Information Security Tips Series
Social Engineering Attack case studies (Part II)








We gave an example of a social engineering attack in the previous issue. We now share another example with you.

A salesman, Tony, attended an industry seminar hoping to increase his sales volume and to make contact with potential customers at the event.

After he had been sitting alone for a while, a man sat down beside him and introduced himself. The man handed over a business card showing that he was called Peter and worked for a major competitor of Tony's company. Tony gave Peter a fake business card in return, hoping to learn something about the competitor's sales plans. Tony's name and phone number on the card were real, but the company name and address belonged to a friend's company.

After a brief conversation Peter left, leaving a USB thumb drive behind on his seat. Tony did not return the drive to Peter at once, because he thought it might contain some important information.

After the seminar, Tony took the USB thumb drive home. Its contents had been encrypted with a software-based encryption tool, so Tony could not read them directly. To avoid arousing Peter's suspicion, and to guard against the data being destroyed, he copied the entire contents before returning the drive to Peter. Tony then tried to break the encryption on the copy, using the information he already had about Peter to guess the password. It took little effort: Peter had used his company's direct-line phone number and the short form of his company name as the password, and Tony guessed it correctly.
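The following is an added example, not code from the original article, showing how little effort the guess described above actually takes. It assumes only the two facts a business card gives away (a company name and a direct-line phone number), builds every plausible combination of their short forms, and tries each one. Because the article does not name the encryption tool, a PBKDF2 key derivation stands in for the real container check; the victim's company, phone number and password ("ATC23456789") are constructed for the demonstration. The same generator is what a defender would run against a proposed passphrase to see whether it can be rebuilt from public facts.

```python
"""Targeted password guessing from business-card facts (added example).

Constructed scenario: the attacker holds only what a business card reveals
(company name, direct-line number). The encrypted copy is stood in for by a
PBKDF2 verifier, because the page does not say which tool was used.
"""
import hashlib
import hmac
import itertools
import re

SALT = b"constructed-salt"   # constructed; a real tool stores its own salt
ITERATIONS = 10_000


def derive_key(password: str) -> bytes:
    """Stand-in for the container's key derivation (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def company_short_forms(company_name: str) -> list:
    """Short forms a person typically uses: initials and the first word, in a few cases."""
    words = re.findall(r"[A-Za-z0-9]+", company_name)
    initials = "".join(w[0] for w in words)
    forms = {initials.upper(), initials.lower(),
             words[0].upper(), words[0].lower(), words[0].title()}
    return sorted(forms)


def phone_variants(phone: str) -> list:
    """The number as printed, digits only, and the local part without country code."""
    digits = re.sub(r"\D", "", phone)
    variants = {phone.strip(), digits}
    if len(digits) > 8:          # assumption: 8-digit local numbers (e.g. "+852 2345 6789")
        variants.add(digits[-8:])
    return sorted(variants)


def candidate_passwords(company_name: str, phone: str):
    """Yield every short-form / number / separator combination in both orders."""
    shorts = company_short_forms(company_name)
    phones = phone_variants(phone)
    separators = ["", "-", "_", "."]
    seen = set()
    for short, number, sep in itertools.product(shorts, phones, separators):
        for candidate in (f"{short}{sep}{number}", f"{number}{sep}{short}"):
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def guess_password(company_name: str, phone: str, target_key: bytes) -> tuple:
    """Return (password, attempts) on success or (None, attempts) if the list is exhausted."""
    attempts = 0
    for candidate in candidate_passwords(company_name, phone):
        attempts += 1
        if hmac.compare_digest(derive_key(candidate), target_key):
            return candidate, attempts
    return None, attempts


# Constructed victim data: company "Acme Trading Company", direct line 2345 6789,
# password = initials + local number, exactly the pattern the story describes.
VICTIM_COMPANY = "Acme Trading Company"
VICTIM_PHONE = "+852 2345 6789"
TARGET_KEY = derive_key("ATC23456789")

if __name__ == "__main__":
    password, attempts = guess_password(VICTIM_COMPANY, VICTIM_PHONE, TARGET_KEY)
    print(f"recovered {password!r} after {attempts} attempts")
```

The whole candidate list is at most 120 entries, so the password falls in well under a second even with a deliberately slow key derivation; no amount of encryption strength helps when the key is derived from facts printed on a business card.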

Besides the company's product information, the decrypted content held useful details of customer contacts and links to some companies. Tony opened several unfamiliar links to look at those companies' information. The most surprising find was Peter's income record, which showed that Peter's sales volume, and his commissions, were higher than Tony's own. Tony thought that if he joined Peter's company he would earn more.

The story seems to have reached its end, but the social engineer here is not Tony; it is Peter. Peter's identity is fake: he is an agent of an executive-search firm who set a trap, on a client's instructions, to recruit top salespeople from the client's competitors. Tony fell into the trap the moment he opened the USB thumb drive. The encryption was a trick to make Tony trust what was inside. The unfamiliar company links were placed there to open a data connection from Tony's computer. What hooked Tony was the "high" commission figures: if Peter's firm later asks Tony to join their client, he will agree more readily. Moreover, because Tony stole what he believed were business secrets from the USB thumb drive, he can be coerced into acting as an insider and doing further damage to his own company before resigning.

From the above story, there are several points we should note:

(1) Do not trust the identity printed on a business card without further evidence.

(2) Social engineering attacks are not only about collecting information; they also complete their mission by delivering information. The fake income and commission figures on the USB thumb drive in this story are one of the tools used to set the trap.

(3) People often fall into traps through greed. Had Tony not coveted the contents of the USB thumb drive, he would not have been trapped. Greed left Tony unable to refuse the demand to betray his company, and he himself ended up being used as a tool in a business attack.

We hope you will be more wary after reading this story. It is also worth sharing with your friends as a lesson.




