This Is Your Attacker Calling

Computerworld - It's a network that connects over 98% of the population. It extends to every country on the planet and occasionally even into outer space. No, it's not the Internet. It's the telephone network. The phone system is a vital part of my company's information infrastructure, but it also offers a nearly perfect venue for attack.
It's possible to spoof your Internet address, but not if you want packets to make their way back to you. In that case, you have to include your real address, and that means everyone between you and your target -- and the target itself -- can get your address.
On the computer network, our intrusion-detection systems can shift through gigabytes of data every second, plucking out malicious behavior. With attacks by telephone, we don't have any easy way to trace the origin of malicious callers without involving the legal system, and we must rely on our staff to spot and report incidents.
E-mail and Web-based attacks can be automated and launched against thousands of targets. But the phone is the weapon of choice if you have just one target in mind.
Buffer overflows and password-guessing don't work over the phone, so a more devious type of attack is required -- one that involves so-called social engineering. In a social-engineering ploy, the attacker tries to trick someone into doing something he wouldn't normally do.
It might take the form of an appeal from an authority figure. Someone could call and say he needs confidential information for a senior board member. Everyone wants to look good in front of the bosses, so a staffer might provide the requested information without giving it a second thought.
Advertising is a good training ground for picking up approaches to social engineering. We get many callers who try to use peer pressure, dropping the names of colleagues who have supposedly performed a certain action already. If everyone else is doing it, how bad can it be?
A Cry for Help
Some attackers play upon the sympathies of their victims.
One scammer who targeted us claimed that she lost her laptop and needed confidential company information for a presentation she was giving in a few hours. Who couldn't help but feel sorry for someone caught in such a situation? But would you feel enough sympathy to send spreadsheets and organizational charts to her Yahoo e-mail address?
Some tactics are just plain weird. We've had many calls from people who pretend to work for an IT integration company. The company doesn't exist, but