1. Social Engineering and What To Do About It
Aleksandr Yampolskiy, Ph.D.
Director of Security and Compliance, Gilt Groupe
2. Our Approach to Security
• Security decisions are based on risk, not just threats and vulnerabilities.
• The roadmap aims to mitigate top risks.
• Heavily based on policy and user education.
• “Onion security” – multiple protections at each layer.
• Achieve “essential”, then worry about “excellent”.
• Be a “how team” instead of a “no team”.
5. Social Engineering
Types of social engineering:
– In person
– Phone
– Email
– Websites
– …the list doesn’t end there…
6. What is Social Engineering?
• It’s an old-fashioned manipulation of people.
• The goal is to obtain sensitive information about a company (passwords, financials, customer info, etc.).
• Organizations are too focused on technological security controls, but often the weakest link is people!
Gartner 2002
7. What is Social Engineering? (cont.)
Social engineering is not as glamorous as it sounds and requires lots of groundwork:
1. Information gathering
2. Idle chit-chat
3. Assuming different personas
4. Getting what you want
It can be very easy or very hard, and it yields the largest rewards.
Gartner 2002
8. Types of Social Engineering Attacks
Four categories of attacks:
1. Direct request
– Usually the least likely to succeed
2. Contrived situation
– Additional factors the victim must consider
3. Walking the walk, talking the talk
– Service person, employee, carrying a clipboard
4. Personal persuasion
– Make the victim believe she is in control
9. Building Blocks
• Bold impersonation
– Impersonate another employee.
• Learn the lingo
– Sound like an employee, using company jargon and dropping the names of other employees.
• Fragmentation
– Gather info one piece at a time across multiple conversations.
• Avoid detection
– Use different callers.
10. Cialdini’s Six Principles of Influence
Social engineering’s goal is to influence the victim into revealing sensitive information!
11. Cialdini’s Six Principles of Influence
Six elements of influence in social engineering:
1. Authority = “Wearing a uniform, …”; “People are highly responsive, without question, to those with authority”.
2. Scarcity = “Sense of urgency”
3. Similarity = “People are comfortable with those similar to themselves”; “Same problems at work, same interests, political frustrations, etc.”
4. Reciprocation = “Something for something”; “But you agreed!”
5. Commitment = “What people do today they will likely do tomorrow”
6. Social proof = “He knows William’s cell, so he must be important”
12. Reverse Social Engineering
The social engineer tricks you into asking him for help.
• Sabotage
– Create a paper jam on a printer.
• Advertising
– Leave a business card advertising the attacker’s services to fix PCs.
• Assisting
– The attacker assists the victim with the solution.
13. Real Example. Names have been changed.
From: Alan Davis <alan@acrne.com>
To: Cheryl Hines <cheryl.hines@example.com>

Cheryl,
I just called Bob on his cell phone to ask if he could send me a copy of the press release that is to go out later today. He was picking up his daughter Jennifer from school and he asked me to reach out to you. Can you please send me a copy right away? It’s a little urgent, as you can imagine.

• Bob was enjoying his lunch with coworkers in a Thai place next to the office.
• He casually mentioned that today a press release for Acme will be issued, and that he’ll be taking off early to pick up his daughter Jen from school.
• At 2:15 pm, his secretary Cheryl received an email followed up by a frantic call from Alan. Since Bob was away, she promptly sent him the release.
15. Yet another example.
• Yes, hi – Gilt Customer Support?
• This is Aleksandr Yampolskiy. I am on vacation in the Dominican Republic and I can’t log in to the Gilt site. Could you reset my password?
• Sure, my email is ayampolskiy@gilt.com and my address is 135 East 50th Street, NY, NY.
• Thank you so much!
16. Customer Support
• All people are naturally helpful, and especially Customer Support… since their job is to help!
• They are generally not trained to question the validity of each call.
• That makes them prime targets for social engineering.
17. Customer Identification
• You must have at least 1.5 points to verify the identity of a customer if they have previously placed an order.
• You must have at least 1 point if no orders were placed.
• Do not provide information unrelated to the user’s account (users calling regarding the spending habits of children, spouse, etc. cannot be discussed).
• Password resets can be requested over the phone, but first verify the identity, then send the password by e-mail.
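How the point-based verification policy above plays out against the phone call on slide 15, as an added example that is not part of the deck: the two thresholds come from the slide, while the per-attribute point values and the off-limits topics are assumptions chosen for illustration.

```python
# Added example, not from the slides: scores a support call against the
# point-based Customer Identification policy on this slide. The thresholds
# (1.5 points with prior orders, 1 point without) come from the slide; the
# per-attribute point values and the off-limits topics are assumptions.
from dataclasses import dataclass, field
from typing import Set

# Assumed weights: facts printed on a shipping label or easily learned in
# conversation count less than facts only the account holder should know.
POINTS = {
    "email": 0.5,
    "shipping_address": 0.5,
    "phone_on_file": 0.5,
    "last_order_number": 1.0,
    "card_last4": 1.0,
}

# Requests the slide says are never discussed, whatever the score.
UNRELATED_TOPICS = {"spending of spouse", "spending of children"}

@dataclass
class CallerVerification:
    has_prior_orders: bool
    confirmed: Set[str] = field(default_factory=set)  # attributes the caller got right

    def score(self) -> float:
        return sum(POINTS.get(a, 0.0) for a in self.confirmed)

    def threshold(self) -> float:
        return 1.5 if self.has_prior_orders else 1.0

    def is_verified(self) -> bool:
        return self.score() >= self.threshold()

def handle_request(v: CallerVerification, request: str) -> str:
    """Decide what the agent may do for this caller and request."""
    if request in UNRELATED_TOPICS:
        return "refuse: unrelated to the caller's own account"
    if not v.is_verified():
        return f"refuse: {v.score():.1f} of {v.threshold():.1f} points"
    if request == "password_reset":
        # Verified callers still get the reset by e-mail, never read out.
        return "send reset by e-mail"
    return "proceed"

if __name__ == "__main__":
    # The call on slide 15: the caller offers only an e-mail and an address.
    caller = CallerVerification(True, {"email", "shipping_address"})
    print(handle_request(caller, "password_reset"))  # refuse: 1.0 of 1.5 points
```

Under these weights the slide-15 caller clears the bar only for an account with no order history; one more account-specific fact would be needed otherwise.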
18. Defenses
• Recognize when the situation comes.
• Don’t be afraid to say “NO!”
• Incident response policy.
19. Social Engineering by Email
• Spear phishing. Targeted email which appears to be coming from your colleague or a friend.
• Nigerian scam, aka 419 scam. Forward money in hopes of financial gain.
• PDF, JPEG, EXE attachments with greeting cards, images, documents.
Lovebug virus
23. Stay Safe - Phishing
Some advice to stay safe:
1. Don’t assume that an email is legit even if you get it from a colleague or a friend.
2. Companies like PayPal always address their customers by their username in emails, so if an email addresses a user in a generic fashion (“Dear PayPal customer”) it is likely to be an attempt at phishing.
3. Be cautious about posting your e-mail address on public web sites.
4. Disguise your e-mail address when you post it to a newsgroup, chat room or bulletin board.
5. Use multiple e-mail addresses for different purposes, e.g. one to correspond with friends and colleagues and another for public forums.
6. Do not reply to spam.
7. If you have a website or blog, use an encoded e-mail address on the site.
8. Use your common judgment or ask security@
25. Malware has many shapes and forms
Many of these viruses spread through social sites (a user is 10x more likely to open them there than via email).
26. Fake Youtube videos
A concrete example: Erin Andrews is an ESPN sportscaster who was secretly videotaped through a hotel peephole in July 09. Shortly thereafter, a site video.report-cnn.com hosting the tape appeared.
The fake video page read: “LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below.”
27. Social Engineering
• Spear Phishing – a highly targeted phishing attack
• Disguised as a legitimate communication
• Giltcorp.com is not owned or operated by Gilt
29. Preventing social engineering on the web
• Incident response policy, outlining the steps to take if a phishing website resembling Gilt is detected.
• Buy similar-sounding domains.
• Block these sites at firewall level.
• Education. Test whether your users fall for it!