One of the biggest social engineering scams in New Zealand at the moment is the infamous cold-calling computer-virus scam. In case you've been lucky enough to evade these annoying scammers, they originate mostly from India and phone you at home claiming that you have a virus on your PC.
In many cases, they direct you to the event logs on your computer and cite errors contained therein as evidence that you're infected. I've been phoned by such a scammer and humoured the caller by following his instructions to view my logs. Apparently the serious-looking red exclamation marks were proof positive that I had a bad virus. It was at this point that I informed the caller that over the last decade I had performed more Windows installations than he'd had hot curries and even a brand spanking new install had at least several errors in the logs.
Thinking I'd dissuaded him from continuing his hard-sell techniques, I was amazed when he then tried to convince me that my years of experience were wrong and in fact this was a "brand new and not well known" virus.
The persistence of these cold callers may partly explain why they are credited with convincing New Zealanders to part with as much as ten million dollars to fix non-existent viruses, but it also suggests a worrying fact: that many Kiwis are simply too trusting and gullible. If so, there are significant implications for your company's online security, specifically in regard to social engineering.
Social engineering attacks can have a high success rate because they rely on the trust of naïve individuals. The modus operandi can range from telephone calls from cyber criminals posing as help desk staff, to actual tailgating through security doors and lifts while pretending to be contractors. One interesting technique is to fake a long telephone call whilst doing this, creating an invisible barrier that many people feel it would be a social faux pas to break.
Once inside they can be ballsy enough to ask to use computers in order to perform routine maintenance, or just access terminals that are unattended but still logged in. Some cyber criminals have even been known to swipe entire laptops within seconds, placing foam between the screen and keyboard (so as to keep it logged in), before bolting for the doors. And if you think that you could spot one of these crims a mile away, you might be surprised; it's amazing how a uniform or Pierre Cardin suit can make strangers blend in seamlessly.
Although this might sound like the stuff of high-level secret service espionage, we're seeing more and more social engineering attacks on unsuspecting New Zealand companies. They're usually completely unexpected and don't leave much of a forensic trail, so they're often harder to investigate than digital cyber attacks.
Yet with a little awareness training, these types of attacks are also some of the easiest to prevent. Training can consist of just a one-hour seminar with all staff, teaching them basic physical security such as always challenging unidentified people, never writing down or disclosing passwords (even to other staff) and never allowing people to follow them through security doors. Company-wide policies are also important, such as always requiring a sign-in process and ID badge for visitors, requiring authentication before resetting passwords, and recording access points by CCTV.
Therefore, educate your staff that there really are bad people out there who are capable of doing bad things. Although New Zealand is undoubtedly a trustworthy place to live and work, there are still a very small minority who can and will exploit us because of it.
Andy Prow is Managing Director of Aura Information Security, a leading IT security consultancy based in Wellington.
Contributed content is the opinion of the author only, and not necessarily the view of NZCS.