Social Engineering on the Internet

Social Engineering on the Internet: Protecting Yourself from Con Games in Cyberspace

Jon Miyake
Acceptable Use Policy Officer
miyake@uoregon.edu

The purpose of this article is to help you understand what social engineering is and how it relates to the Internet--and to encourage you to think twice before opening that attachment, filling out that web form, or replying to that email.

1. "There's a sucker born every minute."

- David Hannum (often erroneously attributed to P. T. Barnum

Social engineering is the creative mixing of truth, half-truths, or lies in order to extract information from you or encourage you to take a particular action. It happens every minute of every day in a variety of ways.

Social engineering skill is often colloquially referred to as good advertising, spin doctoring, or "hacking the wetware." Successful social engineering ploys do everything from luring you into divulging your credit card number over the phone, cajoling your boss into giving you a raise, or persuading you to buy a particular product or service. When social engineering is practiced with malicious intent, it's referred to as scamming or pulling a mark, and in the worst cases it is a federal offense.

Social engineering on the Internet. Malicious social engineering is false advertising. By combining false advertising with the selective use of known software flaws, it's easy to convince one person in fifty that something false is likely to be true--or is at least close enough to the truth to be worth the risk.

The Internet attracts many individuals to the dark side of spin doctoring because they can easily target a wider audience, get faster responses, and stay well out of reach of their irate victims. But even more alluring is the fact that the anonymity of the Internet allows an individual, no matter their creed, accent, hair color, or height, to become anyone they want to be. . .

2. "On the Internet, nobody knows you're a dog"

- Cartoon in the New Yorker

In cyberspace, nobody knows who you are or what you look like unless they've met you in person. You are represented only by your username and email address, and often your sole communication with a particular individual is via email.

Email is an increasingly important component in business and personal life. As a result, it's more common to think of a person by username rather than by first or last name. As your brain unconsciously creates these connections, the more likely it is that you're going to treat a message that purportedly comes from a person you know just as you would if it were handed to you in person. Unfortunately, the "From:" field in an email message is easily forged. This brings us to the third adage…

3. "Pay no attention to that man behind the curtain!"

- Wizard of Oz

Unless you're a sophisticated "uber user" (super user) or support professional, most underpinnings of your Internet service are invisible to you. Many network programs, email clients, and web browsers create beautiful façades that hide much of the data that can be used to determine their source and authenticity. In some cases, it's not so much the program's features that scammers and virus authors use to deceive you, but its flaws.

For example, suppose an uber user and an average user both receive an HTML (web-formatted) email message stating that their credit card company has had trouble sending paper billing. The email asks them to follow a link to an online form that will allow them to update their billing information. Each user reacts differently:

Average user's approach:

Reads the message

Looks at the sender's address

Clicks on the link provided and sees a professional website running a secure (SSL) web server that belongs to the user's well-known credit card company

Uber user's approach:

Reads the email carefully, looking for grammar and spelling errors

Looks at the message's full headers to determine its source

Copies the link into a web browser to view, and sees a professional website hosted in China that uses plain text as the SSL encryption method for an insecure webserver that definitely does not belong to the user's well known credit card company!

How do uber users see through the illusion?

They use email and web browsing software that has a known track record.

They don't click on links provided in an email message.

If they're in doubt about the source of a message or attachment that purports to be from someone they know, they confirm its authenticity by phoning the sender.

For a real-life example of a recent spoofing incident of this sort, see "Bogus Banking Email Allows Trojan Infection for Outlook Users" at http://www.auscert.org.au/3981

4. “There ain't no such thing as a free lunch”

- Robert Heinlein

If it sounds too good to be true, it probably is! Think critically before acting.

Viruses that Rely on Social Engineering

Many of the new viruses that are being seen both on campus and in the wild rely on social engineering to infect your computer. Although their viral payload can be assisted by features in such clients as Outlook or Internet Explorer, these viruses still rely on the user to help them propagate.

The W32.Beagle virus is a great example of a virus that depends on social engineering. The viral payload appears in the form of a file attached to an email message which purports to come from an administrative source. The message warns of a problem with your Internet or email service, and urges you to run the infected attachment in order to rectify the problem. Here are three sample Beagle virus messages with misspellings preserved:

"Our main mailing server will be temporary unavailable for next two days, To continue receiving mail in these days you have to configure our free auto-forwarding service."
"Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software."
"We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions or your account will be disabled."

Ironically, Beagle's diabolical virus-generated warning is actually prophetic. If you run the attachment, your email account or Internet connection will be disabled--not directly through the actions of the virus, but because your computer will begin spewing virus-laden email, prompting disconnection by the Computing Center's network security group! To prevent viruses from propagating, UO network security staff routinely disable an infected machine's network access. During periods of high viral outbreak, restoring your network access may take the better part of a day.

Note that Computing Center support staff usually do not send attachments unless requested. Even then, the email message will most likely be cryptographically signed to bolster authenticity (for an introduction to PGP cryptography, see http://www.pgpi.org/doc/pgpintro/ ).

Hoaxes that Rely on Social Engineering

A common hoax that rotates in and out of circulation is the jbdbgmgr.exe or “teddybear” file hoax.

This hoax is propagated via email when one concerned colleague or friend forwards it another. The email explains that a trusted friend sent them a message warning them about an undetectable virus on their computer, an executable (.exe) file buried within their system files in the form of a teddybear icon. And indeed, when they checked their system folder, they found the infected file exactly as foretold.

In reality, the teddybear icon was the unfortunate choice of some developer. The file jbalbalh.exe is actually a java debugger that poses no real threat to your system, and deleting this file will not harm your computer.

Using Social Engineering to Go 'Phishing'

"Phishing" is the act of using Internet media, such as email and websites, to elicit sensitive information.

This is typically done by "spoofing" (emulating email or website formatting to masquerade as a well known entity, such as AOL, eBay, PayPal, Visa, and so on). In addition to their slick appearance, malicious websites or emails may take advantage of flaws in certain applications (e.g., Microsoft Outlook, Internet Explorer) to enhance their authenticity.

Nigerian 419 Scams: In some cases, such as the never-ending Nigerian 419 scams, greed is used as a motivator. As these scams have been circulating for the past 20 years, you are probably already familiar with emails that begin with entreaties such as, "Dear honored sir, I am the son of the late dictator and I need someone to hold onto my money for me ..." The message goes on to request your personal banking information, promising a big reward in return.

Other common phishing ploys: Immediately become suspicious if you receive email messages such as:

"Your account is about to expire please go to this website to re-enter your account and credit card information."
"We were informed that your card is used by another person or stolen. It could happen if you have been shopping on-line, and someone got your 'billing information' including your card number. To avoid and prevent any billing mistakes and to refund your credit card, it is strongly recommended to proceed filling in the secure form on our site and applying for our Zero Liability program. This program is free and it will help us to investigate this accident."

Conclusion

Don't trust a message or an attachment just because it appears to be from a familiar source. Don't be too quick to fill out a form on a website, especially if it asks for sensitive personal information that could be used in ID theft.

Forewarned is forearmed. Being aware of the ways in which social engineering is used to perpetrate Internet scams can help you avoid becoming a victim.

Spring 2004 Computing News | Computing Center Home Page