DeepSEC: The Future of Social Engineering
The Future of Social Engineering – Sharon Conheady
Being this short is really helpful for social engineering. When a security guard comes I can hide anywhere… I’ve spent hours hiding under desks!
Origins of social engineering
The term sociale ingenieurs was introduced by the Dutch industrialist J.C. Van Marken in 1894.
A hundred years ago was the age of the con artists.
Con artists like Victor Lustig managed to sell the Eiffel Tower on multiple occasions. Selling it for scrap!
This kind of con still works… in the last year a man in the UK was jailed for trying to sell the Ritz hotel.
Frank W. Abagnale
- Conveyed authority
- Did his research
- Acted and looked the part
He liked to play the part of an airline pilot, or airline crew…
That would never happen now though, right…
“Fake pilot arrested after 13 years” –> http://news.bbc.co.uk/2/hi/europe/8549954.stm
10 years ago
- Love bug virus
- AOL Account takeovers
- Attacks against Google using social networking
- Facebook charge scam
- Robin Sage (Provide Security)
5 Thoughts on the future of SE
- Same tricks, new technology
  - Advance fee fraud (started in the 16th century)
  - So many instances through history
  - Now present in modern email scams / 419 scams
  - Old attacks reworked for social engineering
  - People taking advantage of current events –> Volcanic eruption in Iceland in 2010
- More sophisticated and more targeted
  - We still see wide-spread blanket emails, but more and more things are tailored for the victim
  - Avoidance of attaching malicious executables to bypass technical protections
  - Attacks starting in the real world (parking ticket scam)
  - The more creative the attack, the more likely it is to succeed
- Use of social networks
  - Great information source
  - No need for highly technical skills
  - Everybody can use it!
  - Less dumpster diving
  - Impersonation online is easier than in real life
- Using technology to improve your SE
  - Photoshop ID cards
  - Maltego / Pipl / recon tools
  - SET (Social Engineering Toolkit)
  - Caller ID spoofing
- For €7-15 per call you can get somebody to make an SE call for you!
  - Buying credit cards online is easy now – but do you sound like a 77-year-old Italian lady?
  - Pay somebody to make the call for you
  - Cold calls to UK internet users
Social engineering has changed, but the tricks stay the same.
The future… SE has become so popular that the need for SE testing will only increase.
- Frank Abagnale –> HERE
- Malware delivered in parking ticket scam –> HERE
- Warning over anti-virus cold-calls to UK internet users –> HERE