Tag Archive: social engineering

This week, LSE received a couple of calls from “Microsoft”, claiming that they had detected a virus on the caller’s PC and asking whether they could install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts, and informing staff. We have had reports that Skype users are also being targeted.


Social Engineering

After I wrote my last post on the callous nature of people exploiting the Japanese Tsunami and subsequent problems at the Fukushima nuclear plant, it occurred to me that I haven’t really written much on social engineering.

The easiest way to get someone’s password is to ask for it.

It’s quite simple: people want to be helpful and don’t want to be seen to be a problem in the organisation. So, when someone phones them up, saying they work for “IT” and need their user ID and password, most people simply provide it. In many cases, phone lists are available online, so it’s easy to come across as authoritative. It is vitally important to get the message across to all staff that they must never share their passwords. If there is any doubt, people will provide it to whoever asks, as they don’t want to get into trouble.

There have been several studies into how much people value their personal information. One such study was done at LSE, as part of Project FLAME (pdf) where different types of user information were requested for different levels of incentive (in this case, varying qualities of chocolate) and then verified. The results can be found here.

So, even when people are being blatantly asked for information probably more personal than their work password, they are happy to divulge it.

The Art of Deception

Kevin Mitnick is a former hacker, turned computer security consultant, who knows a lot about social engineering. At the age of 12, he figured out a way of riding the bus system in Los Angeles for free, re-using tickets others had thrown away by modifying them with a hole-punch after a friendly conversation with an LA bus-driver. He subsequently went on to use his ability to convince others to part with information to gain access to a number of high profile systems, including Digital Equipment Corporation (now part of HP), Pacific Bell, Motorola, Nokia, Sun and Fujitsu Siemens.

Much of this activity was done with the unknowing complicity of the staff at these organisations. He has gone on to write a best-selling book, called “The Art of Deception”, which makes for chilling reading and is essential for those in the information security industry.

Years ago, I remember listening to something on the Hackers News Network, a quasi-radio station on the Internet that would publish mp3s of sessions they held. One of these was to phone a Blockbuster Video store somewhere in the US, pretending to be someone they had found in a phone book. The session was fascinating: the poor shop assistant was trying to be as helpful as possible, but ended up revealing the credit card number and address of someone the callers knew nothing about.

There are people out there who are more than willing to abuse the trust of good-natured people. It’s always worth being a little suspicious.

It’s a sad fact that many people exploit human nature for their own ends. The BBC reports that there is a text message circulating in Asia suggesting that radiation has “leaked” [sic] across Asia from the Fukushima power plant in Japan. Sophos’ Graham Cluley has blogged about malware spreading across the globe in the guise of videos supposedly coming from Japan with subject lines like: “VIDEO: The village that escaped the tsunami”, “VIDEO: Struggle for normal life in Japan”, “VIDEO: Woman talks about tsunami escape”, and “Japan tsunami touches New Zealand”.

Other examples include fake Japanese Tsunami charity appeals, fake CNN footage of the tidal wave, and a Facebook “clickjacking” scam that entices people with the bizarre claim of showing viewers a whale stuck in a building after the Tsunami.

This goes to show that everyone needs to be extra careful when tragedies such as the one in Japan happen, as people will try to hijack the event, appealing to people’s curiosity or good nature for their own purposes. Even viewing a video or clicking on a site may reveal more than you want.

If you want to donate to the relief effort, go directly to a reputable charity.