Social Engineering, the Flaws of Human Error, and Methods to Defend from It


“Hi, my name is Samuel Gills. I’m one of the lead database engineers for (insert company name here). Our database for employee identification crashed overnight and we need to verify some information to ensure that what we recovered is accurate and correct. Could we just have five minutes of your time to help us out with this very painstaking process?”

Believe it or not, calls like that come into companies all the time. This one is called a “vish” (think of it as voice phishing). The ones that come in legally are executed by professional security researchers, often labeled “White Hat Hackers”. These are experts hired by the company to determine which of their employees are susceptible to the biggest weakness most companies face today: the human brain.

Let us dive into the world of Social Engineering, how security researchers utilize this tool for Red Team Operations, and how criminals use it in exactly the same manner, only for malicious purposes.

The Vish

Vishing is the phone call version of phishing, and it is often highly effective because it forces the recipient of the call to rely on “heuristics”, or quick, instantaneous decisions. The caller knows that the individual who picks up the phone is more than likely not going to verify the caller’s credentials if the caller volunteers that information immediately.

Security researchers are hired by a company to test whether an employee will click a link in an email or give out what is called “guarded information”. This would be something like when an employee’s vacation is, whether John Doe still works at (insert business name here), or whether the employee can be talked into doing something that is outside of protocol. The researchers will often look up the number of the company’s IT department, or of another department they could plausibly have been hired to audit. When they place the call, it will genuinely seem as if it is coming from that department’s number; this is called “Call Spoofing” or “Spoof Dialing”. Call spoofers are applications, either mobile apps or online tools, that allow the caller to disguise their caller ID and number as someone else’s. Literally anyone else’s.

With a proper security researcher performing the operation, the call is placed to the targeted sector of the company or to a specific employee, and 90% of the time it will look as if it is coming from a number within the corporation.

The Operative

These individuals are professional Social Engineers, or people who perform security audits on a corporation by physical intrusion. You can see an example of this in action on the channel Tech Insider via YouTube, where white hat hackers perform a Red Team Op: they’re hired to hack the US electrical grid.

Often these individuals will claim they are doing a random audit and need to access the database or other essential IT areas within a business. These professionals will always get permission in writing to do what you see in the video beforehand, so if something does happen, they have paperwork to prove that they are hired to do the operation.

One of the most notorious Social Engineers, and at one point the FBI’s most wanted hacker in the world, Kevin Mitnick, explains in his book “The Art of Intrusion” how these individuals use cunning, deceit, and extensive “footprinting”, or reconnaissance so to speak, to launch an audit on a building or a company.

They often study the building for weeks: its exits, the doors that employees use for lunch that have little to no security (a piggybacking opportunity), whether there’s a gate checkpoint for vehicles (this would require much more preparation before launching the audit), whether there’s a security check-in before entering, or whether the physical barriers (fences, locks, door locks) can be picked or broken. On occasion, to survey the property, they could use a drone to map the area. All of this takes place before even launching the physical part of the audit, which would be the Social Engineering.

Once these audits begin, the Social Engineer will often physically gain access to the building, or more specifically exploit the flaws of the employees, in order to get to the targeted area within the corporation as requested by the employer in writing.

The Phish

Ah yes, the “phish”. These are well crafted emails that will normally have a link within the email. It could be suggesting anything, from a new pre-screened credit card offer, life insurance, hoax style phishing emails (setting you in a panic and causing you to believe that you need to click the link), or even a “test phish” sent by your own corporation.

Many companies now test their employees with decoy phishing emails. These will often say something like “Click here to see the new Summer uniform policy” or “Congratulations! You are in the sweepstakes for a $250 Visa gift card from (insert business name here)! Click on this link to activate your entry.”

Now, typically, what happens if you do indeed click the link is that it sends you to a dummy page or the page goes blank. What happens next is that you are registered as having clicked the phishing email, and typically your boss will have a sit-down with you and mandate more “phishing defense” training. Let us say instead that you clicked the internal corporate “Report Phish Email” button within the corporate e-mail service; believe it or not, you will typically be notified that you: “Passed the test! This was a simulation.”

At my company I had one of those, and when my instincts said to report it, I did. General rule of thumb for phishing emails: if it looks sketchy, has odd grammatical mistakes, or anything else that simply generates skepticism about the email, it more than likely is a phish.
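The rule of thumb above can be turned into something a mail filter or a cautious reader can apply mechanically. The following Python script is an added example, not code from the article or from DDI: it scores a raw email for the indicators the article describes (a sender whose display name claims the company but whose address does not, a link whose visible text shows one domain while its href points at another, and urgency or reward language such as the gift-card sweepstakes). The corporate domain `example-corp.com`, the sample messages, and the scoring thresholds are all constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain of the recipient (constructed for this example).
INTERNAL_DOMAIN = "example-corp.com"

# Phrases that push the reader toward a fast "heuristic" decision instead of verifying.
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "account will be suspended",
    "congratulations", "you have won", "activate your entry", "verify now",
)

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TEXT_DOMAIN_RE = re.compile(r'([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude last-two-labels reduction: 'hr.example-corp.com' -> 'example-corp.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def body_text(msg: Message) -> str:
    """Concatenate the text parts of a message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(
        part.get_payload()
        for part in msg.walk()
        if not part.is_multipart() and part.get_content_type() in ("text/plain", "text/html")
    )


def score_phish(raw_email: str) -> tuple[int, list[str]]:
    """Return a suspicion score and the human-readable reasons behind it."""
    msg = message_from_string(raw_email)
    score, reasons = 0, []

    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""

    # 1. Display name drops the company name, but the address is not on the company domain.
    if INTERNAL_DOMAIN.split(".")[0] in display_name.lower() and from_domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"display name '{display_name}' but sender domain '{from_domain}'")

    # 2. Replies are silently routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.split("@")[-1]) != from_domain:
        score += 2
        reasons.append(f"Reply-To '{reply_to}' does not match sender domain")

    body = body_text(msg)

    # 3. Visible link text names one domain while the href goes somewhere else.
    for href, text in LINK_RE.findall(body):
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown = TEXT_DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != href_dom:
            score += 3
            reasons.append(f"link text shows '{shown.group(1)}' but href goes to '{href_dom}'")
        elif href_dom != INTERNAL_DOMAIN:
            score += 1
            reasons.append(f"link to external domain '{href_dom}'")

    # 4. Pressure or reward language, one point per distinct phrase.
    lowered = ((msg.get("Subject") or "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        score += len(hits)
        reasons.append("urgency/reward language: " + ", ".join(hits))

    return score, reasons


def verdict(score: int) -> str:
    """Map a score onto the action a user should take (thresholds are assumptions)."""
    return "report" if score >= 4 else ("suspicious" if score >= 2 else "ok")


# Constructed sample 1: a gift-card lure styled after the article, with a lookalike domain.
PHISH = """From: Example-Corp HR <hr@examp1e-corp-rewards.net>
Reply-To: claims@examp1e-corp-rewards.net
Subject: Congratulations! You are in the sweepstakes for a $250 Visa gift card
Content-Type: text/html

<p>Click on this link to activate your entry:</p>
<a href="http://examp1e-corp-rewards.net/entry">https://hr.example-corp.com/sweepstakes</a>
"""

# Constructed sample 2: a genuine internal notice about the uniform policy.
LEGIT = """From: Example-Corp HR <hr@example-corp.com>
Subject: Updated summer uniform policy
Content-Type: text/html

<p>The summer uniform policy is posted on the intranet:</p>
<a href="https://intranet.example-corp.com/policies/uniform">intranet.example-corp.com/policies/uniform</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        s, why = score_phish(sample)
        print(f"{label}: score={s} verdict={verdict(s)}")
        for r in why:
            print("  -", r)
```

Run as a script it prints a score and the reasons for each sample; the lookalike-domain lure scores 8 and lands on “report”, the internal notice scores 0. The point of listing reasons rather than only a number is the same as the article’s advice: a reader should be able to say which detail made the email look sketchy before deciding to click the report button.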

In conclusion, these types of attacks happen every day, and it is a good idea to keep a steady mind in these types of scenarios. Some are carried out by paid professionals and others by people with criminal intentions. The general rule of thumb is that if the vish, phish, or individual seems even slightly out of place, there is more than likely malicious intent behind it.

Jos de Kanter J.S. is a Cyber Security bachelor’s student at Miami-Dade College in Florida, USA. He’s fluent in the Python and C++ programming languages. Having had access to Windows 98 as a child with a dial-up connection, J.S. took an early interest in the world of computers and their vulnerabilities. His goal as a contributor for DDI is to inform the public of how they can improve their cyber security in everyday life. J.S. is currently taking his CompTIA Security+, EC-Council Certified Ethical Hacker, and CompTIA Network+ courses for his degree to bolster his knowledge in the world of cyber security. Jos is also an FAA Part 107 commercially licensed drone pilot and flies a DJI Mavic 2 Enterprise.

One Reply to “Social Engineering, the Flaws of Human Error, and Methods…”

  1. Smart contracts run on the blockchain platform. Though a smart contract ensures integrity, tamper-proofing, decentralization, and automation, we need to ensure the security of the smart contract too. For this, we need to involve auditors who conduct security audits on the smart contract. A Smart Contract Audit Company identifies bugs present in the code that can lead to security vulnerabilities like a huge loss of money, theft, and loss of personal data. It is usually conducted by external auditors and eventually removes the flaws in the code and provides you an extra layer of security. Bug-free code is nice to have in other types of software, not in blockchain
