I have a love/hate affair with the term ‘Social Engineer.’ To me, this is the most professional and committed ‘job’ I have ever had. It has required training and endless education, and it has changed my life in nearly every aspect. But for some, the term is used for when a free warranty deal is obtained or a loved one is tricked into exposing a secret. Take a look at the reddit.com/r/socialengineering pages to see examples of this. The term in itself has become tired; it lacks aim and enthusiasm, and when it does, it is often combined with uneducated pseudo mind control, personal interpretations of NLP and stories more appropriate for a Darren Brown show. So, maybe it’s time to take it back to basics and relate this very real world threat into something we understand – something that is out there scratching away at us all, every single day. People familiar with my previous work may have seen an article about ‘Sakawa,’ where I tried to reveal the human element behind the scam emails originating from the west coast of Africa in the attempt that we can better understand them and their motives – or even deter them with this knowledge. Very much the same today, I think it’s time we look at the typical British fraudster. They are certainly closer to home, and we may have more of an insight into their world, or so you would think... Britain is home to some of the world's most notorious fraudsters, conmen and blaggards. A long-standing underground fraud network serves every level, ability and appetite for people wishing to be someone they are not for financial gain. We learn the most about these people by avoiding the tabloid headlines of big data breaches and scare tactics, and head into your local town and grab a paper.
“To be of any use for security protection you have to think like a ‘real social engineer,’ you need to understand the brazen dedication these people have to being rogue— forget some American retail giant and look closer to home."
Let’s look at being someone you are not 'in the wild.' For me, at work, I simply print a realistic photo ID card and dress accordingly for the pretext I am working with that day—a suit for a businessman, jeans and a t-shirt for a casual workplace, a teller's uniform for a bank. I have fake business cards and usually a fake letter to enforce this pretext, but the biggest thing I have with me on the day is the knowledge that if I get caught, I won’t have ten years behind bars contemplating the job. In the wild, we can learn a lot about the levels of preparation that are put forward for a big job. They won’t just order new uniforms from eBay and stroll in; they will make sure they look used and authentic. They wouldn't leave proving their identity to chance and counterfeit passports and photo ID would be obtained prior to the job. Planning for such an event 'in the wild' would leave nothing out of scope and nothing to chance. Staff would be followed home, petty theft prior to the event would obtain further information (think domestic burglary to obtain a laptop), and chuck in the sheer desire for wealth and to succeed, and you have a very malicious attack. Now isn’t the time to get scared or resort to morals because when you think like this, you have the personality that would empty the banks of a charity or take an elderly woman's life savings. It’s hard to forget whilst sitting in our comfy offices, swinging on our office chair the sheer savagery and evil that exists in this world. Throughout the industry, you do come across little gems of creativity that shine through, such as that which is found here. What I found amazing about this is the ingenuity and level of skill we are defending against. It is well documented. Already in prison for serious financial fraud, Neil Moore escapes using the social engineering skills we preach about to information security professionals every day. Some are complacent, as they have ample security measures in place already, but few look to see the details in this story. The prison is the pinnacle of security. It has all the security we can muster, yet the techniques and principles of social engineering do not care for it. We work alongside existing security principles, exploiting as we go; adapting transactions for own favour and reward, step by tiny step working towards our goal. We need to understand this mindset to realise how these people would exploit your organisation. Fraud and cons are evolving in the UK. No longer are they paper-based events in some dodgy London pub; they are amalgamating with technology and advancing at an alarming rate. Spurred on by laughable conviction statistics, the criminals are winning nearly every step of the way. The way organisations handle social engineering has to be adapted and bought into the mainstream security testing practice of every business. Criminals are done with the days of obtaining credit cards – they are £5 each and not worth the hassle. Attackers are moving towards your business and looking at your balance sheets with mouth-watering appetites. Only a fool would think they are secure and that an internal team of security practitioners could possibly cover every last attack vector. It’s time to look at the underground ways of Britain and shine some light on them – this is the only way we are going to get wise about it all and stamp it out. Britain loves a good social engineering film, like ‘Dirty Rotten Scoundrels’ or ‘Catch Me If You Can’ from across the pond. But surprisingly, few businesses relate these blockbuster films with day-to-day life and that is worrying, although hardly surprising. Many companies have benefited from our advice already – information from our reports has improved profits, social media presence, business communication efficiency, trust with investors, staff safety and of course, security. So, please remember social engineers aren’t a rare thing. It’s time you considered the impact they could have against you.
About the Author: Richard De Vere, who is the Principal Consultant for the AntiSocial Engineer Ltd., has an extensive background in penetration testing and social engineering, including ‘red team’ exercises and information gathering assessments. Qualifications include CISMP and CompTIA Security+. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.