The Seven Deadly Sins of Social Engineering


Social Engineering has always been one of my favorite attack vectors when doing any penetration test. A big reason why our firm succeeds is that we as human beings forget the “Seven Deadly Sins”.

As I thought back over the social engineering attack vectors I had used on previous engagements, I noticed that the same few kept recurring, and that every one of them could be attributed to one of the Seven Deadly Sins.

The Seven Deadly Sins, for those not familiar with them, are: Lust, Gluttony, Greed, Sloth, Wrath, Envy, and Pride. Let me give some examples:

  • Lust – Those wonderful emails promising a wonderful time with beautiful women or a sexual temptation
  • Gluttony – Free Gift Cards to some retailer in some huge sum
  • Greed – Nigerian emails or those wonderful email scams promising lots of money (gift cards to retailers can also fall under this category)
  • Sloth – Easy money by working at home
  • Wrath – Maybe not so much outrage or anger towards an individual, but a situation or outcome, like poor orphans, or a major disaster situation like the recent Typhoon Haiyan
  • Envy – Free iPads, iPhones or some beautiful electronic device
  • Pride – Involves stroking one’s ego in the email, calling them a valuable person or asset and that they are needed. Insecurity is a form of pride, where rather than building one’s ego, they tear them down and make one feel insecure about themselves.

In every case, the lure is an emotional trigger: it can motivate someone to donate in the spirit of aid, as with Typhoon Haiyan, or play on someone’s envy because a friend has the shiny new toys they desire.

Either way, be conscious about these social engineering attempts, in your business and personally. These seven social engineering attack vectors will always net at least one win and the adversary only needs a single win.


See how easily Hackers can take over your life


Cyber security awareness month is coming to a close, and I wanted to close with this new video. It is a follow-up to “Amazing mind reader reveals his ‘gift’”.

This follow-up video features a gentleman who assumes the identity of a random man he selects as his mark on Facebook. Using social media, he acquires information about the mark’s personal life, including the people the mark knows in real life.

Using movie stage makeup, he assumes his mark’s complete physical attributes. He later physically stands before his mark. See the entire video below:

Be vigilant on who you add as a friend on social media. Moreover, do not overshare information. It is amazing what one can find on the internet. Anything you say on the internet can and will be used against you.

Remember, if you give a hacker a cookie, he (or she) is going to want a glass of milk.

Amazing mind reader reveals his ‘gift’


Now that I have your attention, over the weekend, I remembered this video that debuted back in 2012.

It was a great public service announcement piece from Belgium. What made the video such a hit was that the eccentric individual was no ordinary mind reader: he gets all his information from Facebook, Twitter, other social media, and the web.

He is also warning you against sharing too much private information.

[The video] begins with random people being selected from the streets of Brussels. They are asked if they would like to participate in an upcoming TV program featuring Dave, described as a gifted clairvoyant. Once they agree, they are ushered into a white tent to meet Dave. He hugs them and dances around as he seemingly tries to get a sense of the person’s energy. As people are seated across from him, Dave tells them random facts about them, from the color of the motorcycle they own to their bank account number and even the types and locations of their tattoos.

As the unassuming subjects become absorbed in Dave’s trance and the factual information he is providing, the truth behind his magic is revealed. A curtain drops, and behind it is a group of computer hackers dressed in all black searching the Internet for information about each of the individuals. In fact, a large monitor sits in front of the hackers, displaying pictures and personal information about the subjects. Each person seems astonished, first at the curtain dropping and then at the reveal as they realize what has taken place. [Emphasis added]

Over here at Net Force, we still see too much oversharing of information on social media sites. Even the most harmless and innocuous pieces of information individuals share on social media are worth their weight in gold when combined with other pieces of information.

We all need a little reminder to “Be vigilant, because Internet fraudsters can (and will) use information against you.”

See the entire video below: