Social Engineering And Its Derivatives--The Underrated Threat

I've recently been chatted up on Facebook by someone using the username of a good friend of mine from my first year in law school. I was astonished to hear from him for two things: one he's a highly secretive person who has never used FB chat with me before, and two, I'd hadn't heard from him in a while.

Things got sketchy though when he started asking for money because he was mugged in London and his family could not get home. Immediately it became evident that he wasn't the friend I knew but some hacker that had compromised the account. One, this friend of mine was not stupid and well travelled, and had it truly been him, he would rush straight to the Philippine embassy instead of beg for money from someone halfway across the globe. Two, a traveller prioritizes his passport over his wallet, and this guy obviously was more intent on getting money from me. Three, this is the one of the most common spam messages I know of.

But I must admit, for a moment, I was worried the message might be genuine. Computer fraud is a growing problem, and now I see why people can easily fall for these things. In my case, the mixture of genuine concern and alarm at the purported mugging of a friend I hadn't talked to in months, coupled with generous helpings of Colt .45 and San Miguel Super Dry almost made me want to believe the scam. These messages tug at our heart strings and disturb us to the very core of our consciences, tempting us to bite. But this is precisely what we have to learn to resist. In Cyber Crime, one must defend not only against direct hacking and cracking attacks, but more importantly these so-called Social Engineering nad related attacks attacks--attacks which (according to Wikipedia) are calculated into making people unwittingly divulge confidential information, and this, not even the most secure firewalls can defend against. We must remember that one of the most successful hackers of all time, Kevin Mitnick, was not the best at compromising networks through direct attacks per se, but he was very adept at fooling people into giving him their passwords and sensitive info. Technically my experience is not really Social Engineering but fraud since the hacker was not after my passwords, but the techniques are similar, and the effect the same. Had the attacker succeeded, I would have given him money--which he would have done anyway had I give him, let's say, my bank account number. Good thing I was too smart to be fooled, and too drunk to get off the chair.

Miguel Tensuan
Entry 14