10 Social Engineering Predictions for 2014


Here are 10 predictions for 2014, each a cyber attack that uses social engineering to penetrate the network. Have fun reading, and I will try to report back in 12 months on which ones came true.

---1) The Registry Hack---

A mid-size credit union's controller shares on Facebook that she is expecting a baby. She has a detailed profile on LinkedIn and also creates a baby registry at Amazon. She receives an email, apparently from Amazon's marketing department, saying they want to interview her about the registry and that she can pick one of her registry items for free. She clicks on the link. Her workstation gets infected with a Trojan, and the bad guys transfer $495,000 to Ukraine over a long weekend.

---2) Legal File Corruption---

The in-house counsel of a large defense contractor, working long days on a corruption lawsuit against a former VP of Sales, works closely with outside attorneys when the case comes to trial. She receives an email, apparently from her counterpart at the outside firm, complaining that his office's email server is down and asking her to email him the case file immediately because he is on his way to court. She does. The email was spoofed, and the file ends up with a competitor, who uses it to steal away a large deal.

---3) PCI Compliance Failure---

A system administrator gets an email, apparently from his company's credit card merchant account processor, saying that the company has failed its PCI compliance check and that card processing will be shut down in 24 hours unless he immediately reports what was done about the findings of the recent vulnerability scan. A link is provided to confirm which patches have been applied. He clicks, and his workstation gets infected via a zero-day exploit that gives the bad guys the keys to the kingdom: admin credentials! Note the pressure tactics at work here: a trusted authority, a 24-hour deadline, and a business consequence painful enough to short-circuit the usual "let me check this first" reflex.

---4) Underperformance Review---

Dozens of employees in a healthcare company get an email from their CEO asking them to participate in an anonymous "How Are We Doing?" survey. The CEO explicitly asks for feedback on herself, and also asks each employee to rate the performance of their direct supervisor. 65% of the employees click on the link, and all of their workstations get infected, costing the IT team four days of twenty-hour frantic wipe-and-rebuild work.

---5) iPhone Pwned---

The CEO of a non-profit shares on LinkedIn that he really likes the new iPhone with fingerprint recognition. A few weeks later he gets a text message, supposedly from Apple, saying there is an important update to the fingerprint software that he should install as soon as possible, although it will require a reboot of his phone. He complies right away, but what gets installed is mobile malware that steals the credentials for his office VPN. The bad guys add phantom employees to the payroll, and the non-profit loses $15,000 to money mules via Direct Deposit the next Friday.

---6) Celebrity Trap---

The VP of Sales at a large online ticket reservation site gets an email, apparently from the lead singer of his favorite band, inviting him to a backstage meet & greet after the band's upcoming gig in his town. He's all excited and clicks on the link. That one click is enough to let the bad guys in and exfiltrate the company's database with 275,000 full customer credit card transactions. Cha-ching!
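Predictions 1, 3, 4 and 6 all turn on a single click on a link in an email that claims to come from a trusted party. The Python below is an added example, not code from the original post: it pulls the links out of an HTML email body and flags the patterns a mail filter or a suspicious recipient would check, namely a brand name in a host whose registered domain is not the brand's own, visible link text that shows one domain while the href goes to another, a raw IP address as the host, and a userinfo part that hides the real host behind an "@". The sample email, the brand list and the trusted-domain list are constructed for the example, and the registered-domain helper approximates with the last two DNS labels rather than the Public Suffix List, so it is wrong for suffixes such as co.uk.

```python
"""Flag suspicious links in an HTML email body (added example, not the post's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brands a phisher is likely to impersonate and the
# registered domains that legitimately serve them.
TRUSTED = {
    "amazon": {"amazon.com"},
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
}

# Constructed sample email in the style of prediction 1 (the registry lure).
SAMPLE_EMAIL = """
<p>Congratulations on your baby registry!</p>
<p>Pick your free gift here:
<a href="http://amazon-registry-rewards.net/claim?id=77">https://www.amazon.com/registry</a></p>
<p>Questions? <a href="https://www.amazon.com/help">Amazon Help</a></p>
<p>Or confirm directly: <a href="http://198.51.100.7/amazon/confirm">confirm now</a></p>
<p>Also: <a href="https://apple.com.security-update.info/touchid">Update Touch ID</a></p>
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Visible text that a reader would take for a URL or bare domain.
URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of the host (approximation; a real filter uses the PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed, (parsed.hostname or "")


def analyze_link(href, text):
    """Return the list of reasons this link looks like phishing (empty if clean)."""
    reasons = []
    parsed, host = _host_of(href)
    if not host:
        return ["no host in href"]
    rdom = registered_domain(host)
    if IP_RE.match(host):
        reasons.append("raw IP address as host")
    # Brand name present in the host, but the registered domain is not the brand's.
    for brand, good in TRUSTED.items():
        if brand in host and rdom not in good:
            reasons.append(f"'{brand}' in host but registered domain is {rdom}")
    # Link text shows one domain while the href goes to another.
    if URLISH_RE.match(text):
        _, shown = _host_of(text)
        if shown and registered_domain(shown) != rdom:
            reasons.append(f"link text shows {shown} but href goes to {host}")
    # https://amazon.com@evil.example/ resolves to evil.example, not amazon.com.
    if "@" in parsed.netloc:
        reasons.append("userinfo in URL hides the real host behind '@'")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the email body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(h, t, analyze_link(h, t)) for h, t in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Run against the constructed email, the registry link is flagged twice (brand in a foreign domain, and link text that shows amazon.com while the href goes elsewhere), the Apple link is caught by the brand-in-subdomain rule, the raw IP link by the IP rule, and the genuine Amazon help link passes. The brand check is a plain substring match, so it will also flag hosts like pineapple.com; in practice that false positive is preferable to the miss.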

---7) Credit Card Security Con---

The wife of a mid-size bank's president gets a phone call from someone claiming to be their credit card company. The rep explains they are offering a new security service to make sure the account is resistant to cyber attacks: it will send a text to her phone whenever there is a suspicious charge, so she can tap "no" on the phone to dispute it. The rep asks her to type a domain name into her browser to get her cell phone subscribed to the new service. The domain is malicious and drops a Trojan on her PC, which lets the bad guys take over the home network and infect the laptop of her husband, which he plugs into the bank's network during the week. The bank itself gets penetrated that way, and $2 million is transferred to Russia out of the bank's customer accounts.

---8) Broken Cloud---

A few years ago, Chinese government-sponsored hackers opened a front office in the US and carefully developed it into a well-funded, up-and-coming cloud consultancy firm. They keep working at it, impressing cloud providers with whitepapers showing their in-depth knowledge of cloud security. They even hire unwitting US employees who hold security clearances.
Finally they get invited by Amazon to discuss a possible contracting job. They get access to the premises, are invited on a tour of the data center, and manage to plug a small device into the ethernet jack of a conference room phone for a few seconds. That gives them what they need to subtly sabotage that data center and write another whitepaper describing the specific problem. Next, they sit back and wait until they are called. Finally the call comes, they move in to "assist", and they obtain full ownership of the cloud.

---9) PDF Deception---

The CIO of a large insurance company gets a call from an attractive-sounding recruiter, who says he has been selected for an interview to discuss a CEO position at an online competitor. He has not heard of the recruiting firm but checks out the rep on LinkedIn. It all seems legit, and she's a looker. As part of the procedure, the CIO gets a PDF describing the company that is interested in him. The PDF does not open for some reason, so he closes the reader and retries, but it fails again. You guessed it: the PDF carried a Trojan, his workstation is pwned, and very valuable confidential information is exfiltrated.

---10) Top Dog Social Engineer---

A man crafts a new web portal and establishes trust with new users, helping them get ahead socially by sharing personal and work details, habits, and preferences. He collects all of this data, sells targeted advertising against it, and even takes the company public. It's unbelievable that he gets away with this at a time when identity theft has become rampant and keeping personal information private is supposed to be a top priority. In case you did not guess, the top dog social engineer is Mark Zuckerberg, founder and CEO of Facebook. A billion people fell for his ruse. Remember, if you don't -pay- for the product, you -are- the product.
