
Social Engineering people via Instant Message

October 3rd, 2005

At my work, social engineering is an inherent risk, because working for a large Internet Service Provider means you have access to something others want: the ability to reset passwords, and the ability to open an account's record, see everything on it, and really ruin someone's day. To the worker, it is just customer service. To the caller, the attacker, it is a goal and essentially a game.

It gets annoying when you see your own peers get their internal accounts compromised, and then whoever is sitting on that account starts IMing you to perform CSR functions like password resets, via Instant Message. Basic computer security is not that hard to master. You are in no position to tell customers how to get a virus scanner, a firewall and spyware protection when you carelessly click links in email and sign in, and your account ends up in someone else's hands. Not to mention strong passwords, which are still a skill the workers of the largest ISP have not mastered.

Social engineering via IM is fun, so long as the person being targeted does not do anything for real and just plays along. I love it. It is thrilling to "pwn" them back. Here is an excerpt from a friend toying with one of them:

Lamer [8:29 PM]: Hello
Lamer [8:29 PM]: Are you currently in call center?
Worker [8:29 PM]: Call center? What are you talking about?
Lamer [8:30 PM]: ***** Call center.
Lamer [8:30 PM]: i am in jacksonville
Worker [8:30 PM]: I’m just going to verify your employee status, one moment please.
Lamer [8:30 PM]: ok
Worker [8:31 PM]: I am unable to verify your employment. Please provide your first and last name, employee ID, and supervisor’s name for verification.
Lamer [8:31 PM]: look up my name in keyword *******
Lamer [8:31 PM]: by screenname
Worker [8:32 PM]: As I said. Please provide that information.
Lamer [8:32 PM]: No ty
Worker [8:32 PM]: Okay. Thanks for IMing me. Ta-ta.

Anyhow. The sad thing is that once they trick someone, they take full advantage.
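The check the worker applies in the exchange above, written out as a gate in front of privileged CSR actions. This is an added example, not code from the original post: the employee directory, channel names, field names and helper names are all constructed assumptions. It refuses a reset request that offers only a screen name or a "look me up by keyword" pointer, and it treats a request that does pass the directory check but arrived over IM as still unsafe, because the IM account itself may be the compromised one.

```python
"""Verification gate for privileged CSR requests that arrive over chat.

Added illustration, not code from the original post. The directory records,
channel names and field names below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed employee directory. Assumption: in practice this is the HR or
# directory service, never a keyword page or a list of screen names.
DIRECTORY = {
    "E10234": {"first": "Ana", "last": "Ruiz", "supervisor": "M. Chen", "site": "Jacksonville"},
    "E10987": {"first": "Devon", "last": "Park", "supervisor": "R. Ortiz", "site": "Dulles"},
}

# Actions that touch customer accounts and must never be performed on the
# strength of a chat conversation alone.
PRIVILEGED_ACTIONS = {"password_reset", "account_lookup", "billing_change"}

# What the worker in the excerpt asks for before doing anything.
REQUIRED_FIELDS = ("first", "last", "employee_id", "supervisor")


@dataclass
class Request:
    channel: str                      # "im", "email", "ticket" or "phone_callback"
    action: str
    claimed: dict = field(default_factory=dict)


@dataclass
class Decision:
    allow: bool
    reason: str


def verify_claim(claimed):
    """Return (ok, why): ok only if every required field matches the directory."""
    missing = [f for f in REQUIRED_FIELDS if not claimed.get(f)]
    if missing:
        # A screen name or a keyword reference is not identity evidence.
        return False, "missing fields: " + ", ".join(missing)
    record = DIRECTORY.get(claimed["employee_id"])
    if record is None:
        return False, "employee id not in directory"
    for f in ("first", "last", "supervisor"):
        if record[f].lower() != claimed[f].strip().lower():
            return False, f"{f} does not match directory"
    return True, "directory record matches"


def decide(req):
    """Decide whether a CSR may act on the request as it stands."""
    if req.action not in PRIVILEGED_ACTIONS:
        return Decision(True, "non-privileged action")
    if req.channel in ("im", "email"):
        ok, why = verify_claim(req.claimed)
        if not ok:
            return Decision(False, f"unverified requester over {req.channel}: {why}")
        # The claim checks out, but the account that sent it may itself be
        # compromised, so the action still moves to a channel the sender
        # does not control (a ticket, or a call back to the directory number).
        return Decision(False, "claim matches directory; open a ticket or "
                               "call back the employee's desk number before acting")
    if req.channel in ("ticket", "phone_callback"):
        ok, why = verify_claim(req.claimed)
        return Decision(ok, why)
    return Decision(False, f"unknown channel {req.channel!r}")


if __name__ == "__main__":
    # The excerpt: a screen name and "look me up in keyword" only.
    print(decide(Request("im", "password_reset", {"screen_name": "lamer"})))
    good = {"first": "Ana", "last": "Ruiz", "employee_id": "E10234", "supervisor": "M. Chen"}
    print(decide(Request("im", "password_reset", good)))
    print(decide(Request("ticket", "password_reset", good)))
```

The second branch is the one worth noticing: a correct name, ID and supervisor prove that someone knows those facts, not that the IM account is still in its owner's hands, which is exactly the case the post describes. Moving the action to a callback or a ticket keeps a hijacked chat account from being enough on its own.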

I ought to run a seminar on account security, since obviously many people need one. There is no excuse for any internal account to get compromised, especially for someone who is "trained" not to get compromised. It does not matter how much encryption or how many passwords you have; it is the human variable that determines whether you are penetrable. As my favorite shirt says, "There is no patch for human stupidity."

DON'T CLICK LINKS IN EMAIL!! How many times does this have to be reiterated? Whatever you may think, you WILL NOT get fired via email or IM. It is the odd meeting they schedule with you, and only you, that you have to worry about.


  1. Dale May
    October 19th, 2005 at 14:57 | #1

    Humans always want something for nothing, and always want to cooperate with the boss.
    I can see why someone would click on a link (wrong) and then provide passwords if they think it came from the boss. Someday the use of passwords should be done away with.
    Dale
