Sophos Cloud Optix
Wondering what gifts to give your coworkers this Christmas?
Here’s an idea: scare the bejesus out of them!
With any luck, your bosses will be grateful* if you launch a social engineering attack on them, or on employees in the call center, or on anybody who’s got anything that a crook could trick them out of for criminal use.
[*For the love of all things silicon, first get your higher-ups’ permission!]
Even with security checks in place and supposedly trained employees, there’s a dizzying array of organizations and individuals who’ve been snookered via social engineering. A very brief list would include:
- The crooks who posed as bank employees in phone calls to fool real bank employees into handing over confidential information. The spoofed calls led to £60 million ($92 million) drained from victims’ bank accounts.
- A con artist talking his way into hijacking somebody’s Facebook account.
- Ditto for crooks who’ve taken over people’s Twitter accounts with as little as their name and four digits.
- All the celebrities whose logins to their Apple and Google email accounts were phished out of them during the Celebgate nude-photo theft scandal.
- A CEO targeted in a spear-phishing attack where someone posed as him to ask for fund transfers, market data and more.
Last week, “timeddilation,” a Redditor who claims to be the manager of IT at that CEO’s company, posted about the aftermath of the phishing attack.
The CEO approved timeddilation’s proposal to give social engineering training to the management team.
There are many ways to deliver this kind of training. Timeddilation posted their notes and the slideshow on a Google drive. Wait. Is that meta, you well may ask?
Could an invitation to open a file on Google Drive be social engineering? Hopefully not: Google scans files for viruses before allowing them to be shared, at any rate.
He or she also put the materials in a ZIP file and dared us to open it, but, um, no. The threat of a potentially malicious JavaScript attachment sounds a bit too much like ransomware.
At any rate, timeddilation said that the most effective thing was to show them this video, which depicts a live demonstration of a social engineering attack that wound up with a reporter’s account password being changed and with him being locked out of his own account.
Nothing like a recording of a baby crying in the background to lend credence to a cooked-up story, eh?!
There are plenty of other ways to social engineer, of course. Here’s another from Redditor OtisBIT, who says they’re a manager and senior sysadmin.
OtisBIT says they got HR’s approval to trick a purchasing worker out of the password to one of the organization’s systems. Tricking her was “amazingly easy” and required “no admin privileges as all”.
All the social engineering artist used was a Gmail account and some personal information found on her Facebook page to impersonate another IT worker (with whom she’s friends on Facebook, as her public profile showed). Posing as her friend, they talked her into sharing a login.
Facebook itself has launched attacks on its own employees. Click on a rigged spreadsheet, and you’d be sent straight to hell: also known as further training. In that writeup, I provided plenty of other scenarios for staged social engineering attacks, if you want more ideas.
A few things to note before you go commando with security training:
Make sure you’ve got permission
You really don’t want to wind up in jail over a well-intentioned experiment that you didn’t give anybody a heads-up about.
We can’t emphasize that enough. You don’t just put yourself at risk legally; social engineering stunts can have tragic results for others.
Don’t expect a shower of rose petals
Or to be listened to, even. OtisBIT says the powers that be dismissed the stunt, management-splaining it as a case of computer illiteracy – that’s code for “stupid”, OtisBIT said – and saying that it wouldn’t happen to them.
Be ready to provide more of the same
Timeddilation’s experiment was Mission Success: “Scared the ever-living **** out of them.” The organization is putting together a set of rules and training for every hourly employee.
What’s more, support staff have been asking for one-on-ones regarding how to practice better security. And Human Resources decided to send a phishing email to new hires, still in training, to see if they’d swallow the hook and send their passwords.
They did.
If you do wind up scaring your bosses’ or coworkers’ pants off this holiday season, please do brag about it in the comments section below.
We love gory details!
We’ve started using a phishing service to routinely test our users. Many are good at recognizing these as fraudulent attempts to get them to click, but there is a persistent minority that seems to fall for anything.
hmmm, maybe mail out USB sticks with Christmas cards to people I don’t know…. or should I not say that.
Where I work people are generally clueless about e-mail scams. Part of my job is to receive the general e-mail for the organization, and I occasionally receive message that are obviously scams. I warn my coworkers repeatedly about the dangers of opening attachments and clicking on links, etc. We have been fortunate so far and have not had an incident. but honestly I don’t think it’s “if” but when. Since I am actively involved in providing tech support to staff, they usually come to me when in doubt, and yet I have seen staff do some pretty dumb things. Even as the system administrator, I do not access any personal accounts from my work computer.