Targets of opportunity are generally chosen at random. I had the opportunity to conduct a security assessment at a large bank here in the United States not too long ago. With the owner’s permission, I attempted to gain access to his office via social engineering to test the strength of their security protocols. The agreement was for me to try to gain access to his office without stealing anyone’s credentials or technically modifying any systems. The bank had 1 guard, 5 floors, 3 access control portals, and 1 executive suite receptionist that stood between me at the front door and the president’s office. Using social engineering techniques and choosing targets of opportunity at random, I gained access to the target office with a box in hand in less than 4 minutes.
Specific targets are chosen in some social engineering attacks because they possess critical information or access to accomplish the attacker’s objectives. Specific targets are also chosen because of predetermined weaknesses in the individual’s character, lifestyle, or habits. For example, it is easier to compromise someone who is in heavy debt, dishonest, lazy, disgruntled, or simply gullible than it is to coerce someone who doesn’t have these issues. Social engineering experts can learn a lot about potential targets by simple observation of the individual performing their normal daily activities. Maintaining a strong, moral, loyal, and ethical character is important for decreasing the chances of becoming a target of social engineering scams and attacks.
Have a great week, and we will continue to explore social engineering next week here at The O, including the “theft from a distance” philosophy.