The Art of Social Engineering

on September 19, 2011

Years ago, at a company I used to work for, a large group of employees, myself included, was the target of a spam email that had been deliberately sent through the corporate network and encouraged us to click on a link within the message.

The following day, we received another email with details of the spam ‘test mail’. The IT department had sent the first email around as bait to see whether people working for a security company – and supposedly aware of what is happening in the security world – would fall victim to the scam email and click on the link.

Although few people took the bait, it was still interesting – actually unnerving – to realize that working in the security industry does not mean one “knows all, avoids all”. In reality, even those of us with extensive knowledge of security and the threat landscape can fall victim to social engineering schemes.

“Know Thy Enemy”

To protect ourselves from similar scams, we need to be familiar with the various types of social engineering tactics that the bad guys use. Here are a few of the most common:

  • Holiday / Love eCards. This is a classic type of spam sent out to random recipients in an effort to infect systems with malware: the “card” is a link to, or an attachment carrying, the malicious payload.
  • Delivery Notifications / Receipt. This type of spam email appears to come from your service provider or courier. The email may carry the receipt of a delivered item as an attachment – usually a malicious file – or a notice of a purchased item together with a request for personal information, such as name, address and home phone number.
  • The New Friend / Invitation. These invitations, including email notifications from social networking sites you may or may not be a member of, generally link to phishing pages that imitate the legitimate website’s login page.
  • IM Spam. Instant Messengers (IMs) have evolved from stand-alone executables into web-based platforms; Meebo and Facebook’s IM are two examples. The ease with which social networking sites allow people to communicate makes IMs a target for scammers, who send messages – apparently from someone on your contact list, or from a stranger – containing links to malicious sites or infected pages.
  • The “Viral Video”. A lot of video clips on YouTube and other online streaming sites are great entertainment and can go viral within hours. Scammers take advantage of this by creating URLs that purportedly point to these ‘viral videos’ but actually redirect the user to a malware download site or expose their social network profile to spammers.
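Several of the lures above share one mechanical trait: the link the victim sees is not the link the victim follows. As an added example, not from the original post or from GFI, the following script applies three cheap checks that generalize those lures to any HTML email: the visible anchor text is a URL whose domain differs from the href’s domain; a well-known brand name appears inside an unrelated domain (the “facebook.com.something.example” trick); or the href points at a raw IP address. The sample email body, the brand list, and the heuristics themselves are constructed for this illustration and are assumptions, not a description of any particular product.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of brands the lures in this post impersonate.
TRUSTED_HOSTS = {"youtube.com", "facebook.com", "fedex.com"}

# Constructed sample email body: a fake friend request, a fake viral video,
# and one genuinely legitimate link for contrast.
SAMPLE_EMAIL = """
<p>You have a new friend request!</p>
<a href="http://facebook.com.login-verify.example/accept">http://www.facebook.com/friends</a>
<p>Watch this: <a href="http://203.0.113.7/video.exe">Funny cat video</a></p>
<p><a href="https://www.youtube.com/watch?v=abc">Legit link</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; empty string if none."""
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels approximation; no public suffix list is used."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.I))


def flag_links(html):
    """Return [(href, [reasons])] for every link that trips a heuristic."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        reasons = []
        # 1. Visible text is a URL whose domain differs from the real target.
        if looks_like_url(text):
            shown = text if text.lower().startswith("http") else "http://" + text
            if registered_domain(host_of(shown)) != registered_domain(host):
                reasons.append(f"visible {host_of(shown)} but goes to {host}")
        # 2. A trusted brand name buried inside an unrelated domain.
        for brand in sorted(TRUSTED_HOSTS):
            label = brand.split(".")[0]
            if label in host and registered_domain(host) != brand:
                reasons.append(f"'{label}' appears in unrelated domain {host}")
        # 3. Link target is a bare IP address rather than a hostname.
        if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", host):
            reasons.append("raw IP address")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in flag_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

Running it flags the friend-request link twice (domain mismatch and the buried “facebook” label) and the video link once (raw IP), while the genuine YouTube link passes. The two-label domain approximation is deliberately naive; a production filter would use the public suffix list and, for the “viral video” case, follow redirects before judging the final host.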

“Know Thyself”

We are all at risk and, in turn, we can be a risk to others. We can only do so much to protect ourselves from other people; the key to protecting ourselves from our own actions is a better understanding of what the threats are, what tactics are used, and how to stay vigilant. Education matters: even people with little technology or security knowledge should learn the basics and heed experts’ advice. As always, a solid antivirus solution and a firewall are a must, too.

About the Author:

Jovi Umawing is Communications and Research Analyst at GFI Software. With 10 years in the antivirus industry under her belt, this decorated technical documenter has written research papers, whitepapers, and various threat reports geared towards enterprise and consumer clients. Jovi has also written for eSecurity Planet and is now a regular contributor to the GFI Labs Blog.

Comments
Richard Mensa, September 19, 2011, 7:35 pm

Arming yourself with the right information and knowledge will protect you against all types of bad things the Internet has to and will offer. Take for instance spam. If we all knew how to distinguish it, then it would be dead by now. I’m not just talking about email spam. Social media, IM, and SMS spam could also be minimized (if not completely eradicated) if we all “know our enemy”.

We should also not forget the power of crowd sourcing. This is one art of social engineering one could never live without.

Alicia Mirin, September 20, 2011, 1:11 pm

The policy I always live by is if I didn’t ask to be sent certain kinds of information or I don’t recognize the sender, I don’t open the emails. If somebody wants to get in touch with me about something and they know me well enough to do that, they can call me on the telephone or send something through the post.

Sarah Martin, September 29, 2011, 1:08 pm

If the email was from the IT department (and this was explicitly stated in the email), this bears a very high level of trust and probably this is the reason why so many of you clicked it. Of course, the fact that it originated from the IT department isn’t a guarantee that it is clean because, let’s say, the IT department might have got hacked, but still this isn’t a random email. Or did I get it wrong? Did the IT guys send a random-looking email on purpose?

Perry B., October 6, 2011, 2:30 pm

I never knew that social engineering could be a form of art. And why not? With the increasing popularity of social media and the massive growth of the World Wide Web, social engineering in its entirety is a type of human creativity and wild imagination.

At present, it’s all about email, SMS, and IM spam, online scams, viruses, malware, phishing attacks, link baits, etc. In the near future, just like all types of art, social engineering will evolve into something else.