Tales of a Professional Social Engineer
Opinion: Nobody thinks it will happen to them, but social engineering is the way the pros use to compromise your security. And you'll invite them in.Jim Stickley robs banks, government offices and other allegedly secure locations. And he does it the unorthodox way. Stickley doesnt go in like Edward G. Robinson with a Tommy gun. He gets you to like him and trust him and leave him alone while he steals your confidential information and other assets that you should be guarding unceasingly. His is a field that has come to be known as social engineering. Read more here about social engineering.
His firm, Trace Security Inc., is hired by organizations like banks to test the security of their offices the only right way there is, by challenging it. Faceless National Bank will hire him to see if the Podunk branch is paying attention to security policy. The bank may even say, "Go in and try to steal these specific corporate account records."
- Its easy to determine who works in the branch. Sometimes its on the Internet, or you can just walk in and look at the names on the desks and badges. The names of people at headquarters are often as available on the Internet.
- The social engineering team sends innocuous probe e-mails to some of these people in a variety of styles, like email@example.com and firstname.lastname@example.org and so on to determine what everyones address is.
- Then the team registers a one-off domain name like facelessnationa1.com (notice the 1 at the end instead of an l).
- When an e-mail comes in from the regional VP @facelessnationa1.com saying, for example, that an exterminator is coming, people are likely not to notice. And in fact, the "from" address of the message can actually say facelessnational.com with an "l" since thats easy to spoof, but if someone were suspicious enough to check headers they would quite possibly miss the "1."