Dear Social Engineering Diary March 9, 2016

Dear Social Engineer Diary,

Whoever mounts a social engineering attack, whether an individual or a group, generally has the benefit of experience and a keen awareness of human character.

Social engineering attacks use many tools to mislead the target into believing the attacker's script. What the attacks have in common is the human factor. One attribute most people internalize is to be helpful and to provide assistance when asked. We are social creatures, and when a member of the group needs help, another member will offer it.

Recently this has been applied to rather high-profile services. A widely respected information security author and blogger had his PayPal account compromised. The social engineer used the general attack methodology: because the target was well known, the attacker could search public and social media sources for his background data. With this in hand, the attacker called the service and assumed his identity. This is clearly not optimal.

Social engineering is about targeting someone on a human level

In yet another highly publicized example, an Amazon customer was also victimized. In this instance the user had an Amazon account, like so many others. Here, however, the attacker depended on the customer service representative's good nature and willingness to help a "customer" who seemingly needed it. The "customer" did not have the product that was purchased, did not have the last four digits of the credit card number (it was supposedly his work card), really needed to get the report back to his manager, did not have access to the account, did not know the expiration date of the card, and so on. The only thing the person knew was that the card was a Visa; statistically, even a blind guess among the three major card brands has at least a one-in-three chance of being right. Given the prior conversation, the customer service representative would probably have allowed the "customer" to keep guessing until correct.

Lessons to Apply

This contact is yet another example of why there needs to be a better training program. Training should consist of more than the usual presentation on the consequences of a successful social engineering attack. Staff should not be afraid to ask simple, direct questions, and if the answers are wrong or inconclusive, the conversation should go no further.

Red Flags

There were several red flags in this exercise in mental gymnastics. First, chronologically, the "customer" wanted a refund even before the product arrived. On its face this is exceptionally odd. As a rule of thumb and industry practice, a person orders the product, receives it, decides it just will not work, and then asks to return it. This alone should have been a red flag.

Regarding the credit card, the "customer" did not have it, did not have the last four digits, could not even give the last two digits, and asked the representative for the card's expiration date. If the "customer" did not have the card to verify the last four or two digits, how would the "customer" be able to verify the card from its expiration date? He would not; this was a farce.

At one point the "customer" said he did not have access to the account. Logging in requires only two pieces of data, a username and a password. The real customer would clearly have known both.

Best Course

There is a distinctly different course of action that should have been followed. The customer service representative should have used a bit of common sense, rather than bending over backward to give the "customer" every opportunity to commit fraud and then helping the "customer" log in. When something starts to smell, as it did here, the representative should stop, review the situation, and ask questions.
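The difference between the representative's behaviour and the course described above can be written down as verification logic. The following is an added example, not code from the original post or from any retailer's support system; the account record, the caller's statements and the required factors are constructed here to mirror the Amazon call. The lenient routine reproduces the failure mode in the post (unknown answers are skipped, and the caller may keep trying until something matches); the strict routine fails closed: one attempt, every factor required, a refund-before-delivery request ends the call, and the caller is never told which factor failed.

```python
"""Fail-open versus fail-closed caller verification for a support desk.

Added example; the account, caller statements and policy are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    card_brand: str
    card_last4: str
    card_expiry: str  # "MM/YY"
    order_delivered: bool


@dataclass
class Claims:
    """What the caller actually stated. None means 'did not know'."""
    card_brand: Optional[str] = None
    card_last4: Optional[str] = None
    card_expiry: Optional[str] = None
    wants_refund: bool = False


def lenient_verify(acct: Account, attempts: List[Claims]) -> bool:
    """The failure mode described in the post: any single matching factor
    is enough, unknown answers are simply skipped, and the caller may
    try again, so a guess among three card brands eventually succeeds."""
    for c in attempts:
        if c.card_brand is not None and c.card_brand.lower() == acct.card_brand.lower():
            return True
        if c.card_last4 is not None and c.card_last4 == acct.card_last4:
            return True
    return False


REQUIRED = ("card_brand", "card_last4", "card_expiry")


def strict_verify(acct: Account, attempts: List[Claims]) -> Tuple[bool, str]:
    """Fail closed. Returns (verified, reason).

    - Identity verification is single-shot: a second attempt is a denial.
    - A refund requested before delivery is a red flag that ends the call.
    - Every required factor must be provided; 'I don't know' is a denial.
    - On mismatch the reason is generic so the caller learns nothing about
      which factor was wrong (no oracle to guess against).
    """
    if len(attempts) != 1:
        return False, "retry attempted; identity verification is single-shot"
    c = attempts[0]
    if c.wants_refund and not acct.order_delivered:
        return False, "refund requested before delivery"
    for f in REQUIRED:
        if getattr(c, f) is None:
            return False, f"{f} not provided"
    matched = all(getattr(c, f).lower() == getattr(acct, f).lower() for f in REQUIRED)
    return (True, "all factors matched") if matched else (False, "verification failed")


# Constructed account and the caller from the post: no card in hand, no last
# four, no expiry, a refund wanted before delivery, and a brand guess that
# is wrong the first time and right the second.
ACCOUNT = Account("Visa", "4242", "09/18", order_delivered=False)
CALLER_ATTEMPTS = [
    Claims(card_brand="Mastercard", wants_refund=True),
    Claims(card_brand="Visa", wants_refund=True),
]


def demo() -> Tuple[bool, Tuple[bool, str]]:
    """Lenient logic lets the caller in; strict logic denies on the retry."""
    return lenient_verify(ACCOUNT, CALLER_ATTEMPTS), strict_verify(ACCOUNT, CALLER_ATTEMPTS)


if __name__ == "__main__":
    print(demo())
```

The strict routine deliberately checks the red flag and the retry count before it looks at any card data: a caller who has already tripped a policy rule gets no chance to probe the account factors at all, and a legitimate customer who has all three factors still passes on the first try.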

Lessons

Sys admins, please provide the training your staff needs. People can get too caught up in their jobs and forget that they are also responsible for information security and for keeping other people's data safe. If not, your organization may be breached and get a call from the government agencies.

Learn more about social engineering and how to protect yourself and your business in Chapter 7 of NCI’s book Protecting Our Future: Cybersecurity in Our Digital Lives

Charles Parker, II, has been coding since the mid-1980s, and has been working in the finance, auto manufacturing, and health industries seeking secure solutions to issues for over 17 years. Charles has an MBA, MSA, JD, LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.