The presentation covered four key aspects of Social Engineering
- Change Society – Make Cyber Crime a Bad Choice
- Old School Social Engineering
- Phishing: Greed and Fear
- Post Phishing: key loggers
- Spear Phishing
Change Society- Make Cyber Crime a Bad Choice
The presenter started off by prefacing his reasons for the current state of internet social engineering. To start changing the current status of the internet environment the presenter suggested a change in the way society cyber crime. He stated two main reasons Phishing scams are so prevalent on the internet. The First reason is the lack of sufficient laws to prosecute criminals. The Second is the insufficient sentencing of social engineering crimes. For example, if someone robs a bank they could get a twenty year prison sentence, but if they steal your credit card information over the internet they normally get a slap on the wrist. This inconsistent administration of laws makes it an easy choice for criminals to committing cyber crime with little chance of severe consequences.
Suggestion to change the current state of Cyber Crimes:
-
Better laws enforcement technologies, tools, and training
- Need to have dedicated study (college, community college, trade school)
- Need to have more money invested technology to help prevent and catch cyber criminals
- Need to have dedicated study (college, community college, trade school)
-
Stronger laws and punishment against cyber criminals
- Local, state, and federal government need to take a look at stronger law to change the mentality of cyber criminals
- Local, state, and federal government need to take a look at stronger law to change the mentality of cyber criminals
-
Raise awareness to reduce victim pool
- Information Technology Departments or tech savvy users should make people aware of dangers that social engineering.
-
People should be praised for making right choices
- Incentives should be given (give away a $10 dollar gift card (randomly selected) to lunch once a month for anyone that helped deter a potential security infraction)
- Incentives should be given (give away a $10 dollar gift card (randomly selected) to lunch once a month for anyone that helped deter a potential security infraction)
- Information Technology Departments or tech savvy users should make people aware of dangers that social engineering.
Old School Social Engineering
“Old school social engineering” the presenter showed a picture and asked the audience what they saw.
A lot of the audience said a doctor. The presenter then told how our preconceived notions can mislead us. The picture above, for his example, is a criminal who dressed up as a doctor and then talked his way in to the hospitals network closet. Once inside the closet he installed a key logger to collect user’s passwords.
Social Engineering is not about having brilliant technology skills to crack high levels of encryption. Social Engineering is about using a moderate level of technology skill and charismatic personalities to crack the weakest link in security, the human element. The doctor example above is just one way show how social engineers can gain access to important information. Another way is for someone to call the companies helpdesk and talk them in to resetting a user password to allow the criminal to login to the system.
He also brought up a good point that the one of the most dangerous individuals’ in an organization maybe the lowest level employee. Often in large organizations there are employees that only last 3-5 months. These entry level positions often have access to more sensitive information than CEOs. Social Engineers will try to offer these employees vast amounts of money to copy sensitive information for them.
Phishing: Greed and Fear
Since the internet has become such an engrained part of society, this has made an easy target for cyber criminals. People have started to use the internet for banking, talking to friends, storing health records, talking about personal information, using public email for business purposes, ect… With email becoming the standard for communication within businesses, it has also become ground zero for the social engineering technique known as Phishing.
Phishing: A type of scam with the intent of capturing personal information such as Social Security numbers, online banking user identification numbers, debit and credit card account numbers, and passwords.
Greed Phishing: this phishing style is used by offering people incentives for filling out information. A common greed phishing scam is to send an email that looks like your bank sent it asking people to fill out a questionnaire to receive money. People receive and email that looks like a customer review form from a bank. At the end of the customer survey you are asked to give you account number and password so the bank can deposit money.
Fear Phishing: this is the most common style of phishing. Fear phishing uses emails to scare people to quickly access their account.
The email above is an example of how scammers get unassuming people to rush to what they believe to be their banks website (through the link inside the email). When a customer attempt to login to the fake site the cyber criminals get all applicable information to steal the customer’s money and identity.
There are a couple ways to prevent this type of phishing scam.
- Do not use links within emails to access websites. Open a web browser and navigate to the website directly.
- Check the URL of the website you are logging onto. If the URL address is not familiar do not give any of your information.
Post Phishing
Post Phishing is very similar to the fear phishing scams listed above, except it is software driven. It uses key loggers to wait until people login to an actual account and then send the login information to the social engineers. Key loggers are normally distributed through websites by using links within phishing emails. If the user clicks on the links within a post phishing email it could send you to a website that would infect you machine with malware.
Spear Phishing.
Spear Phishing: combines using emails and key loggers to get information for a specific target. Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization or a person. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient’s own company (spoofed email address) and generally someone in a position of authority.
According to an article in the New York Times, spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by “sophisticated groups out for financial gain, trade secrets or military information.”
Here’s one example of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering tactics to convince the recipient. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and gain access to sensitive data.
(Courtsey of http://searchsecurity.techtarget.com/
)
The presenter gave a similar scenario where a personalized email is drafted to the CIO of a technology company. The email uses information found in public website to depict a plausible reason for the sender to have an attached picture. The CIO reads the email and thinks the picture attached is of his daughter making a great play at her soccer game (found by reading the daughters blog). Once the attachment is opened a key logger is installed on the CIO’s computer.
Closing Thoughts
The presentation was very informative. Although I have heard of phishing the examples given helped greatly to understand how phishing scams really work and some of the motivation that drive people to fall for these scams. I would suggest that if given the chance everyone should be take a class on the dangers of phishing schemes. Also, look to implement a reward type system, even if it is just public kudos, within the department for people who help deter Social Engineering schemes.
