Social Engineering via Social Networking

by Justin C. Klein Keane
March 19, 2008

Social engineering is one of the oldest tricks in the hacker book. No matter how long I'm involved in computer security, I'm always amazed that such a simple technique continues to yield such powerful results. Although scorned by many in the community as lame, social engineering is a threat vector ignored only at your own peril. If you're in charge of securing an organization, then end-user training that illuminates social engineering must be one of your priorities.

Social engineering is, at its core, a trust exploitation. The attacker must leverage the trust of the victim in order to extract useful information. There are many ways that an attacker can gain trust. One common method is to create a sense of urgency. Targeting a user with a time-sensitive scenario can often overcome the user's initial reluctance to reveal information. Most people gauge a threat by its potential harm. If an attacker can create the sense that impending harm can be prevented by exposing sensitive information, many victims will relax their usual modes of judgment. This shift in the criteria used to evaluate a claim can expose either information of a higher sensitivity than would normally be revealed, or less reluctance on the part of the victim in imparting information. In other words, the user lowers their bar for gauging trust because of the circumstances. A common example of this method is contacting a user and claiming to be someone important and in a hurry. Since the user may be made to feel their job is in jeopardy, they relax their normal judgment of trust.

Another means of leveraging trust is to exploit networks of trust. If an attacker can leverage the trust the victim accords a third party, the attacker can elevate the trust with which the victim regards them. For instance, if the victim knows a person in their organization whom they trust, and the attacker claims to be an employee or coworker of this trusted third party, then the victim might accord the attacker the same trust that they normally apply to the third party. This avenue of trust exploitation works best when the attacker is well informed about the victim's trust network.

Traditionally, discovery is the first phase of a social engineering attack. It always aids an attacker to know details about their victim. Publicly available information regarding the victim's employer, organizational structure or coworkers is invaluable in creating an atmosphere of trust. Oftentimes an attacker will research the names of higher-level executives or of people in departments normally accorded trust (for instance, the names of people in an organization's IT department).

Although an attacker might easily be able to glean the names and titles of people in an organization, understanding a victim's trust network is much more difficult. Or rather, it has traditionally been difficult. New online social and business networking applications make it increasingly easy for an attacker to explore the trust relationships of a victim by scrutinizing the data that the victim voluntarily, but perhaps unwittingly, provides. For instance, scanning through business networking sites like LinkedIn, or social networking sites like Facebook, MySpace, or Friendster, can yield a very complete picture of a person's trust network. By examining the people the victim has linked to via these networking sites, the attacker can build a clear picture of the victim's trust network.

Once armed with a topology of the victim's trust network, the attacker can exploit the victim much more effectively. By identifying trusted third parties and manufacturing or mimicking relationships with these third parties, the attacker can leverage the trust accorded to them.

Let's examine a trivial example of this principle in action. Suppose we have a victim, say Bob Jones, who is part of the administrative staff of an organization. Looking through various online networking applications, we see that Bob actually has a friend in the IT department named James Doe. We also find, via these same resources or perhaps from a company directory, that James works for his manager Mike Smith. Once the attacker has collected this information, they approach the victim, say via a phone call (perhaps even spoofing the caller ID to appear to be calling from inside the organization). The attacker greets Bob and says something like "Hello, my name is Jim Brady, I work in the IT department. James Doe and I are currently investigating a situation involving your user account for Mike Smith. Can you confirm your account name and password for me?"

As you can see, the attacker has taken a request that would, under normal circumstances, be met with a fair amount of suspicion and wrapped it in a request that leverages third-party trust. If a stranger calling from the IT department requested a username and password, the victim would likely refuse. However, by invoking the names of people the attacker knows the victim will be familiar with, the victim is likely to associate that third-party trust with the attacker. Of course, doing this implicitly involves other people in the exploit scenario, which could narrow the attacker's window before exposure, but the gains in trust often outweigh this drawback. The risk in the above example (for the attacker) is that the victim will communicate with one of the third parties, which could expose the fraud rather quickly.

The essential problem with this scenario is that users are volunteering information to attackers, often without realizing the exposure. Most users of social or business networking services see only the benefit to themselves and never question the wisdom of revealing so many details about their personal connections to the world at large. As of this writing I am unaware of any organization that prohibits posting on these types of websites, and I would be willing to wager that the number of admins who have considered this type of attack is fairly low. This makes for an extremely dangerous situation from a security standpoint, as the avenues for attack are ripe with possibilities and, by and large, potential victims are uneducated as to the threat that exists. Only time will tell if this new vector becomes problematic for organizations, but based on experience and the short shrift most security administrators give to social engineering in favor of "rackable" solutions, one can surmise that this could be an expanding problem over time.