Social Engineering

Social Engineering is the attempt to gain access to sensitive data (such as passwords, usernames and credit card numbers) by gaining trust. This method of gaining access to a system is very popular among hackers. It is often surprisingly easy and even more often successful. THIS IS PROBABLY THE MOST SUCCESSFUL AND MOST USED METHOD OF GAINING ENTRY TO ACCOUNTS! Here's how it works.

You might receive a phone call from a representative of your computer company claiming there is a problem which requires immediate attention. He may offer to come right over and fix it (or, in a variation, he might send you a disk in the mail). Of course, while he is there, he reboots your system with a "diagnostic" floppy inserted into the drive. When the "tests" are done you will be relieved to find out from him that nothing is wrong with your system. Naturally, you were just infected with a Trojan horse which gives this stranger complete access to your system and all of your data files.

A more common social engineering scheme (especially on America Online) is to send out an email which says there is a problem with your account. Would you please send your username and password by return email so it can be fixed? Or perhaps you are asked to visit a web site, which naturally requires you to log in with your username and password. You might be asked to call a phone number, where the very official sounding person on the other end will just want to verify that your account is yours by getting your credit card data.

An example of a standard social engineering attack is shown below.

    From: Security@yourISP.Com
    To: taylorwayne@yourISP.Com
    Subject: Account Compromised

    We have detected a major security breach to several accounts on our network. While we do not believe that your account was among those compromised by hackers, we recommend that you check your account data immediately.

    To verify your account, just visit the following URL: http://www.yourISP.Com/security/view.htm

    Login to your account and check your data. Make special note of the last login date and time. If anything appears to be incorrect, please send an email to security using the link at the bottom of the page.

    Thanks for your immediate attention.

    YourISP security

When you visit the site it shows a username and password prompt. You enter your username and password, which sends you to an "incorrect password - try again" screen. You hit the "continue" button, which places you on the REAL ISP site. Now when you enter your username and password, you are, of course, logged in. You are greatly relieved to find that your account data has not been changed and think nothing else of the issue. Of course, you just gave your username and password to a hacker! And that's all that social engineering is about - gaining your trust, getting your vital data, and abusing that data.

How do you protect against this? Be aware that it exists and don't respond to this kind of thing. If someone asks you for your password, then tell them to buzz off. Nobody needs to know your password for any reason. Let me repeat: DO NOT GIVE OUT YOUR PASSWORD TO ANYONE FOR ANY REASON. THERE IS NOT A VALID REASON FOR ANYONE TO NEED IT. If the person who asked really works where he says he works, then believe me, he can ALREADY get to your account. Why on earth would he be asking you for your username and password? If you think the email or whatever might be accurate, then call the ISP or navigate to their site yourself (don't use anything from the email or letter that you received - use the menus and screens provided by the ISP). For example, say you get a letter from your ISP saying to change your password immediately. It has a phone number and URL. Throw the letter away without reading either.

Now, find your ISP phone number and URL yourself - perhaps in your browser help menu or in the manual or letter that arrived when you signed on. This bypasses anything that might be wrong in the letter or email that you received. If you do suspect that you've received a social engineering attack, be sure that you notify your ISP, MIS department or whoever needs to know. The only way this kind of criminal can be caught is if the crime is reported quickly and accurately.
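The warning signs the article describes (urgency, a request to log in, a link supplied in the message, a sender claiming a security role) can be checked mechanically before a user ever clicks. The following added example is not part of the original article; it applies those heuristics to a transcription of the sample message above and to a constructed benign notice, and it deliberately ignores what domain the link claims to point at, since the article's advice is to find the ISP's address yourself rather than trust the one you were sent.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample, transcribed from the message quoted in the article.
PHISH = """\
From: Security@yourISP.Com
To: taylorwayne@yourISP.Com
Subject: Account Compromised

We have detected a major security breach to several accounts on our network.
While we do not believe that your account was among those compromised by
hackers, we recommend that you check your account data immediately.
To verify your account, just visit the following URL:
http://www.yourISP.Com/security/view.htm
Login to your account and check your data.
"""

# Constructed benign sample: informational, no link, no request to log in.
NOTICE = """\
From: billing@yourISP.Com
To: taylorwayne@yourISP.Com
Subject: Maintenance window

Dial-up access will be unavailable Sunday 02:00-04:00 for planned maintenance.
"""

URGENCY = re.compile(r"\b(immediately|urgent|right away|within \d+ hours)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(verify your account|log ?in|password|username)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")


def triage(raw_message):
    """Return the social-engineering indicators found in one plain-text email.

    Rule of thumb from the article: a message that asks you to log in and
    either hands you the link or pressures you to act now is suspect,
    whatever domain the link appears to point at.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    links = URL.findall(body)
    flags = {
        "urgency": bool(URGENCY.search(body)),
        "asks_for_login": bool(CREDENTIAL_ASK.search(body)),
        # Hosts are reported only so the user can look the ISP up independently.
        "link_hosts": [urlparse(u).hostname for u in links],
        "sender_claims_security_role": "security" in (msg["From"] or "").lower(),
    }
    flags["suspect"] = flags["asks_for_login"] and (bool(links) or flags["urgency"])
    return flags
```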