Let’s start with a story…

Even before I knew what the term “Social Engineering” was, I think I was already doing it.

I have a friend who used to live in the center of Cardiff in a penthouse at the top of an office block. You needed a key card to get in and there was no intercom between the front or rear door and the penthouse that would allow them to open the door for you, so I’d often have to rely on texting my friend to ask him to come down and let me in. This usually took a while because the entire office block was serviced by a single lift - so you could be waiting ages for it to finally make its way to your floor - and that’s if my friend even noticed the text in the first place!

One day I noticed that the car park next to the rear door had a smoking area next to it. This smoking area usually had a handful of people in it throughout the day. These people didn’t seem to talk to each other, so I assumed that although they all worked in the building, they must be strangers. As I was about to text my friend to ask him to come and let me in, one of the women in the smoking area finished her cigarette and made for the door. Quickly, I put my phone to my ear, pretended to be deep in conversation with someone on the other end, and hurriedly followed after the woman. She scanned her key card, then noticed me coming in behind her. She helpfully held the door open for me and I offered her a smile in thanks as I passed her.

I was in the building.

But now I started to panic. I wasn’t 100% sure, but I felt like I may have been trespassing. I had a legitimate reason for being there of course, but no one knew me apart from my friend. This building had security too. What if they saw me and didn’t believe that I was there to visit my friend? Would that woman get in trouble for letting me in? Is this the sort of thing they call the police for?

I’m in the building, but what do I do now??


What is Social Engineering and why should you care?

In this blog post I’m going to talk a little about a subject that I find incredibly fascinating: Social Engineering.

Lots of the information in this post is based on a fantastic book by Christopher Hadnagy called “Social Engineering - The science of human hacking (second edition)”. If you find any of this interesting I’d highly recommend picking it up and having a look.

I’ve also taken inspiration from some episodes of Darknet Diaries. I’ll link some interesting episodes a little later on.

I’m first going to provide some context for what social engineering is, then provide some examples based on real life scenarios, then talk a little about why and how social engineering works before concluding with some general tips for staying safe.

Christopher Hadnagy, writer of “Social Engineering - The Science of Human Hacking” came up with this definition for social engineering:

Social Engineering is any act that influences a person to take an action that may or may not be in their best interests.

If you’re still reading this post it is probably because you want to hear the end of the story I started above. In some sense, I’ve attempted to influence you (sharing that story and deliberately not telling you how it ends) into doing something for me (reading this post). Don’t worry, I’ll tell you the end of the story in a moment, but this should hopefully serve to highlight that social engineering happens to us all the time. Whether it be in the form of advertising, or a guilt trippy social media post trying to get you to donate money to a cause, or whether it is that slightly odd looking email from PayPal telling you that they’re going to withdraw thousands of pounds if you don’t act quickly!


The Social Engineering Pyramid

I’m quoting again from Christopher Hadnagy’s book, “Social Engineering - The science of human hacking” here. He suggests that a professional social engineering engagement is made up of a few sections:

The Social Engineering Pyramid

Open Source Intelligence (OSINT)/Intel
In this stage the actor is gathering and analysing information that is openly available to them. This information will underpin the rest of the engagement.

Pretext Development
Here the actor will determine a logical pretext behind their engagement with a target, based on their findings in the initial OSINT stage.

Attack Plan
With the pretext in mind, the actor must now determine what their engagement (or, attack) will look like.

Attack Launch
With all the preparation done the actor can now launch their attack.

Report
The actor will feed back to their client on their findings so that the client can make an informed decision on what they should do next.

With this in mind, let’s revisit that story at the top of the post and try to identify each of these areas.

  1. OSINT/Intel - I observed that some of the office workers would gather in the smoking area outside of the building, and wouldn’t talk to each other.

  2. Pretext Development - I could pretend to be another office worker who was late to a meeting. The fact that they don’t talk to each other suggested that they probably wouldn’t raise an eyebrow at an unfamiliar face entering the building. To help achieve this, I’d need to pretend to be on the phone to someone. If they asked for ID, I could simply say I left it in my car, walk away and text my friend to come and let me in.

  3. Attack Plan/Attack Launch - Admittedly these two happened pretty quickly in my story. I saw someone finish up their smoke break and start to head into the building. I began pretending to talk on my phone whilst hurriedly moving towards the door, making sure the woman could hear me talking and vaguely gesturing for her to hold the door for me, which she kindly did.

  4. Report - In hindsight, I probably should have gone straight to the security desk to explain what had happened and advise them to discuss tailgating with the various companies in the building. Instead, much to my friend’s surprise, I knocked on his front door and we laughed about it.


Open Source Intelligence (OSINT)

I’ve mentioned this a few times now so I suppose we should really define what it means. According to Wikipedia, the source of all truth:

Open-source intelligence (OSINT) is a … methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context.

It goes on to clarify that Open Source Intelligence and open source software aren’t the same thing. That being said, there are a great deal of open source OSINT tools available out there, some of which we’ll talk about in more detail.

In fact, if you’re reading this there is a good chance you’ve already used one of the most effective OSINT gathering tools out there: Google.

Google makes finding openly accessible data extremely easy. If I want to find out the business hours of a company, what their office building looks like, their contact details, what businesses operate nearby, who works there and a whole load of other information - I just need to google the company. In fact, Google have made this even easier by showing this information front and center on their search results page.

Now I know a lot more about the Google London office

In fact, with the above example they’ve even taken some images from inside the building - which would make things much easier for me if I ever gained access and wanted to look like I belonged. I already know some of the layout which will make it easier to blend in.

Clearly there is a balance to be struck here. Google London obviously feel comfortable with you knowing what parts of their building look like, but you’d be hard pressed to find an image of their security desk or their server rooms. This does raise an interesting question, though. In the age of social media, when does sharing information openly about ourselves become dangerous?


Social Engineering Examples

I’m going to try and provide some hypothetical, yet realistic examples of social engineering engagements following the Social Engineering Pyramid described above.

Example 1 will show a bad actor using social media and other openly available data to gather intel on a target with the ultimate goal of obtaining that target’s bank details.

Example 2 will focus on a good actor who has been hired to test the physical security of a building by seeing if they can gain access to one of the inner offices.


Example 1. A malicious actor gathering and selling people’s personal details online.

Step 1: OSINT/Intel

Let’s start by simply searching the #FirstDay hashtag on Twitter. I see a few tweets from people who are happy to be starting a new job, some of them have even posted pictures of them holding their ID badge.

I home in on one post in particular. It is from an account, @JBlogsz, who has posted a picture of his new ID badge after starting at a new company called Regional Marketing Company. The ID badge contains his full name, Joe Bloggs, and the fact that he is a Sales Agent. I decide to look into his profile a little more. I see a tweet complaining about how his new passport is blue and asking “brexiteers - was it really worth it??”. Interesting, now I know a bit about Joe’s political leanings too. Seems Joe posts a lot about liberal politics. He doesn’t like Trump very much. He’s got a post asking people to refer to him as him/he. I make a note of that in a text file I’m compiling on him, because it tells me more about what kind of person he is. I can see he supports Man Utd and really liked what Marcus Rashford was doing to help lobby for free school meals. Again, I make a note of this.

I do a quick Google search of the company he just joined and I see that the company has 2 offices, one for their sales agents and another that seems to house back office staff. This is good news, it means that our target (a sales agent) is unlikely to be working directly with the HR staff. I make a note that this could present an opportunity later on. I notice that on the Google results page the company have listed a general sales email address. I decide to drop them a line…

To: sales@regional-marketing-co.com
From: attacker@osint.com
Subject: Potential business opportunity

Hi there,
My name is Karl and I’m the marketing director for a large multinational company, and we’ve shortlisted your company as being one of a number of marketing consultancies in the area that might be able to help us in an upcoming ad campaign. Could you provide me with the email address of the person who would be best suited to helping us move forward with this?

Kind Regards,
Karl

After a short wait, I receive this response:

To: attacker@osint.com
From: sarah.smith@regional-marketing-co.com
Subject: RE: Potential business opportunity

Hi Karl,
My name is Sarah. Thanks for reaching out. This sounds like a very good opportunity and I’d be happy to work directly with you on this. Do you have a good time/date where we could arrange a phone call to discuss further?

Kind Regards,
Sarah
Senior Sales Director
Regional Marketing Company
Voted #1 marketing company in the region!

Perfect. That email gave me some really good information. Now I know what the company’s email signatures look like, and I know what their email addresses look like (firstname.lastname@regional-marketing-co.com).

Step 2: Pretext Development

At this point, I feel as if I’ve gathered enough openly available intel to begin crafting my attack. I decide that I can pose as a member of the HR team because it seems unlikely that Joe works directly with them, and it won’t be suspicious that HR are contacting a new employee.

Step 3: Attack Plan

My plan is to pose as an HR representative at Joe’s company, faking an HR systems outage that has wiped his data. I’ll make it sound urgent by claiming that if he doesn’t respond he may miss out on his monthly salary. If the email is intercepted by IT, or if he decides not to reply - I haven’t really lost anything.

Step 4: Attack Launch

I send this email to Joe.

To: joe.bloggs@regional-marketing-co.com
From: fake-hr@regional-marketing-co.co
Subject: URGENT: Incorrect Bank Details

Hi Joe,
Congratulations on joining the Regional Marketing Company team! I know you don’t want to hear this, but we’ve just switched our HR IT system and it looks like we lost some of our employees’ information.

Unfortunately it looks like you may have been affected, as when I sense-checked the details we have stored for you they didn’t look quite right to me. Can you double check these details and reply to me directly with the correct details?
Bank Name: HSBC
Sort Code: 12-34-56
Account Number: 1234567
Personal Email: <missing>
Mobile Number: <missing>

Please respond asap as if these details are incorrect it would result in you missing out on your monthly salary payment.

Kind Regards,
Andy
HR (PAYE)
Regional Marketing Company
Voted #1 marketing company in the region!

Of course, I’ve totally made up the bank details here and (unless I’ve been astronomically lucky) they won’t match his real bank details. I’m using my similar looking email domain and email footer to try and blend in as much as possible with the rest of the business. I get a response from Joe pretty sharpish:

To: fake-hr@regional-marketing-co.co
From: joe.bloggs@regional-marketing-co.com
Subject: RE: URGENT: Incorrect Bank Details

Hi Andy,
No those details aren’t right. Please can we resolve this quickly? I’m literally just about to go on leave for a week and need this money in my account!

Bank Name: Lloyds
Sort Code: 11-11-11
Account Number: 7654321
Personal Email: joeyblogs@gmail.com
Mobile Number: 07777777777

Please let me know when this is sorted!

Thanks,
Joe
Sales Advisor
Regional Marketing Company
Voted #1 marketing company in the region!

Perfect. I now have what I need to sell Joe’s details on to the highest bidder!
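The HR email above works because the sender domain (regional-marketing-co.co) is one character away from the real one and the subject and body lean on urgency. As an added example that is not part of the original post, here is a small Python check of the kind a mail gateway or a defender could run over inbound mail to flag exactly that combination: a look-alike of the organisation’s own domain, pressure language, and a request for bank details. The trusted domain list, the naive last-dot TLD split and the sample messages are assumptions constructed for this example.

```python
"""Flag inbound mail that imitates the organisation's own domain and applies
pressure, as in the fake-HR email above. Added example; not from the post."""
from email.utils import parseaddr
import re

# Assumption for the example: the only domain the organisation really sends from.
TRUSTED_DOMAINS = {"regional-marketing-co.com"}

# Pressure phrases from the scarcity principle described in this post.
URGENCY = re.compile(r"\b(urgent|asap|immediately|end of play|miss(?:ing)? out)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Naively split 'name.tld' at the last dot (assumption: no multi-part TLDs)."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label, _ = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label, _ = split_domain(trusted)
        # Same name under another TLD (.co vs .com) or within two edits of it
        # (e.g. a dropped letter). A short trusted label would need a tighter
        # threshold to avoid false positives.
        if label == t_label or edit_distance(label, t_label) <= 2:
            return "lookalike"
    return "external"


def score_message(headers: dict, body: str) -> dict:
    """Combine sender classification with urgency and bank-detail indicators."""
    sender = classify_sender(headers.get("From", ""))
    text = headers.get("Subject", "") + " " + body
    pressure = sorted({m.lower() for m in URGENCY.findall(text)})
    asks_bank = bool(re.search(r"sort code|account number|bank", body, re.I))
    flags = []
    if sender == "lookalike":
        flags.append("lookalike-domain")
    if pressure:
        flags.append("urgency-language")
    if asks_bank:
        flags.append("requests-bank-details")
    return {"sender": sender, "flags": flags, "pressure_terms": pressure}


# Constructed sample messages modelled on the two emails in this post.
SAMPLES = [
    ({"From": "fake-hr@regional-marketing-co.co",
      "Subject": "URGENT: Incorrect Bank Details"},
     "We've just switched our HR IT system. Can you double check these details?\n"
     "Sort Code: 12-34-56\nPlease respond asap as if these details are incorrect "
     "it would result in you missing out on your monthly salary payment."),
    ({"From": "Sarah <sarah.smith@regional-marketing-co.com>",
      "Subject": "RE: Potential business opportunity"},
     "Do you have a good time/date where we could arrange a phone call?"),
]


def scan_samples() -> list:
    """Score every constructed sample; returned so callers can inspect results."""
    return [score_message(h, b) for h, b in SAMPLES]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```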


Example 2. A good actor who has been hired to test the physical security of a building.

Step 0: Pre Engagement

We’ve been tasked with testing the physical security of a building by attempting to gain access, with the ultimate goal of planting a USB device in one of the company’s meeting rooms. Every employee at the office has an ID badge that is used to open most of the doors, including the doors to the meeting rooms.

Step 1: OSINT/Intel

The company who hired us has a strict social media policy that stops its employees posting anything work related online, so we’re unlikely to find much joy there. Instead, we start with a Google search of the company and find some basic information like a phone number for the help desk, an email address for general enquiries and the building address (which we already knew). We take a look on Google Street View to see what the area around the building looks like. Interestingly, we see a pub next door to the target building.

Street View - Pub adjacent to target building

We posit that this pub is probably frequented by employees of this company, so we make a note to head down there Friday lunchtime to see if we can spot anyone wearing ID badges that we might be able to clone.

In the meantime, someone else on the team has been looking through the company’s employees on Linkedin. There isn’t too much info there, but we do get some names, pictures and email addresses of some of the employees. All of these go into a folder so we can start organising our intelligence on them.

Then, someone in the team has a bright idea. The company may not allow its employees to post to social media, but the company itself has a marketing team who post there. We decide to check out their feed, where we spot a post talking about a charity drive the company partnered on recently. Following the link to the website we find some pictures of the event. Cross-referencing these with the Linkedin profiles we found, we are able to place some of the employees who were at this event.

Step 2: Pretext Development

One of the people we managed to link to the charity event was a senior executive named Sarah. She has her company email address posted on Linkedin, so we decide we’re going to pose as a member of another charity organisation and ask her for a meeting. If she agrees, we won’t need to fake a company ID card as we’ll actually have a somewhat legitimate reason for being in their offices as visitors.

Step 3: Attack Plan

We are going to use one of our generic fake charity email domains to craft an email to Sarah, stating that one of our representatives is in the area meeting another partner, but that the other meeting fell through leaving our guy with nothing to do. We hope she’d accommodate him for a short meeting where he’ll give a short presentation on our charity, with no expectations of donations, partnerships or endorsements.

If she agrees to the meeting, we’ll have a date and time where we’re expected in the office and, more importantly, in a meeting room, giving us an opportunity to plant our USB device.

Step 4: Attack Launch

We send off the email to Sarah, but immediately we’re sent an out of office reply. Sarah is on leave, but someone else in her department is covering for her whilst she’s away. The response contains a phone number for the other person. We decide that we’d rather not wait for Sarah to return, so we pivot our plan and decide to call the number.

Lee: Hello, this is Lee speaking, how can I help?

Us: Hi Lee, I was actually trying to reach Sarah. We have an appointment to meet her and some of her team for a presentation this afternoon and was told to call ahead to get a headcount.

Lee: Oh, weird, Sarah is on leave for the next few weeks. Do you want me to take a message for her?

Us: Ahh, that’s a problem. You see I work for a charity and I met with Sarah at an event last month, we got talking and she set up this meeting so we could talk to you about a potential partnership.

Lee: Okay. Well I don’t see anything in the diary so perhaps we could organise it when Sarah gets back?

Us: I understand, but we’ve already got two of our reps in town and we likely won’t be able to get them back to you for at least a month if the meeting doesn’t happen today as Sarah promised.

Lee: I’m not sure, I can’t see anything in the diary.

Us: Considering she’s signed off on this I’m surprised she didn’t put it in the diary. Sarah paid for our guys to be there. (short pause) Unless you can think of anything, I guess we’ll just have to tell Sarah that she’d forgotten to tell you about the meeting, so she’ll have to book another one.

Lee: Hmm, you know, I’m actually free for an hour this afternoon. I guess I could meet your reps, if that would work?

Us: Ah Lee, you genius! Yes I think that’d be fine. We can present to you and you can pass it on to Sarah when she gets back!

Lee: Sure, okay. I’ve put it in the diary. Just tell your reps to report to the front desk at 14:45 and I’ll meet them there.

So we’ve got our in. Once there, the rest is fairly straightforward. We’re shown into a meeting room and after some introductions we are left alone for a few minutes to set up. We take this opportunity to plant our USB device. Mission accomplished.

Step 5: Report

After our engagement we arrange a meeting with the Chief Technology Officer, the Chief Information Security Officer and the Head of Security of the building (the ones who hired us in the first place). We explain our engagement and offer up some recommendations for remediation (which are beyond the scope of this post).


How does it work?

Once again, I’m taking my cues from Christopher Hadnagy’s book here, in which he lays out 8 principles of influence (based on 6 principles originally suggested by Dr. Robert Cialdini). I’m not going to go through each of them, that’d take some of the fun out of reading the book! Instead I’d like to focus on 3 that I think are fairly common ones.

Principle 1: Reciprocity

In 2016 the High-Value Detainee Interrogation Group (HIG) released a paper, “Interrogation: A review of the science”, that summarised some of the influencing strategies used by some of the most effective interrogators in the world. The first strategy they mention is the use of reciprocity. It is also the first influencing technique mentioned in Christopher Hadnagy’s book. The reason for this is simple: reciprocity appears to be a social norm in almost all cultures.

Generally speaking, the way this works is that if someone does something for you, you then feel obliged to return the favour. In a police interview this can take the form of something as simple as offering a suspect a glass of water, a cigarette or something to eat. Subconsciously the subject feels that they’ve been given something and so may be more willing to reciprocate. This is an incredibly powerful tool in any salesperson’s belt, where they may offer up a compliment or a free sample before making their request.

Note that the perceived value of the thing being given away matters. In the first example scenario we discussed above, we found that Joe was a Marcus Rashford/Man Utd fan. Imagine if we’d sent this email, posing as his HR department:

To: joe.bloggs@regional-marketing-co.com
From: andy.faker@regional-marketing-co.co
Subject: Charity Opportunity

Hi Joe,
I’m working as a consultant for our PR/outreach department and wanted to discuss an opportunity that has come up. We’ve been approached by a 3rd party working for Marcus Rashford and his campaign for free school meals to help raise its national profile.

To kick off the partnership on this initiative we’ve been offered box seats at Old Trafford for a Manchester United home game, with an opportunity to meet the players post-match. Unfortunately our initial candidates for this are unable to attend, but someone mentioned your name. I need to respond to our consultant by end of play tomorrow so if this is something you’d be interested in please could you respond with a quick yes, along with confirmation of your personal email and phone number for the travel/accommodation booking.

Kind Regards,
Andy
PR/Outreach Consultant
Regional Marketing Company
Voted #1 marketing company in the region!

Principle 2: Scarcity

The principle of scarcity is simply that as something is made scarce, its value increases. This is perhaps more commonly seen in economics. Those old enough to remember might recall the price of oil spiking in response to the Iraqi invasion of Kuwait in 1990, as the market prepared for a coming shortage of oil. More recently, how often have we been enticed by “end of line sales”, “closing down sale”, or even the “only X left in stock” on Amazon?

Only 6 left in stock!

To some extent we saw this principle in action in example 2 above when we explained that our reps were only going to be in town for that day, and weren’t going to be able to return for at least a month. This creates an element of scarcity because we’re pressuring the target for a decision right now.

Time is precious, and if time is scarce we can sometimes pressure people into taking action. In the first example we emailed our target and made sure he knew that he had to act quickly if he wanted to get paid on time. This introduced an element of time scarcity which pressures the target into taking action (think fake PayPal or eBay emails).

Principle 3: Authority

I used to work as an usher at a theatre and we were trained that in the event of a fire we must direct the hundred or so people in our section to the fire exit. The way to do this was to stand tall, shoulders back and to loudly and clearly instruct the crowd to follow you - in effect, becoming the authority figure in the room.

One of the most famous studies into this topic was carried out by Dr. Stanley Milgram in 1963. During the Nuremberg Trials the defence used was, “I was following orders”. Dr. Milgram wanted to understand whether seemingly ordinary people could be coerced into harming another person simply because an authoritative figure instructed them to. The experiment called for a volunteer to answer a series of questions. If they got an answer wrong they were told that a subject in another room would be electrocuted. Each wrong answer would increase the voltage up to 450 volts. Asking the questions was a person in a white lab coat who, if the volunteer objected to the screams of pain coming from the other room, was instructed to respond with either “The experiment must go on, please continue” or “There is no permanent tissue damage. Please go on”. The study found that 65% of volunteers took the voltage all the way up to 450 volts, simply because an authority figure told them to continue.

This was evidenced in our second example above. We had the implied authority of Sarah, even though she was away. It would have been awkward for Lee to tell his boss why her meeting didn’t go ahead, and we used that pressure to ensure we could get our people on site.

Principle 4: Social Proof

Being the first person to do something can be scary, but being the third, or fourth, or tenth is much more comfortable. You’ve probably seen this video (at every corporate event you’ve ever been to), but in case you haven’t here it is:

Just a guy, dancing in a field.

Once it becomes socially acceptable to get up and dance (somewhere around the fourth or fifth person) you see the crowds start to flock. That cocktail of feelings, of wanting to be a part of something but not wanting to be socially outcast for doing it, fuels many of the decisions people make each day. Taking advantage of this can be an extremely powerful tool so it is important we recognise it.

In the second example scenario we told Lee that Sarah had already given us the go-ahead to have our meeting. In effect, what we’re saying is: “it’s okay, you can trust us because Sarah trusted us”.

Conclusion

I’m hoping that by now you will have started to get a more general understanding of what social engineering is and some of the techniques employed by others to influence us to do things. We’ve all been told to be careful what we post on social media, but hopefully, with some true to life scenarios acting as examples, you will be more attuned to some of the risks of oversharing. If you’re reading this and are thinking that perhaps your business might be at risk, perhaps due to what the business posts online or how your employees communicate with outside parties, I hope that this post might stir you into reading further on the subject to gain an understanding of how to mitigate some of the risks.

If you’ve found any of the content in this post even vaguely interesting I’d recommend listening to any of the Social Engineering episodes from Darknet Diaries, but I’ve selected a few here that I find particularly interesting:

This one features Christopher Hadnagy, whose book I’ve talked about so much in this post.

This episode features some really interesting stories from Jayson Street, including how he once broke into a bank in Beirut.

If you’ve made it this far I just want to say thanks for keeping with me.

Stay safe.

Andrew.