Social engineering: Don't be fooled

The vigilante
Social engineering can take on some unsophisticated forms. The "I love you" Internet worm was a terrific example of mass social engineering. Worm writers and fraudsters alike have engaged in social engineering to peddle their viruses and fraud. Whether it's tricking someone into divulging their Internet banking passwords -- in what's been termed a "phishing" attack -- or convincing the recipient of an e-mail to run a viral attachment, social engineering is now "broadcast capable" when combined with spamming techniques.

Canberra-based Daniel McNamara doesn't appreciate that kind of deception, so he decided to do something about it. He set up a Web site, named Code Fish Spam Watch, designed to combat the scourge. McNamara monitors phishing scams and spam Trojans in the hope of exposing them. However, it doesn't stop him from describing victims of some social engineering attacks in less than flattering terms.

"The social engineering attempts are aimed at the more greedy and gullible section of society. I'm afraid to say there is a fairly large percentage out there," McNamara says.

However, the lengths to which social engineers will go are astonishing. They will prey on the fears of the intended victim, posing as a news bulletin containing details of a terrorist attack on Australia, an e-mail from the bank claiming to have deducted money from the victim's account, or even a notice that the recipient is under investigation by the authorities for involvement in child pornography.

These examples are designed to rattle the victim. Instead of thinking "should I run the attachment," they're thinking "I wonder if my child died in the terrorist attack".

Not surprisingly, McNamara hasn't exactly earned the admiration of the online fraud community. Peeved phishers recently spammed messages with McNamara's e-mail address as the reply address. Because the spam involved a child pornography theme, McNamara's inbox was flooded with hate mail. The recipients of the spam had been socially engineered into attacking McNamara himself. He's taken it in his stride as a learning experience -- making some interesting observations about auto-responders -- which allow mail users to automatically reply to all e-mail, even spam, if they're out of the office.

"One of the things I learnt during the recent attack... is that people put some very personal things in automated responses. People usually set up auto-responders to tell people about when they are away from work, that they're off sick, and so on," McNamara says. "This is all fine and good but most people fail to realise that it might be possible that people they don't know end up reading these messages and that some of the information they're letting out shouldn't be."

"During the attack against my site we received approx 2500-3000 auto-responses. Most of these were fairly mundane but some were very particular about where and when they wouldn't be in the office, what sort of sickness they had -- for example a fractured upper arm bone -- and a lot of US companies seemed to relish setting up auto-responders for ex-employees; one even stating that the person had been fired for misconduct," he adds. "This information is very useful to someone who is trying to target a business."

Talkback 2 comments

Anonymous -- 19/07/04

    Hello,

    This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?

    Thanks in advance,
    Christian

Anonymous -- 26/07/05

    Have a look at SANS

    http://www.sans.org
