Social engineering is a broad term encompassing the many non-technical methods attackers use to gain access to information or systems. Why use brute force to crack passwords when you can charm someone into giving them up? The social engineering operative essentially tricks people into breaking normal security procedures, and the results can be extraordinarily damaging.
A few years ago, a handful of high-level executives responded to what appeared to be legitimate emails from a US-based, Fortune 500 firm discussing a purported corporate initiative. All it took was one recipient clicking on a link embedded in the message to give the attackers entry into the company’s network, where they proceeded to gain passwords and entry to multiple systems. Nobody at the company noticed, but eventually the FBI sniffed it out and alerted the company that someone was regularly stealing their information. People are more knowledgeable about social engineering than they used to be, but attackers have stepped up their game. Here are 4 social engineering tactics your IT service desk needs to be aware of.
1. Use of Social Networks
Attackers can gain an amazing amount of personal data from public social media profiles, and they use this information to create targeted emails or instant messages that trick people into doing things like opening infected attachments or revealing sensitive information. Criminals can search social media sites to find out who works at which companies, names of top executives, and enough contact information to create a personalized message designed to get the recipient to give up the goods. Not only does the IT service desk have to watch for these, it has to let end users know that the days of misspelled email headers and easily recognizable phishing messages are mostly over.
2. Adding Ransomware to Phishing Messages
The IT service desk is probably aware of what ransomware is, but end users may not be. Phishing messages appearing to be from legitimate companies contain malicious attachments that look like ordinary voicemail transcripts, pictures, PDFs, or MS Office files. Once opened, the malware encrypts the victim’s files with RSA-2048 keys and wipes out the “shadow copies” made by backup programs, so the usual local recovery route is gone. The attackers encrypt files on the recipient machine as well as shared servers, then hold the encryption key for ransom, demanded in Bitcoin, which is untraceable. If the victim doesn’t pay, the data can be erased. Small and medium businesses account for an increasing percentage of such attacks, often because they’re less likely to have the latest in security tools.
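The shadow-copy wiping described above is one of the few ransomware behaviours a service desk can actually alert on before the ransom note appears. The following is an added example, not code from the original article: it scans constructed process-creation log lines (assumed format `timestamp|host|user|commandline`) for the common Windows commands used to delete Volume Shadow Copies and returns the hits grouped by host.

```python
import re
from dataclasses import dataclass

# Command lines that delete or shrink Volume Shadow Copies. Legitimate admins run
# these rarely, so a match on a user workstation deserves an immediate ticket.
# (Pattern list is assumed for this example, not taken from the article.)
SHADOW_COPY_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    command: str

def detect_shadow_copy_deletion(lines):
    """Return a Finding for every log line whose command line matches."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than crash the scan
        timestamp, host, user, cmd = parts
        if any(p.search(cmd) for p in SHADOW_COPY_DELETION_PATTERNS):
            findings.append(Finding(timestamp, host, user, cmd))
    return findings

def findings_by_host(findings):
    """Group findings by host so a burst on one machine stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.host, []).append(f.command)
    return grouped

# Constructed sample: a phishing attachment opened, then shadow copies wiped.
SAMPLE_LOG_LINES = [
    "2016-03-01T09:12:04Z|WS-ACCT-07|jdoe|WINWORD.EXE /n voicemail_2016.docm",
    "2016-03-01T09:12:09Z|WS-ACCT-07|jdoe|vssadmin.exe Delete Shadows /All /Quiet",
    "2016-03-01T09:12:10Z|WS-ACCT-07|jdoe|wbadmin delete catalog -quiet",
    "2016-03-01T09:15:00Z|FS-01|backupsvc|vssadmin list shadows",  # benign: listing only
    "2016-03-01T09:20:31Z|WS-ACCT-07|jdoe|WMIC.exe shadowcopy delete",
]

if __name__ == "__main__":
    for host, cmds in findings_by_host(detect_shadow_copy_deletion(SAMPLE_LOG_LINES)).items():
        print(f"ALERT {host}: {len(cmds)} shadow-copy deletion command(s)")
```

Feed it Sysmon event 1 or Windows 4688 command lines in the same pipe-separated shape and the benign `vssadmin list shadows` from the backup service stays silent while the three deletions on the workstation fire.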
3. “Polo Shirt Attacks”
People have an uncanny ability to excuse the guy with the clipboard and “official” company polo shirt (or ID badge on a lanyard). Depending on the setting, he may wear or carry a safety helmet too. By gathering some simple intelligence about a target company and pretending to be someone from an auditing firm, cleaning crew, or other service organization (or even the IT service desk itself), an attacker can often go on-site unimpeded and gain access to hard copies of information or to a company’s network. Make sure your end users know that IT service desk workers won’t just show up and ask you to log in for them so they can work on a machine.
4. Fake Disabilities
Some people will go so far as to fake a disability to play on people’s desire to be helpful. Customer service or call center agents are often targeted in these social engineering schemes. The attacker may pose as a speech-impaired customer (or as someone calling on behalf of such a person). By playing on the call recipient’s sense of decency and making him or her feel awkward or embarrassed, the attacker convinces the recipient to give up sensitive information. When you think about the pressure that customer service agents work under, it’s easy to see how this type of attack can be extremely effective.
What the IT Service Desk Can Do
Regularly informing end users about new forms of social engineering is important. They need to know that if they receive what appears to be a legitimate phone call or email asking for a password or other sensitive information, they need to report it immediately. Nobody wants to appear unfriendly or unhelpful, but that’s exactly what social engineering operatives count on. Let end users know that if you need access to their machine, you’ll follow a prescribed procedure, and that you will not ask for passwords unless they initiate contact through a help request.
Modern tools can help your IT service desk and your end users avoid social engineering attacks. Self-service portals for things like password resets, and social media integration that can keep end users apprised of threats are just two ways your IT service desk can maintain security.
About John Collier