Social engineering: the easy way to get into a company
- 15 November, 2017
- Amsterdam Security
"The easiest way is to go and stand close to the smokers outside an office building. When people go inside, you simply follow them closely. 'Sorry, I've forgotten my access card. Can you let me through the gate?' Then you will be in. After that you can take your time to find a suitable workstation where you can simply stick a USB stick into a computer or printer." These are the words of Marcel van der Velde, ethical hacker and social engineer, speaking at the Amsterdam Security Convention in RAI Amsterdam.
Van der Velde gave a keynote speech about safety awareness and social engineering. The latter is a technique used in the hackers' world which involves abusing human character traits like curiosity, trust and greed to acquire confidential information, or to make the victim perform a certain action.
Van der Velde urged his audience to be careful at all times and aware of the dangers. It is not just unimaginative passwords which make it easy for cyber criminals to hack or blackmail companies but also, and above all, the employees themselves. "It is very easy to deceive people. Certainly when you take advantage of their vanity." To illustrate, he cited the example of a manager at a large bank who is keen on sports. "He is also chairperson of a tennis club, as I observed on his LinkedIn profile and Facebook, and I decided to approach him, pretending to be a journalist from a tennis website. I asked him if he wanted to cooperate on an article about developments in the tennis world. He was, of course, extremely flattered. After the interview we agreed that I would mail him the finished article so that he could read it. However, the PDF contained malware. He never knew what hit him. And I quickly had access to the bank in question."