Social engineering techniques: 4 ways criminal outsiders get inside
Your security plan goes from locked down to wide open when a social engineer pulls off these techniques to gain insider access
By Joan Goodchild , Senior Editor
June 10, 2010 — CSO —
It doesn't matter how many locks you put on the door that is your security plan, because criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? That is the question posed by Lenny Zeltser, head of the security consulting team at Savvis and a SANS Institute faculty member.
"There is often a debate about what is more prevalent and more dangerous: Is it the outsider threat or the insider threat?" said Zeltser. "Once you accept the success of social engineering, you will recognize there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider."
Zeltser, who frequently presents at security conferences around the country, lays out the four ways social engineers compromise a person's security defenses and gain easy access to sensitive information.
1. Alternative communication channels
Scam artists make use of alternative channels of communication because they catch people off guard, said Zeltser.
"Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the victim is used to," he said.
He pointed to the example of a scam that used windshield flyers. The flyers alerted drivers that their car was "in violation of standard parking regulations" and asked them to log onto a site where they could get more information.
"If you got a spam message that said this, you probably would have disregarded it," noted Zeltser. "But when people got this notice in the physical world, outside of the normal channel they are used to being on guard in, they went to horribleparking.com and they saw some pictures of improperly parked cars in their own town. Of course, if they wanted to see their own vehicle parked improperly, they had to download this media player. If they downloaded it, they infected themselves with a fake antivirus tool."
Zeltser also pointed to vishing scams as another variation of this kind of attack: victims receive voice mails asking them to contact their bank about fraudulent account activity. People call the number and are prompted by a series of voice menus to enter sensitive information, or they are connected with someone claiming to be a bank representative.