My sister-in-law recently had an experience where she was called by someone posing as a head hunter. They spoke to her with confidence and gained her trust by knowing a good deal about her work experience. During the call, they confirmed much of the information that could be found from her resume online and pumped her for more by dangling the carrot of a position that she was perfect for.
The call seemed promising and legit up until the point where they told her they needed her credit card information so they could bill her the $30 finder's fee. She immediately got suspicious, and to my surprise, asked the caller if this was a scam. He responded with "Yes" and hung up.
You can imagine my excitement when my wife was relaying the story to me. It's just like the rogue antivirus and ransomware crap I see all the time with friends, family, and users. Machines are infected with the ransomware, and the users are hooked into thinking their machines are infected because the fake infection notices look so legitimate. And, just like the attack against my sister-in-law, the fake notices invoke an emotional response: no one wants to be infected.
With the economy and unemployment situation still not fully recovered, social engineering attacks like this one could be more commonplace than I realize. However, it serves as a great example for educating users (and friends and family) on the dangers of posting personal information online whether it's for fun on sites like Twitter or for employment purposes.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.