Vulnerability Assessment

Date Submitted: 01/18/2014 08:17 PM

Advanced Social Engineering

A. Memo of Record: Social Engineering Attack

Social engineering is the acquisition of information by any means necessary. In any security or assurance program the weakest link is always people, and hackers will take advantage of this fact. Hackers manipulate users into giving up information or performing tasks that could jeopardize the company. A social engineering attack can be divided into two stages: physical and psychological. The physical stage is the gathering of information by impersonation, telephone, internet chats, or email. Hackers then use the information gathered in the physical stage in the psychological stage. “Assertions of authority, natural tendency to be helpful, liking and similarity, reciprocation, commitment and consistency, and low involvement are all tools used against victims of social engineering.” (Jones, 2003)

As the scenario states, a customer complaints supervisor received an email stating that a product listing on the company’s website was incorrect. When the supervisor clicked on the URL provided in the email, the supervisor’s computer was compromised by a script that installed a Trojan virus (i.e. Back Orifice), provided remote access for the attacker (i.e. Netcat), cracked user and administrator passwords (i.e. John the Ripper), and transferred confidential files from the compromised system to the hacker.

While conducting the physical stage, the hacker impersonated a customer using information that was found while dumpster diving. The hacker then searched the company’s website for information (i.e. phone numbers, email addresses).

When initiating the psychological stage, the hacker contacted Customer Support and talked with an undertrained agent. While discussing the problem of the incorrect information in a product listing, the hacker persuaded the agent to give them the email address for the supervisor. The hacker tells the agent that emailing the...