The Sport of Social Engineering: From Baiting to Phishing

Social engineering sounds like a harmless college social experiment, but it’s one of the most devastating ways hackers can gain access to your company’s sensitive data and destroy you from within. Here’s what you need to know about it and how to protect yourself.

The Plea For Help

Security companies, like Sec-Tec, see this one all the time. An attacker wants to gain entry to a secure facility. Rather than breaking in through the network, he shows up looking like he belongs there. An employee gives the attacker access because he is confident and plays the part.

If a person is dressed as an employee, carries a legitimate-looking badge, and follows an employee into a secure area, without an NFC-enabled or some other security badge, the best security system in the world is rendered useless. Unfortunately, many social experiments depend on human psychology – our desire to be nice and help others.

Phishing Scams and Why They Work

A phishing scam is used to obtain personal information like names and addresses, and Social Security Numbers. Often, attackers will use shorteners, or embedded links that redirect the victim to a suspicious website.

The attacker may use fear or a sense of urgency to get the user to comply. One scam, that involved APK files from Google Play Books, were preloaded with malware. The product looked legitimate, but was simply trying to gather user information.

Baiting

Baiting is a kind of phishing attack, though the attacker often promises something in return that hackers use to entire their victims. A hacker might offer users free music or some other kind of download if the user surrenders login credentials to a particular site.

A baiting attack isn’t restricted to online scams either. Attackers can focus on physical media as the “bait.”

Steve Stasiukonis, founder of Secure Network Technologies demonstrated how this worked in his own company. He, and his team, infected dozens of USB drives with Trojan viruses, and then dispersed them around the company’s parking lot.

Unbelievably, many of the company’s employees picked up the USBs and plugged them into their computers. This activated a keylogger, which gave Steve access to employee login credentials.

Quid Pro Quo

A quid pro quo attack promises some kind of benefit for the user if the user complies with a request from the hacker. This benefit is usually in the form of some kind of service instead of a product.

One of the most common types of scams involve hackers that pose as IT personnel. The fake IT personnel offer IT assistance to all of their victims. The fraudsters promise a quick fix in exchange for the user disabling their anti-virus program. When disabled, the fraudsters install a program posing as an update service but which is really malware.

Piggybacking

This form of attack is a physical attack, and covert. Instead of attacking a network over the Internet, the attacker shows up to the company’s office location. The attacker may strike up a conversation with an employee, wait for a secure door to open up, and then ask the employee to hold the door so that the attacker can gain entry.

Often, attackers, pose as a delivery person. Colin Greenless, a security consultant at Siemens Enterprise Communications, used this tactic to gain access to several floors, including a data room at an FTSE-listed financial firm.

He was even able to set up shop to attack the financial firm out of a third-floor meeting room. He relied on nothing more than acting like he belonged there. No one questioned him.

Irene Little enjoys being part of a global IT team and sharing her insights on new ideas and technologies with an online audience. She is a regular writer for a number of IT-related websites.


Advertising

Leave a Comment

Your email address will not be published. Required fields are marked *