Now, obviously, I am not offering free beer, on this web site or any other, and I never will. I placed this page here for educational purposes: to help my readers understand the various Social Engineering techniques in use today, all of which attempt to get you to do something you would normally not do. Please, read on…
Social Engineering has been around since the dawn of time. The whole idea is to trick people into doing something they would never choose to do if they actually knew what was going on. Attacks of this kind on unsuspecting users have caused people to visit web sites they would not normally visit, give up their passwords, delete files they should not, or even purchase products they would never need.
One of the largest Social Engineering attacks today involves viruses. Viruses normally propagate by having the recipient execute malicious code, which infects their computer and in turn sends the virus on to other people around the globe. Many viruses of recent history have used Social Engineering tactics to ensure that a large number of unsuspecting people spread the payload. Two examples are the Anna Kournikova virus and the ILOVEYOU virus. Each preys on a human desire: to see a candid picture of a celebrity, or to learn the identity of an anonymous admirer. The best defense against such an attack is knowledge. Do not open attachments from people you do not know, and question the content you receive from people you do know. Many viruses, such as the Klez virus, forge the sender address so that the message looks as if it came from someone you have already had dealings with. Before sending any E-Mail attachment, I send a separate E-Mail first explaining the contents. If that E-Mail is not there, the E-Mail with the attachment never came from me. More information on how you can protect yourself, and examples of these E-Mail viruses, can be found in my Email filtering guide. Plenty of security awareness information is available at http://www.cert.org/ and http://www.symantec.com/.
A disturbing trend in the online advertising market is to disguise banners and pop-up ads as system messages, from “You are broadcasting your IP address” to “Pay $20 to stop these ads forever!” Each relies on the user clicking the ad and traveling to a site that asks for personal information, or even for money. If everyone ignored these false warnings they would no longer be effective and, naturally, they would go away. For example, a spammer sends a Windows Messenger service message to your system claiming that they will “remove these ads” and that you will “never receive them again” if you go to some web site, and on occasion asks you to send them money for a program to disable the Messenger service. However, you can do the exact same thing in little time with the tools you already have: the Messenger service can be stopped and set to disabled from the Services console that ships with Windows. Visit this page for more information.
Telemarketers have been around, seemingly forever. I find this particular marketing technique more intrusive than most advertising schemes of today. I screen all of my calls with an answering machine and, when I so desire, I pick up the phone to tell them to “put me on your do not call list and never call this number again!” I have been hung up on more than once. Some telemarketers even claim that they know “how much your long distance bill is,” along with many other false statements. When questioned as to what it “really is,” or asked to substantiate their claims, many telemarketers backpedal and say anything from “we cannot release that information” to “it is confidential.” If it is so confidential, how did they get it?!?
A National Do Not Call List is available for everyone to use, as well as several state-run listings. More information can be found on the FTC’s web site at donotcall.gov.
An overwhelming amount of Unsolicited Commercial Email (UCE) is always in my inbox. Each message carries grand claims such as “earn $3000 a week at home” and “Lose weight while sleeping.” Spam marketing works because people open the E-Mails and head off to the spammers’ web sites, where the spammers in turn sell your information and your valid E-Mail address to other spammers and marketers, often labeling you as “a live one.” Even with the tiny response rate, the cost of sending millions of E-Mails is nothing compared to the commissions spammers earn from “leads” for mortgage loans or medical prescriptions. Even though many spammers attempt to fool filters by adding garbage characters at the end of the subject line, you can easily identify and delete them.
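The three E-Mail tricks described above (a disguised executable attachment, a forged sender address of the Klez kind, and filter-busting garbage at the end of a subject line) can all be caught mechanically. The following Python script is an added example, not code from the original page or from any of the products it mentions. Every message, address, filename and subject in it is constructed for the example, and the checks are heuristics: the extension lists, the domain comparison between From: and Return-Path:, and the “random trailing token” test are my assumptions about what a practical filter should look for, not a description of any particular virus or spam run.

```python
"""Screen inbound E-Mail for the social-engineering tricks discussed above.

Added example (not code from the original page). Three checks:
  1. an attachment whose name hides an executable behind a harmless-looking
     double extension, e.g. "photo.jpg.vbs";
  2. a From: address whose domain does not match the Return-Path: domain,
     the residue left when a worm forges From: with an address harvested
     from an infected machine;
  3. a subject line ending in a run of random letters and digits that
     spammers append to defeat simple filters.
All sample messages below are constructed for this example.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions Windows will execute on double-click, and
# extensions commonly used as the "decoy" inner part of a double extension.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "vbs", "vbe", "js", "jse",
                         "bat", "cmd", "com", "hta", "wsf"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "xls",
                    "pdf", "mp3", "avi"}
VOWELS = set("aeiouy")


def attachment_risk(filename):
    """Return a reason if the filename looks like a disguised executable."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return f"double extension .{parts[-2]}.{ext} hides an executable"
    return f"executable attachment .{ext}"


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """Flag a From: domain that differs from the Return-Path: domain."""
    frm, rp = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if frm and rp and frm != rp:
        return f"From domain {frm} does not match Return-Path domain {rp}"
    return None


def hash_buster(subject):
    """Flag a final subject token that mixes letters and digits or has no vowels."""
    if not subject:
        return None
    token = str(subject).split()[-1].lower()
    if len(token) < 5 or not token.isalnum():
        return None
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    no_vowels = not (set(token) & VOWELS)
    if has_alpha and (has_digit or no_vowels):
        return f"subject ends in filler token {token!r}"
    return None


def screen_message(raw):
    """Parse a raw RFC 822 message and return a list of findings (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [r for r in (sender_mismatch(msg), hash_buster(msg.get("Subject"))) if r]
    for part in msg.iter_attachments():
        reason = attachment_risk(part.get_filename() or "")
        if reason:
            findings.append(reason)
    return findings


def build_sample(sender, return_path, subject, body, attachment=None):
    """Construct a sample message as bytes (all values are made up)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "you@example.com"
    msg["Return-Path"] = return_path
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed payload bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


SAMPLES = {
    # Worm-style: From: borrowed from an address book, real bounce path elsewhere.
    "worm": build_sample("Pat <pat@example.org>", "<x8f2@example.net>",
                         "Check out this photo :)", "You have to see this!",
                         attachment="photo.jpg.vbs"),
    # Spam-style: filler token appended to the subject line.
    "spam": build_sample("offers@example.biz", "<offers@example.biz>",
                         "Lose weight while sleeping  gqxz71kd", "Click here..."),
    # Legitimate: consistent sender, ordinary document attachment.
    "legit": build_sample("Alice <alice@example.com>", "<alice@example.com>",
                          "Q3 report attached", "Here is the report.",
                          attachment="q3-report.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, screen_message(raw) or "clean")
```

Running the script flags the worm-style sample twice (mismatched sender domain and the `.jpg.vbs` double extension), flags the spam sample once for the trailing filler token, and reports the legitimate sample clean. The `Return-Path` comparison only works on mail as delivered by your own server, since that header is added at final delivery; on a message you construct yourself, as here, it is whatever you put in it.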
No legitimate reason exists for anyone to ask you to send your password over E-Mail, over the phone, or any other way. A means to “reset” your password is always available that does not require you to reveal your old one, or your new one, to anyone. Stop this fraud by reporting such requests to your game server administrator, your ISP or your corporate IT department, depending on what kind of account is under attack. Even the strongest password is useless if it is handed out to the wrong people for any reason. Keep your personal information and your passwords confidential, and protect them as you would any valuable documents.
Even though this page only covers a handful of the many intrusive techniques of Social Engineering, I hope my intention of educating the reader holds up. Knowledge is power. What you do with that power is totally up to you.
July 27, 2003
July 27, 2003: Initial release