Perimeter
3/17/2015
04:00 PM
Sara Peters
Sara Peters
Slideshows
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The 7 Best Social Engineering Attacks Ever

Seven reminders of why technology alone isn't enough to keep you secure.
Previous
1 of 9
Next

Image, via Wikipedia: Maquette Trojan Horse, used in the movie Troy, a gift from Brad Pitt to the Turkish town Canakkale
Image, via Wikipedia: Maquette Trojan Horse, used in the movie Troy, a gift from Brad Pitt to the Turkish town anakkale

Social engineering is nothing new.

In 1849, Samuel Williams, the original "confidence man," as the newspapers named him, engineered gullible strangers out of their valuables simply by asking "Have you confidence in me to trust me with your watch until tomorrow?" Through the late 19th and early 20th century Joseph "Yellow Kid" Weil ran a variety of scams, including conning Benito Mussollini out of $2 million by selling him phony rights to mining lands in Colorado. And of course in the 1960s, Frank Abagnale, subject of the movie Catch Me If You Can, made a living faking identities and passing bad checks.

While technology has made some kinds of fraud more difficult to commit, it's created all sorts of new opportunities for adaptable fraudsters. And even the very strongest security technology can be overcome by a clever social engineer. That's part of the reason security awareness training for end users is so essential.

"Executives 'get it' right away," says Wombat Security president and CEO Joe Ferrara, about awareness training. "The people who are harder to convince are...the die-hard technologists who don't want to leave [anything] in the hands of the user." 

So for you die-hard technologists out there who need convincing, here are a few examples of social engineering prevailing over security technology. A few are my own personal favorites, and a few are Ferrara's, who will be presenting a session on the topic at the Interop Las Vegas conference.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Previous
1 of 9
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sincee
50%
50%
Sincee,
User Rank: Strategist
10/2/2015 | 4:56:47 AM
thank's for post
system security in any country is the future !
MichaelH91401
50%
50%
MichaelH91401,
User Rank: Apprentice
10/1/2015 | 3:18:11 PM
Re: name required
The post refers to "Ferrara" repeatedly, but never describes who he is or what he does. 
AnonymousC493
50%
50%
AnonymousC493,
User Rank: Apprentice
5/9/2015 | 9:41:21 AM
Social Engineering examples
Here's another example:

https://engineering.social/2015/05/02/sinkholing-script-kiddies/

It's not one of 'the best social engineering attacks' ever, but shows that anyone can be a target.

 

 
mithoon
50%
50%
mithoon,
User Rank: Apprentice
3/28/2015 | 2:37:41 AM
Re: name required
great post
delllphi
100%
0%
delllphi,
User Rank: Apprentice
3/24/2015 | 7:21:23 AM
Confidence Man
The name of the "confidence man" was "William Thompson" and not "Samuel Williams". The article "Arrest of the Confidence Man" (New-York Herald, July 8, 1849) can be found online.
xmarksthespot
100%
0%
xmarksthespot,
User Rank: Apprentice
3/19/2015 | 4:24:22 AM
Good examples
Great article!  Periodic User awareness training to reduce social engineering is of paramount importance.  Some phishing emails are so good that high trained security people can fall for them.  The examples in the article effectively demonstrate the issue.


The rule I use for my own emails is not click links in emails, including unsubscribe, unless the email is expected, such as one as confirmation during new account setup. Of course, never click on attachments either unless they are expected.  I have within Spyshelter (anti-keylogger) where I can save an attachment, right click the file and on the pop-up menu click 'Spyshelter-> Check it on VirusTotal'; it uploads to virustotal.com .   It's then scanned by over 50 antivirus software products. 

I think this rule is probably the most important security measure I use for computers at my home.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
3/18/2015 | 6:45:32 PM
name required
Can we all agree to ignore any email that isn't addressed by name?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.