The 7 Best Social Engineering Attacks Ever
Seven reminders of why technology alone isn't enough to keep you secure.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt3dbd15d49dba4eef/64f0dc75420f8c3642c3b2bd/Brad-Pitt_s-horse-in-Canakkale.jpg?width=700&auto=webp&quality=80&disable=upscale)
Social engineering is nothing new.
In 1849, Samuel Williams, the original "confidence man," as the newspapers named him, engineered gullible strangers out of their valuables simply by asking "Have you confidence in me to trust me with your watch until tomorrow?" Through the late 19th and early 20th century Joseph "Yellow Kid" Weil ran a variety of scams, including conning Benito Mussolini out of $2 million by selling him phony rights to mining lands in Colorado. And of course in the 1960s, Frank Abagnale, subject of the movie Catch Me If You Can, made a living faking identities and passing bad checks.
While technology has made some kinds of fraud more difficult to commit, it's created all sorts of new opportunities for adaptable fraudsters. And even the very strongest security technology can be overcome by a clever social engineer. That's part of the reason security awareness training for end users is so essential.
"Executives 'get it' right away," says Wombat Security president and CEO Joe Ferrara, about awareness training. "The people who are harder to convince are...the die-hard technologists who don't want to leave [anything] in the hands of the user."
So for you die-hard technologists out there who need convincing, here are a few examples of social engineering prevailing over security technology. A few are my own personal favorites, and a few are Ferrara's, who will be presenting a session on the topic at the Interop Las Vegas conference.
The classic example comes all the way from ancient Greece, during the mythological Trojan War (possibly, but probably not based on actual historical events). After an exhausting, unsuccessful 10-year siege of Troy, the Greek army appears to give up. They pack their things, set sail, and leave the Trojans an enormous wooden statue of a noble horse -- an impressive gift to say "We lose. You win. Good game."
The Trojans wheel the horse into the gates, congratulate themselves, eat, drink, and be merry themselves into a sound sleep. Little did they know that hidden inside the horse was a small force of Greek soldiers. The soldiers crept out of their equine hideaway during the night, opened the city gates, and let in the rest of the Greek army, which had quietly returned under dark of night while the Trojans were carousing. The Greeks entirely destroyed the city of Troy, and the Trojans who survived had to live with the knowledge that, after their security measures held strong for 10 years, they'd allowed their own undoing by foolishly inviting their destroyers to come right in.
Mythical or not, if the Trojan Horse weren't such a genius example of a social engineering attack, we'd never have named an entire class of malware after it.
Here's another in the category of attacks on security companies. In 2013, the "Hidden Lynx" cyberespionage group in China used water-holing attacks to compromise security firm Bit9's digital code-signing certificates, which later were used to target some Bit9 customers.
Watering holes are more subtle than phishing attacks. Malware is injected into a legitimate website that organizations in the target industry are already likely to visit. And Hidden Lynx are the kings of the watering hole attack, behind not only this event, but the VOHO attacks and Operation Aurora.
They accessed Bit9's file-signing infrastructure so that they could sign malware and make it seem legitimate. They then used it to attack Bit9 itself, at least three of its customers, and three defense industrial base organizations that were customers of Symantec.
Nigerian frogs like this one don't generally turn into princes when you kiss them, and Nigerian princes who send you emails asking for money don't generally turn out to be princes at all. But that doesn't stop people from falling for the scheme.
What we think of as "Nigerian Prince" scams aren't anything new. They go back to at least the 16th century, with the character instead being a Spanish prisoner who's actually innocent (and wealthy).
One of the most embarrassing examples in recent times occurred in 2007. Thomas Katona, the treasurer of Alcona County, Michigan, embezzled roughly $1.25 million of the county's $4 million operating budget and paid at least some of it to a scammer. The county had little hope of recovering any of the stolen money.
Katona was sentenced to nine to 14 years in prison for eight counts of embezzlement, one count of attempted embezzlement, and two counts of forgery. As the state Attorney General said, "The defendant's actions are unthinkable and indefensible."
Nigerian prince and "419" scams are definitely not a thing of the past. In 2013, according to recent research, such scams cost victims $12.7 billion worldwide; $82 million in the US alone. As the researchers explain, some of the worst victims of advance fee fraud scams experience something like an addiction, and some experience something akin to the Stockholm syndrome that kidnap victims suffer, defending their scammers, even though they only know them through e-mail communications.
In 2013, attackers lifted an unheard-of 40 million credit and debit cards from retail megachain Target's point-of-sale systems. Ferrara puts the breach among his top picks not just for the "devastating" scope of the damage, but because it showed just how dangerous an unwary business partner can be.
Investigators suspect the attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning subcontractor Fazio Mechanical Services via a phishing email that included the Citadel Trojan.
Even if a retail giant makes certain every one of its greeters is as well-trained in social engineering defense as they are in saying "welcome to Target," they aren't entirely safe from phishermen. Target served as a lesson to require better security from third-party contractors and to limit the network access those parties are provided.
If you want to keep your organization secure, says Ferrara, "You have to engage the end users. If you don't, then you really have no shot."
Ferrara recommends that you start your awareness training with a knowledge assessment. Find out what your end users really know about security -- not so you can make fun of them, but so that you can decide where to focus your efforts, and so that you can measure their improvement later.