Social Engineering - The Ultimate Con
Social engineering is the ultimate con – the bag of tricks employed by fraudsters who lie, cheat and steal their way past your organization’s security controls. Their goals: theft, fraud or espionage. Social engineering bypasses all technologies, including firewalls. It appeals to hackers because there is a general lack of awareness of the problem and it’s nearly 100% effective.
What is an organization’s best line of defense?
Their people. Properly trained staff, not technology, is the best protection against social engineering attacks. Learn how to protect yourself and your organization against social engineering attacks by understanding social engineering tactics and knowing how to recognize scams. People are the weakest link and as a result, organizations must build a human firewall by training their people.
Their people. Properly trained staff, not technology, is the best protection against social engineering attacks. Learn how to protect yourself and your organization against social engineering attacks by understanding social engineering tactics and knowing how to recognize scams. People are the weakest link and as a result, organizations must build a human firewall by training their people.
What is social engineering?
Social engineering is the human side of breaking into a corporate network. Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
Social engineering is the human side of breaking into a corporate network. Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
Social engineers manipulate people into speaking/acting contrary to their normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information. In most cases the attacker never comes face-to-face with the victim, but they get the information or the access they need to commit fraud nearly 100% of the time.
Why are social engineers so successful?
Experienced social engineers relate well with others. They are consistently quick to establish a personal connection with the target and use that connection as the basis of building rapport. The simplest way to get information is to ask for it directly, and this forms the basis for the various techniques used by hackers.
Experienced social engineers relate well with others. They are consistently quick to establish a personal connection with the target and use that connection as the basis of building rapport. The simplest way to get information is to ask for it directly, and this forms the basis for the various techniques used by hackers.
Common social engineering techniques include:
- Pretexting is when a social engineer develops a story line that he or she is able to portray to the target. It provides the justification for the questions being asked.
- Impersonation , such as posing as an employee, is arguably the best technique used by social engineers to deceive people because most people are basically helpful toward coworkers without question.
- Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
- Dumpster Diving – Improperly discarded memos, organizational charts, or policy manuals could be used for foot printing (the art of gathering information or pre-hacking). Social engineers commonly research a predetermined target and determine the best opportunities for exploitation. Dumpsters provide a huge amount of information, including the information a hacker needs to impersonate an employee.
How do you protect yourself and your company?
Social engineering attacks may be inevitable in the world today for the simple reason that humans are easy targets; nevertheless, that does not mean that attacks are unpreventable.
The single most important key to avoiding social engineering attacks is to not give sensitive information to anyone unless you can verify that they are who they claim to be and that they have a legitimate need for access to the information. Organizations and individuals can protect themselves through training and awareness as well as security-related policies and procedures.
By staying alert to potential security threats and keeping in mind the suggestions listed above, you will be much more prepared to enjoy the conveniences of online services with peace of mind!
Impersonation in Social Engineering
No matter how secure a system is, there's always a way to break in. Hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people – who are often the easiest to manipulate and deceive.
Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.
The social engineer "impersonates" or plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems. This type of social engineering plays on our natural tendencies to believe that people are who they say they are, and to follow instructions when asked by an authority figure. It involves the conscious manipulation of a victim to obtain information without the individual realizing that a security breach is occurring.
Impersonation requires a lot of preparation, so it occurs less often than other forms of social engineering. Social engineers prefer the more anonymous phone or email approach over appearing in person. Done well, however, nobody ever knows that the impersonator was ever there. To the people they spoke to, they were just another individual in a non-stop stream, although perhaps just a bit nicer than the run-of-the-mill grump.
Roles of the impersonator
Some common roles that may be played in impersonation attacks include: a repairman, a meter reader, IT support, a manager, a trusted third party (an auditor, for example), or a fellow employee. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most people want to help, so they will bend over backwards to provide the required information (or access) to anyone with authority.
These tricks work because we all regularly interact with people we don't know. It's human nature to trust credentials – a badge or a uniform – but they can be forged. We trust uniforms, even though we know that anyone can wear one. And when we visit a website, for example, we use the professional appearance of the page to judge whether or not it's really legitimate -- never mind that anyone can cut and paste graphics. In the same way, we have a tendency to automatically trust someone in authority.
Common social engineering roles:
- Posing as a fellow employee
- An employee of a vendor or partner company, or auditor
- As a new employee requesting help
- Pretending to be from a remote office and asking for email access locally
- As someone in authority
- A system manufacturer offering a system update or patch
Impersonators do their homework
Impersonation works best when the social engineer gives a convincing performance, complete with the proper technical jargon or other insider information. Impersonators do their homework. They come armed with:
Impersonation works best when the social engineer gives a convincing performance, complete with the proper technical jargon or other insider information. Impersonators do their homework. They come armed with:
- A uniform
- An ID badge
- A fake or forged business card
- Insider information
- Names and details about employees
Once inside the building, impersonators will look for opportunities to:
- Learn more about the organization and its employees
- Eavesdrop on employee conversations
- Shoulder surf to uncover passwords or pins
- Steal documents, equipment, or other items of value
- Gain access to computers, copy or fax machines
- Sabotage the network
There are some warning signs of an attack. Pay special attention to:
- Out-of-ordinary requests
- Claims of authority
- Stressed urgency
- Threats of negative consequences of non-compliance
- Displays of discomfort when questioned
- Name dropping
- Compliments or flattery
- Flirting
Before releasing any information to anyone, it's essential to at least establish:
- the sensitivity of the information
- your authority to exchange or release the information
- the real identity of the third party (positive identification)
- the purpose of the exchange
Countermeasures for impersonation attempts
Verification is the key. A social engineer's goal is to fit in with the crowd - to look like someone who should be there. They may be disguised as any number of people who frequent your organization and, because they look like they belong, your best defense is being alert and asking someone in authority if they should be there. Always verify the identity of anyone who shouldn't be allowed inside your organization.
Tech Support Scams
In a recent twist, scam artists are using the phone to try to break into your computer. They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t
need.
These scammers take advantage of your reasonable concerns about viruses and other threats. They know that computer users have heard time and again that it’s important to install security software. But the purpose behind their elaborate scheme isn’t to protect your computer; it’s to make money.
- How tech support scams work
- What to do if you get a call
- What to do if you've responded to a scam
How Tech Support Scams Work
Scammers have been peddling bogus security software for years. They set up fake websites, offer free "security" scans, and send alarming messages to try to convince you that your computer is infected. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.
The latest version of the scam begins with a phone call. Scammers can get your name and other basic information from public directories. They might even guess what computer software you're using.
Once they have you on the phone, they often try to gain your trust by pretending to be associated with well-known companies or confusing you with a barrage of technical terms. They may ask you to go to your computer and perform a series of complex tasks. Sometimes, they target legitimate computer files and claim that they are viruses. Their tactics are designed to scare you into believing they can help fix your "problem."
Once they’ve gained your trust, they may:
- ask you to give them remote access to your computer and then make changes to your settings that could leave your computer vulnerable
- try to enroll you in a worthless computer maintenance or warranty program
- ask for credit card information so they can bill you for phony services — or services you could get elsewhere for free
- trick you into installing malware that could steal sensitive data, like user names and passwords
- direct you to websites and ask you to enter your credit card number and other personal information
Regardless of the tactics they use, they have one purpose: to make money.
If You Get a Call
If you get a call from someone who claims to be a tech support person, hang up and call the company yourself on a phone number you know to be genuine. A caller who creates a sense of urgency or uses high-pressure tactics is probably a scam artist.
Keep these other tips in mind:
- Don't give control of your computer to a third party who calls you out of the blue.
- Do not rely on caller ID alone to authenticate a caller. Criminals spoof caller ID numbers. They may appear to be calling from a legitimate company or a local number, when they’re not even in the same country as you.
- Online search results might not be the best way to find technical support or get a company's contact information. Scammers sometimes place online ads to convince you to call them. They pay to boost their ranking in search results so their websites and phone numbers appear above those of legitimate companies. If you want tech support, look for a company’s contact information on their software package or on your receipt.
- Never provide your credit card or financial information to someone who calls and claims to be from tech support.
- If a caller pressures you to buy a computer security product or says there is a subscription fee associated with the call, hang up. If you're concerned about your computer, call your security software company directly and ask for help.
- Never give your password on the phone. No legitimate organization calls you and asks for your password.
- Put your phone number on the National Do Not Call Registry, and report illegal sales calls.
If You've Responded to a Scam
If you think you might have downloaded malware from a scam site or allowed a cyber criminal to access your computer, don't panic. Instead:
If you think you might have downloaded malware from a scam site or allowed a cyber criminal to access your computer, don't panic. Instead:
- Get rid of malware. Update or download legitimate security software and scan your computer. Delete anything it identifies as a problem.
- Change any passwords that you gave out. If you use these passwords for other accounts, change those accounts, too.
- If you paid for bogus services with a credit card, call your credit card provider and ask to reverse the charges. Check your statements for any other charges you didn’t make, and ask to reverse those, too.
- If you believe that someone may have accessed your personal or financial information, visit the FTC's identity theft website. You can minimize your risk of further damage and repair any problems already in place.
- File a complaint with the FTC at ftc.gov/complaint .
Use Bluetooth? Protect Yourself From Hacking Scams
Cell phone users are increasingly turning to Bluetooth technology to talk - hands free - on their phones. But as this high tech tool gains popularity in the US and Canada, scammers are finding ways to exploit it.
How the Scam Works:
Scammers use specialized software to intercept your Bluetooth signal and hack into your device. It's called "blue-bugging." Doing this gives them access to all your texts, contacts, photos, call history... everything on your phone.
Scammers use specialized software to intercept your Bluetooth signal and hack into your device. It's called "blue-bugging." Doing this gives them access to all your texts, contacts, photos, call history... everything on your phone.
Scammers sometimes use hacked phones to make long distance calls. Other times, they access your private text messages or photos. But unless you are a celebrity, government official or high-powered corporate executive, you are unlikely to be a target.
Recently, the newest scheme is for scammers to set up a pay-per-minute phone number. Then, they hang out in a busy area and hack into phones. Scammers use the phones to dial the number and rack up charges by the minute.
Tips to Ensure Your Bluetooth Isn't Hacked:
- Always use a minimum of eight characters in your PIN. The longer your code, the more difficult it is to crack.
- Switch Bluetooth into "not discover-able" mode when you aren't using it. If you make a call from your car, be sure to switch it off when you get out. Crowded public places are top spots for hackers.
- Don't accept pairing requests from unknown parties. If you happen to pair your phone with a hacker's computer, then all your data will be at risk.
- When pairing devices for the first time, do so at home or in the office.
- Make sure you download and install regular security updates. Device manufactures will release updates to address threats and correct weaknesses.
For More Information
Check out Bluetooth.com for tips on using products with Bluetooth technology. Also, see your cellphone manufacturer's website for more advice.
Check out Bluetooth.com for tips on using products with Bluetooth technology. Also, see your cellphone manufacturer's website for more advice.
To find out more about scams, check out BBB Scam Stopper.
Signs You've Been Sucked Into A Facebook Scam
A Facebook scam highlighted the threats posed to the millions of users of the popular social network. Security experts say users of social networks and Facebook, in particular, have high confidence in the links and information shared there. Attackers are constantly trying to take advantage of the high levels of behavioral trust, according to security firm BitDefender. While Facebook has security teams and automated systems to detect suspicious activity and contain threats quickly, third-party app baits, spam, Likejacking and other activities persist, said Catalin Cosoi, head of the online threats lab at BitDefender. Here are six signs you may have fallen prey to a Facebook scam.
- The Facebook App You Just Clicked On Promises Too Much
Apps that promise to spy on people, or allow the user to interact with other Facebook users in ways that the social network does not allow, are illicit and very likely a scam, Bitdefender said. While the app may be freely available, victims are prompted with quizzes and surveys and the data collected is used in aggressive advertising. In a recent study, BitDefender estimated that more than 30 percent of suspicious apps attempt to provide additional services such as traffic profiling to determine who is viewing your profile, who deleted your connection and who is a "profile stalker." While some services may be legit, many of them use the access granted to view Facebook connections and collect other information that may be considered personal, the security firm said - You Were Tempted To Click On A Photo Or Video You Just Couldn't Resist
Shocking images, news articles, blog posts and videos easily trick users into clicking links to view the content. The Facebook scam will redirect users to a malicious website where spyware or adware is installed on the victim's browser. BitDefender's Cosoi said many of the scams are attempting to gain access to the victim's photos, likes, check-ins and other information, collecting the information for use in a potential social engineering attack. This is seen in 14 percent of Facebook scams, estimates BitDefender. - You Clicked On A Post With One Of These 10 Facebook Scam Trigger Words
Use of the word "Wow" is most commonly associated with a potential phony link or scam, according to BitDefender. Other top scam trigger words or sayings include "Profile," "OMG," "Killed," "Girl," "Viewed," "Stalker," "Video," "Crying" and "Busted." BitDefender said the words are associated with human-curiosity triggers. Facebook scammers used the trigger words in November when they attempted to trick users into viewing bogus videos of Rihanna and Miley Cyrus. The attack attempted to steal passwords through surveys. - You Clicked On A Post With One Of These 5 Common Facebook Scam Phrases
"Is this you?" ranks as one of the most frequently used scam catchphrases, according to BitDefender. Other phrases include, "What are you doing in this video?" "Find out who is doing x to you," "When after I saw this…" and "I just found out x about me. Check yours." Many of the phrases are also regularly used on other social networks to lure people to click on malicious links, BitDefender said. Catchphrases changed often in 2012 in order to evade detection, Cosoi said, but many of the latest threats are attempting to reuse older ones. - Your Profile Says You 'Like' Something That You Don't
Some attackers have developed a way to enable a victim to like a piece of content without their knowledge. BitDefender said the technique is used to spread threats quickly. The content auto-generates a posting on the victim's wall, broadcasting to people that the content behind a malicious link was liked. Typically the Like button is embedded in a video or image, automating the process of endorsing the link. Likejacking is believed to have been used to spread a lose weight offer last year. Facebook has done a good job of reducing this threat, according to Cosoi, but charity scams using phony donation requests continue to persist. - Your Data Was Just Stolen
Attacks using data-stealing malware and other Trojans accounted for only an estimated four percent of Facebook threats. Facebook aggressively monitors for worms and other malware and believes the number of users ever impacted by malware attacks on the site is always well below 1 percent. Last year, a Facebook worm called Ramnit is believed to have compromised 45,000 accounts, ending up stealing passwords of victims. The Ramnit botnet is still being tracked and has been connected to banking malware. Cosoi said he and other threat researchers also have seen botnet owners use Facebook pages and other social networks for command and control purposes.
Source: By Robert Westervelt, CRN / Original Post from CRN.com