Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)
Social Engineering &
efforts to influence popular attitudes and social
behaviour on a large scale, whether by
governments or private groups
- Wikipedia definition
What is Social Engineering?
techniques hackers use to deceive a trusted
computer user within a company into revealing
sensitive information, or trick an unsuspecting mark
into performing actions that create a security hole
for them to slip through
- Kevin Mitnick
Why social engineering works
• Tendency to trust
• People want to help
– Customer service focussed society (e.g. call centres)
• Respect for authority
– Milgram experiment
– It’s easier to give people information to get rid of them
• People don’t like confrontations
– The Yes Rule
• Social engineers are good at evoking emotion
– Greed (passwords for chocolate)
– Fear (of getting into trouble for not doing their job, of their
credit card being cut off)
What is Social Engineering from a
Social Networking Perspective?
• An exploitation of TRUST
• A social engineer is an exploiter of trust, who
leverages the TRUST of their victim to gain
access to sensitive information or resources or
to elicit information about those resources
What is social networking?
• A TRUST platform
Social Engineering & Social Networking
1. Why social engineers use social networking
2. Why social engineering over social
3. Examples of how social networking is used
by social engineers
4. Tips on how to prevent social engineering
attacks that make use of social networks
Why social engineers use social
• HUGE attack surface
• Quick and easy, even automated
• E.g. Set up a botnet to gather email addresses for
• Low barrier entry point (skillz not necessarily
• Often relies on publicly available information
(no obvious wrongdoing)
• No more dumpster diving☺
#2 Why social engineering over
social networks works
Why Social Engineering over
Social Networking works
• Trust model
• No real authentication
• Easy to impersonate someone else or set up a fake
• Influential (Cialdini’s principles of influence)
• Social proof: people do things that other people are
• Similarity: people are influenced by people they like
• Hey, look at this. John says it’s cool.
Impersonation in the Real World
Impersonation in the Real World
• Takes money (to buy police costumes)
• May involve other criminal activities
(“procuring” police costumes,
impersonating a public official, physically
• Takes a lot of planning
• Usually involves several people (5 people
in this instance)
• Much easier to get caught
The Robin Sage Experiment
• 28 day experiment run by Provide Security
• Security researchers created a fake Facebook, Twitter
and LinkedIn profile under the alias Robin Sage
• They used a photo of an attractive girl from an adult
• They gave her the job title “Cyber Threat Analyst”
• Established connections with more than 300 people in
the security industry, including National Security Agency,
DoD and Global 500 companies
• Revealed information that violated operational security
and personal security restrictions, such as troop
locations, what time helicopters were taking off
• 10 years of cyber security experience at
25 years of age
• Robin Sage is the name of a military
• You DEFINITELY don’t know her – she
#3 How social networking is
used by social engineers
3 ways in which social networking
is used by social engineers
1. To execute an attack
2. To propagate an attack (e.g. spread
3. Reconnaissance phase for a larger attack
Using LinkedIn for SE
• Tactical research:
• Build an organisation chart for the target organisation
• Identify staff names and roles
• Target these individuals
• Pretend to be these individuals
• Name drop: <insert CEO’s name here> said... Or <insert
CEO’s name here> needs this document...
• Check who is on holidays (Trippit).
• Set up fake profiles and link in to your target
• E.g. It’s highly likely John from Company A knows Jane from
Company B. If they are not already linked in, set up a profile that
looks like Jane and send a LinkedIn invitation.
• Lots of people will connect with people they don’t even know, so you
don’t necessarily need Jane’s profile.
• You don’t even need to use LinkedIn. You know what a LinkedIn
invitation looks like. Make one yourself with malicious links or malware...
Your target doesn’t even need to use LinkedIn – we ALL get invitations.
Using other social networking
sites for social engineering
1. Find the name of someone who works at the
target organisation (maybe via LinkedIn,
company website, etc).
2. MORE tactical research on that person.
Old attacks reworked on Social
• Nigerian 419 scam
• Instead of coming from a stranger in
Nigeria attack comes from your friend
• Instead of getting an email you are
contacted via a social networking site
• Naturally, you want to help your friend
The London Mugging
Oh my God i am sorry i didn't inform you about my traveling to London, UK.
It as been a very sad and bad moment for me, the present condition that I
found myself is very hard for me to explain. I am really stranded i am in
some kind of deep mess right now,I came down here to London,UK for a
short resort got mugged at gun point last night at the park of the hotel where
i lodged.All cash,credit cards and cell were stolen,I've been to the U.S
embassy and the Police here but they're not helping issues at all,Our flight
leaves today and I'm having problems settling the hotel bills,
passport,documents and other valuable things were kept on my way to the
Hotel am staying,
I am facing a hard time here because I have no money on me. I am now
owning a hotel bill and they wanted me to pay the bill soon or else they will
have to seize my bag and hand me over to the Hotel Management.,I need
this help from you urgently to help me back home,I need you to help me
with the hotel bill and i will also need to feed and help myself back home so
please can you help me with a sum of 1720Pounds to sort out my problems
here? I need this help so much and on time because i am in a terrible and
tight situation here,I don't even have money to feed myself anymore
Volcano Friend Scam?
I’m stranded in <random foreign location> because
of the volcanic activity in Iceland. Please could
you lend me some money...?
Hijack someone’s account to
launch attacks against other users
• Attackers take over someone’s account
and target their friends
• Contact comes from your friend, so you
are more likely to trust it
Terremark: Company Picnic, 2009
• An employee, Bob, posted on his Facebook profile that he would be
attending a company picnic.
• Attackers hijacked Bob’s Facebook account and sent out a message
after the picnic that read:
• Hey Alice, look at the pics I took of us last weekend at the picnic.
• Alice clicked on the accompanying link on her company laptop
which installed a keystroke logger.
• The attackers used Alice’s company logon to access the company
network for two weeks, gaining control over 2 servers.
• One of Bob’s friends mentioned to him that the photos he sent failed
• A closer look at network traffic uncovered the attacker’s probing.
Social Networks as Malware
• Malware inserted via user-contributed content,
ads, compromised hosting networks and other
• How do you get someone to visit a website
• Social engineering is the magic ingredient that
makes these attacks work
• 3 examples
From: "Your Facebook" <firstname.lastname@example.org>
Date: 17 March 2010 07:45:06 GMT
Subject: Facebook Password Reset Confirmation! Customer
Dear user of facebook,
Because of the measures taken to provide safety to our clients,
your password has been changed.
You can find your new password in attached document.
Example 2: Send a malicious attachment
that looks like it’s from Facebook
Example 3: Koobface Virus
• Users receive a message in their Facebook inbox:
– You look funny in this new video
– Look, you were filmed all naked!
– You look just awesome in this movie
• User clicks on (malicious) URL to view video to a
website that looks suspiciously like YouTube
• A pop-up message says a Flash update is required
to view the video; the viewer is prompted to open a
file called flash_player.exe...
• Personal information (phone numbers, dates of
birth, home addresses, work details, etc)
– often publicly available (directly or indirectly)
– your friends post a message wishing you a happy
• Answers to secret questions
• Company profiles, org charts
• Understand your target’s trust network
– Who do they work with? Name of boss?
– Who’s in their family?
– Who are their friends?
• Find information to hone phishing attacks (spear
How to social engineer Bob
1. You know what company and city Bob works in. Establish which office
he is located in.
• More online research
• Call up each office and ask to speak to him until you get the right one
2. Get a Domino’s delivery shirt ($10 for 4 on eBay, share them with your
3. Order a Domino’s Meat Feast Pizza for collection.
4. Collect the pizza.
5. Put the Domino’s t-shirt on.
6. Deliver the pizza to Bob’s desk.
7. If Bob says he didn’t order it, tell him Paul (who we know is his friend
on myspace) ordered it for him.
8. For an extra special touch, deliver it on his birthday as a birthday
9. Don’t forget to leave a key logger or access point in the office, or at
least grab some important looking documents while you are in there!
Some more SE scenarios…
1. Jo has 45 friends on his MySpace page. Send Jo a birthday
card on behalf of one of his friends with a USB key as a
present. Put malicious software on the USB key.
2. Send Jo a “stop smoking” CD with malware on it.
3. Threaten him with creepy crawlies until he gives you the
information you want!
Some interesting social
networking sites for
Hi, I’m emailing/calling from Netflix to see how you enjoyed watching
Screenshot from Mashable.com Search Term: site:blippy.com +”from card”
Go to Corcoran’s on 23 Boulevard Poissonniere, Paris. You know what
your target looks like. Buy them a drink. Steal their bag.
#4 Some ideas on how to avoid
social engineering attacks over
Tips on how not to be a victim
• User awareness
• Acceptable use policy
• Use privacy settings
• Be careful what you post online
• Avoid “promiscuous friending”
• Don’t click on links in emails received unexpectedly,
even if they appear to be from a friend
• Don’t send money without speaking directly to your
• But most of all…
• Think about the information that is available about you
online and consider how it could be used against you by
a malicious social engineer
Most of the time people spend on
social networking is during work
hours and on work computers
How does this affect you?
Social Engineering &
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.