4 Examples of Social Engineering Attacks
How a seemingly worthless piece of information be extremely useful for the attacker
“Hello Sir, This is Eren from SafeTravels Company. Your tickets to New York are ready. Do you want them delivered or will you pick them up yourself?” Mac, who was the employee of a reputed IT firm was startled hearing this. He replied, “ I have not booked any tickets. Why don’t you talk about this to my boss?” “On our System, we use the Employee Number to book travel arrangements. Must’ve been a mistake perhaps. Can you please confirm your Employee Number?” Mac ended up giving them his Employee number.
What do we conclude from this? Can Employee Number and other information be that vital? NO. But three or four pieces of information is all that it takes to get access to a company’s confidential information.
Conclusion: DO NOT give out personal or Company’s internal information unless the requester’s voice is recognisable or he/she has a need to know.
DUMPSTER DIVING
Dumpster diving means pawing through a target’s garbage in search of valuable information related to the target’s identity. The amount of information you can get from Dumpster diving is astounding.
Most people don’t give much thought to what they’re discarding at home: phone, bills , credit card statements, medical prescription, bank statement, and so much more
Dumpster diving going through a company’s garbage to find discarded information that either itself has value, or provide a tool to use in a social engineering attack, they often go through outside and vulnerable Dumpsters
So your trash may be your enemy’s treasure. We are not giving much importance to the materials we discard in our personal lives, so why should we believe people have different attitudes in the workplace? It all comes to educating the workforce about the danger.
LINGO
TROJAN HORSE:
A program containing malicious or harmful code, designed to damage the victim’s computer or files, or obtain information from the victim’s computer or network. Some trojans are designed to be operating systems and keep a track of every action that is performed by the user of that compute, or accept instruction over a network connection to perform some function; this all is done without the victim being aware of its presence.
And that didn’t end here. He could search through your email messages and private memos of the company’s executives, running a text search for words that might reveal any interesting information
BUILDING TRUST: MOST EFFECTIVE SOCIAL ENGINEERING TACTIC
The reason why social engineering attacks are so successful is, not that people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace our trust if manipulated in certain ways.
The social engineer predicts suspicion and resistance, and he’s always prepared to turn mistrust into trust. He anticipates the questions his target might ask so he can be ready with the proper answers. Well, that’s a good social engineer’s plan!!
One of the important and initial steps in social engineering is to build a sense of trust on the part of his victims. A con man can make you trust easily. Yes, he can! The more he can make his contact seem like business as usual, the more he reduces suspicion in the minds of the victim. In this way, it becomes easy for a social engineer to gain their trust. Once the bridge of suspicion is vanished, he gets easy access to take whatever information he wants.
As children, our parents taught us not to trust strangers. Maybe we should all heed this age-old principle in today’s workplace.
It’s natural for people to have a higher level of acceptance for anyone who claims to be a fellow employee, and who knows company procedures. Accordingly, a social engineer takes advantage of that, e.g. by finding out the details of a promotion, identifying himself as a company employee, and then asking for a favor from another branch. This happens between branches of retail stores and between departments in a company, people are physically separated and deal with fellow employees they have never actually met day in and day out.
In a telephone conversation, you have to think about whether you really know the person you’re talking to. In some rare instances, the person might not be who he claims to be. Accordingly, we all have to learn to observe, think, and question authority.
Think of your attitude when somebody you don’t know asks you for something. If a shabby and hostile person approaches you, you’re not likely to trust that person and start doubting, whereas if a person who approaches you is nicely dressed, shoes shined, hair perfect, with a polite manner and a smile, you’re likely to be much less suspicious. You’re willing to start out trusting that person as long as he looks normal and doesn’t have a carving knife in his hand.
Similarly, we judge people on the telephone as well. Does this person sound like he’s trying to sell me something? Is he friendly and confident or do I sense some kind of hostility or pressure? Does he sound nervous? Does he or she have the speech of an educated person? We judge these things and perhaps a lot of others unconsciously, often in the first few moments of the conversation.
A good social engineer knows all these human psychology behaviors and manipulates and acts accordingly to deceive the victim.
Social Engineering Manipulation Case~ John’s Caller
Most of the banks use internal security codes for verification purposes. When an employee from one branch calls another branch, he is verified with this code. This code changes everyday. Now, let’s see how an attacker can get the desired information without any prior knowledge of programming and hacking, by just exploiting human vulnerabilities.
John didn’t think of it when a stranger called him that afternoon. He thought it was a call like others he handled regularly several times a week.
“Hello”, said the caller. This Mike from branch no and so, said the caller. I need to talk to Scarlet as she left a message saying she needs some information regarding one of our customers and faxed them. John to the caller, “She’s at lunch, can I help”.
The attacker in some cases gather’s basic information of the target. He makes it sound like he had a really bad day by saying, “The person who generally handles these requests is out sick, and it’s almost evening, I have to complete these last tasks and leave for a doctor’s appointment.”
The level of manipulation here is to give all reasons so that the other person should feel sorry for him. He kept speaking , “The person who took the request doesn’t have full details. The fax number is not properly visible – it is 312 something…”.
John gave him the fax number. The caller said, “Thank You”.
“Before I fax these, I need the code B.”, said the caller. Mike replied, “But you are the one who called me, you should be the one to verify the code”.
The caller started manipulating him again by giving fake reasons of manager. Then he said, “But listen, if you don’t need the information, it’s okay, no need to verify!”. John replied, “Look, Scarlet is out for lunch, as soon as she arrives I will let her know as you were not verifying these as a legitimate request by giving the code.”
The caller said, “The message says “URGENT” no problem, I ‘ll call tomorrow”.
John gave up under pressure and gave the code, “Its – 3041”.
The caller said, “No, It’s the wrong code”. John replied, “No, It’s B – 3041.” Caller said, “No no, I asked for code E”. John said, “Ok wait let me search for E, It’s 5043”. “Yeah, this is the right code”, said the caller.
In this way the caller was able to get two secret codes from the employee by just using a technique of manipulation.
