Social Engineering and your users

All my customers want to talk about security these days. So much of our day to day work is done on the internet now, and the security landscape has changed significantly over the last 5-10 years. Our perimeter is no longer restricted to our LAN and firewalls, but instead lives with the user's identity. Users are highly likely to use their corporate network password on other sites; who knows whether that other site has been breached or not?

Things like this scare us IT admins, and even scarier now is the gargantuan amount of misinformation and misdirection on the internet. From that advert that looks like a “next page” button to the link to an article which promises to show you the most amazing thing you’ve ever seen a koala do, users will literally click on anything. Today I want to share one of these examples. I noticed this morning that a friend of mine had shared this post on Facebook:

Post offering a free Recreational Vehicle!

Wow! A free RV. Amazing right? But this post looked a little strange. Who can afford to give away an RV, let alone 15 of them? And what did “can’t be sold because they have been stock this year” mean? My curiosity got the better of me and I decided to click through. This is what I found:

RV Main Page

Now let me give you a few facts:

  • This page only had a single post. This one.
  • It has 83,045 shares and 35,015 comments. In 3 days. Both of these numbers have gone up by around 1,000 while I have been writing this.
  • The page had nothing in the about section. No website, no contact details, nothing. Nada. Zip. It was basically an empty page with one post on it.

This was clearly a ruse and nobody was going to get themselves a free RV. I mean hey, maybe I’m wrong and an awful cynic who has been scarred by the internet. But in reality, this was more than likely a social engineering experiment or phishing scam. Maybe the “lucky winners” would be contacted and asked for some personal details so that they could claim their free prize? Maybe they were directed to a fake Facebook login page? And maybe their Facebook login password was the same as their corporate network password?

This post shows us all just how easy it is to get people to click on something, or believe something, on the internet. And this stuff is everywhere we look. As an internet user, we are faced with a constant stream of misinformation and misdirection, never quite knowing when something is real and when it isn’t.

Security has never been more important. Using web filtering, multi-factor authentication and implementing mail scanning features like Safe Links and Safe Attachments (found in Exchange Online Protection) can help to a certain degree, but a very large part of this fight is user education. People should be taught that their first response should be one of doubt, not of excitement about the amazing thing they are about to see, or the prize they will never win.

It’s a dangerous world we live in. But at least I’ll have a new RV to protect myself.