Comp-U-News from Comp-U-Talk
July 2013

“We can’t help everyone, but everyone can help someone.” - Ronald Reagan 

This newsletter is the first of a two-part series on the dangers of social engineering. The original article can be found here:  My smaller "chunk size" versions can be found here:  Read. Learn. Practice.

You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones that have the highest success rates, often approaching 100%. What is the secret of these attacks? Why do they succeed so well?

Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people who always look like they are bored with life, and at the bottom are those who just don't care and are basically in apathy about everything.

Successful social engineers first determine where their target is on this scale, and then select the attack that will have the highest degree of success with that person, trying to closely match their target's outlook on life.

This scale of vices can be approached from either a negative or positive side. You can either call it gullibility or you can call it trust, call it greed or self-interest, but since we're talking vices here we'll stick to the negative labels.

Here are seven social engineering attacks that I hope are a good example of each one of the deadly vices, but note there is always overlap and things are not that clear-cut. We are dealing with humans after all!

Curiosity: The attacker left a USB stick next to the washing basin in the restroom of the floor that had the executive offices and their administrative assistants. It was clearly marked 'Q1 Salary Updates'. The USB drive had modified malware on it that installed itself and called home from any workstation it was plugged into. This attack was 90% effective.

Courtesy: The attacker focused in on the CEO of his target company. He did his research, found the CEO had a relative battling cancer and was active in an anti-cancer charity. The attacker spoofed someone from the charity, asked the CEO for his feedback on a fund-raising campaign and attached an infected PDF. Mission achieved, the CEO's PC was owned and the network followed shortly after. And of course holding the door open for a stranger with his hands full of boxes is a classic 'Courtesy' piggybacking example that we all know.

Gullibility: Attackers identified the proper managers at two separate branches of their targeted bank. They bought a domain name that looked very similar to the bank's domain. They spoofed the bank exec's emails and sent bogus emails to the manager authorizing a transaction. They walked in with a counterfeit check and a fake driver's license, and walked out with 25,000 in cash...repeatedly!

Did you know that the Nigerian 419 scams these days use the word 'Nigeria' on purpose to qualify their targets up front? It's now utilized as a filter to weed out people and grab the uneducated ones who are greedy enough to take a risk and answer the 26-year-old orphan girl who has $12,500,000 in the bank, needs a guardian and some help transferring the funds...

Watch for part two coming next month. Until then, have a Safe & Happy Summer.