Before giving out information to someone, determine whether the person who is calling or interacting with you deserves it. Humans have a built-in desire to help those whom we perceive to need it, and it is a major way a social engineer manipulates a target into handing over valuable information. Analyzing the person with whom you are interacting and determining whether she deserves the information she is asking for can save you the embarrassment and damage of falling victim.
For example, in the social engineering contest at Defcon one contestant had a pretext that he was a customer of a major antivirus company. He called in with a serious problem—his computer couldn’t get online and he felt it was due to something the antivirus was doing—and wanted the technical support representative to do one simple thing: browse to a website.
Malicious SEs often use this attack vector. By driving a victim to a website embedded with malicious code or malicious files they can gain access to a target’s computer and network. In the case of the contest, the website was not malicious at all, but the exercise showed that if this had been a malicious attack it would have been successful.
The first attempt was laid out like this by the contestant: “I cannot browse to my website and I think your product is blocking me. Can you check by going to this site so I know for sure whether it is your software or not?”
The technical support representative answered well by saying, “Sir, our product would not block you from going to that site; it wouldn’t matter if I can go there or not.” He declined the request.
The contestant did not give up there; after talking a bit more he tried again: “I know you said your product would not block the site, but it worked until I installed your software, so can you please check for me?”
Again his request was declined: “Sir, I am sorry for that inconvenience, but again our product would not block you and my going to the site will not help you fix the problem.”
It seemed as if the request was going to be rejected for good when the contestant tried one last-ditch effort and said, “Sir, it would make me feel better if you would just try going to this site for me. Please, can you help me out?”
This simple request put our technical support rep over the edge; he opened his browser and went right to the site. He had the right idea, and he even had the right security awareness answer, but in the end he wanted his “customer” to “feel better” and honored his request. Had this been a malicious attack, it could have led that company into a major pitfall.
The technical support representative knew that this information was not relevant to that particular call. Like him, you must be determined to analyze whether the information being asked for is deserved by, and relevant to, the person with whom you are interacting. Approaching this scenario from the other angle, what if the contestant were a legitimate customer and the rep had declined to go to that website—what is the worst that could have happened?
The customer might have been a little upset at having his request declined, but it still would not have changed the outcome. The product he had was not the cause of his woes.
A social engineer often uses charm to start a conversation about the weather, work, the product, anything at all, and uses it to reveal the information sought. This is where a good security awareness policy comes into play—educating your employees about what tactics might be used against them can save them from acting out of fear.
In one audit the pretext I used was being the assistant to the CFO. The call center employees had a fear of losing their jobs for rejecting requests from such high-level management. Why? They are not given the proper education to know that rejecting that request would not cost them their jobs. At the same time, protocols should be in place for the employee to know when a request for information is proper.
I mentioned earlier that creating an atmosphere that makes information seem less valuable is also a tactic used by social engineers to get people to freely divulge this “unimportant” information.