There’s a simple mantra beloved by pentesters and security specialists: “There’s no patch for human stupidity!” Whether it’s hiding a bunch of Greeks inside a wooden horse to breach the walls of Troy or hiding a worm inside the promise of a sexy picture of Anna Kournikova, the gullibility of our fellow humans has long been one of the most powerful weapons of anyone looking to breach security. In the penetration testing industry, working to exploit that human stupidity and naivety has a name – social engineering.
The idea that hacking involves cracking black ICE and de-encrypting the stand-alone protocol by splicing into the mainframe backdoor – all whilst wearing stylish black and pointless goggles – will always hold a special place in our collective imagination. In reality, though, some of the most successful hackers don’t just rely on their impressive tech skills, but on their ability to defraud.
We’re wise to the suspicious and unsolicited phone call from ‘Windows Support’ telling us that they’ve detected a problem on our computer and need remote access to fix it. We’ve cottoned on that Bob Hackerman is not in fact the password inspector who needs to know our login details to make sure they’re secure enough. But hackers are getting smarter. Do you think you’d fall for one of these three surprisingly common social engineering techniques?
1. Rogue Access Points – No such thing as a free WiFi
You’ve finally impressed your boss with your great ideas about the future of Wombat Farming. She thinks you’ve really got a chance to shine – so she’s sent you to Wombat International, the biggest convention of Wombat Farmers in the world, to deliver a presentation and drum up some new investors. It’s just an hour before you give the biggest speech of your life and you need check the notes you’ve got saved in the cloud. Helpfully, though, the convention provides free WiFi! Happily, you connect to WomBatNet.
‘In order to use this WiFi, you’ll need to download our app,’ the portal page tells you.
Well, it’s annoying – but you really need to check your notes! Pressed for time, you start the download.
Plot Twist: The app is malware. You’ve just infected your company computer. The ‘free WiFi’ is in fact a wireless hotspot set up by a hacker with less-than-noble intentions. You’ve just fallen victim to a Rogue Access Point attack.
2. The Honeypot – Seduced by Ice Cream
You love ice cream – who doesn’t? So you get very excited when a man wearing a billboard turns up in front of your office handing out free samples of Ben and Jerry’s. They’re all out of Peanut Butter Cup – but it’s okay! You’ve been given a flyer with a QR code that will let you download a Ben and Jerry’s app for the chance to win Free Ice Cream for Life! What a great deal! The minute you’re back in the office and linked up to your work WiFi, you start the download. You can almost taste that Peanut Butter Cup.
Plot Twist: The app is malware. Like Cold War spies seduced by sexy Russian agents, you’ve just fallen for the classic honeypot social engineering technique. At least you got a free ice cream out of it, right?
3. Road Apples – Why You Shouldn’t Lick Things You Pick Up Off the Street
You spy a USB stick, clearly dropped on the sidewalk. It looks quite new – but you pick it up and pop it in your pocket. Later that day, you settle down to see what’s on this thing – maybe you can find out who it belongs to and return it to them; maybe you’re just curious for the opportunity to take a sneak peek into a small portion of a stranger’s life. You plug the stick into your laptop and open up the first file called ‘Government Secrets’…
Plot Twist: It’s not really much of a twist by now, is it? That USB is crawling with malware – and now it’s in your computer. Early today, that pesky band of hackers went on a sowing spree scattering their cheap flash drives all over the streets near your company hoping to net themselves a sucker. Once again, you’ve fallen victim – this time to the Road Apples attack.
What can you do?
The reason people keep using social engineering attacks is simple – they work. As humans, we’re inclined to be innately trusting – and certainly there are more free hotspots, ice cream apps, and lost USB sticks that are genuine and innocent than ones that are insidious schemes of hackers. There may be no patch for human stupidity, but that doesn’t mean you need to be careless – keep your wits about you and remember security rules that you shouldn’t break, no matter how innocuous the situation seems. And if you’re a pentester or security professional? Keep on social engineering and make your life easy – the chink in almost any organisation’s armour is going to be its people.
Find out more about internet security and what we can learn from attacks on the WEP protocol with this article.
For more on modern infosec and penetration testing, check out our Pentesting page.