It's human nature to think that it's unlikely you're being deceived in any
particular transaction, at least until you have some reason to believe
otherwise. We weigh the risks and then, most of the time, give people the
benefit of the doubt. That's the natural behavior of civilized people.., at
least civilized people who have never been conned or manipulated or
cheated out of a large amount of money.
As children our parents taught us not to trust strangers. Maybe we should
all heed this age-old principle in today's workplace.
At work, people make requests of us all the time. Do you have an email
address for this guy? Where's the latest version of the customer list?
Who's the subcontractor on this part of the project? Please send me the
latest project update. I need the new version of the source code.
And guess what: Sometimes people who make those requests are people
your don't personally know, folks who work for some other part of the
company, or claim they do. But if the information they give checks out,
and they appear to be in the know ("Marianne said . . ."; "It's on the K-16
server..."; "... revision 26 of the new product plans"), we extend our circle
of trust to include them, and blithely give them what they're asking for.
Sure, we may stumble a little, asking ourselves "Why does somebody in
the Dallas plant need to see the new product plans?" or "Could it hurt
anything to give out the name of the server it's on?" So we ask another
question or two. If the answers appear reasonable and the person's manner
is reassuring, we let down our guard, return to our natural inclination to
trust our fellow man or woman, and do (within reason) whatever it is
we're being asked to do.
And don't think for a moment that the attacker will only target people 'ho
use company computer systems. What about the guy in the mail room?
"Will you do me a quick favor? Drop this into the intra company mail
pouch?" Does the mail room clerk know it contains a floppy disk with a
special little program for the CEO's secretary? Now that attacker gets his
own personal copy of the CEO's email. Wow! Could that really happen at
your company? The answer is, absolutely.
THE ONE-CENT CELL PHONE
Many people look around until the); find a better deal; social engineers
don't look for a better deal, they find a way to make a deal better. For
example, sometimes a company launches a marketing campaign that's so
you can hardly bear to pass it up, while the social engineer looks at the
offer and wonders how he can sweeten the deal.
Not long ago, a nationwide wireless company had a major promotion
underway offering a brand-new phone for one cent when you signed up
for one of their calling plans.
As lots of people have discovered too late, there are a good many
questions a prudent shopper should ask before signing up for a cell phone
calling plan whether the service is analog, digital, or a combination; the
number of anytime minutes you can use in a month; whether roaming
charges are included.., and on, and on. Especially important to understand
up front is the contract term of commitment--how many months or years
will you have to commit to?
Picture a social engineer in Philadelphia who is attracted by a cheap
phone model offered by a cellular phone company on sign-up, but he
hates the calling plan that goes with it. Not a problem. Here's one way he
might handle the situation.
The First Call: Ted
First, the social engineer dials an electronics chain store on West Girard.
"Electron City. This is Ted."
"Hi, Ted. This is Adam. Listen, I was in a few nights ago talking to a
sales guy about a cell phone. I said I'd call him back when I decided on
the plan I wanted, and I forgot his name. Who's the guy who works in that
department on the night shift?
"There's more than one. Was it William?"
"I'm not sure. Maybe it was William. What's he look like?" "Tall guy.
Kind of skinny."
"I think that's him. What's his last name, again?
"Hadley. H--A--D--L--E-- Y."
"Yeah, that sounds right. When's he going to be on?"
"Don't know his schedule this week, but the evening people come in about
five."
"Good. I'll try him this evening, then. Thanks, Ted."
The Second Call: Katie
The next call is to a store of the same chain on North Broad Street.
"Hi, Electron City. Katie speaking, how can I help you?"
"Katie, hi. This is William Hadley, over at the West Girard store. How're
you today?"
"Little slow, what's up?"
"I've got a customer who came in for that one-cent cell phone program.
You know the one I mean?"
"Right. I sold a couple of those last week."
"You still have some of the phones that go with that plan?"
"Got a stack of them."
"Great. 'Cause I just sold one to a customer. The guy passed credit; we
signed him up on the contract. I checked the damned inventory and we
don't have any phones left. I'm so embarrassed. Can you do me a favor?
I'll send him over to your store to pick up a phone. Can you sell him the
phone for one cent and write him up a receipt? And he's supposed to call
me back once he's got the phone so I can talk him through how to
program it."
"Yeah, sure. Send him over."
"Okay. His name is Ted. Ted Yancy."
When the guy who calls himself Ted Yancy shows up at the
North Broad St. store, Katie writes up an invoice and sells him
the cell phone for one cent, just as she had been asked to do
by her "co worker." She fell for the con hook, line, and sinker.
When it's time to pay, the customer doesn't have any pennies in his
pocket, so he reaches into the little dish of pennies at the cashier's counter,
takes one out, and gives it to the girl at the register. He gets the phone
without paying even the one cent for it.
He's then free to go to another wireless company that uses the same model
of phone, and choose any service plan he likes. Preferably one on a
month-to-month basis, with no commitment required.
Analyzing the Con
Its natural for people to have a higher degree of acceptance for anyone
who claims to be a fellow employee, and who knows company procedures
,d lingo. The social engineer in this story took advantage of that by
finding out the details of a promotion, identifying himself as a company
employee, and asking for a favor from another branch. This happens
between branches of retail stores and between departments in a company,
people are physically separated and deal with fellow employees they have
never actually met day in and day out.
Tidak ada komentar:
Posting Komentar