Social Engineering: The Methodology of Deception

Manipulating people into performing unwanted actions.

By Jesse Wang | Photos by Nishant Mehta | Print Design by Xiaoshen Zhang

The essence of trust requires years or even a lifetime to construct, and yet so many are exploiting this virtue. Scammers and frauds are prevalent in every society; they take advantage of humans’ unwatchful nature to obtain material goods or confidential information. With the introduction of social networks and electronic communications, deception has transformed into digitalized crime. Social engineering is a form of deception used to gather information, commit fraud or gain computer system access. It is understandable to mistake social engineering for a discipline of engineering science, because professional engineers apply mathematical and scientific principles to solve problems and improve people’s quality of life. However, social engineers exploit the weak communication link between people for personal gain. Similar to the traditional disciplines of engineering, social engineers utilize a complex methodology and follow a series of sophisticated steps which can be viewed as a form of science.

Today, the increasing reliance on technology has shifted data storage from the traditional file cabinet to an electronic environment. Although the digital revolution simplifies the strenuous task of information retrieval, it also increases the risk of unauthorized access to personal records such as bank numbers, student records, or even a large corporation’s financial tactics. The most popular form of social engineering is pretexting, which is when an individual lies to obtain privileged data. These experts will disguise themselves to either gain access to restricted areas or deceive authorized personnel into helping them do so. “Social engineers are experts in leveraging human emotions,” says Nicholas A. Davis, the UW-Madison IT Security Architect. The defining difference between authentication and identification is the presence of evidence. Oftentimes, a social engineer will identify themselves as someone else through physical appearance, body language or knowledge of specific information, but they are unable to provide the evidence to verify their identity when asked for it. For instance, an accountant working at a law firm receives an anonymous call from a stranger stating that he is an officer from the fire department and that, as required by law, he needs to conduct a routine inspection of the accountant’s workplace for fire safety hazards. The accountant is therefore obligated to comply with safety laws and give the officer a tour of the building. Since physical identification was not asked for, the officer, in reality a social engineer, is able to gain access to the building and obtain classified documents.

Nicholas A. Davis, IT Security Architect at UW-Madison, explains social engineering.

Another type of strategy widely employed by these engineers is the use of Trojan horses. A Trojan horse is code insidiously hidden in seemingly harmless files; when such a file is opened, the code latches onto the host computer. From this code, a computer programmer can remotely initiate transfer of documents or infect other devices connected to the same network. Sometimes, elements of deception are also used to embed the code. For example, a social engineer, after conducting thorough background research, will send the victim a friendly email, posing as an acquaintance and asking the victim to open an attachment sent along with the email. On July 3rd, 2012, a group of espionage campaign hackers based in China sent out multiple emails to intelligence contractors and security consulting firms such as Chertoff Group and EnergySec. Those emails, although seemingly harmless, contained documents and links that baited the users into downloading malicious code. Cyberweapons of this intensity are relatively common; hacking humans is much more effective and simpler to execute than hacking computer systems. “It’s really hard for someone to take money out of your bank account, but it is easy to make you willingly give it out,” says Nicholas.

Easy access to confidential data.

Many countermeasures can be taken to prevent an attack of this scale. Since social engineers feed on humans’ vulnerability to trust, it is essential to be wary of suspicious behavior. The best prevention is to properly store sensitive documents and restrict people’s access to personal records. “Private information is like your toothbrush, not meant to be shared,” says Nicholas. When possible, it is best to ask for identification to verify that someone is who they claim to be. It is also a good practice to filter published information. Social engineers can easily obtain family information through websites or even newspapers. Obituaries, for example, provide a wealth of family history that may be useful when gathering the victim’s background information. A person who sounds like they are trying to force information out of people may be a social engineer. The evolution of technology introduces much more insidious methods of exploitation; to better equip ourselves against these threats, it is best to redefine the naïve concept of trust.