So you’re sitting at your desk and the phone rings. “Hey this is Mark from information security. We are noticing that your computer is creating a lot of traffic out to the internet. Are you noticing that anything on your computer is out of the ordinary lately?”
What would you say? Well, in the average Social Engineering test we perform, the answer is quite honestly a, “yeah my computer is slow… can you guys finally come and fix it?”
That’s when we say, “Sure! We’d be glad to *cough* help! Go here, download this patch, and run it…” and a couple minutes later we have fully compromised a system sitting behind a firewall in a corporate environment and easily getting past the antivirus software as well.
On average, we are able to get over 70% of end users to comply with anything we want them to do in “fixing” their computer, by just dialing their number and talking to them. How would you feel knowing that your end users are freely giving their computers and data away to attackers over the phone?
So what can you do to stop it? Well, a lot actually. Depending on your budget (which these days is low for everyone) you have the option to proxy all of your outbound connections, close down your firewall, install HIPS/NIPS protection, and the list goes on.
Sure you can do a lot to MASK the problem, but when are you going to stop the problem at its source? No, I am not advocating firing everyone you work with, but I am saying that there should be policies, procedures and MOST of all, end user training to teach people about these attacks.
People are most always willing to help, lend a hand and be polite and courteous to others on the phone. In reality, this type of attack could happen to virtually any company. In fact, the larger the company is, the easier it is to exploit.
The moral of the story is that unless you have some type of training involved for employees, they are very susceptible to Social Engineering. Even these days. Next time, it just might not be a pen tester on the other end of the phone, it could be someone with some serious malicious intent.
var _gaq = _gaq || ; _gaq.push(['_setAccount', 'UA-37302584-1']); _gaq.push(['_trackPageview']);