Blaggers And Your Business – Why Helpful Staff Are Your Biggest Danger!
By Vernon Yerkess. Published Feb 17, 2012
We’ve all received those lame emails asking to check our bank details or urging us to enter some personal information or other because we’ve won a $645 million prize in some South American lottery.
And who hasn’t laughed at the ridiculous Nigerian bank scam (also known as the 419 fraud)?
I bet you, like me, have often wondered how anyone can be so gullible that these emails work. But of course some people are fooled; that’s why the emails keep coming.
These scams are crude, but there are far, far more subtle versions out there of techniques that will persuade people to carry out unwise actions.
And the people operating them are smart.
Here’s when I believe a business is at most risk of being compromised: It’s when you start to believe that scammers, blaggers or phishers (whatever name you want to give them), can never get to you and your business. You and your people are just too savvy.
That’s when you’re in real danger.
Many of us perhaps focus too much on hi-tech defences – the anti-malware, anti-virus software – to protect our business networks against malicious software invasion.
The real danger often comes, though, not from some geeky hack, but from the fact that your staff are probably too unsuspecting and too helpful.
Welcome to the scary world of Social Engineering.
What social engineers do – let’s call them criminals in this context – is extract small pieces of information from various sources about your company.
These tidbits, in isolation, will almost certainly seem totally innocuous. They only become a powerful tool when added together to create a profile.
The information comes from Google searches, and lots and lots comes from social media, especially Facebook and LinkedIn. Some will come from simple phone inquiries to your staff.
A favourite technique might involve a call to your company from a blagger claiming to be carrying out a survey – that way people are predisposed either to answer the questions or simply to say they’re too busy. No suspicion is aroused.
Any information gathered will be pieced together to help create a believable lie.
At a later time, a member – or members – of staff will be selected, a phone call made, a letter posted or an email sent and the trap is sprung.
Here’s a good example as illustrated in the US magazine, PC Today.
A scammer phones a company pretending to sell some type of equipment and learns in the course of an apparently casual and harmless conversation that the company has recently bought some new photocopiers. For a skilled blagger, finding out which company the copiers were bought from won’t present a problem.
Shortly afterwards – and some fake letterheads later – flash drives arrive in the post as a gift for everyone associated with the purchase of the copiers, apparently from the supplier.
All it takes is for one person – just one – to connect a drive to their PC and the company’s network will be compromised by malware.
Another typical attack is described by security expert Chris Hadnagy, author of Social Engineering: The Art of Human Hacking.
It starts with a seemingly innocent call from someone, again claiming to be a supplier of some kind. During a conversation they’ll discover what browser the person in the company uses and also that they, for example, use Adobe Reader.
They end the call by suggesting they’ll send a proposal in writing, in a PDF, and they are given an email address.
When the email arrives, the innocent-looking (and expected) PDF document is not what it seems, but a ‘reverse shell’ – which allows remote control of, or access to, a computer.
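A first-line check a mail gateway or help desk could apply to an unexpected ‘proposal’ PDF like the one above, as an added example that is not from the post, the book or the report: flag PDF attachments that carry active content (scripts, open-time actions, launch actions, embedded files). It decodes PDF name escapes (so an obfuscated /Java#53cript is still recognised as /JavaScript); the sample PDF bytes are constructed for illustration.

```python
import re
from typing import Dict

# PDF name objects that indicate active content or object hiding. None is
# malicious on its own, but a written quote from a stranger rarely needs them.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs as soon as the file is opened",
    b"/AA": "event-triggered (additional) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "file attachment hidden inside the PDF",
    b"/RichMedia": "embedded Flash or other media",
    b"/ObjStm": "compressed object stream (can hide other objects)",
}

# A PDF name token runs from '/' up to whitespace or a delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")

def _unescape_name(name: bytes) -> bytes:
    """Decode #xx escapes allowed in PDF names: /Java#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)

def triage_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name objects in raw PDF bytes, after decoding name escapes."""
    hits: Dict[str, int] = {}
    for m in _NAME_RE.finditer(data):
        name = _unescape_name(m.group(0))
        if name in RISKY_NAMES:
            hits[name.decode()] = hits.get(name.decode(), 0) + 1
    return hits

def verdict(data: bytes) -> str:
    """Quarantine anything that is not a PDF at all, or that carries active content."""
    if not data.startswith(b"%PDF-"):
        return "quarantine: not a PDF despite the extension"
    hits = triage_pdf(data)
    if hits:
        reasons = ", ".join(f"{k} ({RISKY_NAMES[k.encode()]})" for k in sorted(hits))
        return "quarantine: " + reasons
    return "pass: no active content found"

# Constructed samples: a bare one-page document, and one whose catalog fires a
# (name-escaped) JavaScript action on open. Not real-world files.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"4 0 obj << /S /Java#53cript /JS (constructed-placeholder) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Triage of this kind only says “this file can do something when opened”; it is a reason to verify the sender by phone on a number you already hold, not proof of malice.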
A report produced by social-engineer.org – an organisation that helps reveal the techniques used by malicious social engineers – should ring alarm bells for every business.
If you have time, it’s well worth reading in full and can be downloaded from http://www.social-engineer.org/se-resources/.
The ‘Defcon 18 Social Engineering CTF Report’ basically targeted a range of businesses in the US to test how much specific information could be gathered before launching ‘attacks’ on the companies.
Each volunteer taking part in the project had two weeks to collect information about the companies and then just 25 minutes to launch an ‘attack’ on the phone.
Typically, information was gathered by using the pretext of carrying out a survey, pretending to be a customer or a job recruiter.
And here’s the alarming bit – over 85 per cent of companies targeted were persuaded to click on a fake URL as directed.
What the report concludes is that a company is only as secure as its weakest employee.
It also reveals clearly that information that’s perceived not to carry any value will not be protected.
What the test showed repeatedly was that, “Unless employees have been coached in a clear manner as to how to respond to uncommon requests, the default behaviour will be to act as helpful as possible.”
The report drives home the importance of educating ALL staff within a company, including the lowest level of employees – in fact, these employees are probably the most likely to be targeted by blaggers.
“As software is built better and it is more difficult to gain access to data that way, hackers will turn to the easiest path into companies – The Human Vulnerability,” concludes the report.
So, what to do?
The answer must be all about awareness.
There’s no such thing as total security, it seems to me. But creating awareness throughout a company – an awareness of the kind of subtle techniques social engineers, or blaggers, will use – is what we should all be doing.
And, on a more practical level, the social engineering report also revealed that some very simple things – asking for an email address, a phone number and company details, and then checking them – can often stop an attack in its tracks.
The best blaggers will probably always find a way around obstacles like these. But making your business a less easy target is bound to make it a less tempting one for these so-called social engineers.