Proceeding with her talk, Sharon Conheady creates a historical timeline hundreds of years back to outline the origin of today’s Nigerian scams, and speaks on the prevalent present-day frauds which aim at tricking money from credulous people.
So I am just going to give you some thoughts on the future of social engineering as I see it. First of all, we’ve seen with the pilot thing, we’ve seen with the selling of the Eiffel Tower – it’s the same tricks that work over and over in history. We’ve got the same scams, the same cons repeated again and again. It’s just they change with technology. So 10 – 15 years ago, phishing attacks appeared. They took place over email, they took place over social networks. Now we’ve got vishing, which uses VoIP technology, we’ve got SMiShing, which uses SMS. I am sure we will get whatever ‘ishing’ comes next.
So Eugène François Vidocq published his memoirs, you can read them on Google or you can buy the book. And he mentioned a scam called ‘The Letter from Jerusalem’ (see image). And again, it was very, very similar. They’d target a member of the aristocracy or someone with a lot of money. They’d write them a letter giving them some reason to advance some cash to them. It might be something as silly as saying: “We are the assistant to this aristocrat, and he lost a box of jewels. We need to find them somewhere, so we need to pay the searchers. If you give us the money, we will share the jewels with you.” So I like the statistics that Vidocq mentions, he says of 100 letters, 20 were always answered. Because they were very, very targeted attacks, possibly the first example we saw of spear phishing.
And my favorite quote from Vidocq is that sometimes even the Parisians would fall for this scam. So it was very, very serious. Throughout history, again, they repeated, and we skip forward to the 1980s – that’s when these scams first started appearing out of Nigeria. The oil-based economy was in decline. So some Nigerian students thought maybe they could take advantage of this. And they’d contact usually U.S. businessmen, sending them letters or sending them faxes, or even telexes, saying: “We can get you in this really good business deal if you just let us have a little bit of money in advance.” So the same thing over and over. And of course it eventually turned into email attacks.

So this is the typical 419 scam that we see today (see image). Attackers will often try to make their victims feel some kind of emotion, because when we are emotional – whether it’s being angry because Facebook is starting to charge for account access, or whether it is because you are feeling obsessed or sympathetic because this guy’s clients all died in a plane crash – once you feel that emotion, you are more open to suggestions. So this guy says his bank clients and his entire family died in a plane crash and he needs some money, and actually if you click through or even type in the URL provided in the email, it shows a story. So this might not work for people in the security industry, but it could work for a lot of other people. So this is the Concorde crash that happened in Paris about 10 years ago.
So it’s old attacks reworked, and when the request comes in from your friend, of course you are more likely to comply with it. So they are getting very effective.
The latest one appears to be the London mugging. This comes in via social networks or via some kind of chat. Your friend will say: “I am sorry I forgot to tell you I was visiting London, but when I was there I was mugged, they stole my money and stole my wallet, so I need you to give me some money, again, to pay for the hotel.”
But I thought I was surprised that year when we got the whole volcano thing going on. Everybody was stranded across the world. That was the ideal time for social engineers to take advantage. And you can imagine if you were after a particular organization, most global organizations had people stranded somewhere because of the volcano. So find who these people are, offer them a lift, offer them some kind of assistance. There were tons of carpools set up. People disclosed their email addresses, they disclosed their telephone numbers.
This guy here writes: “I am in Amsterdam and I need to get to Dublin. Can anyone help?” He is going to accept a lift with anyone going that way. I didn’t hear of any attacks that used this, but you know it was the prime ground for social engineers.