Thursday, May 28, 2015

Social Engineering

Let's say you're sitting at your favorite coffee shop working on your laptop when a friendly but frustrated patron comes over to your table. He had a coupon for the cafe, he tells you, but it's in his email and he forgot his phone at home. Could he bring it up quickly on your computer to get the coupon code?

Being the kind, helpful person that you are, you readily agree. You are also cautious, however, and make sure that you can see the computer screen the whole time as the man brings up his email and opens a PDF for a quick look at its coupon code. He then thanks you and logs out of his email, allowing you to get back to work.

A good deed done? Or....

Imagine that you're at the office and a call comes in from a familiar charitable organization that's raising money to fight a disease that has affected your family. There's a walkathon happening, they explain, and a prize drawing for donations. You express your interest and are pleased to hear that the prizes include tickets to your favorite musical group. The caller offers to send you some more information on the event and you agree. A PDF arrives several minutes later with the date and time for the walkathon, as well as more details on parking for the event and how the money will be used.

An opportunity to help a cause near to your heart? Or....

Something else.

Both of these scenarios are actually examples of social engineering, the relational aspect of hacking in which the criminal relies more on human nature for their attack than on cracking a password or penetrating a firewall. Perhaps while reading this you recognized the con right away, but place yourself for a minute in these situations and think about what you might have done.

The good deed was actually just a way for the criminal to open up a malicious PDF - via their email - that would infect your laptop and allow them to gain access to your data. The "charitable organization" was actually a criminal posing as a volunteer. He had learned personal information about you from Facebook and other social media (including details such as the disease which had affected your family and your taste in music) and used it to make you more interested in supporting the walkathon, which was really just a virus that you willingly opened in your own email.

Devious, isn't it? But hackers know that often the weakest link in a family or organization's Internet security is the people not the firewalls and security systems. The people.

So let's not be one of those people. For more information on social engineering and helpful tips for protecting yourself, check out the following sites and articles:




No comments:

Post a Comment