Social engineering is a threat that faces organizations from small businesses to large enterprises. As we’ve explored multiple times on this site, few organizations are truly prepared to address these types of threats. Social engineering attempts to coax, cajole, and manipulate others into taking an action or divulging information they otherwise wouldn’t. It is hacking the human via a variety of manipulative methods, and it’s extremely successful. These attempts come via every communication medium: in person, over the phone, via email, text message, etc. Social engineering is behind most of the biggest hacks and data breaches you read about every day. Here we’ll explore some real-world examples of social engineering in action.
Examples of Exploitation
In my first year working as a systems administrator at a large technology firm, I encountered a perfect example of social engineering. Sitting at my desk I picked up the phone; on the other end was a friendly and gregarious voice with a thick eastern European accent. After a short exchange of pleasantries and self-identifying statements he launched into his ask. “I am a student of technology at the local university and I’m doing a paper on Internet routing.” “Would you be able to tell me about what routers you use and how you configure them up?” “No”, I said, acknowledging that I’d not share this information as it would violate the policy and security of my organization.
Fake Tech Support
Fake tech support social engineering is when you receive an out-of-the-blue call from ‘support’ (someone pretexting as official support) offering to help you with an issue they claim you have on your computer or network. This social engineer will exploit your automatic trust of hardware/software vendors such as Microsoft, Dell, HP or others. They will call and claim they have “found a piece of malicious software on your computer” and require that you allow them remote access to your machine to ‘fix it’. Once they remote in they will infect your machine with malware or attempt to sell you a software ‘solution’ which is most likely a trojan or other malware (malicious software).
If your organization processes credit card payments or has an online store, PCI compliance applies to you. Doubtless you’ve spent both time and money in efforts to maintain PCI compliance. For the untrained staffer, getting a call from the ‘PCI department’ might seem like a serious and legitimate inquiry. When asked to download and install software that will scan your network, an untrained employee might put the entire enterprise at risk. There is no telling what malicious software they might install at the behest of the social engineer. The consequences can be a ransomware attack, data exfiltration or worse.
The ‘C0mcast’ guy
In a business setting it’s common for third-party vendors, suppliers and service providers to visit your offices. Social engineers can take advantage of this with a simple purchase of an official shirt or a (falsified but official-looking) badge. When they arrive at the front desk they simply have to say they are here to ‘fix the Internet’ or do a required upgrade. Untrained staff members might allow them entrance without following proper security protocols. This cybercriminal is then given full rein to install a remote access box on your network, install malicious software or physically steal assets.
In all of the social engineering examples above, an employee without proper training might trust the requests of a social engineer. Unfortunately this leads to many otherwise preventable cybersecurity incidents and data breaches. Training is an important option to address these types of risks and the very real threats they represent. Threats evolve, and training must address these evolving threats. End user security training can only be successful if it is an ongoing effort. Are you ready to deal with these social engineering threats? Evolutionary IT can help. If you have questions contact us or leave a comment below. We’d love to hear from you.