Bliley Act , also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress...
is a U.S. Federal
Federal government of the United States
The federal government of the United States is the national government of the constitutional republic of fifty states that is the United States of America. The federal government comprises three distinct branches of government: a legislative, an executive and a judiciary. These branches and...
law
Law
Law is a system of rules and guidelines which are enforced through social institutions to govern behavior, wherever possible. It shapes politics, economics and society in numerous ways and serves as a social mediator of relations between people. Contract law regulates everything from buying a bus...
that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission
Federal Trade Commission
The Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...
(FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part:
"Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."
The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of his or her bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.
While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate
United States Senate
The United States Senate is the upper house of the bicameral legislature of the United States, and together with the United States House of Representatives comprises the United States Congress. The composition and powers of the Senate are established in Article One of the U.S. Constitution. Each...
, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.
1st Source Information Specialists
U.S. Rep. Fred UptonFred Upton
Frederick Stephen Upton is the U.S. Representative for , serving since 1987. He is a member of the Republican Party and Chairman of the Committee on Energy and Commerce. The district, based in Kalamazoo, stretches along the Michigan-Indiana border in the southwestern part of the state.-Early life,...
(R-Kalamazoo
Kalamazoo, Michigan
The area on which the modern city stands was once home to Native Americans of the Hopewell culture, who migrated into the area sometime before the first millennium. Evidence of their early residency remains in the form of a small mound in downtown's Bronson Park. The Hopewell civilization began to...
, Michigan
Michigan
Michigan is a U.S. state located in the Great Lakes Region of the United States of America. The name Michigan is the French form of the Ojibwa word mishigamaa, meaning "large water" or "large lake"....
), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois
Illinois
Illinois is the fifth-most populous state of the United States of America, and is often noted for being a microcosm of the entire country. With Chicago in the northeast, small industrial cities and great agricultural productivity in central and northern Illinois, and natural resources like coal,...
became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida
Florida
Florida is a state in the southeastern United States, located on the nation's Atlantic and Gulf coasts. It is bordered to the west by the Gulf of Mexico, to the north by Alabama and Georgia and to the east by the Atlantic Ocean. With a population of 18,801,310 as measured by the 2010 census, it...
-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida
Florida
Florida is a state in the southeastern United States, located on the nation's Atlantic and Gulf coasts. It is bordered to the west by the Gulf of Mexico, to the north by Alabama and Georgia and to the east by the Atlantic Ocean. With a population of 18,801,310 as measured by the 2010 census, it...
and Missouri
Missouri
Missouri is a US state located in the Midwestern United States, bordered by Iowa, Illinois, Kentucky, Tennessee, Arkansas, Oklahoma, Kansas and Nebraska. With a 2010 population of 5,988,927, Missouri is the 18th most populous state in the nation and the fifth most populous in the Midwest. It...
quickly followed Madigan's lead, filing suit on 24 January and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker - First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists on January 13. U.S. Senator Charles Schumer
Charles Schumer
Charles Ellis "Chuck" Schumer is the senior United States Senator from New York and a member of the Democratic Party. First elected in 1998, he defeated three-term Republican incumbent Al D'Amato by a margin of 55%–44%. He was easily re-elected in 2004 by a margin of 71%–24% and in 2010 by a...
(D-New York
New York
New York is a state in the Northeastern region of the United States. It is the nation's third most populous state. New York is bordered by New Jersey and Pennsylvania to the south, and by Connecticut, Massachusetts and Vermont to the east...
) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony
Felony
A felony is a serious crime in the common law countries. The term originates from English common law where felonies were originally crimes which involved the confiscation of a convicted person's land and goods; other crimes were called misdemeanors...
criminal
Criminal law
Criminal law, is the body of law that relates to crime. It might be defined as the body of rules that defines conduct that is not allowed because it is held to threaten, harm or endanger the safety and welfare of people, and that sets out the punishment to be imposed on people who do not obey...
penalties for stealing and selling the records of mobile phone
Mobile phone
A mobile phone is a device which can make and receive telephone calls over a radio link whilst moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile network operator...
, landline
Landline
A landline was originally an overland telegraph wire, as opposed to an undersea cable. Currently, landline refers to a telephone line which travels through a solid medium, either metal wire or optical fibre, as distinguished from a mobile cellular line, where transmission is via radio waves...
, and Voice over Internet Protocol (VoIP) subscribers.
Hewlett Packard
Patricia DunnPatricia C. Dunn
Patricia Cecile Dunn , aka Patricia Cecile Dunn-Jahnke, is the former non-executive chairman of the board of Hewlett-Packard , a position she held from February 2005 until September 22, 2006, when she resigned her position. On October 4, 2006 Bill Lockyer, the California attorney general, charged...
, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members. Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed.
In popular culture
- In the film HackersHackers (film)Hackers is a 1995 American thriller film directed by Iain Softley and starring Angelina Jolie, Jonny Lee Miller, Renoly Santiago, Matthew Lillard, Lorraine Bracco and Fisher Stevens...
, the protagonistProtagonistA protagonist is the main character of a literary, theatrical, cinematic, or musical narrative, around whom the events of the narrative's plot revolve and with whom the audience is intended to most identify...
used pretexting when he asked a security guard for the telephone number to a TV station's modem while posing as an important executive. - In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential information is one of the methods used by the killer, Phate, to get close to his victims.
- In the movie Live Free or Die HardLive Free or Die HardLive Free or Die Hard , is a 2007 American action film, and the fourth installment in the Die Hard series. The film was directed by Len Wiseman and stars Bruce Willis as John McClane. The name was adapted from the state motto of New Hampshire, "Live Free or Die"...
, Justin LongJustin LongJustin Jacob Long is an American film and television actor. He is best known for his roles in the Hollywood films Galaxy Quest, Jeepers Creepers, Dodgeball, Live Free or Die Hard, He's Just Not That into You, Drag Me to Hell, and Youth in Revolt, and his personification of a Mac in Apple's "Get a...
is seen pretexting that his father is dying from a heart attack to have a On-Star AssistOnStarOnStar Corporation is a subsidiary of General Motors that provides subscription-based communications, in-vehicle security, hands free calling, turn-by-turn navigation, and remote diagnostics systems throughout the United States, Canada and China. A similar service is known as ChevyStar in Latin...
representative start what will become a stolen car. - In the movie SneakersSneakers (film)Sneakers is a 1992 caper film directed by Phil Alden Robinson, written by Robinson, Walter F. Parkes, and Lawrence Lasker and starring Robert Redford, Dan Aykroyd, Ben Kingsley, Mary McDonnell, River Phoenix, Sidney Poitier and David Strathairn...
, one of the characters poses as a low level security guard's superior in order to convince him that a security breach is just a false alarm. - In the movie The Thomas Crown AffairThe Thomas Crown Affair (1999 film)The Thomas Crown Affair is a 1999 American heist film directed by John McTiernan. The film, starring Pierce Brosnan, Rene Russo and Denis Leary, is a remake of the 1968 film of the same name....
, one of the characters poses over the telephone as a museum guard's superior in order to move the guard away from his post. - In the James BondJames BondJames Bond, code name 007, is a fictional character created in 1953 by writer Ian Fleming, who featured him in twelve novels and two short story collections. There have been a six other authors who wrote authorised Bond novels or novelizations after Fleming's death in 1964: Kingsley Amis,...
movie Diamonds Are ForeverDiamonds Are Forever (film)Diamonds Are Forever is the seventh spy film in the Eon Productions James Bond series, and the sixth and final Eon Productions film to star Sean Connery as the fictional MI6 agent James Bond. The film is based on Ian Fleming's 1956 novel of the same name, and is the second of four James Bond films...
, Bond is seen gaining entry to the Whyte laboratory with a then-state-of-the-art card-access lock system by "tailgatingPiggybacking (security)In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. The act may be legal or illegal, authorized or unauthorized, depending on the circumstances...
". He merely waits for an employee to come to open the door, then posing himself as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee. - In the television show Rockford Files, The character Jim Rockford used pretexting often in his private investigation work.
See also
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Confidence trickConfidence trickA confidence trick is an attempt to defraud a person or group by gaining their confidence. A confidence artist is an individual working alone or in concert with others who exploits characteristics of the human psyche such as dishonesty and honesty, vanity, compassion, credulity, irresponsibility,...
- Countermeasure (computer)Countermeasure (computer)In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
- Certified Social Engineering Prevention Specialist (CSEPS)
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Media prankMedia prankA media prank is a type of media event, perpetrated by staged speeches, activities, or press releases, designed to trick legitimate journalists into publishing erroneous or misleading articles. The term may also refer to such stories if planted by fake journalists, as well as the false story...
s, which often use similar tactics (though usually not for criminal purposes) - Penetration testPenetration testA penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...
- PhishingPhishingPhishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
- Physical information securityPhysical Information SecurityPhysical information security is concerned with physically protecting data and means to access that data . Many individuals and companies place importance in protecting their information from a software and/or network perspective, but fewer devote resources to protecting data physically...
- Piggybacking (security)Piggybacking (security)In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. The act may be legal or illegal, authorized or unauthorized, depending on the circumstances...
- SMiShingSMiShingIn computing, Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from "SMs phISHING". SMS is the technology used for text messages on cell phones....
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- VishingVishingVishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP , to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
Further reading
- Ƥιяαтɛ. (1990). Baa Baa Hackforums Published by Ƥιяαтɛ ISBN 0-553-26350-1
- Harley, David. 1998 Re-Floating the Titanic: Dealing with Social Engineering Attacks EICAR Conference.
- Laribee, Lena. June 2006 Development of methodical social engineering taxonomy project Master's Thesis, Naval Postgraduate School.
- Leyden, John. April 18, 2003. Office workers give away passwords for a cheap pen. The RegisterThe RegisterThe Register is a British technology news and opinion website. It was founded by John Lettice, Mike Magee and Ross Alderson in 1994 as a newsletter called "Chip Connection", initially as an email service...
. Retrieved 2004-09-09. - Long, JohnnyJohnny LongJohnny Long, otherwise known as "j0hnny" or "j0hnnyhax", is a renowned computer security expert, author, and public speaker in the United States....
. (2008). No Tech Hacking - A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing Published by Syngress Publishing Inc. ISBN 978-1-59749-215-7 - Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures Published by Gower Publishing Ltd. ISBN 0-566-08773-1 or ISBN 978-0-566-08773-8
- Mitnick, KevinKevin MitnickKevin David Mitnick is a computer security consultant, author, and hacker. In the late 20th century, he was convicted of various computer- and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.-Personal life:Mitnick grew up in...
, Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security Publishing. - Mitnick, KevinKevin MitnickKevin David Mitnick is a computer security consultant, author, and hacker. In the late 20th century, he was convicted of various computer- and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.-Personal life:Mitnick grew up in...
, Simon, William L., Wozniak, Steve,. (2002). The Art of Deception: Controlling the Human Element of Security Published by Wiley. ISBN 0-471-23712-4 or ISBN 0-7645-4280-X - Hadnagy, Christopher, (2011) Social Engineering: The Art of Human Hacking Published by Wiley. ISBN: 0-470-63953-9
External links
- Socialware.ru - The biggest RUnet community devoted to social engineering.
- http://the.feds.arewatching.us - The Archangel Website
- Social Engineering Fundamentals - Securityfocus.com. Retrieved on August 3, 2009.
- Social Engineering, the USB Way - DarkReading.com. Retrieved on July 7, 2006.
- Should Social Engineering be a part of Penetration Testing? - Darknet.org.uk. Retrieved on August 3, 2009.
- "Protecting Consumers' Phone Records", Electronic Privacy Information CenterElectronic Privacy Information CenterElectronic Privacy Information Center is a public interest research group in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values in the information age...
US Committee on Commerce, Science, and Transportation . Retrieved on February 8, 2006. - Plotkin, Hal. Memo to the Press: Pretexting is Already Illegal. Retrieved on September 9, 2006.
- Striptease for passwords - MSNBC.MSN.com. Retrieved on November 1, 2007.
- Social-Engineer.org - social-engineer.org. Retrieved on September 16, 2009.
- http://www.jocktoday.com/2010/02/08/social-engineering-manipulating-caller-id/ - Social Engineering: Manipulating Caller-Id
- Overview of Social Engineering Threats -Presented for Parents & Teachers