Archive for May, 2010

Social Engineering and Facebook's Privacy Rules

Thursday, May 20th, 2010

Social engineers have a field day whenever a social media site is in the news for its security. If you read the news at all, you have heard about Facebook's recent barrage of security announcements and the feelings many have about their "security". Social engineering attacks are on the increase in the social media world, and this is a serious problem.

Many have claimed that Facebook is cavalier about security and that their attitude is one of not viewing it as important. Then some major news organizations posted a private IM exchange between Facebook's CEO, Mark Zuckerberg, and a friend.

Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Friend's Name]: What? How’d you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don’t know why.
Zuckerberg: They “trust me”

We have all joked with our friends online and said things we would not want repeated. If all the "ammo" against Facebook stopped at this IM I would actually feel sorry for him, but the fact is that Facebook's security and privacy policies keep getting worse, and that will lead to many more compromises in the future.

How do we know?

Just a few hours ago a story was released that contains some very damaging information regarding Facebook's security policies.

We can boil the story down to one word: Simplify.

Too many users said their increased security was too complicated, so the answer? Make the security rules simpler. Dumb them down. Make them easier to comply with.

Why not? It's only users' personal data.

And this came only 3 days after Alert Logic found a massive flaw in their security protocols.

The purpose of this blog post is not fully to blast Facebook and their inherent lack of security but to talk about what we can learn from this.

There are 3 lessons I think we can glean from this story:
1) Anytime you put your personal information in the hands of someone else, you had better trust them. Before you handed your wallet to someone you would probably want some level of trust in them. Why? Even if there were no cash or cards, you might have your license or ID in the wallet. You don't want a stranger getting your DOB, address and full name, yet when you trust someone online that you don't really know with this data, you are asking for trouble.

2) Simplification is not always better. We are not saying that for security to work it must be complicated. Yet there has to be a level of complexity to the security protocols. If your password rules and user education are so simplistic that anyone can guess a password, they are obviously not going to be effective.

3) If you must use social media sites, do your research. Even with Facebook there are third-party apps that can help you secure your account. Do not just trust that everything is secure because they "said so".

Social media has its place and it can be useful, but as you hopefully have discerned through our other articles, it is a danger too. It allows for social engineers to gather information on people, sometimes information that we don’t even tell our closest friends.

It allows the social engineer to plan a pretext that will work based on that knowledge. Then launch an attack that will have the maximum effect on us.

These things are a reality, and until users demand more serious security protocols these companies are not going to provide them.

How To Prevent Social Engineering Attacks by Choosing the Right Security Auditor

Monday, May 17th, 2010

It is logical that with all the information we release on prevention of social engineering attacks, employee deception, fraud and identity theft we would receive questions on how to choose a good auditor. Requests have been coming in both to have us perform social engineering audits and for advice on how to choose a good auditor.

I think what we need to discuss first is the different types of social engineering audits and then from there you will clearly see how to choose a good auditor.

We can break social engineering audits into two main categories, Internal and External, then from there break them down into smaller sub-categories.

Internal
Internal audits are just what they sound like: the auditor simulates attacks from the position of a very low-level employee. They are given the rights, permissions and access of a new employee. From there the social engineer attempts certain attacks and sees how successful the attempts are and how devastating they could potentially be for the company. This is not to be confused with the "Internal Audit" function that exists in many companies, which primarily deals with financial and technical auditing, normally in support of a compliance effort.

One company we worked with had horrible policies for laying people off. We told them numerous times when we consulted that their written policies needed to change. When they terminated someone's employment they would let them go back to their office unsupervised, pack up, download personal files from the computers and then leave.

One day they had to fire one of the company's Chief Financial Officers because he was moonlighting, and he had chosen to do it with a competitor. The meeting went great: "John" understood their position and, with a smile on his face, made the firing very easy. He then shook their hands and said he would clean out his office, hand in his key card and leave.

Management all patted themselves on the back for a job well done. The next morning when they came into the office it was chaos. It appears that someone had scheduled a job on the 13 servers that would shut down all backups and then format every server. 13 servers and about 11 million USD in damage. Why? Because they allowed a disgruntled, and now fired, employee to have full access to the network after they fired him.

This is not a lone story or something new. Unfortunately these things occur all too often. Auditing the internal policies for needed change is a very important aspect of an audit.

• How easy is it for an employee to copy sensitive information and take it “home”?
• Can an employee bring in personal media and use it to take files home?
• Do they have the ability and permissions to set up file sharing or access from outside?
• What software do the employees run on their computer that can make them vulnerable?
• Do the employees use their corporate emails for personal things?

All of these questions and more need to be discussed and answered during a social engineering audit.
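The termination story and the questions above turn into a concrete check that an internal audit can automate. The following script is added here as an example and is not part of the original post: it reconciles an HR termination feed against a directory export and a scheduled-job inventory and flags accounts still enabled after termination, logins after termination, and jobs that a terminated user owns, scheduled after the termination, or that carry a destructive command. The record formats, user names, hosts, commands and the DESTRUCTIVE pattern list are assumptions, and all sample data is constructed.

```python
"""Offboarding reconciliation: find access and scheduled jobs that survive a
termination.  Added example, not from the original post; record formats are
assumptions and the sample data below is constructed."""
from datetime import datetime

# Constructed HR feed: user -> time the termination took effect.
TERMINATIONS = {
    "jdoe": datetime(2010, 5, 3, 14, 0),     # "John", the CFO in the story
    "asmith": datetime(2010, 4, 20, 9, 30),
}

# Constructed directory export: user -> (account enabled?, last login).
ACCOUNTS = {
    "jdoe": (True, datetime(2010, 5, 3, 16, 45)),
    "asmith": (False, datetime(2010, 4, 19, 17, 10)),
    "bjones": (True, datetime(2010, 5, 4, 8, 5)),
}

# Constructed scheduled-job inventory collected from the servers:
# (host, owner, time the job was created, command line)
JOBS = [
    ("srv01", "jdoe", datetime(2010, 5, 3, 16, 52),
     "service backup stop && format-all-volumes"),
    ("srv02", "bjones", datetime(2010, 4, 1, 2, 0), "/opt/backup/nightly.sh"),
    ("srv03", "asmith", datetime(2010, 4, 10, 3, 0), "rm -rf /data/old"),
]

# Assumed list of substrings that mark a job as destructive.
DESTRUCTIVE = ("format", "rm -rf", "backup stop", "mkfs", "del /s")


def stale_accounts(terminations, accounts):
    """Accounts still enabled, or used, after the owner's termination time."""
    findings = []
    for user, fired_at in terminations.items():
        enabled, last_login = accounts.get(user, (False, None))
        if enabled:
            findings.append((user, "still enabled"))
        if last_login is not None and last_login > fired_at:
            findings.append((user, "login after termination"))
    return findings


def suspicious_jobs(terminations, jobs):
    """Jobs owned by a terminated user, jobs created after that termination,
    and jobs whose command matches a destructive pattern."""
    findings = []
    for host, owner, created, cmd in jobs:
        reasons = []
        if owner in terminations:
            reasons.append("owner terminated")
            if created > terminations[owner]:
                reasons.append("created after termination")
        if any(p in cmd.lower() for p in DESTRUCTIVE):
            reasons.append("destructive command")
        if reasons:
            findings.append((host, owner, cmd, reasons))
    return findings


if __name__ == "__main__":
    for finding in stale_accounts(TERMINATIONS, ACCOUNTS):
        print("ACCOUNT", *finding)
    for host, owner, cmd, reasons in suspicious_jobs(TERMINATIONS, JOBS):
        print("JOB", host, owner, repr(cmd), ", ".join(reasons))
```

In practice the three inputs come from the HR system, the directory (an LDAP or Active Directory export) and the cron or task-scheduler listings from each server; the point is that the reconciliation runs on every termination rather than relying on a manager remembering to revoke access.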

External
This type of audit has many angles, but it is really where the heart of social engineering audits lies. Let's discuss it in terms of the three levels of external audits.

Remote/Text Only:
This type of audit focuses on email, web cloning and phishing scams. The auditor does heavy amounts of information gathering and decides which avenue might have the biggest effect. Whether it is a charity, fantasy sports league, club, or just social sites, the auditor works on perfecting a message that will have the maximum effect.

It may include cloning a website and then sending an email purporting to come from that website to try and trick the employees into visiting. In one such audit we found that 20 employees were all part of a fantasy basketball league. Let's just say the site was www.basketballleague.com; we cloned that site and registered the domain www.basketballlleague.com, almost indistinguishable from the real one. We found out that the domain manager was Mike and that he regularly sent emails with specials to the members. We sent a mail from mike@basketballlleague.com to all members in that company stating that just by visiting a new site and testing it out they would get a free month.

Every single one clicked and went. The site presented them with the same logos, headers, look and feel as the real site (as it was cloned) and with a user ID and password box. They were asked to log in, check it out and then give us feedback. Almost all people use the same password for their mail, websites and bank accounts. We also embedded a malicious iframe on the page that fed us reverse Meterpreter shells. In the end we harvested 20 passwords, of which 11 were the same as their mail passwords, and gained access to 7 different computers.

All of this was done via email without having to pick up the phone or visit the site once.
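The extra "l" in basketballlleague.com is the whole trick, and it is also what a defender can look for. The following script is an added example, not code from the original post or from the audit it describes: it extracts the sender domain from a From: header, computes the Levenshtein edit distance to each domain on a trusted list, and classifies the sender as trusted, lookalike or unknown. The TRUSTED set, the distance threshold and the SAMPLE headers are constructed assumptions; the same check applies to the domain of any link in the message body.

```python
"""Lookalike sender-domain check for the cloned-site phish described above.
Added example, not from the original post; the trusted-domain list, the
threshold and the sample headers are constructed."""

# Assumed list of domains the organisation actually does business with.
TRUSTED = {"basketballleague.com", "example-corp.com"}


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn a into b (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain part of a From: header value such as
    'Mike <mike@basketballlleague.com>' or 'news@example.net'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify(domain, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_trusted_domain).  Exact match -> 'trusted';
    within max_distance edits of a trusted domain -> 'lookalike';
    otherwise 'unknown'.  A threshold of 2 catches an inserted letter,
    a swapped pair or an 'rn' for 'm'; raise it and short domains start
    colliding with unrelated ones, so tune it per list."""
    if domain in trusted:
        return "trusted", domain
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


# Constructed sample From: headers; the second is the audit's lookalike.
SAMPLE = [
    "Mike <mike@basketballleague.com>",
    "Mike <mike@basketballlleague.com>",
    "newsletter@totally-different.net",
]


def scan(headers):
    """(domain, verdict, matched trusted domain) for each header."""
    results = []
    for h in headers:
        d = sender_domain(h)
        verdict, match = classify(d)
        results.append((d, verdict, match))
    return results


if __name__ == "__main__":
    for domain, verdict, match in scan(SAMPLE):
        print(f"{domain:28} {verdict:10} {match or ''}")
```

A lookalike verdict is a strong quarantine signal on its own; the rest of the audit's attack (identical look and feel, a login form, an iframe) only works once the mail has been delivered and the domain has been accepted at a glance.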

Remote with Phone:
Basically this type of audit includes all of the above services, but we mix in some phone social engineering. One account we came across shows how 60% of IRS agents fell for a simple scam when audited.
“Hi this is Larry from IT we are running a password security program and going to be resetting everyone’s passwords to something a lot more secure. Do you have a pen handy?”

“Yes”

“Ok write this down p$5gLp9@nc%. That is your new password, I will need your present password so I can log and replace.”

“Ok it is fluffy123”

“Great, give us 30 mins then log out and log in with your new password. Thanks”

60% fell for that, and I can tell you that many more fall for it in our audits as well.

The telephone is a devastating tool when used by social engineers. With a lot of information gathering and a little bit of work a very successful telephone SE Program can be generated.

The goal with mixing the phone in the audit is to see if the target will give out information over the phone that can facilitate a social engineering attack. Many times this part of the audit is very successful.

Onsite Audit/Red Team:
This type of audit mixes all of the above aspects of the other audit types with a special mix of onsite work too. Onsite work can be as simple as a fake pizza delivery guy or UPS man who drops off a box and leaves a few carefully placed CDs or USB keys. Or it may be a sales guy who is having a meeting with the boss and needs a printout of his ruined resume or sales proposal. Or it can be an after-hours red team break-in where we infiltrate the perimeter and steal company secrets.

An audit that includes onsite work will show the security holes most clearly. The reason onsite work is becoming more accepted in social engineering audits is the way it shows how a real attacker could gain access. Companies will generally spend hundreds of thousands on firewalls, IDS, antivirus systems and the like, and then protect those investments with a $20 lock.

Policies on how media is handled, cameras, visitors and other such matters are all tested and exploited to see where an attacker could potentially gain access. Some may argue that actual red team testing is not realistic; we answer that by asking how much your intellectual property is worth.

If your company holds secrets, files or data that could ruin your business if they landed in a competitor's hands, then nothing is too far-fetched. Such losses cost companies over $25 billion per year, so it is a serious threat.

With that in mind, auditing is essential for many companies, especially if they want to assure their clients that they are doing all they can to be secure.

End Results
This is a very short overview of a very serious topic. The question that might come up is how to use this information?

Audits and penetration tests are becoming a more common part of everyday business life. Sit down and decide what it would cost to be down for 1 day, 1 week, 1 month. Is it worth the time, effort and money not only to audit your company and people, but then to make the changes needed to really be secure?

Each year social engineering becomes a bigger and bigger threat with the average costs of a data breach coming in at over $3.43 million USD.

The only real way to be sure something is secure is to test it. And don’t fool yourself into thinking it won’t be tested in some manner. By a controlled test such as described here, or by a real attacker that has malicious intent.

Every day we are bombarded with news of controls that failed and the unexpected and often catastrophic results that occur when they do. A social engineering penetration test can identify these situations before they occur in an uncontrolled environment. However, the results are only as good as the auditor you pick to conduct the work.

When you are picking the auditor for this sort of work, be sure to consider the reputation of those that are conducting the work as well as their experience and knowledge. Consider the types of services you need in order to truly test your company and feel out the auditor. Don’t be afraid to ask a lot of questions.

Get a clear picture of the methodology and practices of the company you are considering. What information, research or tools have they contributed about social engineering? Can they truly simulate a viable and realistic attack that will identify the areas that need to be secured?

Some companies run a few automated tools and track how many clicks targets make on phishing emails or malicious websites and claim that is a social engineering audit. Keep in mind to be a real audit they must simulate the actions of a malicious social engineer.

It is not an easy job, but it is imperative to make sure you choose the social engineering company that best fits your needs. Think of it this way: if you were sick and needed to see a doctor, would you want to choose just any doctor? If you had a serious illness and needed to root out the problem you would want the best. A doctor with a world-renowned reputation, a doctor with a track record of being the best, and a doctor who has demonstrated real, actual expertise in their field, not one who just wrote papers and talked to other doctors.

That is not too different when it comes to a social engineer auditor. It is important to remember that the objective of the audit is to evaluate the security of the people in your company. Getting the best possible evaluation is your goal.

How to Find a Good Auditor
Sometimes companies feel like they must go with a large company for these assessments. They assume a larger company size and well-known reputation means a better job. That is not always true.

Here is a list of questions you may want to ask:

• How long have the auditors been performing social engineering security audits?
Often, larger organizations will sell the reputation of the organization but then staff the engagement with junior-level employees who do not have field experience. That is not to say that someone who has been doing it for years is automatically good, but someone who can demonstrate a few years in the field probably has skills that kept him in the field that long.

• Can you explain your methodology?
Many outfits will not give out a detailed methodology right off the bat, but by at least getting an outline you can understand what will and will not be tested. This can also give you a clear picture of what to expect.

• Can you give me some realistic scenarios for a company like mine?
Like the above point, the auditor might not want to give away all his secrets before the audit, but can you get a clear picture of what he is and is not willing to do? Some past scenarios will help you to also see what type of audits they have performed in the past.

• What reporting method do you use? Do you have a sample report?
At the end of the assessment, the report is your only hard deliverable. It needs to be quality. Seeing a sample report can also help you determine if they take pride in their work and if you will be happy with the end product. The reality is that you can have the best social engineer on earth but if his reporting techniques are terrible then you have gotten nothing from all that work and expense.

• Can you provide any testimonials or references?
Due to the sensitive nature of the work, many companies do not want to be put on a contact list for other customers, but often you can see some testimonials from past clients that will help you see what others had to say about their work.

This is just a short list of questions that will give you a better idea on what you are looking for. Anytime we have been asked questions like this it helped us to see that the company was serious about their request. Choosing the right auditor is important, not just because of the cost, but because you are putting the testing of the security of your company in their hands.

Conversely, a quality auditor will always be pleased to be asked these types of questions. Quality assessors want to do work that matters, and an organization that cares enough to screen their service providers demonstrates to the social engineer that this will be a serious assessment, not just going through the motions to meet a requirement.

Results matter. Choose wisely and if you need help, have questions or comments I encourage you to write in.

Analysis of the Lower Merion School District Remote Monitoring of Students

Wednesday, May 12th, 2010

Simply typing "Lower Merion County WebCam" into Google brings back 35,000 results, and "Lower Merion County" 185,000. This is no small news story. Yet the focus of many is on the ability the IS department had to take unsolicited, private pictures of minors/students in their homes using school-issued laptops.

On February 16th, 2010 a civil suit was brought against the Lower Merion, PA school district which, in short, accuses the school district of spying on students and in some instances taking photographs of students in their homes, without their knowledge, using the embedded webcam in the school-issued Apple MacBooks. Social-engineer.org previously blogged on the initial disclosure.

The information for these articles is based on the recently released report of an independent investigation retained by the school district and performed by Ballard Spahr, L.L.P. with the help of L-3 Services, Inc., an independent computer forensic consulting firm. During the course of this 10-week independent investigation, 500,000 pages of documents and 19 terabytes of data were voluntarily handed over by the school district to be analyzed by the investigating parties, resulting in a very long report. There were also several interviews with school district staff and local law enforcement.

Social Engineer.org sent out a plea for help and a security enthusiast and penetration tester, Nick “nick8ch” Hitchcock, stepped forward to help us analyze and decipher this large report. What we came up with was a two part blog post that will analyze this story from some unique perspectives.

Part 1: Technical Analysis: what technology was used, how, when and to what extent. Part 2: What we can learn from this case and protect ourselves against privacy violations from so-called “trusted” sources.

Part 1: Technical Analysis.

First, let's look at the background of the school district's technology setup. In the fall of 2007, the school district purchased a computer management software package to handle the ever-growing size of their network infrastructure. They chose a product by the name of LANrev. It's important to note that since the initial purchase, the company that created this software, Pole Position, was bought by Absolute Software. The name of the software has changed, as have some features, but for the case record I will use the original names of the monitoring software and its components. LANrev's features included software deployment and updates/patches, hardware/software inventory management, cross-platform compatibility (meaning Windows and Apple computers were supported) and a "Theft Recovery" feature called TheftTrack. For obvious reasons we will be focusing on the last feature.

What exactly did TheftTrack do? In the event of a laptop theft, this service could be remotely activated on the laptop. The TheftTrack service was not active at all times. It had to be manually started. Within the school district, only two individuals of the 18 IS staff members had TheftTrack administrative access, Carol Cafiero – IS Coordinator and Michael Perbix – Network Technician.

What was TheftTrack capable of? Three things could be collected, and any one or all of them could be selected or deselected when TheftTrack was activated:
1) The IP address of the computer.
2) A still photograph or snapshot from the embedded webcam, taken at a set interval as short as one minute.
3) A desktop screenshot of the computer, taken at a similar interval to the webcam snapshot.

Some points to note: TheftTrack was incapable of recording video or audio from the computer. Also, it could not access the camera if it was in use by another application, for instance video conferencing. It was found that remote snapshots were not available "on demand", but only after TheftTrack was activated, and they were then sent at the interval at which LANrev was set to check in or "call home" to the school's main LANrev inventory server. This obviously could only take place when the computer in question was connected to the internet. The information was then uploaded and stored on the LANrev inventory server, where it had to be manually reviewed and purged.

Here is a video of Michael Perbix talking about this tracking feature:

One discrepancy in the internal investigation that I found is that, although only two individuals had sufficient credentials to activate or deactivate the service, I see documentation to support that any LANrev administrator could view collected data from TheftTrack.

From a social engineering perspective, the usefulness and relevance of this independent report ends here. One critical aspect of this case goes ignored:

The entire investigation rests on the premise that the TheftTrack module was the only method able to remotely breach the privacy of students and teachers.

The standard install of LANrev allows remote administrator access to the client and allows much more to be done to monitor, track and collect data from its client computers.

The following information can be found on the LANrev website. Theft tracking was officially available starting with version 4, but as far back as version 1 of LANrev the administrator had the ability to interact with the shell or command line of any monitored computer. Any information security specialist or hacker will confirm that this alone is the "Holy Grail", the ultimate goal in compromising a computer system. This was available, by default, at ANY time to the administrators. Notice other highlighted revisions in the life of this software:

- LANrev version 2.0 implemented remote desktop integration with Mac and Windows, allowing remote graphical user interface interaction.

- LANrev version 3.0 added integration of VNC, PC Anywhere and Timbuktu. VNC takes remote graphical user interface interaction to another level, because it allows stealth remote monitoring of the computer desktop, undetected and without interaction from the remote user. This contradicts the claim that the school district did not have the means of viewing live feeds of the students' activity.

- LANrev version 4.51 added support to search and display any text file from client computers on the administrator’s workstation using the new View Text File command. Also added in this release was the ability to request LANrev to try to wake up a computer that is presently suspended and to discard all commands that have been run from the remote computer.

- LANrev version 4.6.2 decided to sacrifice security for ease of use. Directly from the release notes: “New preference setting for Agent Deployment Center (Mac OS X only): You can now instruct LANrev Administrator to disregard SSH host keys for identifying clients on which to install the Agent. This has the advantage of not requiring re-authentication when the operating system of the client has changed, e.g., because of reinstallations. Note, though, that this option also causes a slight reduction in security that makes it possible in principle for an unauthorized device to appear as a legitimate member of the network to the Agent Deployment Center and capture the SSH password.”

- LANrev version 5.1.1 added a feature when executing AppleScript scripts, you can choose between executing them in the context of the current user or in the context of another user.
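The 4.6.2 release note above describes a general class of weakness, not something specific to LANrev: once a deployment tool stops verifying SSH host keys, any device that answers on the right address can impersonate a client and receive the password meant for it. The script below is an added example and is not code from the original post or from LANrev; it shows how to audit the equivalent setting on the OpenSSH client side by parsing an ssh_config, applying the first-match semantics of ssh_config(5), and reporting hosts whose StrictHostKeyChecking is "no" or whose UserKnownHostsFile is /dev/null (either one disables the check in practice). The config text and host names are constructed; Match blocks, negated patterns and Include directives are out of scope.

```python
"""Audit an OpenSSH client config for disabled host-key verification, the
client-side analogue of the LANrev preference quoted above.  Added example,
not from the original post or from LANrev; the config and hosts below are
constructed.  Scope: Host stanzas with simple glob patterns only."""
import fnmatch

# Constructed config: the first stanza is the weak one.
SAMPLE_CONFIG = """\
Host deploy-*
    StrictHostKeyChecking no        # deployment convenience, no verification
    UserKnownHostsFile /dev/null

Host bastion
    StrictHostKeyChecking yes

Host *
    StrictHostKeyChecking ask
"""


def parse_ssh_config(text):
    """Return a list of (patterns, {option: value}) stanzas in file order.
    Option names are lower-cased; within a stanza the first value seen for
    an option is kept, as OpenSSH does."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if "=" in key and not value:        # "Key=Value" form
            key, value = key.split("=", 1)
        key = key.lower()
        if key == "host":
            current = (value.split(), {})
            stanzas.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
    return stanzas


def effective_option(stanzas, host, option, default):
    """Value of option for host: the first matching stanza that sets it
    wins, as in ssh_config(5); otherwise the given default."""
    for patterns, opts in stanzas:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns) and option in opts:
            return opts[option]
    return default


def weak_hosts(text, hosts):
    """Hosts for which the client will not effectively verify host keys."""
    stanzas = parse_ssh_config(text)
    weak = []
    for h in hosts:
        strict = effective_option(stanzas, h, "stricthostkeychecking", "ask").lower()
        known = effective_option(stanzas, h, "userknownhostsfile", "~/.ssh/known_hosts")
        if strict == "no" or known == "/dev/null":
            weak.append(h)
    return weak


if __name__ == "__main__":
    for host in weak_hosts(SAMPLE_CONFIG, ["deploy-web1", "bastion", "other"]):
        print("host-key verification disabled for", host)
```

The corrected form of the first stanza is simply to drop both lines, so the "Host *" default of "ask" applies and the known_hosts file is consulted; if reinstalled machines really do change keys, the fix is to rotate the known_hosts entry, not to stop checking.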

Another part of this case is that one of the two members of the IS department that had TheftTrack credentials, Michael Perbix, was active on certain technical forums discussing remote activation and deactivation of the built-in webcam on Apple MacBooks. One such post on his own blog gave instructions on how to do this, as well as providing a simple script to make such a process easy.

Remember the last feature mentioned above, where "you can now choose between executing them in the context of the current user or in the context of another user"? This particular feature comes into play in a possible "stealth" use of the built-in webcam.

During normal operation, if the internal webcam is activated on a MacBook, a small green light appears next to the webcam, letting you know it is active. For instance, at times during the past few years at the Lower Merion school, several students reported their green webcam lights momentarily turning on and then off. One such case was even reported by a 9th grade teacher by the name of Christine Jawork. She even mentioned it to her students that the school could “activate their laptops’ webcam”, and she had taped over her webcam because of this. She also confirmed to the independent investigation that some of her students discussed seeing the green light when not using the webcam.

This would make sense if the monitoring software took a single snapshot. But any prolonged use of the webcam would not be "stealth", because the light would stay on constantly. But what if there were a way to disable the light? This is where our research becomes speculative, but it still raises serious concerns. As mentioned, Michael Perbix posted a method to disable the built-in webcam. Why would he do this if the TheftTrack software relied on this hardware for taking snapshots? His own words in another forum have the answer.

He says: “You … can simply change permission on 2 files…what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking etc)…I actually created a little Applescript utility and terminal script which will allow you to do it remotely, or allow a local admin to toggle it on and off. The info and links to a DMG are in my blog.“

Interesting. So the method of disabling the webcam he used was a permission change. Remember, the LANrev software gave administrator rights on the remote machine, allowing them to activate the webcam. Continue to watch our blog for updates on this research.

In addition, here is Michael Perbix’s personal blog where he mentions installing software directly on to a users computer and executing commands via scripts.

It would appear that the IS department knew what the LANrev software was capable of. They knew how to use it officially, meaning activating TheftTrack. Our research leads us to believe this is just the tip of the iceberg. LANrev itself was capable of much more. The extremely scary part about this is that anything manually pushed out or installed remotely using LANrev may not have been logged. At least TheftTrack, when activated, left a paper trail. If any one of these LANrev administrators, not just the two TheftTrack administrators, wanted to remotely install a malicious application, such as a program to capture keystrokes or screenshots, they could at any time. In addition, they had the ability to remotely view the computer desktop of any user in real-time without the user’s knowledge.

In conclusion, the independent report, although seemingly thorough, was narrow in focus. It did not take into consideration the abilities of the LANrev software as a whole, but dwelt solely on the TheftTrack module. I'd also like to highlight the fact that they retrieved 19 terabytes of electronic data. To put this in perspective, it is said that the entire Library of Congress would fit in roughly 20 terabytes. So in the span of 10 weeks all 19 terabytes of data were thoroughly investigated?

I believe this "independent" investigation is not enough to persuade anyone of the school district's innocence in this matter. In fact, at face value, it appears that this report distracts from the real issue, that of the personal privacy of the students and their families. The report simply places blame on the previous IS director, who is no longer employed by the school district, and on the TheftTrack software, which is no longer in use. However, ANY monitoring software that allows remote access to a computer in the privacy of your home without your knowledge is the same thing. Privacy is still being violated. Just because the "official" tracking software does A, B and C, this doesn't mean that LANrev cannot accomplish the same in the hands of an unethical network technician. Privacy and human decency should always be put above any network infrastructure process. There are so many intricate details in this case that we simply couldn't write about all of them. Although the independent report lacks a full view of this case, it does have very good information about some of the specifics. I suggest you take a look at it.

Have we heard the last of this? Probably not. There are ways you can protect yourself and your family. Look for a follow-up to this article about ways and methods of protecting yourself from a technical perspective and using common sense techniques against privacy threats from “trusted” sources.

Social-Engineer.org on FBI Access in Lower Merion Web Cam Scandal

Tuesday, May 11th, 2010

How would you feel if someone hacked into your computer or business and illegally captured screenshots or even camera images of you, your employees or even your family using social engineering? Now to extend that even further, what if in one of those screenshots they caught you doing something you should not have been doing, something illegal?

Would you expect to be brought up on charges, considering that those images were obtained by an illegal hacker? Most of us would probably think that we are quoting some conspiracy theory movie… but the sad truth is that this may very well be the reality.

As you know, the team at social-engineer.org has been following and blogging on the crazy story that continues to unfold in regard to the Lower Merion Web Cam Scandal. I can't say much because as of this second we have a dedicated researcher scouring through all of the data, reports and information that has been gathered on this topic. Recently there has been in-depth research into the terabytes of pictures and data collected to determine the real culpability of the school and its employees.

As we have been preparing this story for release we saw a news story that just forced us to blog some information early. Here is the snippet that caught our attention:

“Plaintiffs’ counsel’s concern centers around the 50,000+ photographs and screen shots taken of other students and parents that Plaintiffs’ counsel has not examined,” Haltzman’s response reads in part. “Since the Government has not agreed to immunize all students and their parents from prosecution for criminality that could possibly be depicted in the data collected, and since it is conceded that the data collected by LMSD, a government entity, was illegally obtained in violation of the Fourth Amendment, there is concern that the Government will target, or worse prosecute, students and parents based upon the illegally obtained evidence.”

There are still parents who haven’t even seen their pictures yet and the government may intercede and grab the photos, catalog and possibly prosecute – WOW.

Previously, on May 3rd, the FBI asked why so many images were taken without regard for the privacy of families and especially minors. So the question becomes: who gave Lower Merion the right to intrude on those communications? Regardless of whether a student stole a computer, whether a student is a problem student or whether the parents missed an insurance payment – does it not seem inexcusable for the school to violate the privacy of minors, students and families?

What if whoever is in front of the camera is not a student or part of the school at all, but a friend or family member, someone with no connection to a late payment or a problem student? One article used a very good analogy: what if you were late on your cable bill and the cable company decided to just turn on a camera on your cable box to see whether you were using the TV, and for what? If we had this type of “luck” in a social engineering audit we would feel blessed, but this breach of privacy has only victims.

The lawsuits would be filed so fast it would spin your head off, and rightly so. That kind of privacy invasion is something we just can’t handle, nor should we have to.

This is just the tip of the iceberg and really doesn’t cover the real meat of this story. Our researcher is polishing the story as you read, so stay tuned and we will be posting more in the next day or so.

Thanks to nick8ch for sending us the link and helping us with the research for this story.

The US 2010 Census may lead to increase in Social Engineer Attacks

Monday, May 10th, 2010

The time is upon us here in the USA when the US Government sends out census forms. More than 100 million were mailed out to households across the USA. Seems innocent enough? Social Engineering Attacks may become more prevalent because of this.

These census forms are designed in a way that all of us should be aware of:
* There are only 10 questions on this form
* The form does not request ANY personal information like bank accounts and/or social security numbers or other financial/personal info

Even armed with this knowledge, there are some things we must be aware of to avoid falling prey to a scam that can lead to identity theft. It is no secret that 100 million surveys are being sent this week. You know it, I know it and all malicious scammers and social engineers know it too. Be aware of these attacks:

Email Attacks
The census bureau will never send an email requesting more info, financial info or contact via a link or response to an email.
If you get such an email, do not reply, do not click on the link – delete it and be happy you didn’t fall victim.

Phone Attacks
There is a chance that you will receive a call from a census representative, but it is slim. If they cannot understand your answers they may call. Even if they do, they will never ask for personal or financial information to verify your identity. Be aware that con artists love the phone.

In-Person Attacks
As of May 1st, over 800,000 part-time workers will begin descending upon our towns to knock on doors and follow up with those who have not mailed in their census forms. If someone visits your home or business, ask for official ID and a secondary ID to prove they are who they say they are.
Do not give out ANY information until verified.
They will never ask for money, donations or other financial information.

It is an unfortunate aspect of this world that whenever something like this is going on, the chance of a social engineering attack rises. It happened with 9/11, with the earthquake in Haiti and with basically every other major event in the last decade.

Do not let your guard down, and don’t forget to fill out that census form or you may be paying a $5000 fine – and that is no scam!
