Social Engineering

Did you know that humans get Hacked as much as computers? It is called social engineering and it has been happening long before computers ever existed!

Social Engineering is used among hackers for cracking techniques that rely on weaknesses in physical security rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security.

Classic scams include phoning up an employee who has the required information (password, username, etc.) and posing as a computer technician or a fellow employee with an urgent access problem.

• Callers may be male or female.
• The caller may appear to know the make and model of your equipment.
• The caller is after equipment serial numbers on devices such as printers, copiers, and computers.
• The caller will attempt to gain as much ‘extra’ information as possible, such as phone numbers, fax numbers, employee titles, addresses and other employee information.
• The caller usually uses a ‘private’ phone number.

Should you receive a social engineering call, ask them for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.

Hacking Humans

Social engineering is the human side of breaking into a corporate network. Companies like ours with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don’t know or failing to ask the right questions.

Social Engineering, an Example

AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL’s tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.

Forms of Social Engineering

Social engineering is not limited to phone calls; many organizations have reported cases involving visitors impersonating a telephone repair technician requesting access to a wiring closet or a new member of the IT department needing help accessing a file.

People, for the most part, look at social engineering as an attack on their intelligence and no one wants to be considered “ignorant” enough to have been a victim. It’s important to remember that no matter who you are, you are susceptible to a social engineering attack.

If you suspect social engineering – don’t be afraid to ask questions and/or notify your IT department. If a caller requests information that is technical in nature, please refer them to your IT department.