Information Security Tips Series
Further to the previous topic on Social Engineering Attacks, we introduce some cases to make you more aware of the risks. In a Social Engineering Attack, a swindler will pose as an "authorised person" to make the victim less alert. It is more difficult for the victim to see through a fake "authorised person" than through someone posing as a relative or friend. Once, a tester called 12 employees of a company and, posing as a network administrator, asked for their system login names and passwords; nine of them handed over their login names and passwords without any consideration.

We may learn from the following example how an intruder hacks into other computers by using Social Engineering Attacks. Steve was tasked to hack into a company that had an almost nonexistent footprint on the Internet. After searching the web, he found that a senior company official had used his corporate email account to register on a stamp-collecting forum and had expressed interest in stamps related to the Chinese zodiac. Steve registered a URL matching this theme. He then collected some Chinese zodiac stamp photos from the web to build a stamp collector website. He sent an email to the company official saying that his grandfather had passed away recently and left him a Chinese zodiac stamp collection; as the company official was interested in such stamps, Steve would like to sell them to him. The email contained the URL where the stamp collection could be viewed. Before sending the email, Steve wanted to convince the company official that the email was authentic, so he telephoned the official to talk about the sale. As a result, when the company official received the email, he clicked the web link without consideration. Steve had embedded a malicious frame on the website containing code that exploited a vulnerability in the Internet browser, and he took control of the company official's computer as soon as the web page was visited.

After reading the above intrusion process, you may think the email is similar to ordinary spam that you would never open, and that you would not do as the company official did in clicking a web link from a stranger. The company official's computer was hacked because the intruder collected information from social networking sites, understood the target's interests and used this information to craft a "real" email that made the hacking successful.

From the above scenario, we may ask why Steve built the website instead of hacking the victim directly through the email and the link. It is because most Internet security suites will detect and filter malicious code in an email or link. Moreover, a targeted person may search for related information about the website before visiting it; if no relevant information turns up in the search engines, the target may become alert and the attack may fail. Therefore, besides using advanced computer hacking skills, Steve applied social engineering in this case.

Please take note of the following points:

1. Don't use your official email address for private purposes;
2. Don't trust any "net friend" easily;
3. Do update your computer software frequently, using legal software so that you receive the official updates for it; and
4. Do not post personal information that other sites, such as bank sites, might use to verify your identity. Although some of this information may seem harmless (e.g. your pet's name), it may provide rich pickings for criminals, who may gather it to impersonate you and gain access to your sensitive information.

As members of the Force, we have a higher alertness to this issue, but our family and friends do not. We should therefore discuss Social Engineering Attacks with them more often to reduce the risks and enhance their awareness. We will study another social engineering attack case in the next issue.