Social Engineering: Eight Common Tactics

Stealing your company's 'hold' music, spoofing caller ID, pumping up penny stocks - social engineers blend old and new methods to grab passwords or profits. Being aware of their tricks is the first line of defense.

By Joan Goodchild, Senior Editor

Page 3

"They will get an email that says: 'The site is doing maintenance, click here to update your information.' Of course, when you click on the link, you go to the bad guys' site." Marcus recommends advising employees to type Web addresses in manually to avoid malicious links. And also to keep in mind that it is very rare for a site to send out a request for a password change or an account update. (For more tips see How to Use Social Networking Sites Safely.)

7. Typo Squatting
On the Web, bad guys also bank on the common mistakes people make when they type, according to Marcus. When you type in a URL that's just one letter off, suddenly you can end up with unintended consequences.

"Bad guys prepare for typing mistakes and the site they prepare is going to look a lot like the site you thought you were going to, like Google."

Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
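One defensive counterpart to the "one letter off" problem above is to check hostnames seen in proxy or DNS logs against a short list of domains the organisation cares about and flag anything a single edit away. The block below is an added example, not code from the article; the protected list, the sample hostnames and the crude "last two labels" notion of a registrable domain are all constructed assumptions.

```python
# Added example: flag hostnames one typo away from a protected domain.
# PROTECTED and SAMPLE_HOSTS are constructed for this example.

PROTECTED = ["google.com", "example-bank.com"]

def damerau_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion,
    substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Assumption for the
    example; real deployments should use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(hosts, protected=PROTECTED, max_distance=1):
    """Return (host, protected_domain, distance) for hosts whose registrable
    domain is within max_distance edits of a protected domain, but not equal."""
    hits = []
    for host in hosts:
        dom = registrable(host)
        for good in protected:
            if dom == good:
                continue  # the genuine domain, not a lookalike
            dist = damerau_distance(dom, good)
            if dist <= max_distance:
                hits.append((host, good, dist))
    return hits

SAMPLE_HOSTS = [  # constructed log hostnames
    "www.google.com", "gogle.com", "googel.com",
    "mail.example-bank.com", "example-bnak.com", "unrelated.org",
]

if __name__ == "__main__":
    for host, good, dist in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host} looks like {good} (distance {dist})")
```

Raising `max_distance` catches more variants but also more false positives, so review hits before adding them to a blocklist.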

8. Using FUD to affect the stock market
The security and vulnerabilities of products, and even entire companies, can make an impact on the equities market, according to new research from Avert. Researchers studied the impact of events such as Microsoft's Patch Tuesday on the company's stock and found a noticeable swing each month after vulnerability information was released.

"Publicly-released information has an effect on stock prices," said Marcus. "Another recent example is the fake information that was circulated a few weeks ago about Steve Jobs' health. Apple stock took a dive on that. That is a clear example of someone inserting FUD and a resulting effect on a stock." Presumably the culprits held a 'short' position which allowed them to profit from this trick.

The converse approach is to use email to execute the ancient 'pump-and-dump' tactic. A scammer can buy a large volume of a penny stock, then blast out emails under the guise of an investment advisor touting that stock's great potential (that's the 'pump'). If enough recipients of this spam email rush to buy the stock, the price will spike upward. The scammer then quickly 'dumps' his shares at a great profit.
