Social Engineering 101
Written by Chris Griesemer

Social engineering is generally described as attackers tricking people into giving up information that greatly increases their chances of gaining entry into a locked information system, network or physical structure.

When we think of hacking, we may imagine a person tapping away at a computer, trying to break through a firewall in order to gain access to a company’s server. What many people don’t realize is that the majority of hacking attempts start with information gained through social engineering. Let’s take a look at some basic social engineering techniques.

Phishing
Phishing scams are typically carried out by someone sending emails to a group of people in an attempt to gain personal information. Sometimes website links are added to the email to get the user to click on them. The link takes the user to a website that looks like a legitimate business, further lowering the user’s suspicions so he/she will start entering personal information.

It seems like this would be a very technical procedure involving programming and web page design, but surprisingly there are services out there that will do all of this for you. You sign up for the service, put your list of user emails into their system, and they will send the phishing email and track how many users give up personal information, how many just click on the link, and how many delete the email.
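As an added, defensive example that is not part of the original post: the two tell-tale signs of the phishing email described above (link text that shows one domain while the link actually goes somewhere else, and a destination domain that merely looks like a trusted one) can be checked mechanically. The Python below parses the anchors out of an HTML email body and reports both cases. The brand list, the sample message, and the simple "last two labels" domain helper are constructed for this example and are not from the post or any particular product.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains an organisation wants to protect are kept in a
# short list like this one (constructed for the example).
KNOWN_BRANDS = ("example-bank.com", "examplemail.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' registered domain; a real filter would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if text parses as a URL or bare domain, else ''."""
    candidate = text if "://" in text else "http://" + text
    try:
        return urlparse(candidate).hostname or ""
    except ValueError:
        return ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_links(html):
    """Return a list of (href, reason) findings for anchors that look like phishing lures."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        href_domain = registered_domain(href_host)
        # Only treat the visible text as a domain if it looks like one (no spaces, has a dot).
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        # Sign 1: the visible text names a domain that is not where the link goes.
        if text_host and registered_domain(text_host) != href_domain:
            findings.append((href, f"text shows {text_host} but link goes to {href_host}"))
            continue
        # Sign 2: the destination is a protected brand used as a subdomain of
        # something else, or a near-miss spelling of that brand.
        for brand in KNOWN_BRANDS:
            if href_domain != brand and (brand in href_host or edit_distance(href_domain, brand) <= 2):
                findings.append((href, f"lookalike of {brand}"))
                break
    return findings


# Constructed sample message: one hidden-redirect link, one typo-squatted link, one legitimate link.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://example-bank.com.login-verify.net/">https://www.example-bank.com/login</a>
or use <a href="http://examp1e-bank.com/reset">this link</a>.
Read our policy at <a href="https://www.examplemail.com/help">examplemail.com</a>.</p>"""

if __name__ == "__main__":
    for link, reason in analyse_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {link}: {reason}")
```

Run as a script it prints two findings for the constructed message and nothing for the legitimate third link. The check is deliberately simple; a production mail filter would resolve shorteners, use a real public-suffix list, and compare against the organisation’s own domains rather than a hard-coded tuple.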

Pretexting
Pretexting is when an attacker puts forth a false scenario to help steal a victim’s personal information. An example would be pretending to work for an IT business and convincing a company’s security staff to let them into the building.

According to the Washington Post, scammers impersonating representatives of a modeling agency and an escort service created fake background stories and interview questions in an attempt to con women and teenage girls into sending inappropriate pictures.

Baiting
Baiting is a social engineering scheme that promises an item or good which is then used to help gather personal information. For example, Steve Stasiukonis, VP and founder of Secure Network Technologies, Inc., performed a baiting experiment by planting dozens of USB drives carrying a Trojan around the parking lot of a business. Some of the employees picked up the drives, and when they plugged them into their computers a keylogging program was executed and Steve was able to obtain the users’ usernames and passwords.

There are more examples of basic social engineering techniques, but look at how easy it is for anyone to perform these. Most of us have been targeted in phishing attacks and may even have been targeted in baiting. The most important thing to remember is that these are the basic attacks. I haven’t even talked about the attacks that exploit vulnerabilities in Flash, ActiveX, JavaScript and plug-ins, or advanced techniques like watering-hole attacks and Nigerian Prince or “419” scams. The point is that the landscape has changed. The information is out there. Social engineers don’t have to be programmers or web page designers. They just need the ability to pick up the phone or strike up a conversation and ask the right questions.

How to Protect Yourself

  1. Awareness
  2. Training
  3. Prevention

If you have questions or need more information, please don’t hesitate to contact Chris Griesemer at The Whitlock Company 417-881-0145.

More details and information via http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/