The human factor is the weakest link in the security chain – this statement has been said and written so many times that it is starting to become a cliché. Even so, that doesn’t make it any less true.
It’s easy for security professionals to assert that they would never fall for this or that scheme – even though a moment of distraction can make a fool of anyone – but it’s sometimes difficult for them to get into the mind of the common user and search for the reason behind this amazing “flaw” in the human psyche that makes us inherently trust other people.
Mike Bailey and Mike Murray are security penetration testers at Mad Security, a company that, alongside various technology-oriented tests, also offers social engineering testing. They say that even though they carry out plenty of attacks that exploit vulnerabilities in technology, it is usually easier to resort to social engineering techniques to get “inside”.
According to The Register, Bailey says that he has never had to employ complex schemes during a testing engagement – all it takes is sending a cleverly crafted email with a malicious link, and the employees simply open the door for him. It is usually an email telling them that their passwords are being tested for strength, and that they should follow the link and input their passwords for testing. What’s really shocking is that this approach works in nearly 50 percent of the cases!
In their talk, the researchers presented a string of the most common social engineering schemes and went through the psychological tricks that make them successful:
- Creating a sense of urgency
- Creating a bond with the victim
- Creating a situation that will throw the victim off guard and suspend his or her critical faculties.
This last trick was used by Bailey and two others to win a $10,000 prize promised by StrongWebMail CEO Darren Berkovitz to anyone who succeeded in breaking into his email account: using an XSS vulnerability that could be exploited only if the victim clicked on the malicious link while logged into the account, they tricked Berkovitz into clicking on the link by sending him an email with the subject “We think we’ve already won this contest” and offering a link that supposedly explained how.
The point they were trying to make is that there is always something that will make even the most security-aware individual slip – the challenge is to figure out what that is.