The 4 Best Social Engineering Attacks Ever

Provido

Participating Member
21 Oct 2015
1- Diamonds Are A Social Engineer's Best Friend


Here's one for all the financial services pen testers to remember.

In 2007, a mystery man who remains at large burgled safety deposit boxes at an ABN Amro bank in Belgium, stealing diamonds and other gems weighing 120,000 carats, in all. He visited the bank during regular business hours, overcame all of the bank's exceptional security mechanisms, and walked right out the door with €21 million (roughly $27.9 million at the time) worth of gemstones with no one the wiser, using absolutely no technology whatsoever.

"He used one weapon -- and that is his charm -- to gain confidence," Philip Claes, spokesman for the Diamond High Council, said at the time. "He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

"You can have all the safety and security you want," said Claes, "but if someone uses their charm to mislead people it won't help."

2- Associated Press Twitter hijack


In 2013, the Twitter account of the Associated Press news wire service reported "Breaking: Two Explosions in the White House and Barack Obama is injured." It was false news. AP's Twitter account had been hijacked by the Syrian Electronic Army, one of a series of attacks on media organizations around that time.

Ferrara puts this on his top five list because of the quick aftermath. "It had an immediate impact," he says. Within moments, the stock market dropped.

The tweet was sent at 1:07 p.m. At 1:08 the Dow started the nosedive. It dropped by 150 points before 1:10, when news began to spread that the tweet was erroneous.

This was yet another attack that started with phishing, and even a security-savvy user might fall for it. Here's the message that some AP employees fell for:

Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News

Hello,

Please read the following article, it’s very important :

http://www.washingtonpost.com/blogs/worldviews/wp/2013/04/23/

[A different AP staffer]
Associated Press
San Diego
mobile [removed]

Apart from the name of the staffer in the signature being different from the one in the "From" header, there is little to indicate that this message isn't legitimate.

The cleverness of the phishing message and the immediate market-moving effects make this example an essential candidate for your security awareness program.
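As an added example (not part of the original article or of this post), here is a small Python heuristic for the one indicator the message above does give away: the display name in the From header not matching the name that opens the trailing signature block. The sample message, names, address and URL path are constructed placeholders, not the real AP email.

```python
"""Flag a mismatch between the From display name and the signature name."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above; every name,
# address and URL here is a placeholder, not the real phishing email.
SAMPLE = """\
From: Alice Example <alice.example@example.com>
To: newsroom@example.com
Subject: News
Date: Tue, 23 Apr 2013 12:12:00 -0400

Hello,

Please read the following article, it's very important :

http://www.example.com/blogs/worldviews/wp/2013/04/23/

Bob Sample
Associated Press
San Diego
mobile [removed]
"""


def signature_name(body):
    """Return the first line of the trailing signature block.

    Heuristic assumption: the signature is the last paragraph of a
    plain-text body and its first line is the sender's name."""
    paragraphs = [p.strip() for p in body.strip().split("\n\n") if p.strip()]
    if not paragraphs:
        return ""
    return paragraphs[-1].splitlines()[0].strip()


def check_from_vs_signature(raw):
    """Parse a raw RFC 822 message and compare header name with signature."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg["From"] or "")
    body = msg.get_payload()  # single-part text message in this example
    sig = signature_name(body)
    # Only report a mismatch when both names are present; a missing
    # display name or signature is a separate (weaker) signal.
    mismatch = bool(display_name and sig) and display_name.casefold() != sig.casefold()
    return {
        "from_name": display_name,
        "from_addr": addr,
        "signature_name": sig,
        "bare_urls": re.findall(r"https?://\S+", body),  # lure links, for triage
        "mismatch": mismatch,
    }
```

A mismatch alone is not proof of phishing (people forward on behalf of colleagues), but it is cheap to surface to the reader or to a mail gateway rule alongside the other signals in the message.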

[Image: a Nigerian frog]

3- Michigan Fleeced By Nigerian Prince Scam


Nigerian frogs like this one don't generally turn into princes when you kiss them, and Nigerian princes who send you emails asking for money don't generally turn out to be princes at all. But that doesn't stop people from falling for the scheme.

What we think of as "Nigerian Prince" scams aren't anything new. They go back to at least the 16th century, with the character instead being a Spanish prisoner who's actually innocent (and wealthy).

One of the most embarrassing examples in recent times occurred in 2007. Thomas Katona, the treasurer of Alcona County, Michigan, embezzled roughly $1.25 million of the county's $4 million operating budget and paid at least some of it to a scammer. The county had little hope of recovering any of the stolen money.

Katona was sentenced to nine to 14 years in prison for eight counts of embezzlement, one count of attempted embezzlement, and two counts of forgery. As the state Attorney General said, "The defendant's actions are unthinkable and indefensible."

Nigerian prince and "419" scams are definitely not a thing of the past. In 2013, according to recent research, such scams cost victims $12.7 billion worldwide; $82 million in the US alone. As the researchers explain, some of the worst victims of advance fee fraud scams experience something like an addiction, and some experience something akin to the Stockholm syndrome that kidnap victims suffer, defending their scammers, even though they only know them through e-mail communications.

4- Target Third-Party Take-Down


In 2013, attackers lifted an unheard-of 40 million credit and debit cards from retail megachain Target's point-of-sale systems. Ferrara puts the breach in his top five not just for the "devastating" scope of the damage, but because it showed just how dangerous an unwary business partner can be.

Investigators suspect the attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning subcontractor Fazio Mechanical Services via a phishing email that included the Citadel Trojan.

Even if a retail giant makes certain every one of its greeters is as well-trained in social engineering defense as they are in saying "welcome to Target," it is not entirely safe from phishermen. Target served as a lesson in requiring better security from third-party contractors and in limiting the network access those parties are granted.

5- How To Stay Aware


If you want to keep your organization secure, says Ferrara, "You have to engage the end users. If you don't, then you really have no shot."

Ferrara recommends that you start your awareness training with a knowledge assessment. Find out what your end users really know about security -- not so you can make fun of them, but so that you can decide where to focus your efforts, and so that you can measure their improvement later.

"A lot of what we [at Wombat] think is missing is measurement" of both knowledge and progress, he says.

Ferrara also suggests you give training regularly, in small digestible pieces, instead of one giant overwhelming onboarding process.

He also highly recommends conducting simulated attacks. "It is really a breakthrough moment," he says, "but it's not the end of it. It's the start."



Excerpted