Social Engineering
Social Engineering is the attempt to gain access to sensitive
data (such as passwords, usernames and credit card numbers) by
winning the victim's trust rather than by breaking the
technology. This method of gaining access to a system is very
popular among hackers. It is often surprisingly easy and even
more often successful. THIS IS PROBABLY THE MOST SUCCESSFUL AND
MOST USED METHOD OF GAINING ENTRY TO ACCOUNTS!
Here's how it works. You might receive a phone call from a
representative of your computer company claiming there is a
problem which requires immediate attention. He may offer to come
right over and fix it (or, in a variation, he might send you a
disk in the mail). Of course, while he is there, he reboots your
system with a "diagnostic" floppy inserted into the drive. When
the "tests" are done you will be relieved to find out from him
that nothing is wrong with your system. Naturally, the
"diagnostic" disk just installed a Trojan horse which gives this
stranger complete access to your system and all of your data
files.
A more common social engineering scheme (especially on America
Online) is to send out an email which says there is a problem
with your account. Would you please send your username and
password by return email so it can be fixed? Or perhaps you are
asked to visit a web site, which naturally requires you to log
in with your username and password. You might be asked to call a
phone number, where the very official-sounding person on the
other end will just want to "verify" that the account is yours
by getting your credit card data.
An example of a standard social engineering attack is shown
below.
From: Security@yourISP.Com
To: taylorwayne@yourISP.Com
Subject: Account Compromised
We have detected a major security breach to several accounts on
our network. While we do not believe that your account was among
those compromised by hackers, we recommend that you check your
account data immediately.
To verify your account, just visit the following URL:
http://www.yourISP.Com/security/view.htm
Login to your account and check your data. Make special note of
the last login date and time. If anything appears to be
incorrect, please send an email to security using the link at
the bottom of the page.
Thanks for your immediate attention. YourISP security
The site, which belongs to the hacker and only looks like your
ISP's, shows a username and password prompt. You enter your
username and password; the page records them and sends you to
an "incorrect password - try again" screen. You hit the
"continue" button, which places you on the REAL ISP site. Now
when you enter your username and password, you are, of course,
logged in. You are greatly relieved to find that your account
data has not been changed and think nothing else of the issue.
Of course, you just gave your username and password to a hacker,
and the "incorrect password" detour was there so that the whole
thing passes for an ordinary typo!
And that's all that social engineering is about - gaining your
trust, getting your vital data, and abusing that data.
How do you protect against this? Be aware that it exists and
don't respond to these kinds of requests. If someone asks you
for your password, then tell them to buzz off. Nobody needs to
know your password for any reason. Let me repeat: DO NOT GIVE
OUT YOUR PASSWORD TO ANYONE FOR ANY REASON. THERE IS NOT A VALID
REASON FOR ANYONE TO NEED IT. If the person who asked really
works where he says he works, then believe me, he can ALREADY
get to your account (an administrator can reset your password
without ever knowing it). Why on earth would he be asking you
for your username and password?
If you think the email or whatever might be accurate, then call
the ISP or navigate to their site yourself (don't use anything
from the email or letter that you received - use the menus and
screens provided by the ISP). For example, say you get a letter
from your ISP saying to change your password immediately. It has
a phone number and URL. Use neither. Find your ISP's phone
number and URL yourself - perhaps in your browser help menu or
in the manual or letter that arrived when you signed on. This
bypasses anything that might be wrong in the letter or email
that you received.
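The rule "use nothing from the email" can also be applied
mechanically before anyone clicks. The following Python script is
an added example written for this page; it is not part of the
original article and not anything the ISP provides. It pulls every
link out of a message like the one shown earlier and refuses to
trust any whose real destination is not one of the ISP's own
hosts. The allowlist of hosts, the look-alike and IP-address
destinations, and the sample message itself are all constructed
for the example.

```python
# Added example (not from the original article): flag links in a
# suspicious e-mail whose real destination is not the ISP's own site.
# Assumptions: the ISP's genuine hosts are the two in TRUSTED_HOSTS,
# and SAMPLE_EMAIL is a constructed message, not a real one.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the ISP's genuine web hosts. Keep the list exact; the
# provider's own printed material tells you which hosts it really uses.
TRUSTED_HOSTS = {"yourisp.com", "www.yourisp.com"}

# Constructed sample modelled on the message in the article. Link 1 shows
# the real URL as its visible text but points at a look-alike host; link 2
# hides an IP address behind "user@"; link 3 is genuine.
SAMPLE_EMAIL = """From: Security@yourISP.Com
To: taylorwayne@yourISP.Com
Subject: Account Compromised
Content-Type: text/html; charset=us-ascii

<p>To verify your account, just visit the following URL:</p>
<a href="http://www.yourISP.Com.account-check.example/security/view.htm">http://www.yourISP.Com/security/view.htm</a>
<p>Or use <a href="http://www.yourISP.Com@203.0.113.5/login">our secure login</a>.</p>
<p>Help is at <a href="https://www.yourISP.Com/help">the help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(raw_message):
    """Return [(href, visible_text), ...] for every link in the message body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        return [(href, text.strip()) for href, text in collector.links]
    # Plain text: a bare URL is its own visible text.
    return [(url, url) for url in re.findall(r"https?://\S+", content)]


def link_problems(href, text):
    """Reasons not to trust one link; an empty list means it passed every check."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname  # urlsplit lower-cases it and strips any port
    if parts.scheme not in ("http", "https") or not host:
        return ["not an http(s) link to a named host"]
    if parts.username is not None:
        # http://www.yourISP.Com@evil.example/ : the part before '@' is a
        # username the browser ignores; the real destination comes after it.
        reasons.append("text before '@' is not the host; link really goes to " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link goes to a bare IP address")
    if host not in TRUSTED_HOSTS:
        if any(trusted in host for trusted in TRUSTED_HOSTS):
            reasons.append("look-alike host " + host + " is not the ISP's host")
        else:
            reasons.append("host " + host + " is not one of the ISP's hosts")
    if re.match(r"https?://", text):
        shown = urlsplit(text).hostname
        if shown != host:
            reasons.append("visible text shows " + str(shown) + " but link goes to " + host)
    return reasons


def check_email(raw_message):
    """Return [(href, [reasons]), ...] for every link that failed a check."""
    flagged = []
    for href, text in extract_links(raw_message):
        problems = link_problems(href, text)
        if problems:
            flagged.append((href, problems))
    return flagged


if __name__ == "__main__":
    for href, problems in check_email(SAMPLE_EMAIL):
        print(href)
        for problem in problems:
            print("   -", problem)
```

Run as-is, it reports the two deceptive links from the sample and
stays quiet about the genuine help page. Two design choices are
deliberate: the allowlist is matched exactly, so even a legitimate
subdomain the ISP never told you about gets flagged for a human
to check, and visible link text that looks like a URL is compared
against where the link really goes, which catches the common
trick of showing the right address while linking somewhere else.
The script cannot tell a registered look-alike domain from a real
one that is simply missing from the list, so its verdict is "do
not click", never "safe"; the safe move is still to type the
ISP's address yourself.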
If you do suspect that you've received a social engineering
attack, be sure that you notify your ISP, MIS department or
whoever needs to know. The only way this kind of criminal can be
caught is if the crime is reported quickly and accurately.