Will Social Engineering Become the Biggest Risk?


We have been collecting interesting articles and stories from around the Internet that have to do with Social Engineering. This is the start of a blog thread devoted to these stories and what we can learn from them.

Sometimes they will be just funny stories that show how easy it is to trick people and other times there will be some great information for us to delve into.

Our first official blog post for this thread will have a little of both.

The first one is an older social engineer prophecy story from ZDNet. In 2004 they warned businesses and consumers that one of the single greatest threats out there to businesses and individuals is going to be…. (drum roll please)…. Social Engineering.

The article goes on to state that phishing attacks, client-side emails, and identity theft will become the largest threats to people as the years pass. Are the folks at ZDNet prophets or just really, really smart?

Then take a look at this second story that is a little more recent, Nov 23, 2009. This is a post to a bank’s customer base warning them of the different attacks that some have launched against their customer base. Take a look at some of the emails and messages that have been crafted for these people. My favorite is a pre-recorded phone call to a bank’s customer telling them to call this number and enter their 16-digit credit card number into the system so they can issue a new card due to fraud.

People called it!!! This page is full of text messages, emails and phone calls that were used to dupe unsuspecting customers into giving up valuable information.

MITIGATION

I guess the question that is asked is, “What can I do to protect against this?”

Heck, if I wasn’t Captain Paranoid and I was just Susy Homeowner, and I saw the nightly news report about phishing attacks and the grandma in my town who lost her life savings to some evil hacker, and then I got a call that sounded like my bank, knew I was with that bank, and asked me to call my bank at this special number to be protected… I might just do it.

The only mitigation is knowledge. This DID happen to me. I recently bought a laptop and I got a call from my bank telling me they are running some fraud protection program and to allow the charge to go through they needed me to call this number. When I called it, it asked me to enter my account number to verify who I was. I hung up right away, called my bank, got a LIVE person on the line and asked if this was real. It ended up being real… but only when I verified it was real did I feel safe. Even at that point, I asked the bank to authorize the card from that conversation and not have me call that automatic machine.

The only other mitigation is to cancel your credit cards, cancel your bank accounts, hide all your money in a mattress and pay everything with money orders. Then we will have an article on mattress hacking…

On a closing note, we wanted to leave you with a really hilarious piece of Social Engineering goodness. IRC has long been a breeding ground for SE-Script Kiddies and the like… but this one was actually funny. Enjoy this story of the magic invisible password. What we can say is that this guy really was good at thinking on his feet.

Until next time… if you find an interesting article you think will work here come and give it to an OP on the channel or email it to [email protected]

Offensive Security Exploit Archive Online


After a short and intense setup, we are ready to present the Offsec Exploit Archive. We’ve recreated the milw0rm database, updated it and are now accepting submissions. The purpose of the site is to provide researchers and security enthusiasts a repository of exploits, and when possible, the relevant affected software. We’ve started the party by Continue Reading >

Interrogation Tactics and Social Engineering

When we decided to do the release of our first podcast we had many people who were skeptical about Interrogation and Social Engineering actually meshing. Heck, a lot of people weren’t even sure if they could ever be tied in. Well, we did it. We found a willing participant, Matt Churchill. He was not only Continue Reading >

How To Become A Social Engineer – Information Gathering

It may be the opinion of some that “Social Engineering is just believing in your lie” or “SE is a matter of who is the best liar” and even “Social Engineering is a matter of just making up a believable story.” Some believe that social engineering is no more than smoke and mirrors and conning people. We thought we would reach out and try to dispel some of these myths by writing a small series of articles about this question. The series will be called “How To Become a Social Engineer”.

Meet the Team at Social-Engineer.org

There has been a lot of buzz on the Net about social-engineer.org and the emails into us have been amazing. We would like to take the time to thank all of you for your support. Quite a few of our visitors have asked about the team and how we are structured. So I figured we would Continue Reading >

Social Engineering Framework Launch

Just wanted to drop a note to say that www.social-engineer.org was launched today. The site is housing a complete social engineers framework as well as videos, how-tos and even some new tools for social engineers. One tool that was made for social-engineer.org is SET (Social Engineers Toolkit); it is an amazing tool that ties in Continue Reading >