Veracode has a great track record for producing compelling infographics. And they have a great attitude about sharing. The Hacking the Mind infographic I've inserted here explains the art and threat of social engineering quite thoroughly:
Infographic by Veracode
Playing on Emotion
Quiz time: identify what emotion or motivation attackers use in the following scams. Choose from {fear, greed, empathy, curiosity, anger, interest...}.
- Stranded traveller scams are emails from a colleague, relative or friend who claims to have lost a wallet, passport, etc. and is desperate for you to wire money so they can recover from the loss. The scam emails often come from your personal contacts list, which the scammer has accessed by infecting your PC with malware that locates and uploads email contacts to the attacker.
- Advanced Fee Fraud scams (a.k.a. Nigerian or 419 scams) claim that you are the beneficiary of a compensation payment or offer you a fee for assisting in a money transfer. The scammer typically contrives a situation where you must provide a small sum of money to execute the transaction, to complete official paperwork, or to bribe an official.
- Lottery or Sweepstake scams try to entice you to disclose personal data or bank account information to "facilitate" the deposit of winnings. If you disclose this information, the scammer withdraws rather than deposits funds from your account.
- Diploma mills claim you can earn a high school diploma or advanced degree based on your life or work experience. The attacker then steals the personal and credit card information you submit for payment.
- Tax or IRS scams phish for identity information, using either a refund or notice of audit.
- Online pharmacy spam advertises sites that sell "life-style" pharmaceuticals or scheduled drugs (controlled substances) without prescription.
- Disaster spam campaigns solicit contributions for survivors of a natural disaster (hurricanes, tsunamis, earthquakes), a shocking crime (Newtown Elementary, Virginia Tech), ethnic cleansing, hunger victims, etc.
- Online credentials phishing messages may warn you of suspicious activity observed in your account, or they may contain a notice of a credit or loan account past due, an overdraft or an account discrepancy.
- Employment (money transfer) spams offer opportunities to earn a lucrative salary working part time. The job often involves participating in fraudulent transfers of goods or money.
- Fake IT support spam messages impersonate your organization's IT or ISP customer support and request that you change your password, confirm your personal contact information, etc. Fake HR spam is similar: one HR spam asks you to log in or confirm more personal data such as social security numbers or bank routing information (for direct deposit of your paycheck).
Next time you check your email, keep your emotions in check!
tseretni (01) deerg (9) ytisoiruc ro raef ro regna (8) yhtapme (7) ytisoiruc (6)
raef ,ytisoiruc (5) ytisoiruc (4) deerg (3) deerg (2) yhtapme (1) :srewsnA
Thanks for the kind words, Lori. And right after I published this I found a Nigerian/419 scam among my Facebook messages. FB may have to re-think their "new" messaging settings.
Posted by: The Security Skeptic | Sunday, 10 March 2013 at 03:49 PM
Your added quiz was very creative and a nice treat! I'm adding your post to both newsletters (the typical user and the infosec pro) this week. I think there is something for everyone to learn here.
I always look forward to your posts. :)
Posted by: Lori Williams | Friday, 08 March 2013 at 11:24 AM