The term “social engineering” sounds like a serious academic subject on reforming a wayward society. Far from it: it is pure and simple trickery, a con job. The social engineering attacker uses social skills to exploit the human tendency to take people at their word. He or she may pretend to be a legitimate official, a person of authority, a helpdesk assistant or a new employee still learning the ropes. All of these deceptions aim to extract sensitive personal or company information such as social security numbers, card details, email addresses, login names and passwords, company financial data, client details, marketing plans and organizational structure, in order to commit fraud.

There are various ingenious ways of doing social engineering. In ‘pretexting’, the attacker invents a fictional scenario to extract information from the victim. Phishing emails invite the recipient to click on embedded links and type in personal information for ‘verification’. Phone phishing (‘vishing’) uses a purpose-built interactive voice response (IVR) system for the deception. Baiting infects systems through Trojan horse malware: a curious victim picks up a seemingly mislaid CD or USB flash drive left at a conspicuous location and runs it on his own system, with disastrous results. In a quid-pro-quo attack, the attacker offers to help resolve a malfunction and in the process extracts bits of personal information.

Here is a classic ‘pretexting’ social engineering story. Ian Malone of the US received a late-night phone call asking whether he had been using his credit card for heavy purchases recently, as the caller (pretending to be an employee of the credit card company) had noticed huge accumulated debts on the card. Malone was naturally flabbergasted, as he was already struggling for funds. The caller sympathized and offered to probe the suspected fraud further and set it right; to do so, “may I have the details of the card, please?” Malone was anxious to get out of the mess. The attacker got what he wanted to commit credit card fraud; the rest is history.

To avoid the various social engineering frauds, follow the guidelines listed below:

  • Never click on embedded links unless you are sure of the identity of the sender; even then, hover over the link first to see where it actually leads.
  • Never call the phone numbers given in information-seeking emails. Instead, call a number you already know to be genuine, such as one printed on a previous statement or on the back of your card.
  • Do not provide personal or company information over the phone to unknown entities, however intimidating the caller may sound or however insistently they demand it.
  • Submit personal information only over encrypted connections: look for an “https” prefix and a lock icon in the browser’s address bar. Bear in mind that this only proves the connection is encrypted, not that the site is genuine; phishing sites use https too, so the domain name still has to be checked.
  • Pay attention to website addresses. Malicious websites use slight variations of a genuine address or domain, e.g. .net instead of .com, the digit 1 in place of the letter l, or the real domain name placed in front of an unrelated one that the browser actually connects to.
  • Don’t accept unsolicited help for repairs; get a qualified, legitimate technician to do any repair.
  • Do not panic when you are told of an alarming situation, and do not act on the caller’s requests. Hang up and call the organization back on a number you know to be genuine.
  • If you suspect you have revealed information, inform the appropriate authorities (network administrators, your supervisor, your bank, the credit card company or even the police), who can take immediate remedial measures to detect and stop any fraud.
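The address checks in the list above (https, look-alike spellings, swapped top-level domains, a genuine domain name buried in front of an unrelated one) can be automated. The script below is an added example and is not part of the original article: it pulls the URLs out of an email body and flags each of those tricks, plus two others worth knowing (a raw IP address in place of a hostname, and user@host syntax that makes the browser ignore everything before the @). The trusted-domain list, the homoglyph table and the sample email are all constructed for the example, and the “registrable domain” logic is a deliberate simplification (last two labels only); real code should use the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Domains the reader genuinely deals with (constructed for this example).
TRUSTED_DOMAINS = ("examplebank.com", "paypal.com")

# Common look-alike substitutions, mapped back to the letter they imitate.
# Illustrative only; a real tool would use a full confusables table.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for .com/.net in this example;
    production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalike(label):
    """Map look-alike characters back to the letters they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def classify_url(url):
    """Return (verdict, findings) for one URL.

    verdict is 'ok' (trusted domain, nothing odd), 'suspicious' (a known
    trick fired) or 'unknown' (not trusted, but no trick recognised)."""
    parts = urlparse(url)
    host = parts.hostname or ""
    findings = []

    if parts.scheme.lower() != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        # https://examplebank.com@evil.example/ : the browser ignores what precedes '@'
        findings.append("userinfo in URL")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address")

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("ok" if not findings else "suspicious"), findings

    for trusted in TRUSTED_DOMAINS:
        t_sld, t_tld = trusted.split(".", 1)
        r_sld, _, r_tld = reg.partition(".")
        if r_sld == t_sld and r_tld != t_tld:
            findings.append(f"TLD swap of {trusted}")                  # examplebank.net
        elif r_sld != t_sld and normalize_lookalike(r_sld) == t_sld:
            findings.append(f"homoglyph of {trusted}")                 # paypa1.com
        elif f".{trusted}." in f".{host}.":
            findings.append(f"{trusted} used as subdomain of {reg}")   # paypal.com.evil.net

    return ("suspicious" if findings else "unknown"), findings


def scan_email(body):
    """Extract every URL from an email body and classify it."""
    results = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")   # drop trailing sentence punctuation
        verdict, findings = classify_url(url)
        results.append((url, verdict, findings))
    return results


# Constructed sample phishing email (not a real message).
SAMPLE_EMAIL = """Dear customer, verify your account at https://paypal.com.account-verify.net/login
or at http://paypa1.com/secure . Your statements: https://www.examplebank.com/statements
Urgent: https://examplebank.net/reset
"""

if __name__ == "__main__":
    for url, verdict, findings in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}  {'; '.join(findings)}")
```

Note that a verdict of “ok” only means the registrable domain matches one you listed and nothing else looked odd; it is a filter for the obvious tricks, not proof of legitimacy, which is exactly why the guideline above says to call back on a known number rather than trust what arrives by email.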

Remember, social engineering frauds can be avoided if you are careful in your actions. If you lose money or data because of your own carelessness, the blame rests with you, and recovery of lost money or data is rarely possible.
