A Social Engineering Story

Grafitti comic of man jumping Berlin Wall

When pondering the term Social Engineering, my focus is solidly placed on “Social.” These are human, not technical, attacks. Social Engineers are first and foremost masters of manipulation of the social interaction. They identify potential targets, assess them in the first few seconds of conversation, and then launch the attack. A crisis situation is presented and the assault usually occurs with dizzying, intentional speed, such that the victim has no time to think, much less verify what they are told. Victims are quite simply caught off-guard. If the first thrust is successful then follow-on attacks are launched.

These attackers often do a little homework to prepare. They identify a target audience, usually vulnerable groups like the elderly. A crisis scenario is developed that preys on the psychology of the target. Any background information the attacker can gather increases the success of the attack, making the crisis scenario seem more authentic.

And by the way, I am not talking necessarily about the sophisticated professional villain. Many successful attacks are authored by rubes who strive for quantity, with the law of averages supporting their likelihood of success with at least one target. And a few successes is all it may take to make the Social Engineer successful in the “profession.”

Today I present a case in point, that illustrates a typical attack. A neighbor of mine in his mid-eighties got a call from someone who easily found his landline number (yes, you read that right). The person claimed to be a police officer in Las Vegas, saying that the neighbor’s grandson had been arrested for some indiscretion and needed bail money to get him sprung from jail quickly. The neighbor, reasonably upset by the news, asked simply “Which grandson?”, and the response was “The older one.” The caller gave wiring instructions then ended the call with the caveat “Your grandson asked that you not mention this to anyone, including his parents, because he is really humiliated. He said you were the only one he could go to for help.”

The real story behind the story of course is that my neighbor, who had been feeling old and irrelevant, was instantly cast in the role of the hero, having been given a rare opportunity to swoop in and save the grandson from destruction. This was the psychology behind the crisis scenario. Social Engineer called it with 100% accuracy and my neighbor fell for it. He transferred the money to an account in Las Vegas, not even asking the caller to verify the grandson’s actual name.

It worked so well that a few hours later the attack continued. Another call came through—this time from a purported ‘lawyer’, claiming that he represented the grandson and his friend, and who described that the situation was “even worse than had been previously described. The charges were being escalated to something felonious. So of course that meant the lawyer’s retainer would have to be sent immediately so that work could begin without delay to help prevent the situation from getting more difficult.

Attackers know how to be flexible with their story, to keep the attack going. So when my neighbor said he didn’t have the requested retainer sum, the lawyer explained that this was not a problem, that the grandson’s partner in crime was from a wealthy family, and would pay the retainer. But because the family that did not want to be directly identified, they would first deposit the retainer funds into my neighbor’s account and, once he verified the deposit, my neighbor was then to directly pay the lawyer. All the family required of him was to provide his social security number and bank account number, which they explained was completely logical since they were “trusting” him with their payment of the retainer amount. Yes, he fell for it and gave the information.

Now the attackers had far more than the first payment to Las Vegas of easy cash. They had the victum’s confidential financial information, given by the victim himself! In the hands of a Social Engineering attacker such information can easily be used to leverage more information and more cash.

When my neighbor called the bank to verify the transfer, lo and behold, the new money had been deposited into his checking account! How can this all be a fake when money is flowing to him? What he didn’t think to check were his linked accounts, such as savings and retirement. Using the bank information my neighbor provided, the thieves had simply done a telephone account transfer, mimicking my neighbor’s telephone number so it appeared on the bank agent’s caller ID display. It is usually easier to transfer funds between accounts than out of the bank. My neighbor then promptly transferred the ‘retainer’ amount, really his own cash, to another Las Vegas account.

Again, the attack continued. The ‘attorney’ called again to say that the case was more complicated and a higher retainer amount was required. Only then did my neighbor start to feel a little suspicious, and finally called a family member to share the situation. End of story: My neighbor was bilked of thousands of dollars and felt too humiliated to talk much about it.

It is critical that we share news of these incidents to raise awareness of the power of a good story, and a compelling storyteller. These attacks are successful, in part, because victims are too embarrassed to talk about their experience. And it can happen to anyone, individuals and businesses, given the right story, particularly with good background information we all to readily give away in our social media posts. When thinking about your on-line security, it is critical to understand the people factor and to spread awareness of how powerful and successful Social Engineering attacks can be.

Wells Fargo Phishing

Picture of Wells Fargo logo

Always interesting to get and look over a phishing email, as I did today.

The email, purportedly from Wells Fargo, was boldly titled “Important Notice Regarding Your Account”, showed “Wells Fargo” in the From header line, with the official Wells Red square logo below the address block. The email address behind the From line was smrfc@notify.wellsfargo.com. The rest of the email is copied below,

with an asterisk added in the address so you don’t accidentally click it.

The key giveaway feature of these phishing emails is the helpful link you can click on to log in and solve the problem. Everything else in the content is intended to get you to trust and click. So the first rule you should follow is never click the included link. If you want to validate that you really have a problem then open your web browser, navigate to your bank’s site, authenticate, then check for warning messages.

My attention was also caught by the phrase “forced to suspend your account indefinitely”. While a bank may freeze a compromised account, no bank will lock you out of your funds and on verification with you may transfer funds to a different account number. This phase was included to alarm you with a tight deadline and severe consequences, so you’ll be more likely to click.

Don’t fall for these scams. At best they might lead to a software download that would compromise your computer. At worst they will clean out your bank account and try to find linked accounts to do the same.

Stay Safe online!

– Ken


Dear Wells Fargo Member:

We recently have determined that different computers have tried to log in to your account. Multiple password failures automatically places your account on hold.
We now need you to re-confirm your account information to us.
If this is not completed by December 03 2014, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.
We thank you for your cooperation in this manner.

To remove limitations from your account click on the following link:

https://online.*wellsfargo.com/cgi-bin/Logon.aspx?sd

Thank you for being our customer.