9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines
By Joan Goodchild, Senior Editor, CSO
What the average guy might call a con is known in the security world as social engineering. Social engineering is the criminal art of scamming a person into doing something or divulging sensitive information. These days, there are thousands of ways for con artists to pull off their tricks (See: Social Engineering: Eight Common Tactics). Here we look at some of the most common lines these people are using to fool their victims..
Social networking scams
“I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. One of the latest involves the criminal posing as a Facebook “friend.” They send a message or IM on Facebook claiming to be stuck in a foreign city and they say they need money.
“The claim is often that they were robbed while traveling and the person asks the Facebook friend to wire money so everything can be fixed,” said Cluley.
One can never be certain the person they are talking to on Facebook is actually the real person, he noted. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.
“If a person has chosen a bad password, or had it stolen through malware, it is easy for a con to wear that cloak of trustability,” said Cluley. “Once you have access to a person’s account, you can see who their spouse is, where they went on holiday the last time. It is easy to pretend to be someone you are not.”
“Someone has a secret crush on you! Download this application to find who it is!”
Facebook has thousands of applications users can download. Superpoke is one example of a popular application many users download to enhance their Facebook experience. But many are not trustworthy, according to Cluley.
“It is impossible for Facebook to vet all of the applications people write,” he said.
Sophos, which tracks cybercrime trends, is seeing Facebook applications that install adware, which cause pop-up ads to appear on a user’s screen. The other danger, according to Cluley, is that installing many of these applications means you give a third-party access to your personal information on your profile.
“Even if they are legitimate, can you trust them to look after your data properly?” said Cluley. “A lot of these applications are really jokey. You don’t really need those. People should consider carefully which ones they choose to accept.”
“Did you see this video of you? Check out this link!”
Sophos is also seeing an increase in Spam on Twitter, the popular social network where users “Tweet” quick one line messages to others in their network (Read: 3 Ways a Twitter Hack Can Hurt You).
A spam campaign on Twitter in recent weeks involved a Tweet that said “Did you see this video of you?”
“If you think the link is from a friend, you are much more likely to click on it,” said Cluley.
Unfortunately, users who clicked on the link ended up at a bogus site that only looked like the Twitter web site. Once there, unsuspecting Twitterers entered passwords, which then ended up in the hands of hackers.
“This is Chris from tech services. I’ve been notified of an infection on your computer.”
Before there were computers, email, web browsers and social network sites for communication, there was the phone. And although it may seem archaic now, it is still a handy way to pull off a social engineering scam, according to Chris Nickerson, founder of Lares, a Colorado-based security consultancy.
Nickerson said scammers often take advantage of a timely event to strike. The Downaup worm that is currently infecting many PCs is a good example (Read Downadup Worm Now Infects 1 in every 16 PCs). Nickerson’s firm conducts what he calls ‘Red Team Testing’ for clients using techniques that involve social engineering to see where a company is vulnerable.
“I will call someone and say “I’ve been informed that you’ve been infected with this worm.’ And then I walk them through a bunch of screens. They will see things like registry lines and start to get nervous with the technicality of it. Eventually, I say ‘Look, why don’t I fix this for you? Give me your password and I will deal with it and call you back when I am done.'”
The strategy plays on a person’s fear and lack of comfort with tech, said Nickerson.
“If you can put someone in a position where they think they are in trouble, and then be the one to fix it, you automatically gain their trust.”
“Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
Nickerson recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack).
Criminals will often take weeks and months getting to know a place before even coming in the door. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.
Well, cookies can’t hurt either. Nickerson said he always brings cookies when he is trying to gain the trust of an office staff. In fact, a 2007 diamond heist at the ABN Amro Bank in Antwerp, Belgium involved an elderly man who offered the female staff chocolates and eventually gained their trust with regular visits while he pretended to be a successful businessman.
“It was just plain old chocolate,” said Nickerson. “Sweets loosen everybody up.”
Ultimately the bank lost 120,000 carats of diamonds because the man was able to gain enough trust to be given off-hours access to the bank’s vault.
“Can you hold the door for me? I don’t have my key/access card on me.”
In the same exercise where Nickerson used his shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming his team member was simply a fellow-office-smoking mate, employees let him in the back door with out question.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don’t ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he said.
“I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don’t even get checked. I’ve even worn a badge that said right on it ‘Kick me out’ and I still was not questioned.”
“You have not paid for the item you recently won on eBay. Please click here to pay.”
“We see emails impersonating complaints from eBay for non-payment of winning bids,” said Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, New Jersey. “Many people use eBay, and users often bid days before a purchase is complete. So, it’s not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior.”
Rubinoff, who was once targeted and almost fell prey to a phishing attack, was inspired to found Green Armor after the incident. She said this kind of ploy plays to a person’s concerns about negative impact on their eBay score.
“Since people spend years building eBay feedback score or “reputation,” people react quickly to this type of email. But, of course, it leads to a phishing site.”
Rubinoff recommends not clicking on any emails of this kind. Instead, if you are concerned about something like your eBay score, go to eBay directly by typing the url into the browser bar on your own.
“You’ve been let go. Click here to register for severance pay. ”
With the economy in the state it is in now, people are afraid for their jobs and criminals are taking advantage of that fear, said Rubinoff. A common tactic includes sending an email to employees that looks like it is from the employer. The message appears to relay news that requires a quick response.
“It can be an email that appears to be from HR that says: ‘You have been let go due to a layoff. If you wish to register for severance please register here,’ and includes a malicious link.”
No one wants to be the person that causes problems in this economy, so any email that appears to be from an employer will likely elicit a response, noted Rubinoff. Lares’ Nickerson has also seen cons that use fake employer emails.
“It might say, ‘In an effort to cut costs, we are sending W-2 forms electronically this year,'” said Nickerson.