
Social Engineering - Christopher Hadnagy [185]

” to “feel better” and honored his request. This could have led that company to a major pitfall if it were a malicious attack.

The technical support representative knew that this information was not relevant to that particular call. Like him, you must be determined to analyze whether the information being asked for is deserved by, and relevant to, the person with whom you are interacting. Approaching this scenario from the other angle, what if the contestant were a legitimate customer and the rep had declined to go to that website—what is the worst that could have happened?

The customer might have been a little upset at having his request declined, but it still would not have changed the outcome. The product he had was not the cause of his woes.

A social engineer often uses charm to start a conversation about the weather, work, the product, anything at all, and uses it to reveal the information sought. This is where a good security awareness policy comes into play—educating your employees about what tactics might be used against them can save them from acting out of fear.

In one audit the pretext I used was being the assistant to the CFO. The call center employees had a fear of losing their jobs for rejecting requests from such high-level management. Why? They are not given the proper education to know that rejecting that request would not cost them their jobs. At the same time, protocols should be in place so the employee knows when a request for information is proper.

The perceived value of the information being asked for ties closely to an educated and aware person knowing that even minor tidbits of data can lead to a massive breach. Knowing that the person on the other end of the phone doesn’t really need to know the name of the food preparation company for the cafeteria can help an employee answer appropriately. If you are an employer, help your employees develop answers to these requests. In most cases a simple “Sorry, I don’t have that information; please contact our purchasing department if you want that” or “I’m sorry, I am not allowed to divulge that information, but you can send an email to info@company.com to request it” can go a long way toward quashing many social engineering efforts.

I mentioned earlier that creating an atmosphere that makes information seem less valuable is also a tactic used by social engineers to get people to freely divulge this “unimportant” information.

Using the contest example again, one contestant was asked to provide some identifying information. His pretext was a company that had been hired to do an internal audit, and when the target wanted to verify who he was, he asked for something off of the requisition form. Our contestant pretended to lean over to an imaginary co-worker and said, “Jane, the gentleman from Your-Target-Company wants the ID number from the requisition; can you do me a favor and grab it from Bill’s desk?”

As “Jane” went to get the form the contestant engaged the target in idle chitchat. “How’s the weather in Texas?” and “Have you ever been to Charlie’s Pub?” escalated into things like, “Who handles the food for the cafeteria?” and “Want to see a cool website we are working on here?”

All this happened while he was “waiting” for the ID number. Social engineers use this tactic every day. Diversion and charm are key tools in many pretexts. Information that is asked for during “chitchat” is perceived as having less value because of when in the conversation it is asked for. If the SE had asked that same question while he was “verifying his audit findings,” it would have been met with a different attitude, but because he asked it during a friendly conversation, a great deal of information was given freely.

Mitigation for this SE tactic is to ponder the value of the information you are planning to release, regardless of when in the conversation it is asked for. In the earlier example, simply waiting for that ID number before continuing any conversation would have been entirely appropriate for the target and would have saved him from being duped.
