Social Engineering is the attempt to gain access to sensitive data (such as
passwords, usernames and credit card numbers) by gaining trust. This method
of gaining access to a system is very popular among hackers. It is often
surprisingly easy and even more often successful. THIS IS PROBABLY THE MOST
SUCCESSFUL AND MOST USED METHOD OF GAINING ENTRY TO ACCOUNTS!
Here’s how it works. You might receive a phone call from a representative of
your computer company claiming there is a problem which requires immediate
attention. He may offer to come right over and fix it (or, in a variation,
he might send you a disk in the mail). Of course, while he is there, he
reboots your system with a “diagnostic” floppy inserted into the drive. When
the “tests” are done you will be relieved to find out from him that nothing
is wrong with your system. Naturally, you were just infected with a Trojan
horse which gives this stranger complete access to your system and all of
your data files.
A more common social engineering scheme (especially on America Online) is to
send out an email which says there is a problem with your account. Would you
please send your username and password by return email so it can be fixed?
Or perhaps you are asked to visit a web site, which naturally requires you
to log in with your username and password. You might be asked to call a
phone number, where the very official sounding person on the other end will
just want to verify that your account is yours by getting your credit card
An example of a standard social engineering attack is shown below.
We have detected a major security breach to several accounts
on our network. While we do not believe that your account was
among those compromised by hackers, we recommend that you check
your account data immediately.
To verify your account, just visit the following URL:
Login to your account and check your data. Make special note of the
last login date and time. If anything appears to be incorrect,
please send an email to security using the link at the bottom
of the page.
Thanks for your immediate attention.
When you visit the site it shows a username and password prompt. You enter
your username and password, which sends you to an “incorrect password – try
again” screen. You hit the “continue” button, which places you on the REAL
ISP site. Now when you enter your username and password, you are, of course,
logged in. You are greatly relieved to find that your account data has not
been changed and think nothing else of the issue. Of course, you just gave
your username and password to a hacker!
And that’s all that social engineering is about – gaining your trust,
getting your vital data, and abusing that data.
How do you protect against this? Be aware that it exists and don’t respond
to these kinds of things. If someone asks you for your password, then tell
them to buzz off. Nobody needs to know your password for any reason. Let me
repeat: DO NOT GIVE OUT YOUR PASSWORD TO ANYONE FOR ANY REASON. THERE IS NOT
A VALID REASON FOR ANYONE TO NEED IT. If the person who asked really works
where he says he works, then believe me, he can ALREADY get to your account.
Why on earth would he be asking you for your username and password?
If you think the email or whatever might be accurate, then call the ISP or
navigate to their site yourself (don’t use anything from the email or letter
that you received – use the menus and screens provided by the ISP). For
example, say you get a letter from your ISP saying to change your password
immediately. It has a phone number and URL. Throw the letter away without
reading either. Now, find your ISP phone number and URL yourself – perhaps
in your browser help menu or in the manual or letter that arrived when you
signed on. This bypasses anything that might be wrong in the letter or email
that you received.
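The two checks this advice boils down to, written up as an added example that is not part of the original article: a small Python script that flags a message like the notice quoted above when its links do not lead to the ISP's own domain or when it asks you to send a password or card number. The ISP domain, the sender address and the link are constructed placeholders, not real addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder for the ISP's real domain (found in your manual or
# sign-up letter, never taken from the message itself).
OFFICIAL_DOMAINS = {"example-isp.net"}

# Constructed sample modelled on the notice quoted in the text.
SUSPECT_MAIL = """\
From: Security <security@example-isp.net>
Subject: Security breach detected

We have detected a major security breach to several accounts on our network.
To verify your account, just visit the following URL:
http://example-isp.verify-login.biz/account
Please reply with your username and password so we can fix the problem.
"""

# Constructed sample of a message that passes both checks.
LEGIT_MAIL = """\
From: Billing <billing@example-isp.net>
Subject: Your monthly statement

Your statement is ready at https://billing.example-isp.net/statements
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
CRED_RE = re.compile(r"(send|reply with|confirm|verify)[^.]{0,60}(password|credit card)", re.I)

def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for the official domain or one of its subdomains; a look-alike
    such as example-isp.verify-login.biz does not qualify."""
    return any(host == d or host.endswith("." + d) for d in official)

def analyze(raw, official=OFFICIAL_DOMAINS):
    """Return the reasons a message matches the scheme described in the text."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_official(host, official):
            findings.append(f"link to non-official host {host}")
    if CRED_RE.search(body):
        findings.append("asks you to send a password or card number")
    if findings and is_official(sender_domain, official):
        # From: is trivially forged; an official-looking sender plus other signs is itself a warning
        findings.append(f"sender {sender_domain} looks official but content does not")
    return findings
```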
If you do suspect that you’ve received a social engineering attack, be sure
that you notify your ISP, MIS department or whoever needs to know. The only
way this kind of criminal can be caught is if the crime is reported quickly