Social Engineering – You Are the Weakest Link

The most vulnerable point of access to your data isn’t a computer, but a human being

Cyber security has been a hot topic as of late, but few are discussing the fact that humans are actually the weakest link in the information security chain.

While hackers do employ some seriously powerful tools, it’s often just as easy to trick their targets into revealing too much information, or even unknowingly installing malware on their own systems.

For those of you new to the term, here are a few examples of social engineering tactics being used on the web today, from Concise Courses information security expert Henry Dalziel:

1. Social Networks

Having your Facebook account hacked can easily result in having a friend (who is a genuine friend of yours) asking for cash because their “wallet was stolen” whilst they were travelling. Clearly, receiving an email from a friend is exactly that: from a friend, so the barrier of trust is completely open.

2. “Someone has a secret crush on you! Download this app and find out who it is!”

This social engineering attack also comes from social networks like Facebook. Facebook applications are for the most part free from malware or bad intent, but some still contain nefarious objectives. The wording of the app is all too important and needs to touch some fundamental human emotional buttons, because, as the title of this entry states, who wouldn’t want to know who had a “secret crush on you!”

The “I love you” computer worm that attacked millions of Windows personal computers May 5th 2000 started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The success of this download was due to the wording.

3. “Click this link!”

On the same subject of effective copy used to drive a social engineering attack, social engineers title an email to solicit an action – i.e. getting the user to “click here”. Again, the attacker’s ideal set-up is to have gained access to a user’s social account or email account. The inherent trust that makes you open and click on a link from someone you know is second nature. Visiting an infected site or page from an email can install malware on your machine, either by a Java drive-by or another means. Another good example is the Twitter spam we often receive with the subject “Did you see this video of you?” – again it’s a play on words. See the 2nd “secret crush” scam and you’ll see how being able to connect on an emotional level will ensure a pretty decent success rate for the hackers.

4. Fake office IT Support

This is a pretty varied but very popular social engineering attack whereby someone pretends to be an IT Support Technician and offers to fix a “broken computer” or an “infected machine” that contains viruses and malware. All you need is confidence and authority in your voice and choice of words. Again, refer back to our Hacker Hotshots event with Chris Silvers and listen to some of the calls that he and his team made to solicit passwords and other sensitive information. In some extreme examples the attacker will actually enter the business and pose as an IT Technician. We learned about a technique called “tailgating” when we compiled our Concise Courses CompTIA Security+ Information Pack – it is actually a unit within section 3.0 Threats and Vulnerabilities of the syllabus. As the term suggests, tailgating is when an attacker attempting to access a building will purposely wait near an office lobby for real employees to enter the building with their genuine ID cards – as they open the door they politely hold it open for the attacker. Appearance is vital for this to work. Being dressed the way an IT Technician would be for that particular organization will greatly assist this particular social engineering scam.

5. Phishing lures

Receiving an email that claims that you have not paid for an item on eBay can very often solicit an action from an unsuspecting victim. You might think that that is a ridiculous scam that will not affect anyone, but as long as the attackers are sending out millions of messages like that, their success rate can be low but still profitable. Like several other social engineering attacks listed in this post, the eBay Phishing Lure Scam also works on a human emotion. eBay users are very aware of the impact of receiving negative reviews, therefore any message that arrives in their inbox from someone who seems to be from eBay will often result in an action being taken. When the user falls for this attack they can be sent to a spoofed eBay page that looks just like the real login page, with the user’s login information being captured and then used against them to withdraw funds etc. Withdrawing funds from eBay is often possible owing to the fact that many users’ login information for their eBay and PayPal accounts will be the same. One solution with this particular scam is to manually open up a browser and visit your account yourself – is there a message in your eBay inbox? If yes then it is genuine. If not, then ignore the other message.
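The spoofed-login-page lure above can also be caught on the mail side: the visible link text says “eBay”, but the link’s real host does not. The checker below is an added example for this post, not code from the author or from eBay; the list of legitimate hosts and the sample phishing body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (constructed) allowlist of hosts a genuine eBay notice would point at.
LEGITIMATE_EBAY_HOSTS = {"ebay.com", "www.ebay.com", "signin.ebay.com"}

# Constructed sample of a phishing body: the anchor text names eBay, but the
# href's real host is a lookalike that merely begins with "ebay.com".
SAMPLE_PHISH = (
    "<p>Your eBay payment is overdue. Sign in now to avoid negative feedback.</p>"
    '<a href="http://ebay.com.secure-login.example/signin">Sign in to eBay</a>'
    '<a href="https://signin.ebay.com/">Help</a>'
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_is_legitimate(host):
    """True only if host is an allowlisted domain or a subdomain of one (not a prefix lookalike)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_EBAY_HOSTS)


def suspicious_ebay_links(html_body):
    """Return (visible text, real host) for links that mention eBay but resolve elsewhere."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        mentions_ebay = "ebay" in (text + " " + href).lower()
        if mentions_ebay and not _host_is_legitimate(host):
            flagged.append((text, host))
    return flagged
```

Matching on the parsed hostname rather than on the raw string is what defeats the “ebay.com.something.example” trick, which a naive substring check would accept.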

6. “You have been dismissed” or “Help victims of ‘fill in the blank’ natural disaster”

Social engineering tactics are becoming increasingly specific. Sending out blanket emails to hundreds of employees saying that regrettably their position at the organization has been terminated and that they must download a certain form etc. can have a decent success rate. Why? Because perhaps there was a rumour circulating that redundancies were inevitable owing to the financial crisis. Timing is everything with this scam.

Unfortunately, every time there is a natural disaster there is an associated social engineering attack. Again, as is consistent throughout this blog post, the natural disaster scam, along with the redundancy email, plays on a human emotion: curiosity.

7. Hijacked Twitter hashtags

Social engineers just need to look at what is trending on Twitter to fabricate or hijack a hashtag that has an embedded link to a malware site or Java Drive-by.

With studies showing that under 1/4 of all organizations do any type of social engineering training at all, most targets are an easy slam-dunk for a skilled manipulator. Mark these words – as we base more and more of our operations around a digital model, preventing social engineering attacks from being successful WILL gain traction as a must-have component to any crisis management plan.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Erik Bernstein is Social Media Manager for Bernstein Crisis Management, Inc. and editor of Crisis Manager]