There’s something about social engineering that we connect with on a very personal level – it wouldn’t be such an effective tool if we didn’t! In an article written for Info Security Magazine, Markus Jakobsson writes, “The effective use of social engineering is already one of the most dangerous weapons in the cyber criminal’s arsenal, with uses ranging from nation-state attacks…to attacks on organizations and consumers.” The tactics used by hackers to gain access to your personal information are ingenious and aside from that – often entertaining. We’ve explored a few stories from a variety of websites detailing how social engineers really work – and how easy it is at times.
- In 2011, attackers emailed employees of EMC, parent corporation of RSA, an excel spreadsheet entitled “2011 Recruitment Plan,” which was opened by 4 employees, deploying a zero-day Flash exploit and installing backdoors in the employee work machines.
- A “red teamer” tasked with testing corporation corporate security said in an “AMA” interview on Reddit.com that he often employs the tactic of sending company employees an email with a link confirming their subscription to an adult pornography website. Within this email is an “unsubscribe” link and he says, “You have never seen someone in an office click the unsubscribe links that fast.”
- In 2015 the accounting department of a large company received an emailed list of balance transfer instructions (supposedly) from the company’s Hong Kong subsidiary. $47 million was transferred to the hackers before the company caught on.
- A recent social engineering campaign on several of the largest social media platforms involved attackers using stolen credentials to message a link entitled “Did you see this video of you?” to people on the friends list. As the message looked like it was coming from a friend, countless people were redirected to a fake site and asked to enter their passwords and information – and many did.
- The “red team” founder of a prominent USA security consultancy says his most effective scam is calling a target and saying "I've been informed that you've been infected with this worm.” After he walks them through several screens, they will see things like registry lines and start to get nervous about how technically complex the issue will be. Eventually he suggests, “Look, why don't I fix this for you? Give me your password and I will deal with it and call you back when I am done.”
- Not all social engineering is done behind a screen! A widespread tactic used by social engineers and hackers looking for hands-on access to a corporations network is to bring cookies, donuts or pizza to an office – dropping it off and continuing about their day – with free reign of the office computers. They also love to “tailgate” or wait in smoking areas and follow employees inside after smoke breaks.
- Countless hackers and red teamers alike leave USB sticks laying around in parking structures and outside buildings hoping an unsuspecting person will pick it up and check it out on their computer.
Even a cursory search for social engineering tactics will turn up thousands of successful and unsuccessful scams and tactics. There seems to be no end to the way people can be manipulated by not-so-lazy attackers. So, how do you protect yourself? The answer should be “common sense” but the best and brightest of us can be fooled by tactics like this so:
- Be suspicious of tech support calls. How many times has tech support proactively identified a problem and approached you? It’s never happened to me!
- “Act Now” and “Urgent” requests should be scrutinized carefully. Personally, if I’m in a panic to get something from a co-worker, the last thing I’m going to type is “Urgent.” I’d go for a more “Hey! Sorry to bother you but I need blah blah blah…” or “I need this before blah blah blah time for this specific project.”
- Look…if you see a “forgotten” USB stick laying around somewhere – the chances are you don’t need to see what is on it. You want to try to return it to the owner? Leave it in lost and found.
- Phone calls or SMS requests for password and personal information is unusual. A company (insurance, bank, etc.) who is calling YOU should have access to this information – and again, how many times has a bank called to proactively deal with an issue with your account? Customer service just isn’t that good anymore.
- Look at the URL, spelling, grammar and read emails (even from friends) for contextual clues before clicking a link.
- It’s nice to let in employees who have forgotten their key-cards. I do it every chance I get…but use your best judgement.
These lists are by no means exhaustive. There’s just too much material available out there on social engineering, which is a tactic that’s been used since the beginning of time. While many of these examples are fascinating, funny or even cringe-inducing, they happen every day in every industry with great success.
The best defence is a good offence.
About Sangfor Technologies
Sangfor Technologies isn’t experiencing a lack of talent. We have over 5000+ of the best and brightest right here! We work closely with our customers to develop innovative products designed with today’s IT needs and professionals in mind.
Automated network security systems and services can often detect unusual activity on the network immediately. For example, Sangfor Technologies Next Generation Firewall (NGAF) is the world’s first AI enabled and fully integrated next generation firewall + Web Application Firewall (WAF). Security visibility, real-time detection of threats and simplified O&M keep IT informed and in control of all network security issues in real-time.
But, if we’ve learned anything from social engineers, it’s that they can be in your system FAST and sometimes from inside the very building you are working in. What do we do?!
Sangfor’s Internet Access Management (IAM) solution helps IT stay on top of traffic, queries and user behaviour with easy to read charts and reporting. Unified, network-wide management means more authentication methods and a clear view of the entire network for IT professionals.
Get in touch with us at https://www.sangfor.com to check out the host of network optimization, network security and cloud computing solutions designed with you in mind – just like social engineering.
Founded in 2000 and a publicly traded company as of 2018 (SANGFOR STOCK CODE: 300454 (CH)) Sangfor Technologies is the global leading vendor of IT infrastructure solutions specializing in Cloud Computing and Network Security.