
5 more dirty tricks: Social engineers' latest pick-up lines

Today's social engineers are getting very specific in their plans to manipulate their marks

By Joan Goodchild, CSO
September 26, 2011 03:05 PM ET

CSO - You may now be savvy enough to know that when a friend reaches out on Facebook and says they've been mugged in London and are in desperate need of cash, it's a scam. But social engineers, the criminals who pull off these kinds of ploys by trying to trick you, are one step ahead.

Social engineering attacks are getting more specific, according to Chris Hadnagy, author of Social Engineering: The Art of Human Hacking.

"Targeted attacks are earning social engineers better results," he said.

[Also read the original 9 dirty tricks: Social engineers' favorite pickup lines]

What that means is they may need to do more work to find out personal information, and it may take longer, but the payoff is often larger.

"Attacks now are not just a broad spam effort, sending out a million emails with an offer for Viagra," said Hadnagy. "These are now individual attacks where they are going after people one by one."

Here are five new scams circulating that employ much more individual involvement.

"This is Microsoft support -- we want to help"

Hadnagy says a new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer.

"The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users," explained Hadnagy. "All of the pretext makes sense; you are a licensed Windows user, you own a machine with Windows on it and she wants to prove it to you."

The caller tells the victim to go to the event log and walks them through the steps to get to the system log.

"Every Windows user will have tons of errors in the event log, simply because little things happen; a service crashes, something doesn't start. There are always errors," said Hadnagy. "But when a non-experienced user opens it up and sees all these critical errors, it looks scary."

At that point, the victim is eagerly ready to do whatever the alleged "support" person wants them to do. The social engineer advises them to go to Teamviewer.com, a remote-access service that will give the caller control of the victim's machine.

Once the social engineer has access to the machine through Teamviewer, they install a rootkit or some other kind of malware that gives them continual access, said Hadnagy.

"Donate to the hurricane recovery efforts!"

Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, Hadnagy says a particularly vile targeted social engineering ploy has cropped up recently that specifically targets people who may have lost loved ones in a disaster.
