Social engineering techniques: 4 ways criminal outsiders get inside
Your security plan goes from locked down to wide open when a social engineer pulls off these techniques to gain insider access
By Joan Goodchild , Senior Editor
June 10, 2010 — CSO —
It doesn't matter how many locks you put on the door that is your security plan, because criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? That is the question posed by Lenny Zeltser, head of the security consulting team at Savvis and a SANS Institute faculty member.
"There is often a debate about what is more prevalent and more dangerous: Is it the outsider threat or the insider threat?" said Zeltser. "Once you accept the success of social engineering, you will recognize there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider."
Also get CSO's Ultimate Guide to Social Engineering [13-page PDF - free CSO Insider registration required]
Zeltser, who frequently presents at security conferences around the country, lays out the four ways social engineers compromise a person's security defenses and gain easy access to sensitive information.
1. Alternative communication channels
Scam artists make use of alternative channels of communication because they catch people off guard, said Zeltser.
"Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the victim is use to," he said.
He pointed to the example of a scam that used windshield flyers. The flyers alerted drivers that their car was "in violation of standard parking regulations" and asked them to log onto a site where they could get more information.
"If you got a spam message that said this, you probably would have disregarded it," noted Zeltser. "But when people got this notice in the physical world, outside of the normal channel they are used to being on guard in, they went to horribleparking.com and they saw some pictures of improperly parked cars in their own town. Of course, if they wanted to see their own vehicle parked improperly, they had to download this media player. If they downloaded it, they infected themselves with a fake antivirus tool."
Zeltser also pointed to vishing scams, where victims receive voice mails asking them to contact their bank about fraudulent account activity as another variation of this kind of attack. People call the number and are prompted by a series of voice commands to enter sensitive information, or they are connected with someone claiming to be a bank representative.
Also read Social engineering attacks: Highlights from 2010 [CSO Insider registration required]
Social engineering is the art of tricking security's weakest link (people) into giving up valuable information (like passwords). Learn how social engineers work and how to defend against them.
Social engineering: the basics
Definitions, common forms and tactics, stories and examples of social engineering, and much more
Social engineers' favorite pickup lines
Any email or phone call that starts this way is probably a disguised invitation to trouble
MORE dirty tricks: 5 new social engineering lines
What can a social engineer say to start his deception? Here are 'pickup lines' he loves - because they work
How to rob a bank | How to sneak into a security conference
3 tips for using the Social Engineering Toolkit
CSO's ultimate guide to social engineering
A 13-page PDF loaded with examples, defensive ideas, and more [free Insider registration required]
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Content Analytics Explained
- Modernizing Wireless Infrastructure for Today's Mobile and Data Driven Enterprise
- Data loss prevention: Refreshing data security to meet an evolving threat environment
- Two-Factor Authentication
- DLP Is Not Just Good for Business, It's Vital for Business
- Expert Help to Assess Your Data Loss Risks
- Harvard Business Review: How Mobility is Changing the World
- How Mobility is Changing the Enterprise
- #FFSec: Infosec pros who bring value to Twitter
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - B-Sides Boston is Saturday
- Leaving CSO, Heading to Akamai
More Salted Hash with Bill Brenner
