A person or group that specializes in social engineering attacks has the benefit of experience and a keen awareness of human nature.
Social engineering attacks use many tools to mislead the target into believing the attacker’s script. What the attacks have in common is the human factor. One attribute most people internalize is the urge to be helpful, to provide assistance when asked. We are social creatures, and if a member of the group needs help, another member will offer it.
Recently this has been applied to rather high-profile services. A widely respected information security author and blogger had his PayPal account compromised in this way. The social engineer used the general attack methodology: because the target was well known, the attacker could search the open web and social media for his background data. With this in hand, the attacker could call the service and assume his identity. This is clearly not an optimal outcome for either the customer or the service.
In yet another highly publicized example, an Amazon customer was victimized. The user had an Amazon account, like so many others. Here, however, the attacker relied on the customer service representative’s good nature and willingness to help a “customer” who seemingly needed it. The “customer” did not have the product that was purchased, did not have the last four digits of the credit card number (it was his work card, he said), really needed to get the report back to his manager, did not have access to the account, did not know the expiration date of the card, and so on. The only thing the caller knew was that the card was a Visa. Statistically, that still left at least a one-in-three chance of guessing the missing detail correctly, and, given how the conversation had gone, the representative would probably have let the “customer” keep guessing until he got it right.
Lessons to Apply
This contact is yet another example of why there needs to be a better training program. Training should consist of more than the usual presentation on the consequences of a successful social engineering attack. Staff need to be unafraid of asking simple, direct questions, and if the answers are wrong or inconclusive, the conversation should go no further.
Red Flags
There were several red flags in this exercise in mental gymnastics. First, chronologically, the “customer” wanted a refund before the product had even arrived. On its face this is exceptionally odd. As a rule of thumb across the industry, a person orders the product, receives it, decides it will not work, and then asks to return it. This alone should have been a red flag.
Regarding the credit card, the “customer” did not have it, did not have the last four digits, could not even give the last two digits, and then asked the representative for the card’s expiration date. If the “customer” did not have the card to verify the last four or last two digits, how would he verify it from the expiration date? He could not; the request was a farce, an attempt to have the representative hand over a verification value rather than confirm one.
At one point the “customer” also said he did not have access to the account. Logging in from a computer takes only two pieces of data, the login and the password, and a legitimate customer should clearly have known them.
Best Course
There is a distinctly different course of action that should have been followed. The customer service representative should have used a bit of common sense instead of bending over backward to give the “customer” every opportunity to commit fraud and then helping him log in. When something starts to smell, as it did here, the representative should stop, review the situation, and ask questions. If the answers do not check out, the call ends there.
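The rule from the Red Flags and Best Course sections, that the call goes no further once the answers fail to check out, can be made mechanical so it does not depend on the representative’s mood. The following is an added example, not code from the original post or from Amazon or PayPal. It assumes a hypothetical AccountRecord holding what the merchant already knows and a constructed caller who, like the one described above, knows only that the card is a Visa. Every required factor must match, an unanswered factor counts as a failure rather than a factor to skip, the caller learns only the overall outcome (never which factor failed, and the expected values are never read aloud), and a capped number of failures locks the session so there is no guessing until correct. It also encodes the first red flag: no refund before the order has been delivered.

```python
"""Fail-closed caller verification for a support desk (added example, not the post's code)."""
from dataclasses import dataclass
from enum import Enum
import hmac


class Outcome(Enum):
    VERIFIED = "verified"   # every factor matched; proceed with the request
    DENIED = "denied"       # a factor failed; caller may try again only if attempts remain
    LOCKED = "locked"       # attempts exhausted; end the call, escalate, log


@dataclass(frozen=True)
class AccountRecord:
    """What the merchant already holds (hypothetical field names)."""
    email: str
    card_last4: str
    card_exp: str            # "MM/YY"
    last_order_id: str
    last_order_status: str   # "ordered", "shipped" or "delivered"


# Factors the caller must supply. The representative never reads these aloud.
REQUIRED_FACTORS = ("card_last4", "card_exp", "last_order_id")


class VerificationSession:
    def __init__(self, record: AccountRecord, max_attempts: int = 1) -> None:
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, answers: dict) -> Outcome:
        """Check all factors; return only an overall outcome, never which one failed."""
        if self.locked:
            return Outcome.LOCKED
        all_ok = True
        for name in REQUIRED_FACTORS:
            expected = getattr(self.record, name).encode()
            given = answers.get(name)
            # "I don't have it" (None) is a failed factor, not a factor to skip.
            if given is None or not hmac.compare_digest(str(given).strip().encode(), expected):
                all_ok = False   # no early exit, so the caller gets no per-factor signal
        if all_ok:
            return Outcome.VERIFIED
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return Outcome.LOCKED
        return Outcome.DENIED


def refund_allowed(record: AccountRecord) -> bool:
    """Red flag from the post: a refund request before delivery is not normal."""
    return record.last_order_status == "delivered"


if __name__ == "__main__":
    # Constructed record and caller; the values are illustrative only.
    record = AccountRecord("pat@example.com", "4242", "09/27", "112-0000001", "shipped")
    caller = {"card_last4": None, "card_exp": None, "last_order_id": None, "card_brand": "Visa"}
    session = VerificationSession(record, max_attempts=2)
    print(session.verify(caller))                           # Outcome.DENIED
    print(session.verify({**caller, "card_exp": "10/27"}))  # a guess: Outcome.LOCKED
    print(refund_allowed(record))                           # False, not delivered yet
```

With the default of one attempt, a single wrong or missing answer ends the verification, which is the strict reading of “the conversation should go no further”; a desk that wants to tolerate one honest slip can raise max_attempts, but the cap is what stops the guess-until-correct pattern the post describes.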
Lessons
Sys admins, please provide the training your staff needs. At times people get too caught up in their jobs and forget what else they are responsible for: information security and keeping other people’s data safe. If not, you may be breached, and the next call may be from a government agency.