By Ahmad Austin
Just imagine that a cybercriminal doesn’t need to hack into your network or break into your office and steal your computer in order to obtain your information. All he or she needs to do is to use psychology and a human’s nature to want to trust people against them. This method is called Social Engineering. Social Engineering is the art of manipulating people into performing actions or divulging confidential information.
Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with a U.K.-based security firm. One of the latest involves the criminal posing as a Facebook “friend.” They send a message or IM on Facebook claiming to be stuck in a foreign city and say they need money.
“One can never be certain the person they are talking to on Facebook is actually the real person,” he noted. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.” If a person has chosen a bad password, or had it stolen through malware, it is easy for a con to wear that cloak of trustability,” said Cluley.” Once you have access to a person’s account, you can see who their spouse is or where they went on vacation. It is easy to pretend to be someone you are not.”
Another technique is known as ‘search engine poisoning’. This will likely involve a specially crafted website that contains malware. As soon as an incident of international interest occurs, the attackers use search engine optimization techniques to make this website appear high on search engine returns. So, if there’s an earthquake or plane crash
– use caution when searching in Google, Bing or Yahoo; there may be false links to a bad website. Having said this, search engines are typically very good at recognizing this attack and removing the links.
One of the easiest and most common forms of social engineering is simply leaving a USB flash drive lying around and waiting for a person to pick it up and put it in their computer. Let’s play this scenario out, putting me in the role of the cybercriminal. I know that on Thursdays at around 6pm nursing school students host a weekly study session in the local coffee shop. I’m also aware by looking at the course syllabus online that they have to do 10 hours of clinical work at the nearby hospital.
At 5:45pm I strategically place a flash drive labeled “Nursing Notes” in the study area at the coffee shop. At 6:15pm a Nursing student picks up the flash drive and puts it in her laptop, launching a virus. The virus gives me access to her laptop, which she happens to record information from her clinical work, giving me access to patients social security numbers that sell for $200 a piece on the black market. If you have doubts about this scenario being realistic, place 5 USB flash drives in your company’s receptionist area and see how long they remain there.
The key to minimizing the risk of being a victim of social engineering is to enhance your security awareness. There are several websites that can assist you in this process. Below is one that I recommend readers to visit on a weekly basis:
http://www.sans.org/tip_of_the_day.php
Ahmad is a Principal Consulatant at Cy3 Computing LLC. He can be reached at
334-649-3208 Option 1
