The following is an excerpt from an article that appeared in the Boston Globe on 18 Dec 2007:
Two special education students at the controversial Judge Rotenberg Educational Center in Canton were wrongfully delivered dozens of punishing electrical shocks in August based on a prank phone call from a former student posing as a supervisor, a state investigative report has found.
School staffers contacted state authorities after they realized they had been tricked on Aug. 26 into delivering 77 shocks to one student and 29 shocks to another, according to Cindy Campbell, a spokeswoman for the Department of Early Education and Care, which drafted the report. Both students were part of a Rotenberg-run group home in Stoughton for males under age 22.
How could something like this have happened? It’s easier than you’d think. In the example above two people ended up as the victims, but more and more we are seeing this type of targeted behaviour aimed at businesses, in an attempt to dig up sensitive corporate information, usually to steal your data, customers or money, or just to perform some outright shenanigans.
Loosely defined, social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most cases the attacker never comes face-to-face with the victim.
Is it something you need to be worried about? It’s something that you should be aware of. It can happen to anybody, anywhere. You may think that because you work at a larger company you have an advantage, because it has more resources to throw at the problem and more people devoted to stopping it from happening. In fact, I would almost go as far as to say that the bigger the workplace you’re in, the bigger the disadvantage you have. You probably won’t be able to recognize everybody’s name, face or voice, whereas in a smaller company you know exactly what Dave from finance looks and sounds like, and you’re probably also painfully aware that he likes extra onions on his sandwiches for lunch.
I’m going to focus on social engineering from the business rather than the personal perspective, but keep in mind that with the rise of online shopping and virtual information repositories on sites like Facebook and MySpace, you aren’t safe at home either if you don’t pay close attention.
Here’s a very short list of a few of the more common types of scams that are out there:
Dumpster Diving – It is just as it sounds. People hunt through your trash hoping to gain a nugget or two of useful information. If you’re careful, though, the only kind of nugget they’ll find is of the half-eaten chicken variety. Common sense reigns here: if you have any confidential information, make sure it gets shredded. Sensitive information should be kept locked down and/or password protected, with access given only to those that need it.
Phishing – I swear it was THIS BIG. This is an attempt to gain information by making it appear that the request has come from a legitimate source. This type of scam is usually easy to spot; it can be in the form of an email from your ‘bank’ asking you to go to website x and confirm your account number as well as your PIN. Thankfully most of us aren’t silly enough to fall for that. Phishing scams can, however, be much more sophisticated than that. There is third-party software out there that will display the legitimate content of the target website, while any data that is entered is captured by the nogoodniks who are out to drain your bank accounts and charge up your credit cards.
Trojan Horse – Not just for Romans any more. This one has been around for pretty much as long as computers have been networked. They mostly come in the form of emails that promise a joke, some racy pictures or even some tasty gossip on your fellow co-workers. You click on the file that’s attached to the email and bad things start to happen that can usually be traced back to you… Fortunately, if you have a systems administrator with half a brain, they will have malicious file types (things like scripts and executables) blocked before they can even make it to your inbox. The fact that you have a decent spam filter and anti-virus program running, however, is no excuse for opening unrecognized emails with reckless abandon. Treat attachments with caution, as there are many viruses out there designed to spoof a friendly email address that have a nasty attachment surprise waiting for you.
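The two gateway checks the paragraph describes, blocking executable attachments (including double-extension disguises) and spotting a friendly name on an outside address, as an added Python example that is not from the original article; the sample message, the blocked-extension list and the example.com/example.net domains are constructed for the demonstration:

```python
import email
from email import policy

# Extensions a mail gateway would typically strip; an illustrative list, not a vendor default.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta"}

# Constructed sample: a friendly display name on an outside address, carrying an
# attachment disguised with a double extension (the base64 body is a stub, not a real file).
SAMPLE_MESSAGE = b"""From: "Dave from Finance" <dave.finance@example.net>
To: staff@example.com
Subject: Hot and Steamy Vacation Pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have to see these!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="vacation_pictures.jpg.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

def attachment_names(raw):
    """Return the filename of every attachment part in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def is_blocked_filename(name):
    """Judge by the LAST extension so 'pictures.jpg.exe' and 'joke.txt     .exe' are both caught."""
    ext = name.strip().rsplit(".", 1)[-1].strip().lower()
    return ext in BLOCKED_EXTENSIONS

def sender_domain_mismatch(raw, company_domain):
    """A display name posing as a colleague while the address is external is a spoofing hint."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    return sender.domain.lower() != company_domain.lower()

def check_message(raw, company_domain="example.com"):
    """Collect the reasons a gateway would hold this message back from the inbox."""
    findings = [f"blocked attachment: {n}" for n in attachment_names(raw) if is_blocked_filename(n)]
    if sender_domain_mismatch(raw, company_domain):
        findings.append("sender address is outside the company domain")
    return findings
```

A real gateway would also inspect the attachment's content type and magic bytes rather than trusting the filename alone; the extension check is the first and cheapest layer.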
Road Apples – Honest, the Trojan Horse Left them Behind… This is a variation of the Trojan Horse in that media (CDs, memory sticks etc.) are left lying around with such interesting titles as ‘Company Wide Salary Breakdown’ and ‘Hot and Steamy Vacation Pictures’. This scam relies on the victim picking up the media and scampering off to their workstation to view their ill-gotten information. When the media is inserted into a computer, it will usually have an autorun feature that unleashes a torrent of viruses and Trojans onto your network. Serves you right for trying to catch a look at your co-worker’s naughty vacation pictures.
This is by no means a complete or comprehensive list of social engineering scams. They are limited only by the imagination of the people inventing them. The only advice to give is to be vigilant, and don’t be afraid to question something that doesn’t sound quite right. Your legitimate customers will be happy to know that their personal data won’t just be handed out to anybody who calls up claiming to be them or to have a standing association with them, and the scammers will often get frustrated when they are asked many and varied questions.