Real-Life Social Engineering

Social engineering attacks are becoming so commonplace that it has become a little easier to educate users about identifying phishing e-mails and websites because they are seeing the attacks firsthand on a more regular basis. What they often don't realize is the damage that can be done, or how similar attacks might come at them, through their personal lives.
Steve Stasiukonis and his team at Secure Network recently put together a list of who they consider to be the top four social engineers of all time. It's a fun read that I recommend you check out, and what I like about the list is that it shows you social engineering skills extend beyond the digital realm, as exemplified by Frank William Abagnale, Jr.

My sister-in-law recently had an experience where she was called by someone posing as a headhunter. They spoke to her with confidence and gained her trust by knowing a good deal about her work experience. During the call, they confirmed much of the information that could be found in her resume online and pumped her for more by dangling the carrot of a position she was perfect for.

The call seemed promising and legit up until the point where they told her they needed her credit card information so they could bill her the $30 finder's fee. She immediately got suspicious, and to my surprise, asked the caller if this was a scam. He responded with "Yes" and hung up.

You can imagine my excitement when my wife was relaying the story to me. It's just like the rogue antivirus/ransomware crap I see all the time with friends, family, and users. Machines are infected with the ransomware, and the users are hooked into thinking their machines are infected because the infection notices look so legitimate. And, just like the attack against my sister-in-law, the fake notices invoke an emotional response: no one wants to be infected.

With the economy and unemployment situation still not fully recovered, social engineering attacks like this one could be more commonplace than I realize. However, it serves as a great example for educating users (and friends and family) on the dangers of posting personal information online whether it's for fun on sites like Twitter or for employment purposes.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.