We have been collecting interesting articles and stories from around the Internet that have to do with Social Engineering. This is the start of a blog thread devoted to these stories and what we can learn from them.
Sometimes they will be just funny stories that show how easy it is to trick people and other times there will be some great information for us to delve into.
Our first official blog post for this thread will have a little of both.
The first one is an older social engineer prophecy story from ZDNet. In 2004 they warned businesses and consumers that one of the single greatest threats out there to businesses and individuals is going to be…. (drum roll please)…. Social Engineering.
The article goes on to state that phishing attacks, client side emails as well as Identity theft will become the largest threats to people as the years pass. Are the folks at ZDNet prophets or just really really smart?
Then take a look at this second story that is a little more recent, Nov 23, 2009. This is a post to a bank’s customer base warning them of the different attacks that some have launched agains their customer base. Take a look at some of the emails and messages that have been crafted to these people. My favorite is a mixture of a pre-recorded phone call to a bank’s customer telling them to call this number and enter their 16 credit card number into the system so they can issue a new card due to fraud.
People called it!!! This page is full of text messages, emails and phone calls that were used to duped unsuspecting customers into giving up valuable information.
I guess the question that is asked is, “What can I do to protect against this?”
Heck, if I wasn’t captain paranoid and I was just Susy Homeowner and saw the nightly news report about phishing attacks the grandma in my town who lost her life savings to some evil hacker then I got a call that sounded like my bank and knew I was with that bank and asked me to call my bank at this special number to be protected… I might just do it.
The only mitigation is knowledge. This DID happen to me. I recently bought a laptop and I got a call from my bank telling me they are running some fraud protection program and to allow the charge to go through they needed me to call this number. When I called it, it asked me to enter my account number to verify who I was. I hung up right away, called my bank, got a LIVE person on the line and asked if this was real. It ended up being real… but only when I verified it was real did I feel safe. Even at that point, I asked the bank to authorize the card from that conversation and not having me call that automatic machine.
The only other mitigation is to cancel your credit cards, cancel your bank accounts, hide all your money in a mattress and pay everything with money orders. Then we will have an article on mattress hacking…
On a closing note, we wanted to leave you with a really hilarious piece of Social Engineering goodness. IRC has long been a breeding ground for SE-Script Kiddies and the like… but this one was actually funny. Enjoy this story of the magic invisible password. What we can say is that this guy really was good at thinking on his feet.
Until next time… if you find an interesting article you think will work here come and give it to an OP on the channel or email it to [email protected]