CSO - You may now be savvy enough to know that when a friend reaches out on Facebook and says they've been mugged in London and are in desperate need of cash, that it's a scam. But social engineers, the criminals that pull off these kinds of ploys by trying to trick you, are one step ahead.
Social engineering attacks are getting more specific, according to Chris Hadnagy author of Social Engineering: The Art of Human Hacking.
"Targeted attacks are earning social engineers better results," he said.
[Also read the original 9 dirty tricks: Social engineers' favorite pickup lines]
What that means is they may need to do more work to find out personal information, and it may take longer, but the payoff is often larger.
"Attacks now are not just a broad spam effort, sending out a million emails with an offer for Viagra," said Hadnagy. "These are now individual attacks where they are going after people one by one."
Here are five new scams circulating that employ much more individual involvement.
Hadnagy says a new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer.
"The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users," explained Hadnagy. "All of the pretext makes sense; you are a licensed Windows user, you own a machine with Windows on it and she wants to prove it to you."
The caller tells the victim to go to the event log and walks them through the steps to get to the system log.
"Every Windows user will have tons of errors in the event log, simply because little things happen; a service crashes, something doesn't start. There are always errors," said Hadnagy. "But when a non-experienced user opens it up and sees all these critical errors, it looks scary."
At that point, the victim is eagerly ready to do whatever the alleged "support" person wants them to do. The social engineer advises them to go to Teamviewer.com, a remote-access service that will give them control of the machine.
Once the social engineer has access to the machine through Teamviewer, they then install some kind of rootkit or other kind of malware that will allow them to have continual access, said Hadnagy.
Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, Hadnagy says a particularly vile targeted social engineering ploy has cropped up recently that seeks specifically to target victims who may have lost loved ones in a disaster.
[Learn more about social engineering tricks and tactics: 4 ways criminal outsiders get inside, 3 examples of 'human hacking,' Exploiting 5 security holes at the office (includes video)]
In this example, Hadnagy says about 8-10 hours after the incident occurs, web sites pop up claiming to help find those who may have been lost in the disaster. They claim to have access to government data bases and rescue effort information. They typically don't ask for financial information, but do require names, addresses and contact information, such as email and phone numbers.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
