A New Spin on a Classic Type of Social Engineering Attack

Social engineering refers to manipulative tactics used by cybercriminals to gain access to a system. Manipulating people that have legitimate access to a system is sometimes easier than breaking in using more traditional hacking techniques.

Although social engineering attacks have been proven to work, organizations are increasingly taking measures to guard against them.

One of the oldest, yet most effective, types of social engineering attack involves a phone call. The attacker calls up an organization’s helpdesk, pretends to an employee, and requests a password reset. If the helpdesk technician complies, they essentially give the attacker a set of credentials they can use to access to the network.

This particular scam has gone on for so long that organizations have adapted with a variety of countermeasures. For example, an organization may require users complete multifactor authentication after requesting a password reset. I have also heard of organizations adopting a policy that requires all password-reset requests go through a manager. Other organizations have implemented technologies that prevent the helpdesk from resetting a password until verifying the requester’s identity.

A Different Kind of Social Engineering Attack

With organizations increasingly wary of suspicious password-reset requests, cybercriminals have resorted to other means of gaining access. One technique is for a cybercriminal to call the organization’s helpdesk and ask for a completely different kind of help than might be expected.

Related:How to Gain Insight into Failed Login Attempts on Windows

If a cybercriminal phones an organization’s helpdesk and requests a password reset, there will hopefully be security measures in place that prevent the reset from happening. But imagine if rather than asking for a password reset, the cybercriminal asks for a bit of guidance instead. The seemingly innocent request might be something along the lines of, “I’m trying to change my password, but the system isn’t wanting to take the new password that I’m trying to put in. What am I doing wrong?”

From the criminal’s perspective, the question would aim to get the helpdesk technician to let their guard down. At that point, there are a couple of things that might happen.

One possibility, which represents the best case for the criminal, is that the technician will feel sorry for the “user.” The technician will go ahead and perform a password reset on the user’s behalf. Even though the criminal hasn’t explicitly asked for a password reset, the technician may feel they are being helpful.

The more likely outcome is that the technician will spout off a list of password requirements. For example, they might tell the criminal the passwords need to be at least 12 characters long and contain a number. At that point, the criminal might even follow up by asking additional questions, such as whether a password requires a mixture of uppercase and lowercase letters or special symbols.

So, what does a cybercriminal really gain by learning an organization’s password requirements? Countless articles have been written that describe the merits of using lengthy passwords. Long passwords tend to be a lot more difficult to crack, simply because of the amount of time a brute force attack would take. However, a cybercriminal who may have no other option than to use brute force cracking techniques can greatly reduce the effort if they know the organization’s password policies.

Suppose that a cybercriminal learns that an organization requires passwords to be at least eight characters in length and contain a mixture of uppercase and lowercase letters and at least one number. The attacker knows that it isn’t worth their time trying to crack password combinations that are under eight characters in length.

There is a mathematical formula for calculating the number of possible password combinations: Possible Combinations = Number of characters^{Password Length}. For example, if an organization uses four-digit numerical PINs, then the number of possible combinations would be 256 (4 characters^{4 digits}, or 4⁴).

If you consider that there are 52 letters (counting uppercase and lowercase), 32 special characters, and 10 numbers, then the number of possible characters is 94. To find the number of possible password combinations for an eight-character password, you would take 94 to the 8^th power, which would give you roughly six quadrillion password combinations!

But suppose that the attacker knows that the organization requires passwords to be eight characters and doesn’t require special characters. While some users might use longer or more complex passwords, most won’t. As such, the attacker knows that they do not have to bother trying to crack shorter passwords. They also know that the elimination of special characters reduces the possible characters from 94 to 62 (26 uppercase letters, 26 lowercase letters, and 10 numbers). 62⁸ power is 218 trillion. That’s still a huge number of possible password combinations, but it’s way less than six quadrillion. Based on available computing power, an attacker could potentially try all these combinations in less than a day.

Conclusion

While it is true that some users will inevitably choose strong passwords, an attacker knows that most users will only meet the minimum requirements. As a result, a brute force attack based on the minimums is likely to yield a significant number of passwords.

These passwords can be used to gain initial access to the system. The attacker can then begin to work on elevating their privileges.