Jeff Holden CISSP
Manager Network & Data Security
The term sociale ingenieurs was introduced in an essay by J.C. Van Marken, a Dutch industrialist, in 1894.
At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.
It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick persons into handing over passwords and/or other sensitive financial or personal information.
Victor Lustig, 1925 – Sold the Eiffel Tower….
Several times!
2007: Anthony Lee tried to sell the Ritz hotel in London for £250 million
Advance fee fraud
The Spanish Prisoner, 16th century
The Letter from Jerusalem, 18th century
Nigerian postal/fax scams (419)
Con man approaches British nobles, often accompanied by a beautiful woman, and explains that a fellow noble, this woman's father, has been imprisoned in Spain.
A letter smuggled from the prisoner was shown as evidence.
The prisoner's name was withheld so the Spanish don't find out they have such a valuable prisoner.
If the British noble will pay the ransom, the jailed father would issue a reward on his release and his daughter's hand in marriage.
Eugène François Vidocq
The sender would pretend to be the assistant of a nobleman who had lost a large number of jewels; if the recipient gave them money, they would split the jewels when they were found.
Of 100 letters, Vidocq claims that 20 were always answered.
In the early 1980s Nigeria's oil-based economy declined.
Unemployed university students devised this scam to get visitors to Nigeria interested in shady oil deals.
It went on to target businessmen in the West, sending messages via letter or fax, and eventually email.
From: Avis Eyadema <[email protected]> Subject: Help Date: Thu, 17 Jul 2008 06:46:04 +0100 (01:46 EDT) PRIVATE AND CONFIDENTIAL From: Avis Eyadema, Dear Sir, This proposal may come to you as a big surprise, but I believe it is only a day that people meet and become great friends and business partners. It's my pleasure writing you this mail, I am a Togolese by Nationality. My name is AVIS EYADEMA, I am one of the numerous sons of Late GNASSINGBE EYADEMA, with so many wife and children which am one of them, former President of Togo who rule for 38 years and later was succeeded by my half brother and the first son FAURE EYADEMA. Before my father died he deposited huge amount of money in a security company here in Accra, Capital city of Ghana. Before my father died, he instructed and confined in me as his son about his business and secrecy. As a matter of fact, my father gave me some documents bearing the name of a Security company in Accra capital city of Ghana, which he told me was the place he deposited huge amount of money, Gold and Diamond when he was assigned for special duty. Armed with this documents that my father gave to me, I flew to Accra , Ghana where I confirmed the documents. The Company showed me two sealed trunk boxes with the inscription "FAMILY ARCHIVE" with my name being used as the next of kin in the deposit form. However, my father had earlier informed me that he cleverly packed the Fifteen Million, Five Hundred Thousand US Dollars ( $15.5 Million ) in one sealed trunk box the second box contains Gold and Diamond and told the Company that they contain the works of art. This he did in order to conceal the money from being detected. Now with my father exit, I need a foreign partner with the image of God in him who will assist me to receive this proceeds in abroad , and who will equally not sidetrack me when this money get into his possession. 
On completion of this transaction, I wish to offer you 25% of total sum for your assistance,10% for unforeseen or miscellaneous and 65% for I and my family and my family will also come over to your country for a joint investment according to your directives. I am here in Ghana because of a treat of my life by my half brother, FAURE , the current President now, who is trying all means to confiscate the funds from me after knowing that my late father made a huge deposit with my name as his next of kin. Contact me with the above mentioned information's if you know with can work together for more details. Yours truly, Avis Eyadema.
"How are you doing? This has had to come in a hurry and it has left me in a devastating state. My family and I had a visit to Wales unannounced some days back for a short vacation, unfortunately we were mugged at the park of the hotel where we stayed, all cash, cell phones and credit cards were stolen off us but luckily for us we still have our passports with us. We've been to the Embassy and the Police here they're not helping issues at all and our flight leaves tomorrow but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills. Please I really need your financial assistance. Please, Let me know if you can help us out?"
Easy!
“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
– Kevin Mitnick
Phishing
Impersonation on help desk calls
Physical access (such as tailgating)
Shoulder surfing
Dumpster diving
Stealing important documents
Fake software
Trojans
Phishing
Use of deceptive mass mailing
Can target specific entities (“spear phishing”)
Prevention:
Honeypot email addresses
Education
Awareness of network and website changes
Calling the help desk pretending to be someone else
Usually an employee or someone with authority
Prevention:
Assign PINs for calling the help desk
Don’t do anything on someone’s order
Stick to the scope of the help desk
Tailgating
Ultimately obtains unauthorized building access
Prevention:
Require badges
Employee training
Security officers
No exceptions!
Someone can watch the keys you press when entering your password
Probably less common
Prevention:
Be aware of who’s around when entering your password
Looking through the trash for sensitive information
Doesn’t have to be dumpsters: any trashcan will do
Prevention:
Easy secure document destruction
Lock dumpsters
Erase magnetic media
Can take documents off someone’s desk
Prevention:
Lock your office
If you don’t have an office: lock your files securely
Don’t leave important information in the open
Watch what information you put online
Quizzes
Friends
Vacations
Employer
Fake login screens
The user is aware of the software but thinks it's trustworthy
Prevention:
Have a system for making real login screens obvious (personalized key, image, or phrase)
Education
Antivirus (probably won't catch custom tailored attacks)
Appears to be useful and legitimate software before running
Performs malicious actions in the background
Does not require interaction after being run
Prevention:
Don't run programs on someone else's computer
Only open attachments you’re expecting
Use an antivirus