David Kennedy, a security consultant and former National Security Agency analyst, said he is amazed at the effectiveness of the techniques.
“I have done hundreds of these, and I have never been stopped,” said Kennedy, who teaches social engineering to other security specialists. “It sounds horrible, but it works every single time.”
The human factor
Social engineering works because it targets a vulnerable part of cyberspace that cannot be patched with technical fixes: human beings. People want to believe that their communication is safe.
“Because it goes at the human level, not at the technological level, we’re all vulnerable,” said Joseph Nye Jr., a distinguished service professor at Harvard University who is on the board of advisers to the Chertoff Group. Nye said he has received at least six spear-phishing e-mails purporting to be from the Chertoff Group. He said he deleted them all, but he added, “Every once in awhile, one of these will get by you.”
The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try. Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.
“This is the next evolution of social engineering, where victims are researched in advance and specifically targeted,” said a recent Internet threat report by Symantec, a computer security firm. “The very nature of social networks makes users feel that they are amongst friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims.”
At the same time, technology is transforming social engineering. One online data-mining service favored by hackers — as well as by security researchers and law enforcement — works much like a laser-focused Google. The automated system, called Maltego, enables users to quickly bring together and analyze disparate details about people from all corners of cyberspace, showing an individual’s links to friends, family, work associates and personal interests.
“None of these steps are particularly difficult to code or do by hand. But doing it by hand is painful,” said Roelof Temmingh, founder and managing director of Paterva, the small South African company that sells the service. “Maltego can do all of this in a flash.”