When hackers breach even the most complicated security systems, they often do so with minimal use of a computer. Often enough, the Internet is used more as a treasure trove of information, which is then used against you or your organization through deception or redirection through other channels, such as on the phone, via e-mail or text messages, or in person.
In one of 2015’s most sensational hacking stories, a teenaged hacker and two associates got access to the private email account of CIA director John Brennan—mainly through the use of social engineering (aka social hacking, or human hacking) techniques.
Inside Brennan’s email account, the hackers found, among other things, Brennan’s application for his security clearance, including criminal records, medical records, and details about the personal relationships of not just Brennan but the members of his immediate family. It is easy to imagine what damage this information can cause beyond just the compromise of an email account.
To pull off their hack, the teen and his associates first got hold of Brennan’s phone number. Through reverse phone lookups with various phone providers, they determined that Brennan was a Verizon customer.
The hackers then posed as Verizon employees to trick other Verizon employees into giving them manual access to the Verizon database. They did this by claiming they had Brennan on the phone and he wasn’t able to access the database on his own. This process possibly required a lot of knowledge about the inner workings of Verizon, but none that wouldn’t be accessible by a low-level employee.
The information they obtained from Verizon included a backup phone number, the last digits of his credit card, his AOL email address, and Brennan’s four-digit PIN with Verizon.
This information might not itself seem very valuable, but for many services like AOL, it is all that is needed to gain access to an account.
And with access to a person’s primary email account, it is incredibly easy to reset the passwords to many other accounts, like social media or even financial accounts.
To protect yourself against social hacking, keep your information private and your accounts secure. Choose security-minded online service providers for your email, VPN, or cloud storage needs, and take all the measures necessary to secure your computers and all your accounts. Opt for service providers offering two-factor authentication. That way a hacker can’t reset your password just by knowing your birthdate! If you prefer to separate your personal emails from account notifications, make sure that both email accounts are with a trusted email provider (e.g., Google or Apple) and secured with a strong password and two-factor authentication.
While having a provider that you can reach via a call center at all times for help can be convenient, this means an attacker can just as easily reach that call center in your name.
But even more importantly, learn about the techniques that social hackers might be using, so that you don’t unwittingly fall prey. Here are the six most common social hacking exploit techniques you should be aware of to protect yourself and your data.
The attacker will reach out to you under a pretext, which can be very believable depending on how much effort they put into researching you. This pretext can then be used as a hook to verify information they already have, or gain new information. The attackers might also leverage information they previously acquired to give the impression that since they are authorized to know what they already know, they are authorized to know more.
For example, knowing about a recent Internet outage at your office, a clever attacker might call you for a follow-up or even show up in person to gain valuable insights into how your network is secured—and where it’s vulnerable.
In this tactic, the social hackers will try to intercept data or even money by routing it along channels that they control. The request could come in the form of a call from your “suppliers,” informing you of a change in their bank or email accounts. But it could also be as simple as adding somebody to the cc line of an email chain.
You could for example get an email from a private account with the name of your business partner. Your “business partner” claims they currently can’t access their work email, asking you to resend the budget forecasts or blueprints.
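The scenario just described, a known contact’s name arriving from a private address with a request to resend documents or update payment details, can be screened for before anyone acts on it. The following is an added example, not code from the original article: it parses a raw e-mail, compares the display name against a constructed directory of known partners and their expected domains, checks for a Reply-To that diverts answers elsewhere, and looks for the typical “can’t access my work email / new bank details” wording. The contact directory, domains and sample messages are all constructed for illustration.

```python
"""Screen incoming mail for diversion attempts (added example; all names,
domains and messages below are constructed)."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed directory of known business partners: display name -> expected sender domains.
KNOWN_CONTACTS = {
    "Dana Lee": {"partner-example.com"},
}

# Wording that commonly accompanies a request to re-route data or payments.
DIVERSION_PHRASES = re.compile(
    r"(new bank (account|details)|can'?t access (my )?work e-?mail|"
    r"updated (our )?account (number|details)|resend|send .* to this address)",
    re.IGNORECASE,
)


def assess_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name belongs to a known partner, but the address does not.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CONTACTS.get(name)
    if expected is not None and from_domain not in expected:
        findings.append(
            f"display name '{name}' but sender domain '{from_domain}' not in {sorted(expected)}"
        )

    # 2. Replies would go somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")

    # 3. The body asks to re-route documents or money.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if DIVERSION_PHRASES.search(body):
        findings.append("body asks to re-route data or payments")

    return findings


# Constructed sample messages.
SUSPICIOUS = """From: Dana Lee <dana.lee.personal@freemail-example.net>
To: you@yourcompany-example.com
Subject: Budget forecasts
Content-Type: text/plain

Hi, I can't access my work email right now. Could you resend the budget
forecasts to this address? Also note our new bank details for the invoice.
"""

REPLY_TO_DIVERTED = """From: Dana Lee <dana.lee@partner-example.com>
Reply-To: dana.lee.personal@freemail-example.net
To: you@yourcompany-example.com
Subject: Blueprints

Please confirm receipt.
"""

LEGIT = """From: Dana Lee <dana.lee@partner-example.com>
To: you@yourcompany-example.com
Subject: Lunch

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("reply-to", REPLY_TO_DIVERTED), ("legit", LEGIT)):
        print(label, "->", assess_message(raw) or ["no findings"])
```

A finding is a reason to confirm the request through a channel you already trust (a phone number you looked up yourself, not one in the message), which is exactly the step the diversion tactic relies on you skipping.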
The most common version of this tactic comes in the form of a USB stick you find near your car, or a drive full of free music in your mailbox. These come pre-loaded with malware that infects your computer as soon as you insert the drive. In a well-targeted attack, they are custom-made for your computer and likely evade common anti-virus software.
But baiting can also be much less technical. It could take the form of a free tour during which you are befriended and tricked into revealing sensitive information, or during which your equipment is bugged.
Especially in large organizations, it can be difficult for each employee to at all times know who they are accountable to. Hackers exploit this by asserting their authority over people and pressuring them into revealing information, making changes to data structures, or giving up access to systems.
In security-relevant departments, it is important to develop a clear chain of command, including a limited set of authentication methods (PGP works great for that). The people in that command have to learn to deny requests when they do not come from the appropriate channels or lack proper authentication.
Imagine getting a request from someone in an overseas department who claims to outrank your boss, asking you for your boss’s travel details. Would you hand them over?
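One way to make the “deny anything that does not come through the proper channel with proper authentication” rule mechanical, as an added example rather than the article’s own recommendation: every sensitive request must name a pre-registered requester, arrive via the channel registered for that requester, be fresh, and carry a signature that verifies. The article suggests PGP for the signature; this example substitutes an HMAC over a per-requester shared key so it runs with the Python standard library alone. The requester registry, keys, channel names and the sample request are all constructed.

```python
"""Authenticate sensitive requests against a fixed chain of command (added
example; HMAC stands in for the PGP signatures the text recommends, and the
registry below is constructed)."""
import hashlib
import hmac
import json
import time

# Constructed registry: the only identities whose requests are honoured, each with
# the single channel they are allowed to use. Keys are provisioned out of band.
AUTHORIZED = {
    "alice@security-example.org": {"key": b"alice-shared-secret-example", "channel": "ticketing"},
}
MAX_AGE_SECONDS = 300  # a signed request older than this is refused


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(requester, channel, action, key, issued_at=None):
    """Produce a signed request dict (what the requester's tooling would send)."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = {"requester": requester, "channel": channel, "action": action, "issued_at": issued_at}
    payload["sig"] = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return payload


def verify_request(payload, now=None):
    """Return (accepted, reason). Every refusal names the check that failed."""
    now = int(time.time()) if now is None else now
    entry = AUTHORIZED.get(payload.get("requester"))
    if entry is None:
        return False, "requester not in chain of command"
    if payload.get("channel") != entry["channel"]:
        return False, "request arrived via an unapproved channel"
    if abs(now - payload.get("issued_at", 0)) > MAX_AGE_SECONDS:
        return False, "request is stale or from the future"
    unsigned = {k: v for k, v in payload.items() if k != "sig"}
    expected = hmac.new(entry["key"], _canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so a bad signature is not distinguishable by timing.
    if not hmac.compare_digest(expected, payload.get("sig", "")):
        return False, "signature does not verify"
    return True, "accepted"


if __name__ == "__main__":
    key = AUTHORIZED["alice@security-example.org"]["key"]
    req = sign_request("alice@security-example.org", "ticketing", "share travel itinerary", key)
    print(verify_request(req))                                   # accepted
    req["channel"] = "phone"                                     # same person, wrong channel
    print(verify_request(req))                                   # refused before the signature is even checked
```

The ordering matters: identity and channel are checked before the signature, so a caller who “outranks your boss” but is not in the registry is refused without any secret being consulted, and a legitimate requester who calls in instead of using the approved channel is refused just the same.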
It’s great when people are helpful, and we usually assume that those around us have good intentions. But from a security standpoint, giving strangers the benefit of the doubt can be devastating. An attacker might appeal to your kindness. Often enough, asking for compromising information is all that it takes.
Some rare compliments from a contractor can brighten up anybody’s day. So is it too much when they ask for a heads-up on the budget planning? Most likely it is.
The human mind quickly jumps to conclusions and sides with what is familiar to us. This is why we see the Virgin Mary on toast and that woman standing on Mars. Attackers can exploit that by playing with your associations, making it unclear who is calling you and being vague about what they are talking about. Often enough the attacker doesn’t know themselves who they are supposed to impersonate, but the person being hacked fills in the gaps for them.
Who was that just now on the phone talking about some security audit? Must have been Adam. He always bugs people about that stuff. But if it wasn’t Adam, who did you just give that password to?