Social Engineering

Are You Cyber Savvy


Identity Theft Examples

WASHINGTON -- U.S. regulators said on Monday they had charged a 17-year-old boy with using "spam" e-mails and a fake AOL Web page to trick people out of their credit-card information and steal thousands of dollars. [...]

A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment ‘with a picture of the car’. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.” [Social Engineering Fundamentals, Part II: Combat Strategies by Sarah Granger]




Social Engineering Fundamentals, Part II: Combat Strategies
by Sarah Granger

| Area of Risk | Hacker Tactic | Combat Strategy |
|---|---|---|
| Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone |
| Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present |
| Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!) |
| Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support |
| Office | Wandering through halls looking for open offices | Require all guests to be escorted |
| Mail room | Insertion of forged memos | Lock & monitor mail room |
| Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment |
| Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers |
| Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media |
| Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use |
| Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked |
| General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs |


This website is protected by copyright 1996 Dolphie and its licensors. All rights reserved.
Last Update: 10/21/2005 11:23:59 AM