Sometimes there are random pieces of information we never forget. Important information, such as birthdays, or even the knowledge that you turned off the oven or locked the front door, can be displaced by an IP address used years earlier or a funny video you saw on YouTube, writes Raj Samani, VP and CTO EMEA at McAfee.
For me, this video was quite frankly the most remarkable piece of social engineering I have ever seen. (Note: of course, being a security professional I have to maintain a natural level of scepticism, so I use these brackets as a get-out clause: the entire video may of course have been staged.)
An individual had just broken out of prison and was on the run. He happened to be stopped by a police officer who knew that someone had escaped. What followed was captured by the police car's onboard camera: the escapee talked his way out of raising enough suspicion to be arrested.
Despite claiming to be out jogging in incredible heat, and getting his "fake" name wrong during the conversation, the escapee was allowed to go.
People are susceptible. In this scenario, simply because the officer appeared to like the individual and trusted his words, he allowed an escaped convict to continue on his morning jog. Unsurprisingly, there are many more subconscious levers that can be used to influence individuals, and what is worrying is that many cyber criminals are leveraging these techniques when sending e-mails to your employees, friends and family, as well as to you and me.
In the good old days we were promised photos of attractive celebrities in compromising positions in an attempt to entice a double-click. Now many of these influencing levers can be seen within malicious e-mails, and a walk along the high street will reveal the same techniques used by retailers to increase sales.
One of these techniques is the "scarcity" principle. Last weekend, my niece and I went to an out-of-town shopping centre, and as we passed a well-known furniture store she remarked that it always seems to have a sale on.
Well, that's the trick: convince people that there is only a limited time to buy that sofa, or use a cleverly crafted e-mail to trick the user into "validating" their details before their account is suspended, and you have access to their bank account. Combine that with the "authority" principle, making the request appear to come from a legitimate source such as the bank itself, and the attack is likely to be even more successful.
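The scarcity and authority levers described above are exactly the cues a mail filter or an analyst triaging a reported message looks for. The following Python is an added example (not code from the article or from McAfee): it parses a raw message and scores it on three indicators, a deadline or threat of loss in the body, an institutional role claimed in the sender's display name, and a link whose visible text shows one domain while its href points at another. The phrase lists, sample messages and every domain in them are constructed for illustration and are assumptions, not data from the article.

```python
"""Heuristic phishing-indicator scorer (added illustration, not the article's code).

Scores a raw RFC 822 message on three social-engineering cues: scarcity/urgency
wording, an authority cue in the sender identity, and links whose visible text
points somewhere other than their href.  Phrase lists and samples are assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Scarcity / urgency: deadlines and threats of loss (assumed, illustrative list)
URGENCY_PATTERNS = [
    r"\bwithin \d+ hours?\b",
    r"\bwill be suspended\b",
    r"\bimmediately\b",
    r"\bfinal (notice|warning)\b",
    r"\blimited time\b",
    r"\bverify your (account|details|identity)\b",
]
# Authority: institutional roles a sender's display name may claim (assumed list)
AUTHORITY_WORDS = {"bank", "security", "support", "helpdesk", "admin", "police"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(url_or_host: str) -> str:
    """Lower-cased host part of a URL; bare hosts are accepted too."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def body_text(msg) -> str:
    """Concatenate every text/* part, decoded with its declared charset."""
    chunks = []
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return {'score', 'indicators', 'sender_domain'} for one raw message."""
    msg = message_from_string(raw)
    raw_body = body_text(msg)
    text = TAG_RE.sub(" ", raw_body)  # tag-free text for phrase matching
    indicators = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Scarcity: a deadline or threat of loss pushes the reader to act now
    for pat in URGENCY_PATTERNS:
        m = re.search(pat, text, re.I)
        if m:
            indicators.append(f"urgency: '{m.group(0)}'")

    # 2. Authority: the display name claims an institutional role
    if any(w in display_name.lower() for w in AUTHORITY_WORDS):
        indicators.append(f"authority cue in sender name: '{display_name}'")

    # 3. Link mismatch: visible text shows one domain, href goes to another
    for href, inner in ANCHOR_RE.findall(raw_body):
        shown = TAG_RE.sub("", inner).strip()
        if re.match(r"^(https?://|www\.)", shown, re.I) and domain_of(shown) != domain_of(href):
            indicators.append(f"link text {shown} -> {domain_of(href)}")

    return {"score": len(indicators), "indicators": indicators, "sender_domain": sender_domain}


# Constructed sample messages (all names and domains are made up for this example)
PHISH = """\
From: Yourbank Security Team <alerts@yourbank-verify.example>
To: victim@example.org
Subject: Action required: account suspension
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Unusual activity was detected. Your account will be suspended within 24 hours
unless you verify your details.</p>
<p><a href="http://login.yourbank-verify.example/confirm">https://www.yourbank.example/login</a></p>
"""

BENIGN = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Fancy the new place on the high street on Friday? Menu: https://menu.example/friday
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        result = score_message(sample)
        print(label, result["score"], result["sender_domain"], *result["indicators"], sep="\n  ")
```

The score is a count of independent cues rather than a probability; the point is that the scarcity phrases and the authority cue each add a little, while the link mismatch is the cue that most strongly indicates a credential-harvesting page, so a real filter would weight it higher and would also check the sender domain against known brands.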
Even in the real world, if you happen to watch The Real Hustle, it is remarkable what can be achieved with a yellow fluorescent jacket and a clipboard. Better still, add a colour printer, a laminator and some utility company logos, and you have access to most buildings around the world.
Today's phishing e-mails use cleverer techniques to entice user interaction. Equally, such attacks happen regularly through other channels: the telephone, face-to-face interaction, even fax machines. As we become more aware of threats, attackers will continue to look for new ways to exploit these subconscious levers in a constant game of cat and mouse.