Impersonation: Hacking Humans


Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. The social engineer "impersonates" or plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems.

The social engineer patiently pieces together of all the fragments of information found into a coherent picture. Each victim who gives them information considers what they say or do to be harmless, but the combination of the details gives the impersonator what they need to become powerful. The more information they have, the better they can avoid detection.

 

Impersonators spend time researching their target. They find information about you or your company by:

    • Stalking employees on social networking sites
    • Company websites
    • Email phishing
    • Phone pretexting
    • Dumpster diving
    • Eavesdropping on employee conversations
    • Black market websites or other social engineers

Tailgating

If your organization has more than one door or perhaps a secondary exit to the parking lot, be sure that no one is allowed in through those doors that do not belong. This is known as “tailgating.” An attacker seeking entry to a restricted area, where access is by unattended and controlled by electronic access control, can simply walk in behind a person who has legitimate access.

The legitimate person may fail to ask for identification for many reasons, or may accept an assertion that the attacker has forgotten or has lost the appropriate identity token. The attacker may also fake the action of presenting an identity token or approach the door carrying a large box of books and relying on people's propensity to hold the door open for others in that situation. There are any number of tricks they can use to gain entry. If you notice someone hanging around the building that shouldn't be there, you may have a social engineer on your hands waiting for the right opportunity.

Shoulder surfing

Impersonators can gain access to information by simply watching what you are typing or by seeing what is on your computer screen. This is known as "shoulder surfing," and can also be done by looking through a window, doorway, or simply listening in on conversations.  Be aware of your work environment and know who is around you when you are working with confidential information, or even when you are typing in your password.  Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas, by the way, should not have the monitors facing outward.

USB devices loaded with malware

One of the best technological tools at the disposal of a social engineer, especially those posing as a technical support person, is a USB thumb drive. They are small, easy to conceal, and can be loaded with different payloads (malware) depending on what task needs to be done. It only takes a few seconds to insert one into a computer to compromise the entire network. They can also be planted in different locations around the workplace in the hopes that employees will find them, use them, and unwittingly install a Trojan on the system. The Trojan can be used to gain passwords and login information or to provide the attacker unfettered access to the network from a remote location. 

How to protect yourself against impersonators

With this knowledge of what impersonation is and how it's used, it's time to discuss how to protect yourself from social engineers who create elaborate scenarios, plan each detail, and are driven to steal. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself, your company, and your customer's information:

  1. When in doubt about the validity of an individual or a request, contact your manager or the manager of the requester, for authority to comply with the request.
  2. Never give out passwords. Technical support personnel do not ever need your password or other information related to accessing your system.
  3. Avoid revealing information, especially out of trust or fear.
  4. Ensure the physical security of your premises. Don’t enable tailgating. Ask yourself, "who is that and why are they here?" If you are unsure about a person's authorization or access permission, report the situation to the appropriate staff.
  5. Be aware of your surroundings.  Make sure you know who is in range of hearing your conversation or seeing your work. Use a computer privacy screen to deter shoulder surfing, especially in public places.
  6. Protect paper documents. Don't leave documents lying around. Use a shredder to discard unwanted documents.
  7. Adopt a healthy dose of skepticism for anything out of the ordinary, especially strangers who endear themselves to you.
  8. Adhere to the policies and procedures within your organization that stipulate how you should manage situations that may be social engineering attacks.

These helpful tips are provided by www.infosightinc.com, an information security consultancy working to help ensure the privacy and security of your corporate, personal and financial information.