Social engineering schemes have traditionally revolved around a hacker posing as someone from the support department and either trying to assist the user with a problem or getting the user to help the hacker run a test.
But hackers like to break with tradition, and current social engineering methods are all about defying expectations. To help you understand the new face of social engineering, here are some of the new ways that hackers are using social engineering to get what they want: access to your data. By reading through these new social engineering schemes, you can better educate yourself and your staff about the techniques being used, which in turn will help everyone in your company avoid falling prey to these security breaches.
Relationship social engineering
I had the chance to watch first-hand a social engineering stunt using common conversation to obtain password information. This particular job wasn't an illegal hack, but rather a situation in which a client paid a security company, Relevant Technologies, to see if its employees would fall victim to a social engineering scheme. The company felt it better to find out its security holes under controlled conditions than to be exploited by someone who really did have malicious intentions. Unfortunately, the social engineering scheme went off without a hitch, and the company's owner realized that he needed to place a greater emphasis on employee training.
For this particular scheme, the security company hired a woman with a sexy voice to call sales representatives at the company and pretend to be interested in buying the company's product. Part of the conversation went something like this:
Social Engineer: "My kids will love this product. I have a two-year-old named Fred and an eight-year-old named Beth. Do you have any kids?"
User: "Yes, I have a four-year-old son named Shawn."
This is seemingly innocent chitchat, but in organisations that don't enforce strict password policies, employees often use their kids' names as passwords. In this particular case, the employee had one son named Shawn. As it turns out, Shawn was the employee's password. Of course, that was a lucky guess, but the security company's social engineer was able to worm other personal information out of the employee as well.
For this particular job, the woman never asked for a password, or for anything else related to the computer system. What she did was build a relationship with the victim. Even if nothing on the password list had matched, she had built the guy's trust enough that on a future call she would be able to get something more useful out of him.
Note: In case you are unfamiliar with the term, social engineering refers to an act in which a hacker tricks a user into disclosing a password or other sensitive information, rather than relying purely on traditional hacking techniques.
Password conundrum
People have a lot more passwords to remember than they used to. With so many passwords to keep track of, it isn't uncommon for people to use the same password in more than one location to keep from having to remember several different passwords. For example, a person might use the same password at work that they use to log on to the Internet at home.
There are cases in which hacker groups have set up Web sites advertising a bogus sweepstakes. They then require anyone registering for the sweepstakes to supply a username and password for future access to the site. Soon a database of thousands of usernames and passwords is compiled. A "robot" then systematically attempts to log on to many popular Web sites using the supplied usernames and passwords. The hacker group can then use what it finds on those sites to dig further. For example, if a hacker is able to get into a person's Hotmail account, he might be able to figure out where the person works and then try to break into that company's computers using the logon name and password that he already has in his possession.
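The "robot" replaying a harvested username/password list leaves a recognisable trace in a site's login log: one source address trying many different usernames in a short time, with almost all attempts failing. The following detector is an added example (not code from the article); it assumes a hypothetical, constructed log format of `<epoch_seconds> <src_ip> <username> <SUCCESS|FAIL>` and flags sources that fit that pattern while leaving a legitimate user who mistypes their own password alone.

```python
import re
from collections import defaultdict

# Constructed sample of web-login audit lines (hypothetical format, not from the article):
# "<epoch_seconds> <src_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol FAIL
1003 203.0.113.7 dave SUCCESS
1004 203.0.113.7 erin FAIL
1005 203.0.113.7 frank FAIL
1010 198.51.100.2 alice FAIL
1011 198.51.100.2 alice FAIL
1012 198.51.100.2 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

def parse_log(text):
    """Yield (ts, ip, user, ok) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield int(ts), ip, user, result == "SUCCESS"

def find_credential_stuffing(text, min_users=5, max_success_rate=0.5, window=300):
    """Flag source IPs that try at least `min_users` distinct usernames within
    `window` seconds and mostly fail. A user mistyping their own password
    hits one username repeatedly; a replayed stolen list hits many."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in sorted(events.items()):
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]  # sliding window
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            rate = sum(ok for _, _, ok in win) / len(win)
            if rate <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                               "success_rate": round(rate, 2)}
                break
    return flagged

print(find_credential_stuffing(SAMPLE_LOG))
```

On the constructed sample only 203.0.113.7 is reported (six usernames in six seconds, one success); the second address, which is one user retrying their own account, is not.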