This One's For All the Marbles
There are many types of attackers in computer security, and the threat they pose to computer users and organizations ranges from trivial to very serious. Their purposes also vary, from simply accepting the challenge of gaining access to a supposedly 'locked' system, to disrupting and destroying systems, to stealing money and intellectual property.
Just as technology advances, social engineering schemes advance too, through trial and error. Even in the web's short life, many schemes have had time to go through several generations and evolve into serious strains. Two recent, particularly damaging schemes, phishing and email blackmail, have become very effective at luring in unsuspecting computer users.
By definition, phishing involves "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." In this case, there are two potential victims - the recipient of the email and the company the attacker is claiming to represent.
Email blackmail involves sending an email to a target claiming to already have control of that user's computer and threatening to place child pornography or other incriminating material on the computer and then alert the authorities unless a payment is made to the attacker. Even if the threat is not entirely believed, the requested payment is usually small enough to be seen as less of a burden than the potential search and seizure of a person's computer by police. Email blackmail inside companies creatively turns organizational security policies on their heads: it uses a person's fear of being caught and fired for corporate internet and computer usage infractions to extort money from them. It is usually easier to pay some money to the blackmailer than to become the object of suspicion and rumors among management and colleagues - even if the computer is later found to be clean.
Delivering the Attack
Among computer schemes, phishing and email blackmail have been uncommonly successful. Their success is directly correlated with how well they push the right psychological buttons on their targets. Both schemes use email as their medium, but social engineering attacks can be executed through all kinds of media, from physically showing up at an organization, to using the telephone, to online methods, and even dumpster diving.
Phone attacks are the most popular non-computer method of gaining unauthorized access or information. A phone attack's chances of success grow the more legitimate the caller can appear. There are many ways to gain the information necessary to make the crucial phone call, some simple and legal, like reading a company's website for names, titles, and phone numbers, and some illegal, like dumpster diving or calling a succession of people in the company to learn progressively more. Even the smallest bit of information may give an attacker enough 'clout' to pull off a successful phone attack. Once confident that a call can be made, there is no limit to how creative an attacker can be on the phone, and even senior people who should know better are often taken in.
An online example of social engineering would be sending an offer form to the target requesting that they visit a website and sign up to receive a free gift. On the site the user is required to create a membership account and a password for it. Attackers know there is a good chance that the password created will be the same one the target uses for many of their other online accounts. If the attacker is lucky, and the user unlucky, the password chosen for the new account will be golden - the same password used for their bank account, office computer, and various personal email accounts. Once access is gained to one person's systems, a flood of confidential information is released that may be valuable for attacks on others.
Son, Let Me Show You How It's Done
Attackers have enormous patience. They will often take a long time to get close to the target so as to gain the target's confidence and hopefully become intimate. The attacker will use every psychological trick in the book to create the right mindset in the target to comply with later requests he might have. Phone attacks may include:
Impersonation ("I'm from MIS and..."),
Ingratiation ("I'm coming to you with this because everyone says how capable you are."),
Diffusion of responsibility ("Mr. Jones, SVP in engineering, is asking for this..."),
Threatened ostracizing ("You're the only one whose info I don't seem to have..." or "You're the last person on my list."),
Seeming helplessness ("I've got to get this done and really need your help."),
or just being very friendly.
On the other hand, email phishing attacks rely on trademarks and images that the target is already familiar with or already trusts. This puts the phishing attack one step ahead of the game. In fact, people who have had their personal information compromised may never even know it. Others may find out there has been a breach, but they may not be able to track it back to where it occurred, still believing the phishing interaction to have been legitimate.
Attackers who thrive on social engineering do so by understanding what people need, want, and will do. Some emails literally beg to be opened. The Love Bug virus spread by targeting its recipients' psychological need to be loved.