Social Engineering:
A Social Psychology Perspective
Social engineering in the context of information security is defined as:
"The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."
To cite some more familiar examples, social engineering can take the form of impersonation, dumpster diving, phishing attacks, corporate espionage, or any persuasive and mendacious act that results in the gaining of information or material goods. Although social engineering has historically been associated with fraud, grift, or common scams, social engineering attacks have evolved with modern technology to become much easier to conduct, and potentially harder to combat.
We have seen from the Milgram studies, and subsequent replications, that the average person will perform an action in response to authority that they may not normally perform on their own. In the case of the Milgram studies, this involved issuing a potentially lethal shock, simply because the experimenter told them to. In that specific study, participants conformed to an authority figure they had only just met, and performed an action that would potentially haunt them later in life. One reason that social engineering attacks are so effective is due to the common use of impersonation as a tactic. To better illustrate the real-world dangers of social engineering, as well as how the social context plays a role in successful attacks, I will use a story from when I worked as a social engineering consultant for Seagate Technologies from 2014-2016, as well as a more entertaining example from Kevin Mitnick's social engineering attack on Motorola.
The Seagate Incident - Power
In 2016 Seagate Technologies had the misfortune of falling victim to a social engineering attack that resulted in the theft of all current and former employee W-2 forms. This was a massive security breach that affected several thousand employees and exposed sensitive information to whoever conducted the attack. How did this happen?
A Seagate representative had issued the following statement as the theft unfolded in media and internal confusion:
"On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was [sic] sent to an unauthorized third party in response to the phishing email scam. [..] The information was sent by an employee who believed the phishing email was a legitimate internal company request."

As mentioned earlier, one of the common forms of social engineering is phishing, which appears to be the method this attack took. Phishing works by exploiting the trust an individual has toward a person or company; social engineers take advantage of that trust by impersonating the trusted source. In this incident, an attacker impersonated a Seagate executive and sent an email to an employee requesting all of the W-2s. The employee, in turn, bundled them all up and promptly sent them as requested. The quote above shows the effectiveness of trust, but the employee/executive dynamic also came into play. Because the requester appeared to be someone high up in Seagate, the employee likely felt the power dynamic compelled them to carry out the request with minimal scrutiny. Coercive power is often at play in an employee/employer relationship, as the employer has the potential to dock pay, fire, or demote an employee for any transgression. The fear of a potential reprimand would have increased the likelihood that the target of the phishing scam would comply.
Kevin Mitnick - Ingratiation
As seen in the Seagate example, impersonation can be used to elicit conformity in others by representing someone who has power. Power can come in many forms; three that are often cited are legitimate power (someone voted or elected into a position), coercive power (such as the employer example above), and expert power (someone in a role viewed as a trusted authority, such as a doctor or lawyer).

Social engineering does not always rely on power to produce the desired outcome; in some cases simply being nice can result in conformity. In the video below, Kevin Mitnick details his approach to stealing Motorola cellphone schematics, simply by impersonating an employee, gathering information, and politely talking to numerous people as his request was forwarded from person to person. This recollection is an extremely good example of how easily social engineering attacks can be carried out, and more importantly, how hard they can be to thwart. At any point in the chain of people Kevin spoke to, someone could have questioned him, asked for credentials, or flat out rejected the request.
As you can see in the video, his request did set off red flags: the company was not allowed to send files to an out-of-network device. Even so, the employee he was speaking to went out of her way to get security clearance and comply with his request. Why did this happen? Unlike the Seagate example, Kevin did not pretend to be the CEO, so the Motorola employee likely felt no coercive pressure, yet she went above and beyond to help him. The answer is likely a mix of trust and ingratiation. Kevin attempted to become friends with the employee. He was very polite during the conversation, and he wove in details, such as knowing the project manager (and that she was on vacation), along with the story that the project manager had already signed off on this request and simply forgot to follow through before leaving. Here Kevin is building trust with the employee and becoming more likable to her. Because she believes he is trusted and knows her co-worker, she yields to his influence and complies with the seemingly normal request without asking further questions or verifying his claims.
Awareness as Protection
Many people fall victim to social engineering without really realizing it, and often we don't notice an attack has occurred until something substantial happens, such as identity theft or account hacking. One example of a case where we wouldn't think twice is holding the door for someone carrying a heavy-looking box. This example is often used to describe "tailgating", and it is considered a very effective approach to getting into a secured area. Because people don't want to break normative conformity, or to be seen as "bad" or stick out, we often hold doors for others without even thinking about it. A good approach to help combat social engineering attacks is simply awareness: did the Verizon rep who called to verify your identity provide any proof of their authority? Did the email you just received asking you to reset your password come from a site you trust? Did the person you just let into the building actually have authorized access? Being aware of requests made of us, and of social situations that may involve sensitive information, is a great first step to noticing when things are suspicious. Additionally, being suspicious of digital and phone identities, since we can't easily confirm people are who they say they are, can do a lot to prevent social engineering attacks.
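The awareness questions above, and the executive-impersonation pattern in the Seagate incident, can be turned into simple checks that a mail gateway or an awareness tool could run on an incoming message. The following is an added example and is not code from the original post or from Seagate; the company domain, the executive names, the sensitive-record terms and both sample emails are constructed for illustration.

```python
"""Added example: flag the red flags a reader is told to look for in an email
that claims to be an internal request from an executive. The internal domain,
executive names and the two sample messages below are constructed, not real."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed/constructed: the company's genuine mail domain(s) and the display
# names of its executives, as a gateway or awareness tool might hold them.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}
# Terms that, in an unsolicited request, commonly signal sensitive records.
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "ssn", "social security", "wire transfer")


def domain_of(address: str) -> str:
    """Return the lowercase domain of an address, or '' if it has none."""
    _, addr = parseaddr(str(address))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in one RFC 822 message.

    An empty list only means none of these specific indicators fired; it is
    a prompt for a second look, not a verdict that the message is safe."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    flags = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Executive impersonation: a known executive's name on an external domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in INTERNAL_DOMAINS:
        flags.append(f"executive name '{display_name}' sent from external domain '{from_domain}'")

    # 2. Reply-To steering replies to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain '{domain_of(reply_to)}' differs from From domain '{from_domain}'")

    # 3. Lookalike domain: the internal name embedded in a different domain.
    for internal in INTERNAL_DOMAINS:
        label = internal.split(".")[0]
        if from_domain and from_domain not in INTERNAL_DOMAINS and label in from_domain:
            flags.append(f"From domain '{from_domain}' resembles internal domain '{internal}'")

    # 4. The body asks for sensitive records (the W-2 request in the Seagate case).
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits:
        flags.append("body requests sensitive records: " + ", ".join(hits))
    return flags


# Constructed sample: an external lookalike sender using an executive's name.
PHISH = """From: Jane Doe <jane.doe@example-corp-hr.com>
Reply-To: jane.doe@mailbox-example.net
To: payroll@example-corp.com
Subject: W-2s needed today

Please send me the 2015 W-2 forms for all current and former employees as a PDF.
"""

# Constructed sample: the same executive writing from the real internal domain.
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Lunch

Are you free at noon?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The point of the four checks is that each one corresponds to a question the employee in the Seagate incident could have asked before sending anything: is this really our domain, where will my reply actually go, and is this a request for records that should never leave payroll on the strength of one email. A tool can surface those questions; it cannot replace the habit of asking them.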
Sources & Additional Resources
Granger, S. (n.d.). Social Engineering Fundamentals, Part I: Hacker Tactics. Retrieved from https://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics
Stangor, C. (2014, September 26). Principles of Social Psychology – 1st International Edition. Retrieved from https://opentextbc.ca/socialpsychology/chapter/obedience-power-and-leadership/
Shameless plug: if you're interested in the topic & would want to read a more technical article along with proposed solutions, check out my post on Medium.
I really enjoyed reading your post! I liked the term "social engineering," because it turned out to be something totally different than I thought it would be. At first, whenever I saw something about engineering, I assumed it would be a term related to math or physics. It has nothing to do with actual engineering. I might start actually trying to use that term in a sentence now. In addition, I've seen many people use social engineering on YouTube in social experiments. For example, one youtuber dresses up as security to successfully get into a soccer game in Europe. This tactic is very effective to use as a deception technique.
Hi Marcus! Glad you enjoyed the post, I definitely encourage you to use the term in sentences & spread awareness. Unfortunately a lot of people fall victim to social engineering due to lack of awareness. If you like YouTube like that you may also enjoy the movie "Catch Me if You Can", about the life of Frank Abagnale.
Do you think there are any strategies that could be employed by companies to change workplace dynamics, or even just train employees to handle these situations better? Or is social engineering too hard to combat that way, and other measures would need to be taken?
Side-note: High quality film.
I did not know what social engineering was before this blog but this post really gave concrete examples, and it was really interesting to see an example of computer science and psychology overlapping. I have heard of people pretending to be someone else to gain information before, but I didn't know there was a term for it or ever connect it to Milgram's experiments. However, the addition that polite and friendly people are often given almost the same status as CEOs when asking for secure information is even more interesting. It makes me wonder how differently Milgram's experiments would have turned out if they used not a Professor but a confederate that spent time befriending the teacher.
Reading this made me think of other examples of people using social engineering methods to fulfill their bidding, but before this highly technological era. Two examples immediately jump to my head and they are as follows.
1. Ted Bundy would use a cane or wear a sling to convince his victims to follow him to his car to assist him. He could then overpower them and drive away with them in the trunk.
2. About a decade ago an old neighbor tried to convince my little brother to follow him into his trailer, offering to let him try cigarettes and beer.
Luckily awareness of these threats can help with the problems. The lessons learned from the serial killers of the past led my mother to grill me and my siblings often about the threats of stranger danger. Using these lessons my brother was able to stay safe and avoid that neighbor then and in the future. So hopefully these technological problems can be dealt with in a similar way, with warnings from friends and family to keep each other safe.
The true crime examples are always the fun ones to read about aren't they! :)
I have seen/read about attacks like these but I'd never heard the term Social Engineering before and this was very interesting to read. Sadly I feel like I'd be one of the people to not ask questions and just accept the 'authority'. Hopefully just having read your post will remind me to be more vigilant and careful. Thank you for sharing!
It's definitely difficult to notice in-the-moment, especially when people feel like they're doing the right thing! Especially with the case of simply holding a door open.
This whole idea of social engineering reminds me of the rhetoric classes I've had to take while here. In a way it's similar, just instead of using the writing, you use your actions and your voice. It's pretty crazy to see just how much people are attached to these social norms, even going so far as to uphold them even if it leads them to do something they know is wrong. I wonder why it is that we get so attached to routines we really have no reason to be.
Caden, what a great blog post! I really enjoyed the topic and did research with Dr. Feltz relating to this topic (phishing specifically). With your knowledge of the incident at Seagate, do you feel that social engineering is targeted to people with low risk perception, or those with high tendency for trust?
It's definitely a mix of both, but in my experience social engineering attacks fall into either extremely targeted, or a wide-net. In that sense, individuals are usually targeted based on access, and there's often a form of "recon" to find out how to best stage the attack. So in the video Kevin finds out details to use when calling to weave the story + build trust. Overall it seems like people with a high tendency for trust are often taken advantage of the most, as even if you don't identify the risk, you can be "immune" to it by being skeptical.
I've known about social engineering because that was a big focus in one of my cyber security courses in high school. My biggest surprise with coming to Tech was the amount of phishing scams that still get through the filters the school already has in place. I've had to report over 15 this year. The most memorable one was one about a professor who just came off of a break studying abroad and was looking for research students to help with an online research lab. That email was sent to over 200 students and in the time before I reported it, 32 students had unknowingly given their email and password to a complete stranger. The amount of people who don't know what different social engineering attacks are and how they can present is terrifying, just thinking about how many students could have given out information without knowing makes me nervous.
I actually hadn't heard of the Seagate incident despite having a fair amount of interest in tech news. It's interesting how blind people can be to phishing, especially when it comes from an alleged higher-up. People are simply expected to trust any supervisor and whatever they have to say, even electronically, though in reality, especially as it pertains to intellectual property, classified materials, and financial documents, such requests ought to be highly verified first. One method that could be employed is using sequential encryption keys for each person you're in contact with, or even isolating the company email for internal matters altogether, having isolated "internal" and "external" emails and email networks.