Social engineering – Beware the Silver-Tongued Devil

Last week we wrote about one of the deadliest threats to your data: the various forms of the CryptoLocker ransomware. This week we discuss a different type of threat: social engineering.

Wikipedia defines this as: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.”

I believe the key point in this definition is that social engineering is often just the first step a hacker takes before performing a deadly attack later. It gives even rookie hackers the initial bit of information they need to get into your computer network and potentially run scripts created by the pros.

A simple phone call is the most common way this attack is carried out. To get into a large business, the hacker might pose as an IT help desk technician and try to talk a user out of their password. The user does not have to be a high-level employee; any valid username and password will do. The key is just getting inside with legitimate credentials, which let the hacker run tools that map out how the IT environment is set up.

Home users are also at risk via the phone, especially the elderly.

Slowly and patiently the hacker gains the trust of the target, then uses that trust to extract sensitive information such as passwords or bank account details. One of our main recommendations to clients is to always use a different password for each sensitive online account. That way, even if a hacker gets into one account, they don’t hold the keys to the entire kingdom.

Probably the most famous incident of social engineering was the Trojan horse, used after an unsuccessful ten-year siege of Troy. Thinking the Greeks had given up, the Trojans wheeled this “congratulations gift” inside their gates. Later that night a small force of soldiers climbed out of the horse and opened the gates, allowing the entire Greek army to rush in. I’ll end the article with other ways this type of attack has been carried out in the past, but let’s jump right into some of the ways our firm can help you avoid this kind of tragedy.

  1. Training is paramount, and the number one defense that businesses need to have in place. CPR can supply your firm with easy-to-understand training material that can be given to your employees. This will help your staff recognize this type of attack.
  2. We can hold meetings with your employees (maybe over lunch) to discuss various cyber security concerns and make it worth their time. You may be surprised by how many people are genuinely interested in how to keep themselves, their friends, and their family at home safe from cyber criminals. Our staff always strives to speak in layman’s terms.
  3. We can perform social engineering attacks for you. We have conducted several of these in the past with rather good results. Even if we fail completely, you’ll come away with greater confidence that your employees have a good understanding of this topic.
  4. CPR can alert you to the most current scams making the rounds at any given time. We read several publications each week that cover the common forms that have gained popularity. We just received an email from Dell stating they have seen a rise in these attacks, and they have even created a phone number you can call (8am-5pm Central) to report these scams to them: 866-453-1742.
  5. We can help lock down your overall network. Even if an employee falls victim to this type of attack, CPR can help you minimize the damage. We’ll cover this in our next article.

Unfortunately, nothing you can do will completely thwart the most talented silver-tongued devils. In 2011 a breach occurred at the security company RSA. The attack began with a phishing email, and RSA’s parent company, EMC, spent over $60 million recovering from it. This was one of the first widely publicized attacks against a company whose job it was to protect others.

In 2007, a man robbed the safe deposit boxes at an ABN AMRO bank in Antwerp, Belgium, of diamonds worth $27.9 million. He used nothing but his charm to gain the confidence of several employees. Over time he learned which boxes contained the most diamonds and obtained the original box keys long enough to make copies.

Everyone has heard of the “Nigerian Prince” scam: a wealthy stranger needs your help to get money out of his country. These arrive by email and seem laughable in so many ways. Unfortunately, they still work. Research indicates that in 2013 such scams cost victims $12.7 billion worldwide, $82 million of it in the US.

Thieves obtained the card data of 40 million credit and debit card holders from mega-retailer Target in 2013. Investigators believe the attackers got into Target’s network using credentials stolen from HVAC contractor Fazio Mechanical Services via a phishing email carrying the Citadel trojan.

The DEF CON conference is held every summer in Las Vegas, where hackers come together to swap tips and show off cutting-edge technical exploits. Here is a fascinating story about one contestant, Shane MacDougall, who easily pulled the wool over a Walmart store manager’s eyes in 2012.

Shane used nothing but a telephone during the demonstration, and the audience burst into applause when the scam succeeded completely.

“Social engineering is the biggest threat to the enterprise, without a doubt,” MacDougall said after his call. “I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

As we said in bullet point #1, Training is paramount. Let CPR help you in this area.

Here’s one last beautiful attack. A fellow IT admin got a call from a telemarketer. Did he yell and scream? No, he went on the offensive, like this:

Automated call: “Press 4 to speak with someone about your mortgage issues, or press 9 to not be contacted in the future.”

<IT guy presses 4>

TM: “Hello, are you having problems paying your mortgage?”

IT guy: “Hi, this is the IT department. We intercepted your call as we detected a problem with your phone and need to fix it.”

TM: “Oh… ok, well what do we need to do?”

IT guy: “We’re going to try fixing the settings by pressing 4, 6, 8 and * at the same time.”

TM: “Ok, nothing happened.”

<IT guy now knows he isn’t using a Polycom phone>

IT guy: “Are you using the new Polycom phones we just deployed?”

TM: “No, it’s a Yealink.”

IT guy: “Ok, I see. Let me check our technical documentation for the older Yealinks.”

<IT guy does a quick Google search: “yealink phone factory reset”>

IT guy: “Alright, do you see an ‘OK’ button on your phone?”

TM: “Yes I do.”

IT guy: “Good, you’re going to press and hold that button for 10 seconds.”

TM: “Ok, pressing it now.”

IT guy: “Perfect, let me know if you get a password request.”

TM: “Ok, nothing has popped up ye—”

<CLICK>

That’s right: the IT guy just talked the telemarketer into factory resetting his own phone, so he can’t make any more annoying calls until someone reconfigures it. That’s what I call social engineering at its finest.
