Awareness

9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines

Congrats on your inheritance! Okay, you knew that one's the start of a scam. Here are other come-ons you'll encounter when criminals come knocking

By Joan Goodchild, Senior Editor

Page 2

"Did you see this video of you? Check out this link!"
Sophos is also seeing an increase in Spam on Twitter, the popular social network where users "Tweet" quick one line messages to others in their network (Read: 3 Ways a Twitter Hack Can Hurt You).

A spam campaign on Twitter in recent weeks involved a Tweet that said "Did you see this video of you?"

"If you think the link is from a friend, you are much more likely to click on it," said Cluley.

Unfortunately, users who clicked on the link ended up at a bogus site that only looked like the Twitter web site. Once there, unsuspecting Twitterers entered passwords, which then ended up in the hands of hackers.

Office offenses

"This is Chris from tech services. I've been notified of an infection on your computer."
Before there were computers, email, web browsers and social network sites for communication, there was the phone. And although it may seem archaic now, it is still a handy way to pull off a social engineering scam, according to Chris Nickerson, founder of Lares, a Colorado-based security consultancy.

Nickerson said scammers often take advantage of a timely event to strike. The Downaup worm that is currently infecting many PCs is a good example (Read Downadup Worm Now Infects 1 in every 16 PCs). Nickerson's firm conducts what he calls 'Red Team Testing' for clients using techniques that involve social engineering to see where a company is vulnerable.

"I will call someone and say "I've been informed that you've been infected with this worm.' And then I walk them through a bunch of screens. They will see things like registry lines and start to get nervous with the technicality of it. Eventually, I say 'Look, why don't I fix this for you? Give me your password and I will deal with it and call you back when I am done.'"

The strategy plays on a person's fear and lack of comfort with tech, said Nickerson.

"If you can put someone in a position where they think they are in trouble, and then be the one to fix it, you automatically gain their trust."

"Hi, I'm from the rep from Cisco and I'm here to see Nancy."
Nickerson recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack).

Criminals will often take weeks and months getting to know a place before even coming in the door. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.