Social Media Engineering

This week at a Big 4 Bank there was a presentation on Cyber Security. The presenter, an ethical hacker, started by saying that he would introduce himself, something he rarely does. In the spirit of that I will leave him unnamed.

Let’s call him Bob. Bob talked about his experiences in collecting 18 flags at DEFCON in Las Vegas a few years ago. This is the largest event for hackers in the world.

Just for background on DEFCON, there was an article just two days ago that talked about how DEFCON hackers were able to crack a new physical Brinks safe in 60 seconds.

These guys are seriously good...

I don’t use any Social Media

Bob started by saying this, which brought some gasps from the audience. He then went on to say that he does have a few hundred social media accounts that use aliases.

So much for the concept of Real Names, which I note is being challenged by some countries, like Germany in the case of Facebook recently.

For the DEFCON event Bob was challenged to penetrate a large multinational soft drink company and collect a series of pieces of information.

But first Bob spent a few weeks setting up and doing reconnaissance. This included setting up a fake LinkedIn account as an IT Analyst for this organisation.

Linking In

On assuming this alias on LinkedIn, Bob was able to gain access to other people in that organisation. He noted that a CFO he connected with on LinkedIn even asked whether, as his PC was not working, Bob could fix it.

You can see how amazingly easy it would be for a hacker to use social media engineering to gain access.

Just observe and listen

Bob was able to learn that there was a favourite pub near the headquarters, and it was easy to pick up information just by being there. One snippet he learnt was that a KPMG audit had just been completed.

These small pieces of information provided Bob with the material that enables the deception.

Bob then called the Helpdesk.

“Hello, this is Fred. What’s your Employee Number?”

“Fred, how’s your day?” Fred mentioned that actually it wasn’t that great, as he’d had an argument with his partner. After some chatter, Bob added that he would be happy to be a sounding board, as he had really screwed up himself over the years.

Once warmed up, Bob went on: “Look, I’ve been asked by Tony to follow up on the KPMG Audit.” Tony used to be the Manager in this area, and Bob had researched him on Facebook and noted that he had a new baby and a really cute puppy.

On mentioning the baby and the puppy, Bob could sense that the trust was increasing. “So could you help me out with a few questions?”

Collecting Flags

Bob’s goal was to collect 18 pieces of information about this organisation. This included:

- What company is used for file archives?
- What days are pay day?
- Is there wireless on site?
- What about the cafeteria?

The trick was that Bob was careful to listen to Fred’s voice for any pauses and to sense any reluctance on the other end of the line. Bob noticed that Fred might be getting suspicious and added, “Hey, I’m going to be in town next week, can I buy you a beer at the pub?”

That was the clincher, as Bob had researched the types of craft beers, and in mentioning his favourites there was a rewarming of the conversation.

A little scary

The question is: what’s stopping this happening at your organisation? Does your team realise how social media engineering attacks happen?

I know that most Help Desk staff tend to be younger and usually active on social media. Thus this formula would work in most enterprises.

Yes, you should be concerned, and perhaps a mock social media engineering attack is in order. There are Bobs out there who can help you.


Stories by David Gee
