
Social Engineering - Christopher Hadnagy [184]

be turned upside down if the wrong person is sitting on that same network with her, I don’t.

I want people who read this to also think about how they give out information over the phone. Con men and scam artists use many avenues to steal from the elderly, those having hard economic times, and everyone else. The phone still remains a very powerful way to do this. Being aware of your vendors’, banks’, or suppliers’ policies on what they will and will not ask for over the phone can help you avoid many of the pitfalls. For example, many banks state in their policies that they will never call and ask for a Social Security number or bank account number. Knowing this can safeguard you from falling for a scam that can empty your life savings.

Calling security awareness a “program” indicates that it is something ongoing. A program means you schedule time to continually educate yourself. After you obtain all this useful information, then you can use it to develop a program that will help you to stay secure.

Being Aware of the Value of the Information You Are Being Asked For

Referring again to the Defcon 18 social engineering contest, in it we learned another valuable lesson—when information is perceived as having little or no value, then little effort is placed on protecting it.

This is a heavy-duty statement, but it was proven true by how many targets willingly handed over information on their cafeterias, waste removal, and so much more. You must realize the value of the data you have and be aware of the tactic a social engineer might use to reduce the value of this information in your eyes.

Before giving out information to someone, determine whether the person who is calling or interacting with you deserves it. Humans have this built-in desire to want to help and to be helpful to those whom we perceive need it. It is a major way a social engineer manipulates a target into handing over valuable information. Analyzing the person with whom you are interacting and determining whether she deserves the information she is asking for can save you the embarrassment and damage of falling victim.

For example, in the social engineering contest at Defcon one contestant had a pretext that he was a customer of a major antivirus company. He called in with a serious problem—his computer couldn’t get online and he felt it was due to something the antivirus was doing, and he wanted the technical support representative to do one simple thing—browse to a website.

Malicious SEs often use this attack vector. By driving a victim to a website embedded with malicious code or malicious files, they can gain access to a target’s computer and network. In the case of the contest, the website was not malicious at all, but the point was to show that if this had been a malicious attack it would have been successful.

The first attempt was laid out like this by the contestant: “I cannot browse to my website and I think your product is blocking me. Can you check by going to this site so I know for sure whether it is your software or not?”

The technical support representative answered well by saying, “Sir, our product would not block you from going to that site; it wouldn’t matter if I can go there or not.” He declined the request.

The contestant did not give up there; after talking a bit more he again tried, “I know you said your product would not block the site, but it worked until I installed your software, so can you please check for me?”

Again he was declined his request: “Sir, I am sorry for that inconvenience but again our product would not block you and my going to the site will not help you fix the problem.”

It seemed as if the request was going to be rejected for good when the contestant tried one last-ditch effort and said, “Sir, it would make me feel better if you would just try going to this site for me. Please, can you help me out?”

This simple request put our technical support rep over the edge, and he opened his browser and went right to the site. He had the right idea; he even had the right security awareness answer, but in the end he wanted his “customer
