Social Engineers Show Off Their Tricks

Published: 23/11/2024   Category: security




Experts in deception shared tricks of the trade and showed their skills at Black Hat and DEF CON 2018.



It's not every day you hear or see social engineers in action – knowingly, anyway – but that's exactly what the crowd did at Black Hat and DEF CON 2018, held last week in Las Vegas.
Traditional methods of social engineering and phishing are mostly well understood and remain successful, explained Matt Wixey, technical research leader for PwC's UK cybersecurity practice. Still, attackers are finding new and more advanced ways to manipulate their victims.
Wixey detailed these efforts in a Black Hat presentation on Remote Online Social Engineering (ROSE), his name for long-term campaigns in which actors use false personae and highly detailed reconnaissance to compromise target networks. By building a relationship with their targets, attackers can persuade employees to send data and assist in corporate hacking.
Why go to the trouble of a long-term social engineering campaign when simple phishing attacks are already effective?
A big reason would be to bypass technical controls, and to bypass the effects of user education and awareness, Wixey explained. Social engineers want to do more than slip past firewalls. They must also get under a human's threshold for which behavior is suspicious and which isn't.
Because an attack is designed to target a specific individual, it can be designed specifically to bypass that person's filters, he continued. We all have different standards for what constitutes phishy behavior, and those standards vary with personality, upbringing, and other factors.
Getting to Know the Victim
A ROSE attack starts with an in-depth analysis of the target: their online activity, how they communicate, their responses to good and bad news, their linguistic style, and their motivations for taking particular actions. The attacker learns where the target went to school, where they previously worked and which roles they held, their interests and hobbies, and the names of family members and friends.
The attacker uses this information to craft a profile before reaching out to the target. The fake profile may include similar interests, a shared educational background, or another trait that opens a conversation. The profile photo may not be stolen outright; it may instead be altered, or sourced from behind a paywall on a private site, to conceal the attacker's identity, he said.
They may keep up this charade for a while to build credibility, and over time they may automatically post content and/or alter the fake profile to reflect changes in employment, interests, style, and politics. When working toward direct contact, the attacker may like content from the target's friends, or content related to the target's interests, to make themselves known.
Finally, they go in for the hook. An attacker can ping the victim with a request for help or a proposal for a business relationship. All the while, they'll use the earlier research to inform the conversation and pursue more frequent contact to build rapport and trust.
Social engineers rely on several techniques to make their interactions more believable, said Wixey. Lies often include more negative emotions and fewer sensory details. Liars often stick to cognitive details and keep things simple so there are fewer details to recall later.
Liars may also ask more questions, perhaps in an attempt to shift the focus from themselves onto the person they're trying to deceive, Wixey added.
Dial-in Deception: Capture the Flag 2018
In his presentation, Wixey referenced a study stating that people lie in 14% of emails, 27% of face-to-face interactions, and 37% of phone calls. We saw that final statistic play out live during DEF CON's Social Engineering Capture the Flag competition, in which competitors call corporate targets and use social engineering tactics to get their employees to give up specific pieces of data (the flags).
Participants are assigned target organizations a few weeks before DEF CON and prepare by collecting open-source intelligence on the company, its employees, and other characteristics. They then draw up a game plan: who their fake persona is, why they're calling, and which social engineering techniques they might use to persuade the target to hand over information.
This year's winner, Whitney Maxwell, directly called employees at service centers for the company she was assigned to target. She was doing an audit, she explained, and just needed answers to a couple of questions. By using techniques to establish legitimacy with the employee – claiming they shared the same name, for example – she extracted key data.
One conversation yielded the company's version of Windows (XP), whether the site used wireless Internet, its building security, the types of computers and desk phones in use, and whether staff used Outlook and Adobe. She confirmed the center's location and, in one instance, convinced an employee to type a bit.ly URL into the browser.
If you can do that over the phone, you can compromise a whole network, said Chris Hadnagy, president and CEO of Social-Engineer, Inc. and organizer of the DEF CON event.
Challenges in Defense
Much of the time it's difficult to tell when the person on the other end of a phone call, email, or social media message is malicious. Wixey pointed to a few techniques businesses and individuals can use to stay safe as cybercriminals get stealthier.
To keep track of how much information about you is available online, he advises setting a Google alert for your full name so you are notified when it appears in new search results. Run reverse image searches on the profile photos of new contact requests, and research the people who want to join your network. If you're unsure about someone, check their account for early auto-posting and for inconsistencies in its history.
If a stranger pings you with a question or a collaboration opportunity, second-guess their motives. Why might they ask you to do this, and how might they benefit? If they contacted your corporate email address, how did they find it? Do they avoid face-to-face or video interaction?
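Two of the checks above, written out as an added example in Python (this is not code from the talk or the article): a regularity test on an account's earliest post timestamps, to catch the scheduled auto-posting a fake persona is warmed up with, and a cross-check of the persona's own dates. The sample timestamps, the profile dictionary layout and the 0.05 regularity cutoff are constructed assumptions, not data from any platform.

```python
"""Heuristics for vetting an unsolicited contact request.

Added example; the thresholds, the profile layout and the sample data
below are constructed assumptions, not any platform's API or real accounts.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: first posts of a persona primed by a scheduling tool,
# one post every day at exactly 09:00.
AUTOMATED_POSTS = [f"2018-06-{d:02d}T09:00:00" for d in range(1, 8)]

# Constructed sample: bursty, irregular timestamps as a human would produce.
HUMAN_POSTS = [
    "2018-06-01T08:12:00", "2018-06-01T21:45:00", "2018-06-03T12:03:00",
    "2018-06-07T17:30:00", "2018-06-08T09:05:00",
]

# Constructed sample profile with three deliberate inconsistencies.
SAMPLE_PROFILE = {
    "account_created": "2018-05-20",
    "first_post": "2018-05-01",          # posted before the account existed
    "jobs": [
        {"company": "ExampleCorp", "start_year": 2012, "end_year": 2016},
        {"company": "ExampleCo",   "start_year": 2014, "end_year": 2018},  # overlaps 2014-2016
        {"company": "Example Ltd", "start_year": 2019, "end_year": 2017},  # ends before it starts
    ],
}


def interval_cv(stamps, first_n=10):
    """Coefficient of variation (stdev / mean) of the gaps between the first
    `first_n` posts.  Scheduled posting yields near-identical gaps, so the
    value approaches 0; human activity is bursty and scores far higher.
    Returns None when there are too few posts to judge."""
    times = sorted(datetime.fromisoformat(s) for s in stamps)[:first_n]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def looks_auto_posted(stamps, cv_threshold=0.05):
    """True when the early posting history is machine-regular.  The 0.05
    cutoff is an assumed starting point; tune it against known-good accounts."""
    cv = interval_cv(stamps)
    return cv is not None and cv < cv_threshold


def timeline_problems(profile):
    """Cross-check the persona's own dates and return a list of findings.
    `profile` uses the constructed layout of SAMPLE_PROFILE above."""
    problems = []
    created, first = profile.get("account_created"), profile.get("first_post")
    if created and first and datetime.fromisoformat(first) < datetime.fromisoformat(created):
        problems.append(f"first post {first} predates account creation {created}")

    valid = []
    for job in profile.get("jobs", []):
        if job["end_year"] < job["start_year"]:
            problems.append(f"{job['company']}: ends {job['end_year']} before it starts {job['start_year']}")
        else:
            valid.append(job)

    # Two full-time roles overlapping by more than a year is worth a question
    # (the one-year tolerance is an assumption covering ordinary job changes).
    for i, a in enumerate(valid):
        for b in valid[i + 1:]:
            overlap = min(a["end_year"], b["end_year"]) - max(a["start_year"], b["start_year"])
            if overlap > 1:
                problems.append(f"{a['company']} and {b['company']} overlap by {overlap} years")
    return problems


if __name__ == "__main__":
    print("automated sample flagged:", looks_auto_posted(AUTOMATED_POSTS))
    print("human sample flagged:", looks_auto_posted(HUMAN_POSTS))
    for finding in timeline_problems(SAMPLE_PROFILE):
        print("-", finding)
```

The regularity test only looks at the account's earliest posts on purpose: once the persona is in use the attacker is posting by hand, and it is the unattended warm-up phase that leaves the machine-like rhythm. Treat either check as a prompt to look harder, not as proof of a fake.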
We lie all the time, said Wixey. Everyone lies to each other, all day, every day. The challenge for businesses is determining where the malicious intent is.
Related Content:
NSA Brings Nation-State Details to DEF CON
6 Eye-Raising Third-Party Breaches
AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models
Weakness in WhatsApp Enables Large-Scale Social Engineering

