A month in the life of a social engineer – part one
With hackers finding more ingenious ways to exploit human flaws, we get inside the planning stages of a social engineering attack


With social engineering set to plague 2022, understanding cyber criminals’ tactics, and the mistakes they make, might help us defend against their efforts. The second in our four-part series, published weekly, navigates the infiltration process and how criminals prey on our greatest weaknesses.
Once a master plan is formulated, the social engineer must find a way into their targeted system. The primary route of entry, of course, is a human being.
An attacker only needs to fool one person within your organisation to gain access to your core networks and sensitive data. They'll start with a pool of candidates, before whittling down this list, perhaps after first making contact to establish a basis of trust and learn who's most amenable to the lie and willing to unwittingly help out.
Smoking out weak links
The TalkTalk breach of 2015 demonstrated how attackers use social engineering to find easy targets. First, the stolen data delivered a pool of targets with TalkTalk accounts alongside detailed contact information. Then, when cold-calling potential victims, the attackers only tried to scam those who believed the story.
Businesses aren’t above being scammed in the same way. Former fraudster and We Fight Fraud founder Tony Sales tells IT Pro: "Social engineering's just a buzzword for lying. Some people understand what the lies are and are able to defend against them, and some people don't. We're seeing this happen to brands; it happened to Spar, and it impacted everyone in their supply chain."
The social engineer might start by choosing a particular department whose employees have access to a network through which the attacker wants to spread remote-access malware, explains Freeform Dynamics analyst Tony Lock. "If you can attack someone on the help desk, maybe customer support, who then gets attacked and compromised, it'll then trickle up to the line manager and the group manager, and then it gets up to the top."
Finance, IT and reception staff are common targets, and have the added bonus of being accustomed to dealing with urgent demands from outsiders every day. Workers within these departments are, therefore, unlikely to be overly suspicious when a new "client" tries to get to know them. If the attacker has experience of a particular department, it’ll also give them a head start in gaining trust.
"I understand what HR does within a corporate organisation and what its processes are," says Sales. In addition, he adds, HR staff deal with job applications, any one of which could be loaded with a backdoor that's set to install as soon as the "application" is opened.
Probing for holes
Insecure workplace tech helps in any breach, of course, and any competent social engineer will take that into account when selecting their target. A new recruit who's struggling with Windows updates on a decade-old computer will be valuable prey, for example.
Not much ingenuity is required to find flaws in a company's network. Firstly, the attacker might make a friendly, fraudulent call or two to IT to ask for advice on "updating my Windows 11", thereby confirming what operating system is being used. After that, they'd simply look up previous Microsoft patches. "You'd find out what's been fixed in older versions of Windows, then see if the same components are in Windows 10 and 11," says Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University.
Other perfectly above-board tools that social engineers may use at this stage include Shodan, a search engine that indexes internet-exposed devices and services (including vulnerable IoT equipment), and the exploitation framework Metasploit. "The attackers could do a bit of probing and find out a department is running Apache 2.34, which they know has this certain flaw," Curran adds. "Then they'd use Metasploit to target it on the victim's machine."
Gathering Intelligence
The attacker's next step is to collect information about the person they plan to exploit. This will be infinitely useful in softening them up, gaining trust, and then exploiting that trust with a pretext, such as a phishing email laced with a backdoor. The idea is to prepare the ground so the email or call isn't suspicious at all, and to gather all the intelligence needed to craft a convincing and irresistible message.
Ambitious attackers approach this stage "like a marketing professional studying their target audience," says James Stanger, chief technology evangelist at IT education group CompTIA. They'll use AI tools, data analytics and online stalking to get intimate knowledge of that person, including their devices, work roles and behaviour patterns, right down to when they have lunch.
Our human instinct to share and connect makes this easy for social engineers, suggests Sales. "My friends see me constantly beating on about this stuff on social media, but they still click video links they shouldn't, and they still share information they shouldn't. We all want to connect with the world and have a little story with it."
Sales is far from laying blame for criminal espionage at the feet of victims who are just trying to do their jobs. After all, social engineers will glean personal information from their victims one way or another, Lock concludes. "Machine learning mechanisms can troll and accumulate a huge swathe of information from social media, then do some analysis on that before anyone even looks at it."
In the next part of our series, we find out how social engineers exploit the trust of your best employees to break into a network or even bring down a supply chain.
Jane Hoskyn has been a journalist for over 25 years, with bylines in Men's Health, the Mail on Sunday, BBC Radio and more. In between freelancing, her roles have included features editor for Computeractive and technology editor for Broadcast, and she was named IPC Media Commissioning Editor of the Year for her work at Web User. Today, she specialises in writing features about user experience (UX), security and accessibility in B2B and consumer tech. You can follow Jane's personal Twitter account at @janeskyn.