Give the gift of a social engineering demo this Christmas

Wondering what gifts to give your coworkers this Christmas?

Here’s an idea: scare the bejesus out of them!

With any luck, your bosses will be grateful* if you launch a social engineering attack on them, or on employees in the call center, or on anybody who’s got anything that a crook could trick them out of for criminal use.

[*For the love of all things silicon, first get your higher-ups’ permission!]

Even with security checks in place and supposedly trained employees, there’s a dizzying array of organizations and individuals who’ve been snookered via social engineering. A very brief list would include:

Last week, “timeddilation,” a Redditor who claims to be the manager of IT at that CEO’s company, posted about the aftermath of the phishing attack.

The CEO approved timeddilation’s proposal to give social engineering training to the management team.

There are many ways to deliver this kind of training. Timeddilation posted their notes and the slideshow on a Google drive. Wait. Is that meta, you well may ask?

Could an invitation to open a file on Google Drive be social engineering? Hopefully not: Google scans files for viruses before allowing them to be shared, at any rate.

He or she also put the materials in a ZIP file and dared us to open it, but, um, no. The threat of a potentially malicious JavaScript attachment sounds a bit too much like ransomware.

At any rate, timeddilation said that the most effective thing was to show them this video, which depicts a live demonstration of a social engineering attack that wound up with a reporter’s account password being changed and with him being locked out of his own account.

Nothing like a recording of a baby crying in the background to lend credence to a cooked-up story, eh?!

There are plenty of other ways to social engineer, of course. Here’s another from Redditor OtisBIT, who says they’re a manager and senior sysadmin.

OtisBIT says they got HR’s approval to trick a purchasing worker out of the password to one of the organization’s systems. Tricking her was “amazingly easy” and required “no admin privileges as all”.

All the social engineering artist used was a Gmail account and some personal information found on her Facebook page to impersonate another IT worker (with whom she’s friends on Facebook, as her public profile showed). Posing as her friend, they talked her into sharing a login.

Facebook itself has launched attacks on its own employees. Click on a rigged spreadsheet, and you’d be sent straight to hell: also known as further training. In that writeup, I provided plenty of other scenarios for staged social engineering attacks, if you want more ideas.

A few things to note before you go commando with security training:

Make sure you’ve got permission 
You really don’t want to wind up in jail over a well-intentioned experiment that you didn’t give anybody a heads-up about.

We can’t emphasize that enough. You don’t just put yourself at risk legally; social engineering stunts can have tragic results for others.

Don’t expect a shower of rose petals
Or to be listened to, even. OtisBIT says the powers that be dismissed the stunt, management-splaining it as a case of computer illiteracy – that’s code for “stupid”, OtisBIT said – and saying that it wouldn’t happen to them.

Be ready to provide more of the same
Timeddilation’s experiment was Mission Success: “Scared the ever-living **** out of them.” The organization is putting together a set of rules and training for every hourly employee.

What’s more, support staff have been asking for one-on-ones regarding how to practice better security. And Human Resources decided to send a phishing email to new hires, still in training, to see if they’d swallow the hook and send their passwords.

They did.

If you do wind up scaring your bosses’ or coworkers’ pants off this holiday season, please do brag about it in the comments section below.

We love gory details!