Famous social engineering attacks: 12 crafty cons

Playing nice and doing what you're told makes you easy prey for con artists.

Human beings are essentially social creatures. We like to help one another. We generally defer to people higher up in the hierarchy than we are. We tend to trust that other people are honest, mean what they say, and are who they say they are, because questioning any of those things without good reason is rude.

Unfortunately, these social niceties can turn us into the weakest link in information security. Too often hacks result not from technical flaws but from what's known as social engineering: human beings allowing themselves to be convinced to let down their guard. Many of the techniques are as old as con artistry itself, but have been updated for the digital age.

Consider the social engineering attack examples below cautionary tales.

Kevin Mitnick's wild run

Kevin Mitnick was one of the most notorious hackers of the '80s and '90s computer age. His exploits were driven by curiosity, not profit, and social engineering was his superpower. Here's a classic Mitnick trick: in 1979, at the ripe old age of 16, he made friends with some hackers who had found the number for a dialup modem for the system that Digital Equipment Corporation (DEC) used for OS development, but they told him that it was useless because they didn't have an account name or password. Mitnick simply called the system manager at DEC, claimed to be Anton Chernoff, one of the company's lead developers, and said he was having trouble logging in; he was immediately given a login that provided high-level access to the system. (Mitnick, now reformed, is in the security consulting business.)

Brothers in crime

The most notorious hackers in the Middle East in the 1990s were Muzher, Shadde, and Ramy Badir, three Israeli Arab brothers who had been blind since birth. The Badirs' favorite targets were telephone companies — at one point they were running their own bootleg telecom and charging an Israeli army radio station for all the bandwidth — and many of their scams were achieved via social engineering techniques, like calling into phone company HQs claiming to be engineers in the field, or chatting up secretaries for details about their boss that would help them guess passwords. But the Badirs had skills that were absolutely unique: they could wreak havoc by perfectly imitating voices (of the fraud investigator on their tail, for instance) and could tell a phone's PIN just by hearing someone type it from across the room.

Tarnishing HP's reputation

In 2005 and 2006, Hewlett-Packard (HP) was roiled by corporate infighting, and management was convinced that a board member was leaking insider information to the media. HP hired private investigators to look into its own board members' communications, which they did via pretexting, a form of social engineering that the ensuing scandal brought to national attention. Armed only with board members' names and the last four digits of their social security numbers, the PIs were able to call AT&T and convince the carrier to hand over detailed call records for the victims. Though HP's leadership claimed it hadn't authorized these techniques, the fallout resulted in multiple resignations; pretexting to obtain financial records was already illegal, but the scandal also resulted in a stronger federal law against the practice.
