Social Engineering ‘thru’ Social Media

Social engineering is thought to be one of the oldest information-security tricks known to attackers.  It is an attempt to get users to divulge sensitive information to unauthorized persons without touching your systems and without letting the “victim” know they have been exploited.  When we conduct penetration testing, it is an important step within our methodology and reconnaissance approach.  A typical tactic is calling the main office to find out who is on vacation, then attempting to log in to the system by brute-forcing that person’s account: the legitimate owner is not around to notice failed logins or a locked-out account.  Another is physically getting onto the premises by pretending to be the employee we know is out of the office, obtaining a visitor’s badge, and gaining access to the internal network.
However, within the past few years the use of social media websites such as Facebook and Twitter has increased enormously, making our social engineering tactics somewhat easier.  Think about it: at least 80% (the percentage is probably higher…) of employees have an account on a social media website, and the majority of them have disclosed information in their status updates about their whereabouts and their company.  For an assessment we conducted in the past, we discovered an employee discussing how he/she loves working from home on Mondays and Fridays.  Another post stated how he/she loves the new web-based invoice tracking system his/her company put in place, making the job easier.  In another post, he/she complained to a co-worker who is a friend on Facebook that the “anonymous system name” keeps kicking him/her out and that the administrator is on vacation this week.  After reading through several of these posts we were able to determine that the company uses a hosted solution for its invoice tracking that is accessible from the Internet, and that we had a one-week window to run several exploits unnoticed by the system administrator…. Golden!!!
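The reconnaissance described above (read many posts, tag the ones that leak a schedule, a system, or an administrator's absence, then join them into a single finding with a time window) can be mechanised for a first pass. The following Python script is an example added here; it is not Sharpe Security Consulting's tooling and does not come from the original post. The posts, the author names and the product name "InvoiceHub" are constructed for the example, and the keyword patterns are illustrative assumptions rather than a tested classifier:

```python
"""Triage of social-media posts for the recon signals described above.

Hypothetical helper, not Sharpe Security Consulting's tooling. The posts
below are constructed for this example; "InvoiceHub" is a made-up product.
"""
import re
from collections import defaultdict

# Constructed sample posts (author, text), modelled on the status updates
# the write-up describes. Nothing here comes from a real account.
POSTS = [
    ("alice", "Love working from home on Mondays and Fridays!"),
    ("bob", "Our new web-based invoice tracking system (InvoiceHub) "
            "makes my job so much easier"),
    ("carol", "Ugh, InvoiceHub keeps kicking me out and the administrator "
              "is on vacation this week"),
    ("dave", "Great weekend at the lake with the kids"),
]

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday")
WEEKDAY_RX = re.compile(r"\b(" + "|".join(WEEKDAYS) + r")s?\b", re.I)

# Each rule is (category, regex). The patterns are deliberately broad and
# illustrative: an analyst still reads every hit, this only ranks them.
RULES = [
    ("remote_schedule",
     re.compile(r"\b(work(?:ing)? from home|wfh|remote)\b", re.I)),
    ("internet_facing_system",
     re.compile(r"\b(web-based|hosted|cloud|online|saas)\b.*?\bsystem\b", re.I)),
    ("admin_absence",
     re.compile(r"\b(admin(?:istrator)?|sysadmin|it team)\b.*?"
                r"\b(vacation|holiday|leave|out of (?:the )?office|ooo)\b", re.I)),
]

# Assumption for this example: product names show up as CamelCase tokens.
SYSTEM_NAME = re.compile(r"\b[A-Z][a-z]+[A-Z][A-Za-z]+\b")

NUMBER_WORDS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5}


def triage(posts):
    """Map each rule category to the (author, text) posts that match it."""
    hits = defaultdict(list)
    for author, text in posts:
        for category, rx in RULES:
            if rx.search(text):
                hits[category].append((author, text))
    return dict(hits)


def remote_days(text):
    """Weekday names mentioned in a post, lower-cased and singular, in order."""
    return [m.group(1).lower() for m in WEEKDAY_RX.finditer(text)]


def absence_window_days(text):
    """Length in days of an absence window stated in the post, or None."""
    if re.search(r"\b(this|next) week\b", text, re.I):
        return 7
    m = re.search(r"\b(\d+|one|two|three|four|five)\s+(weeks?|days?)\b", text, re.I)
    if not m:
        return None
    n = NUMBER_WORDS.get(m.group(1).lower())
    if n is None:
        n = int(m.group(1))
    return n * (7 if m.group(2).lower().startswith("week") else 1)


def correlate(posts):
    """Join the signals: a system described as Internet-facing in one post
    and named alongside an absent administrator in another is the finding
    the write-up describes, together with the unmonitored window."""
    hits = triage(posts)
    exposed = {name
               for _, text in hits.get("internet_facing_system", [])
               for name in SYSTEM_NAME.findall(text)}
    findings = []
    for author, text in hits.get("admin_absence", []):
        for name in SYSTEM_NAME.findall(text):
            if name in exposed:
                findings.append({
                    "system": name,
                    "internet_facing": True,
                    "unmonitored_window_days": absence_window_days(text),
                    "source": author,
                })
    return findings


if __name__ == "__main__":
    for author, text in triage(POSTS).get("remote_schedule", []):
        print(f"{author}: works remotely on {', '.join(remote_days(text))}")
    for finding in correlate(POSTS):
        print(finding)
```

On the constructed posts this yields one correlated finding: InvoiceHub, Internet-facing, with a seven-day window while the administrator is away. The same triage works from the defender's side: run it over your own staff's public posts (with consent and policy cover) to find the disclosures an assessor or an attacker would otherwise find first.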
Lessons learned… Do NOT use your personal social media accounts to discuss non-public information related to your company!  System names, vendor names, and staffing details (“the admin is out this week”) are exactly the pieces an attacker assembles, and a post can be visible to anyone, not only to your friends.  Remember, someone is always watching and on the prowl, and can easily disguise themselves as a friend, a co-worker, or an admirer!
© Sharpe Security Consulting