Social engineering is really no different than any old-school scam from the past, other than that modern technology is the setting for the modern attack.
Infamous hacker turned computer security consultant Kevin Mitnick, featured in the Werner Herzog documentary “Lo and Behold, Reveries of the Connected World,” very much embodies the dark art of the Social Engineered Attack.
Mitnick is perhaps best known for breaking into the networks of IBM, Nokia and Motorola (in the case of Motorola, he stole their source code simply by talking an employee there into emailing it to him). He also claims to have compromised computers solely by using passwords and codes that he gained by social engineering.
In other words, the one-time cyber criminal’s most dangerous weapon was his gift of gab, manipulating his victims just as a puppeteer would his marionette.
“It’s people, not technology, that are the weakest link in security,” Mitnick says in the “Lo and Behold” film.
Social engineering is a modern-day attack vector that exploits social conditioning and human naivety to infiltrate networks, gain access to systems and steal confidential information from organizations. As in Mitnick’s case, it is the art of persuasion, rather than tech-savviness, that manipulates employees – your employees! – into giving out passwords and unlocking confidential corporate information.
Three Puppeteering Tactics to Be Aware of:
1. Spoofed Number
A socially engineered attack might begin with a phone call from a spoofed number. The caller might say, “This is Microsoft, and I’m calling to notify you that there is a bug outbreak in Arkansas. I’ve been charged with the Little Rock area. I need to log into your computer and apply a patch.” And then you give them your login information.
2. The Human Equivalent of Phishing
A hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information or other confidential data. An example? An email from your “boss” to your HR person, requesting that he or she send all the W2s of all employees, in PDF form, to them to review.
3. Closing the “Deal”
An email comes in from a hacker disguised as a legitimate client, requesting pricing for 500 hard drives and 200 memory sticks ASAP. Attached is a PO. The sales person processes the order, ships the gear, and 30 days later the invoice goes out to an email address that no longer exists.
Ongoing education is the primary defense for an organization. Outsourced security consultants offer a series of educational programs that not only provide a training regimen for social engineering, but also test employees by sending out “fraudulent” emails. When an employee clicks on one of these emails, they get a response saying “Oops, I got you!”, allowing managers to track who continues to fall for the scams.
There are other ways to defend your organization. Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Three Tips to Protect Against Social Engineering, Provided by Webroot:
1. Reject requests for help or offers of help.
Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
2. Set your spam filters to high.
Every email program has spam filters. To find yours, look at your settings options, and set these to high. Just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also find a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ‘spam filters’.
3. Secure your computing devices.
Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
Social engineers simply cast the bait out there and wait to see what happens. They might get 10 ‘nos’ before they get a ‘yes.’
Are your employees trained to cut the strings of socially engineered puppeteering? Could you benefit from further education that goes beyond the hardware you’ve put in place? If so, let’s talk!