Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: The Future of Social Engineering

The Future of Social Engineering - Sharon Conheady

Being this short is really helpful for social engineering. When a security guard comes I can hide anywhere… I’ve spent hours hiding under desks!

Origins of social engineering

The term "sociale ingenieurs" was introduced by the Dutch industrialist J.C. Van Marken in 1894.

A hundred years ago was the age of the con artists.

Con artists like Victor Lustig managed to sell the Eiffel Tower on multiple occasions. Selling it for scrap!

This kind of con still works… in the last year a man in the UK was jailed for trying to sell the Ritz hotel.

Frank W. Abagnale

  • Conveyed authority
  • Did his research
  • Acted and looked the part

He liked to play the part of an airline pilot, or airline crew…

That would never happen now though, right…

“Fake pilot arrested after 13 years” –> http://news.bbc.co.uk/2/hi/europe/8549954.stm

10 years ago

  • Love bug virus
  • AOL Account takeovers

Now

  • Attacks against Google using social networking
  • Facebook charge scam
  • Robin Sage (Provide Security)

5 Thoughts on the future of SE

  • Same tricks, new technology
    • Advance fee fraud (started in the 16th century)
    • So many instances through history
    • Now present in modern email scams / 419 scams
    • Old attacks reworked for social engineering
    • People taking advantage of current events –> volcanic eruption in Iceland in 2010
  • More sophisticated and more targeted
    • We still see widespread blanket emails, but more and more attacks are tailored to the victim
    • Avoidance of attaching malicious executables, to bypass technical protections
    • Attacks starting in the real world (parking ticket scam)
    • The more creative the attack, the more likely it is to succeed
  • Use of social networks
    • Great information source
    • No need for highly technical skills
    • Everybody can use it!
    • Less dumpster diving
    • Impersonation online is easier than in real life
  • Using technology to improve your SE
    • Photoshop ID cards
    • Maltego / Pipl / recon tools
    • SET (Social Engineering Toolkit)
    • Caller ID spoofing
  • Outsourcing
    • For €7-15 per call you can get somebody to make an SE call for you!
      • Buying credit cards online is easy now – but do you sound like a 77-year-old Italian lady?
      • Pay somebody to make the call for you
    • Cold calls to UK internet users (fake anti-virus support calls)

Social engineering has changed, but the tricks stay the same.

The future… SE has become so popular that the need for SE testing will only increase.

Links:

  • Frank Abagnale
  • Malware delivered in parking ticket scam
  • Warning over anti-virus cold-calls to UK internet users