Mitnick In The News
How to recognize social engineering
The dangers of social engineering make even experienced IT professionals. Although there is no standard antidote, it is primarily about understanding the methods of the attacker. Then the battle is already half won.
Kevin Mitnick "invented" - social engineering. The IT security strategy of a company may not be as good - but if employees fall for cheap tricks, phishingopen -mails, alleged support staff give away passwords on the phone and slide lying around USB sticks into the first available computer, helps all nothing; then you are helpless as a company and condemned to data loss.
But who knows the (inscrutable) methods of social engineering, which has at least hope that he is not as directly affected by such attacks. Our US colleagues from CIO.com the best compiled 7 of the social engineering tricks for you:
Social Engineering: Methods of cyber criminals
combat social engineering
The dangers of social engineering make even experienced IT professionals.Although there is no standard antidote, it is primarily about understanding the methods of the attacker. Then the battle is already half won. We show seven perfidious ways through which social engineering to their data and want their money.
The "forgotten" USB stick
Oops, there was smooth but someone left lying a stick. Well, let's quickly look who it belongs to - so best just plugged to the computer ... This old farmhouse trick is still one of the most successful attacks on companies. Although Microsoft example suppresses the automatic launch applications on USB drives under Windows, help creative, curiosity awakening filename enormously to move careless employee to click. Companies remains to block only USB ports completely or - more meaningful - to train their employees accordingly.
Perfect Fake phishing emails
Most phishing emails sees its origin: Poor formatted cruel expression, cheap To-Click-prompting. Nevertheless, there are always specimens that pretend to come from the bank, the insurance company, the insurance company or the HR department and the anxious employees quickly hooked. Then just click, un the entire corporate network is infected. It is not difficult to recognize phishing emails - be they ever so well done. Once the objective of the mail is to click a link to verify personal data or enter the mail should quickly end up in storage.
Mails from "friends" and "colleagues"
Unlike the generic phishing is spear phishing directed specifically at individuals or a small group of people. Popular among attackers to keep in social networks for victims out, they spy on her hobbies and activities is. Subsequently customized phishing emails are designed and shipped - here determines the title, name of the addressed company and often the Annex, which is disguised as a letter from a colleague or casual acquaintance. The success of this action is of course higher than the generic phishing. What helps? Consistent distrust, personal demands the sender alleged and ignoring all e-mail attachments,
Talented attacker manages easily tease out via phone personal information from a person without that it will notice at all. So who will call the "IT department" to verify a password or to confirm his address from the "insurance" should mainly do one thing: oneself write down the number and provide the immediate recall.Alternatively, the caller questioning about the things that the would already know if he is who he claims to be. Basically: Sensitive information, especially passwords, never give over the phone!
Webmail accounts are so exciting because they often serve as a document archive. Once cracked, attackers have access to year-old correspondence and can steal a large piece of a digital identity. The "Forgot Password?" along with Security check is a popular gateway, but can be guessed only with social WebResearch many answers to this query. And if that does not work, the staff of the webmail provider with popular social engineering tricks are brought to surrender certain user information. Smaller companies not running your own mail server and rely on webmail providers should, therefore, consider carefully who select them. Who is responsible for its mail server itself, should see that address Ownerchange and DNS changes can not go so easily from equip.
Physical security of the office
Drag the typical clothes of a company to, you pretend you belonged to it and smuggle yourself in the employee group, the buggers just from smoking break back inside the corporate building. Zack, you're in it! Because the technique can not be so sure, against such intrusion especially large companies are often poorly filed, because there just is not everyone knows each other. . Blueing your (receive) a staff that they look for fake identification badge out and look straight unknown persons accurately
The friendly support staff
Him we already had at point "phone calls". The fake-call from the IT support or directly from the manufacturer, because the last update of the operating system still has to be final verified, something with the system configuration is incorrect, or his new computer is the same, and before anything else is to be done on the old system. Once someone wants to have the unauthorized access (Remote Access) on your computer, it should have a good reason. And no, Microsoft is calling anyone personally to correct something in Windows. Tell that to the staff!
But even if you know the methods of social engineering by heart, you are not immune to them. Therefore, make always the question: Am I already affected? We'll tell you speak what evidence:
Social Engineering: Are you affected?
Eye on the Web
Social engineering also provides IT professionals with challenges. The methods of the attackers are well known - but to protect themselves is especially true: keep your eyes open. We'll tell you which speak signs that you are already affected by social engineering.
.ru is certain, right?
Perhaps. However, implies a URL that ends with .ru, already a certain dubiousness. Therefore, you should check inbound links, which are not at first glance to be harmless verifiable, in any case. To this end, recommend the many free online tools - for example URLVoid. Suspicious They should also be at Shortlinks behind which possibly could hide malicious websites
If orthography becomes a nightmare
Stands out an email already made in the subject by outrageous spelling crimes that social engineering alarm bells should shrill
A trusted source
Receive news or emails from a trusted source, at first sight - for example, by colleagues with a company's internal address - then you prefer to watch again very closely. To play it safe, you waive the answer button and reply to the sender simply with a new e-mail
Source Search Part 2
Another indication of social engineering "attack": Your name appears neither in the recipient line nor in the CC list. Although many - or all - are colleagues in the recipient list, you should look closely.
To request email is a scam by cybercriminals and hackers. No reputable company will ask you to send an email, notify your bank, credit card or address information. Who responds to such a message, can be prepared to be the next social engineering victims
made password change slightly
Some hackers have started to send emails with forged Password Request Links.These messages are distinguished primarily by the fact that they look deceptively genuine at first glance. If you are prompted for a password change via a link and are not sure whether it is a fake, just visit the page of the respective portal, log in and change the password directly in your account.
The big money
They were randomly selected to receive a million profit, and all that's missing for monetary happiness is to click on the link in the email? Then the probability that you are currently being targeted by social engineering professionals, extremely high. Also requests for donations, "cries for help" alleged acquaintance and similar items to be served by wearing my email, as a rule are the work of cybercriminals