Auditors at TraceSecurity employ social engineering tactics to track down how employees can be tricked by cyber-criminals into releasing sensitive information or getting infected.
While cyber-attackers can probe Websites to find application
flaws and network holes, employees at many financial institutions are just as vulnerable
to social engineering tricks.
Why hack a Website
when all it takes is a phone call to get
into a customer bank account? That is the question Jim Stickley, CTO of
TraceSecurity asks when auditing the security measures in place at banks and
credit unions around the country. The audits focus on both physical thefts as
well as what Stickley called "virtual thefts," where thieves use
emails and phone calls to get the passwords they need to remotely penetrate sensitive
TraceSecurity's auditors employ the mindset of a cyber-criminal
to determine what would be targeted, and what techniques would be used, Stickley
"Most of the time, it's bank accounts," Stickley
The first step is to identify new employees, Stickley said.
Finding out who just started working at the targeted institution, such as a
mid-sized credit union or regional bank, is very easy in this day of social
networking, as all the attacker has to do is search the targeted institution on
Once the attacker has a list of employees with a recent
start date, the next step is to masquerade as a senior manager.
"New employees are gullible. They don't want to annoy
their managers, so they just do what they are told to do," Stickley said,
adding they are less likely to question suspicious incidents when a superior is
Attackers can call the credit union's general number
directly to find out the name of a manager. The trick works best if the
targeted institution is big enough to have multiple branches or offices,
because then the attacker can find out the name and phone number of a manager
in a different branch, Stickley said.
"New employees are less likely to know what that
manager sounds like," Stickley said.
With the phone number and name of the manager in hand, the
attacker calls the employee directly. There are software readily available
online that let people spoof their phone numbers. With software, the attacker
modifies the caller ID information so that the employee, when looking at the
phone display, sees a phone number that matches the pattern the company uses
and thinks it's a legitimate call. Since the employee already thinks the
attacker is actually a remote manager, there is already a sense of trust
present, Stickley said.
The supposed manager can claim that the branch's network is
down; IT is working on the manager's computer; or a myriad of other reasonable
scenarios as to why the manager can't log in to the network and access a
customer account. "Don't make it a big deal, just mention it and move on to
the actual request," Stickley said.
By asking the employee what account login is being used or
reading information to supposedly verify some details, the attacker has
obtained sensitive information to compromise the account. The fake manager can
also convince the employee to change the password to something else "for
security purposes" and then promise to call back after a specified time
interval to change the password back, Stickley said.
"That's 45 minutes for the attacker to do whatever is
necessary," Stickley said. Some attackers may even continue the masquerade
by calling back and saying they were done.
New employees don't want to push back, so it's important for
financial institutions to "empower" them to ask questions and feel
comfortable pushing back right from the start, Stickley said. Employees need to
hear that it's OK to tell managers, "No!" or all the rules go out
the window, he said.
It's one thing to teach employees policies, but better to
teach them what to do when they are asked to violate policy, especially if it's
by a senior executive or the company president. "The policy might be,
'Don't give out private information over the phone,' which is good, but the
reality is, when the manager asks, you don't say no," Stickley said.
Employees need to be told to say they can't do that, and to offer to transfer
the call to a senior manager. Attackers will often hang up at this point, since
the manager might know the person they are pretending to be and expose the
Another common social engineering tactic relies on email.
Many institutions have a corporate directory available on the phone system.
Attackers call the phone number late at night to go through the phone
directory. Many systems have a quirk where if the caller doesn't punch in the
"first three letters of the person's name," it lists all the names
matching whatever was entered.
"So press number '2' and wait a few minutes. The system
will time out and then give you every name that begins with the letters A, B,
and C," Stickley said.
The attacker can get all the names of the employees
relatively fast in this way. The attacker then picks up a free email account
from any email provider and sends the employees a spam message
. Some companies
make this step easy because they publish email addresses online, making it
easy to guess what pattern the company follows, whether it's
firstname.lastname, first initial followed by the last name, or some other
variation, Stickley said. If the attacker can't figure it out, then it's just a
matter of entering every possible combination into the message's BCC field.
While most of the combinations will fail, at least one of
the addresses won't bounce back, Stickley said. With the list of valid email
addresses, the attacker can send out messages with links to malicious Websites,
downloaders or infected attachments to try to compromise at least one user. The
malicious links can claim to be e-cards sent by a "secret admirer,"
or messages from industry regulators or professional organizations, Stickley
Another method is to pretend to be another employee sending
an internal email. It's easy to create domain names that look similar to the
legitimate name, such as replacing the o in .com with a 0 to create .C0M, or
dropping an "i" in the company name. At first glance, people will not notice the
slightly different domain, Stickley said.
Financial institutions need to restrict Internet usage by
employees, Stickley said. Most employees generally need to access a handful of
sites, and don't need to be able to go to so many places on the Web during the
course of their workday, he said.
"Lock down the sites and 90 percent of the risks go
away," Stickley said. When users can't go anywhere other than approved
sites, the only threat with this kind of social engineering attack is the
malicious attachment, and most organizations are "smart enough to strip
out the malicious payload," said Stickley.
Most organizations can afford to do two networks and tell
users that if they want to access the general Web, they should use the system
dedicated for Web surfing, Stickley said. The Web surfing machines should not
have any access to internal systems or sensitive data. It's similar to how the
intelligence and defense industries have a classified and unclassified network,
"The risk is too great that you can't just let users go
anywhere they want," Stickley said.