Jeff Holden CISSP Manager Network & Data Security

Jun 22, 2020
Page 1: Jeff Holden CISSP Manager Network & Data Security… · From: Avis Eyadema <aviseyadema04@gmail.com> Subject: Help Date: Thu, 17 Jul 2008 06:46:04 +0100 (01:46 EDT) PRIVATE

Jeff Holden CISSP

Manager Network & Data Security

Page 2:

The term "sociale ingenieurs" was introduced in an essay by J.C. Van Marken, a Dutch industrialist, in 1894.

Page 3:

At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.

It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick people into handing over passwords and/or other sensitive financial or personal information.

Page 4:

Victor Lustig, 1925 – sold the Eiffel Tower…

Several times!

Page 5:

2007: Anthony Lee tried to sell the Ritz hotel in London for £250 million

Page 6:

Advance fee fraud

The Spanish Prisoner, 16th Century

The Letter from Jerusalem, 18th Century

Nigerian postal/fax scams (419)

Page 7:

A con man approaches British nobles, often accompanied by a beautiful woman, and explains that a fellow noble, this woman's father, has been imprisoned in Spain.

A letter smuggled out from the prisoner was shown as evidence.

The prisoner's name was withheld so the Spanish don't find out they have such a valuable prisoner.

If the British noble will pay the ransom, the jailed father would issue a reward on his release and give his daughter's hand in marriage.

Page 8:

Eugène François Vidocq

The sender would pretend to be the assistant of a nobleman that had lost a large number of jewels, and if the recipient gave them money they would split the jewels when they were found.

Of 100 letters, Vidocq claims that 20 were always answered.

Page 9:

In the early 1980s Nigeria's oil-based economy declined.

Unemployed university students devised this scam to get visitors to Nigeria interested in shady oil deals.

They went on to target businessmen in the West, sending messages via letter or fax, and eventually email.

Page 10:

From: Avis Eyadema <aviseyadema04@gmail.com>
Subject: Help
Date: Thu, 17 Jul 2008 06:46:04 +0100 (01:46 EDT)
PRIVATE AND CONFIDENTIAL

From: Avis Eyadema, Dear Sir, This proposal may come to you as a big surprise, but I believe it is only a day that people meet and become great friends and business partners. It's my pleasure writing you this mail, I am a Togolese by Nationality. My name is AVIS EYADEMA, I am one of the numerous sons of Late GNASSINGBE EYADEMA, with so many wife and children which am one of them, former President of Togo who rule for 38 years and later was succeeded by my half brother and the first son FAURE EYADEMA. Before my father died he deposited huge amount of money in a security company here in Accra, Capital city of Ghana. Before my father died, he instructed and confined in me as his son about his business and secrecy. As a matter of fact, my father gave me some documents bearing the name of a Security company in Accra capital city of Ghana, which he told me was the place he deposited huge amount of money, Gold and Diamond when he was assigned for special duty. Armed with this documents that my father gave to me, I flew to Accra , Ghana where I confirmed the documents. The Company showed me two sealed trunk boxes with the inscription "FAMILY ARCHIVE" with my name being used as the next of kin in the deposit form. However, my father had earlier informed me that he cleverly packed the Fifteen Million, Five Hundred Thousand US Dollars ( $15.5 Million ) in one sealed trunk box the second box contains Gold and Diamond and told the Company that they contain the works of art. This he did in order to conceal the money from being detected. Now with my father exit, I need a foreign partner with the image of God in him who will assist me to receive this proceeds in abroad , and who will equally not sidetrack me when this money get into his possession.

On completion of this transaction, I wish to offer you 25% of total sum for your assistance,10% for unforeseen or miscellaneous and 65% for I and my family and my family will also come over to your country for a joint investment according to your directives. I am here in Ghana because of a treat of my life by my half brother, FAURE , the current President now, who is trying all means to confiscate the funds from me after knowing that my late father made a huge deposit with my name as his next of kin. Contact me with the above mentioned information's if you know with can work together for more details. Yours truly, Avis Eyadema.

Page 11:

"How are you doing? This has had to come in a hurry and it has left me in a devastating state. My family and I had a visit to Wales unannounced some days back for a short vacation, unfortunately we were mugged at the park of the hotel where we stayed, all cash, cell phones and credit cards were stolen off us but luckily for us we still have our passports with us. We've been to the Embassy and the Police here they're not helping issues at all and our flight leaves tomorrow but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills. Please I really need your financial assistance. Please, Let me know if you can help us out?"

Page 12:

Page 13:

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Easy!

Page 14:

“You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

Kevin Mitnick

Page 15:

Phishing

Impersonation on help desk calls

Physical access (such as tailgating)

Shoulder surfing

Dumpster diving

Stealing important documents

Fake software

Trojans

Page 16:

Use of deceptive mass mailing

Can target specific entities (“spear phishing”)

Prevention:

Honeypot email addresses

Education

Awareness of network and website changes
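One way to make the "honeypot email addresses" item concrete, as an added example that is not part of the slides: mailboxes that are never used for real correspondence act as a tripwire, and any mass mailing that reaches one of them and also reaches real staff is pulled from their inboxes. The honeypot addresses, sender domains and gateway log entries below are constructed for the example.

```python
"""Honeypot (spam-trap) mailboxes as a phishing tripwire (hypothetical example).

Addresses that are never used for real mail only receive bulk or scraped-list
traffic, so a campaign that hits one of them and also real staff is quarantined.
"""
import re

# Constructed honeypot mailboxes; never hand these out or use them for real mail.
HONEYPOTS = {"ap-invoices@example.org", "webmaster-old@example.org"}

def campaign_key(msg):
    """Group messages by sender and a normalised subject (digits stripped,
    lower-cased), since bulk mailers vary reference numbers and case."""
    subject = re.sub(r"\d+", "", msg["subject"]).strip().lower()
    return (msg["from"].lower(), subject)

def find_tripped_campaigns(messages, honeypots=HONEYPOTS):
    """Return the campaign keys that reached at least one honeypot address."""
    tripped = set()
    for msg in messages:
        if msg["to"].lower() in honeypots:
            tripped.add(campaign_key(msg))
    return tripped

def quarantine_list(messages, honeypots=HONEYPOTS):
    """Ids of messages sent to real users that belong to a tripped campaign."""
    tripped = find_tripped_campaigns(messages, honeypots)
    return sorted(
        msg["id"] for msg in messages
        if msg["to"].lower() not in honeypots and campaign_key(msg) in tripped
    )

# Constructed gateway log: one "Help" campaign hits a honeypot and two staff
# members; a genuine vendor invoice does not touch any honeypot.
SAMPLE = [
    {"id": "m1", "from": "help@scam.example", "to": "alice@example.org",
     "subject": "Help - Ref 4471"},
    {"id": "m2", "from": "help@scam.example", "to": "ap-invoices@example.org",
     "subject": "HELP - Ref 9920"},
    {"id": "m3", "from": "help@scam.example", "to": "bob@example.org",
     "subject": "Help - Ref 1032"},
    {"id": "m4", "from": "billing@vendor.example", "to": "alice@example.org",
     "subject": "Invoice 2020-06"},
]

if __name__ == "__main__":
    print(quarantine_list(SAMPLE))  # ['m1', 'm3']
```

The honeypot addresses only work while they stay unpublished and unused, so treat their list like a secret and rotate any that start receiving legitimate mail.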

Page 17:

Calling the help desk pretending to be someone else

Usually an employee or someone with authority

Prevention:

Assign PINs for calling the help desk

Don’t do anything on someone’s order

Stick to the scope of the help desk

Page 18:

Tailgating ultimately obtains unauthorized building access

Prevention:

Require badges

Employee training

Security officers

No exceptions!

Page 19:

Someone can watch the keys you press when entering your password

Probably less common

Prevention:

Be aware of who’s around when entering your password

Page 20:

Looking through the trash for sensitive information

Doesn’t have to be dumpsters: any trashcan will do

Prevention:

Easy secure document destruction

Lock dumpsters

Erase magnetic media

Page 21:

Can take documents off someone’s desk

Prevention:

Lock your office

If you don’t have an office: lock your files securely

Don’t leave important information in the open

Page 22:

Watch what information you put online

Quizzes

Friends

Vacations

Employer

Page 23:

Fake login screens

The user is aware of the software but thinks it’s trustworthy

Prevention:

Have a system for making real login screens obvious (personalized key, image, or phrase)

Education

Antivirus (probably won’t catch custom tailored attacks)

Page 24:

Appears to be useful and legitimate software before running

Performs malicious actions in the background

Does not require interaction after being run

Prevention:

Don’t run programs on someone else’s computer

Only open attachments you’re expecting

Use an antivirus

Page 25: