Social engineering – how to protect yourself from a non-technical network attack
Attack #1
Jane Doe is sitting at her desk when a call comes in to her office.
“Jane Doe, can I help you?”
“Hi, this is Steven Smith, Director of Network Security for HHS Information Systems. We’ve noticed an attack on our personnel servers coming from your network address. It appears to be coming from someone using your username jdoe and your password.”
Jane replies, “Well, jdoe is my username for my company, but I’ve never been to your website before. What should I do?”
Steven goes on to say, “In my position at HHS Information Systems I am very concerned regarding network security and would hate for you to get in trouble with your IT department for attacks that you obviously aren’t doing, so if you could give me your current password as a verification, I would be happy to block your username and password at our gateway so that you don’t get in further trouble.”
Jane is very concerned and doesn’t want to get in trouble for something she’s not doing, so she gives Steven her password so that he can “block it at their gateway.”
Attack #2
John Doe receives a paper letter in his mail stating that there is unclaimed money in a financial institution named “First National Securities” in Springfield, Ill. It’s not a large sum of money, but it is surely enough to pay for that summer vacation he’s planning.
The letter asks him to call 217-787-3464 to discuss this matter immediately, as finance charges have just begun and the money is going to be diminished by $50 per week until the remainder is gone.
John calls the number, where they politely tell him they will send him a form in the mail that he is to fill out to claim the money. Evidently the money is from a rebate he was entitled to from a class action lawsuit with General Telephone several years ago, which he never claimed.
John receives an official-looking form from them, which he fills out and returns, and he patiently waits for the money to arrive.
Attack #3
Sidney Green receives a letter in his mail at home stating that there is unclaimed money in a financial institution named “First National Securities” in Springfield, Mo. It’s a sum of money so large that it is quite hard to believe he is the beneficiary of it.
The letter asks him to call 809-294-3223 for instructions regarding claiming his prize money. Sidney figures that a long distance call won’t be too much to pay to find out about the information, and that the 809 area code is probably a toll free number since it’s close to 800.
Sidney calls and patiently waits for “the next available agent”. When someone comes to the phone after a brief 5 minute wait, they try to sell him a time share condominium in Florida that he has no interest in.
Sidney politely dismisses the sales person and hangs up the call.
The Results:
Attack #1
Jane doesn’t realize it, but she has now confirmed her login for the company and has also given out her password. These are two important pieces of information that a hacker can use to easily work out an attack against network resources.
While Jane was trying to keep from getting in trouble with her company, she just gave information to a hacker that really can get her in trouble, as the attack will appear to come from her credentials.
Attack #2
Not surprisingly, John never receives any money in the mail. In fact, he starts to notice charges on his credit cards that he isn’t making, as well as money disappearing from his ATM cards that he’s not withdrawing.
A couple of months later, John also receives notice from collection agencies that he’s behind on payments to credit cards that he doesn’t own. John checks his credit report online to find that there have been multiple attempts to sign up for credit cards without his authorization.
John realizes at this point that he’s a victim of identity theft.
Attack #3
Sidney gets his phone bill later in the month and finds a toll charge for the 809 number he called. He was billed at $39.95 per minute for a 7 minute call, for a total of $279.65.
What Sidney didn’t realize is that the 809 number he called was in the Dominican Republic and that it was a “pay per minute” number.