Chapter 1531 Use

Attackers taking advantage of employees' whims are the hardest to prevent, but there are rules to follow to protect your company from falling victim to social engineering scams.

Have you ever been deceived? Social engineers’ deception techniques are often quite subtle, and victims often fall for the bait without knowing why. Social engineers often exploit human weaknesses rather than technical/software vulnerabilities to invade well-protected networks.

Thief, not robber

One of the typical examples of this kind of fraud master is Kevin Mitnick from the UK. He was in and out of prison three times for computer crimes. After he was released from prison, Mitnick decided to change his ways and now runs a consulting company called Defensivethinking, which specializes in protecting corporate employees from social engineering scams.

During his criminal heyday, Mitnick was able to deceive almost anyone. He could trick people into leaking all kinds of information, including passwords, Internet accounts, general technical information and so on. We visited Mitnick to learn how social engineering scammers call companies and pick out the people to target.

What information do you most often want to get?

"It's mostly about calling in and finding out their password," he said. "But there are actually more sophisticated attack techniques, just to get all kinds of detailed information."

For example, if you are interested in a certain software company (this is what Mitnick did most often: first stealing the source code of DEC in the 1980s, and later successively going after Nokia, Sun, Motorola and NEC), you would not directly call the IT administrator and ask, "What's the password?"

Skilled attackers will target easier parts of the network, such as a workstation on the company's local network, and exploit common technical vulnerabilities. Social engineering then comes in handy to find out which machines on the network are vulnerable and which of them hold what the attacker really wants, saving a lot of time groping around on the LAN and reducing the risk of accidentally triggering security alarms.

How to counter the attack method?

Train employees to think twice about unexpected "requests," especially ones that are not normally within their authority. Mitnick said social engineering experts love to flatter people, for example: "Only someone as smart as you could help me with this. I will send you a document later, please open the attachment and take a look." They will also use intimidation: "If you don't tell me the password and let me into my email box, you will be fired."

If you can refuse such out-of-the-ordinary requests, you have probably won half the battle. "The key is to train employees to understand which requests are legitimate and which are not," Mitnick said.

Some simple policies are also easy to follow. Almost all social engineers will withhold their caller ID. "They will make all kinds of excuses, such as 'my phone battery is running out of power,' and so on," Mitnick said. Companies only need to set a rule that if someone calls to request information of a private or confidential nature, the employee must genuinely know that this person exists and then call the person back to confirm. With this one check, at least 70% of social engineering deceptions will be exposed.

Whenever someone calls and asks to reset their password, the IT staff must call the employee back for confirmation. Such a policy will definitely help crack down on social engineering scammers.

Mitnick is not an IT security generalist; social engineering is his specialty. Mitnick also studied the psychology behind it before committing his crimes again and again. "Social psychology says that humans have two thinking modes: one is the systematic mode, and the other is the heuristic mode," Mitnick explained. When you are in systematic mode, you are motivated to think. When you are in heuristic mode, you are lazy, distracted and thinking about other things.

"We're in this state 90 percent of the time."

It is at this time that we are most likely to become the accomplices of attackers. Social engineers have ways of convincing victims so that they have no chance to think carefully. The most powerful part is that the demands they make are often beyond the victim's daily routine and outside the scope of their work.

"When you are chatting with someone and find that the other person is from the same hometown as you, or has the same hobbies and interests, the attacker will try to cater to your preferences, because psychologically you prefer people who are similar to you," Mitnick said, "and when you like someone, you are naturally more likely to agree to their request."

"Once you find that the other person has too many coincidences in common with you, you should be alert," he said.

Set red and yellow light warning lines

Mitnick suggested introducing a traffic light system to help employees determine whether they have been deceived.

Human nature is kind. Most people will trust strangers at first and will not deliberately doubt each other. This also gives social engineering scammers an opportunity. Have you ever opened the door for a stranger in the same building? Everyone likes to make a good impression.

This is true even with strangers, so everyone is happy to do small favors. Likewise, if the other party gives something in return, it is only courteous. This human tendency has become the biggest vulnerability for attackers to exploit, Mitnick believes. His most successful attacks were all carried out through this method.

"If someone does something good for you, of course you will give something back. This human nature applies everywhere, especially in the United States," he said. "Attackers will pretend that they are helping you solve a problem, or they will deliberately cause problems and then pretend to help you."

The attacker may pretend to be management conducting a spot check, first calling the IT maintenance department and asking the manager on duty for the list of open repair tickets. Once the details of a particular ticket are obtained, the social engineer can pretend to be maintenance staff, call the employee who is waiting on that ticket and help them solve the problem. A few hours later, the attacker calls back and says, "Hi, I'm so-and-so in the IT department and I just helped you solve an email problem. I'll send you a diagnostic tool by email later, can you help me by running it?" Generally speaking, most users will not refuse. This trick seems very simple, but many people will fall for it if they are not careful.

Mitnick said that asking others to leak information or perform certain actions on your behalf is very similar to being a salesperson. "This is just using business or marketing skills in a bad place. Therefore, companies must set up red and yellow light warnings to let employees know what situations are likely to be taken advantage of."
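To make the callback rule and the red and yellow warning lines concrete, here is an added example in Python; it is not code from the article or from Mitnick's consultancy. It scores an inbound request against the warning signs the article lists (withheld caller ID and the excuses for it, flattery, intimidation, a request outside the routine) and, for anything sensitive such as a password reset, insists on calling the employee back at the number held in the company directory rather than at any number the caller supplies. The directory, the phrase lists and the sample calls are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory of record. Assumption: in a real deployment the
# callback number comes from the HR/identity system, never from the caller.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"phone": "+1-555-0100", "team": "finance"},
    "bob": {"phone": "+1-555-0101", "team": "it-helpdesk"},
}

# Requests the article says must always be confirmed by calling the employee back.
SENSITIVE_REQUESTS = {"password_reset", "credential_disclosure",
                      "run_attachment", "confidential_data"}

# Red-flag phrases modelled on the article: flattery, intimidation and the
# usual excuses for a withheld caller ID. The lists are constructed samples.
FLATTERY = ("only someone as smart as you", "you're the only one who can")
INTIMIDATION = ("you will be fired", "right now", "or else")
CALLER_ID_EXCUSES = ("battery", "running out of power", "borrowed phone")


@dataclass
class InboundRequest:
    claimed_name: str                     # who the caller says they are
    request_type: str                     # e.g. "password_reset"
    caller_id_shown: bool                 # did caller ID display a number?
    callback_number_given: Optional[str]  # number the caller *asks* to be reached on
    transcript: str                       # what was said, as noted by the employee


def red_flags(req: InboundRequest) -> List[str]:
    """Return the warning signs present in the request, in a fixed order."""
    flags: List[str] = []
    text = req.transcript.lower()
    if not req.caller_id_shown:
        flags.append("caller id withheld")
    if any(p in text for p in CALLER_ID_EXCUSES):
        flags.append("excuse for hidden caller id")
    if any(p in text for p in FLATTERY):
        flags.append("flattery")
    if any(p in text for p in INTIMIDATION):
        flags.append("intimidation or urgency")
    if req.request_type in SENSITIVE_REQUESTS:
        flags.append("sensitive request")
    on_record = DIRECTORY.get(req.claimed_name, {}).get("phone")
    if req.callback_number_given and req.callback_number_given != on_record:
        flags.append("callback number differs from directory of record")
    return flags


def traffic_light(req: InboundRequest) -> str:
    """Red/yellow/green rating; a sensitive request is always red."""
    flags = red_flags(req)
    if "sensitive request" in flags or len(flags) >= 3:
        return "red"
    if flags:
        return "yellow"
    return "green"


def callback_target(req: InboundRequest) -> Optional[str]:
    """The number to call back: always from the directory, never from the caller."""
    entry = DIRECTORY.get(req.claimed_name)
    return entry["phone"] if entry else None


def handle(req: InboundRequest) -> Dict[str, str]:
    """Decide what the employee should do before acting on the request."""
    light = traffic_light(req)
    if light == "green":
        return {"light": light, "action": "proceed"}
    target = callback_target(req)
    if target is None:
        return {"light": "red", "action": "deny: claimed identity is not in the directory"}
    return {"light": light, "action": f"hold; call back {target} before acting"}


if __name__ == "__main__":
    # Constructed sample call, modelled on the article's "battery is running out" excuse.
    sample = InboundRequest(
        "alice", "password_reset", False, "+1-555-0999",
        "my phone battery is running out, reset my password right now or you will be fired")
    print(red_flags(sample))
    print(handle(sample))
```

The design point is in `callback_target`: the caller-supplied number is only ever used as a red flag, never as the number dialled, so the attacker's excuse about a dying phone cannot redirect the confirmation call to them.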

In addition to training employees, supervision and checks are also required. Mitnick said that this risk cannot be completely eliminated, but it can be minimized. Where is the evidence? Even a social engineering master like Mitnick failed in the end.
