This document summarizes a case study of a successful social engineering attack against a company called EW and its client WFC. A hacker was able to exploit personal information publicly available online about an employee of EW, Mr. Farmer, to manipulate him into providing password details. This enabled the hacker to access company systems and client credit card information, resulting in financial losses and contract termination for EW. The case highlights the need to educate employees about securely handling personal information online and the risks of social engineering.
Social engineering power point
1. Social engineering is the process of acquiring information from legitimate users for illegitimate means.
   - Social engineering poses a significant threat to any organization.
2. Loss of company assets
   - Loss of client assets and information
   - Loss of revenue because companies cease to conduct business with entities that do not adequately protect their information
   - Can result in financial losses for individuals
3. Numerous customers of WFC discovered unauthorized purchases on their credit cards.
   - Amounts exceeded $100,000.
   - EW was required to pay $100,000 due to contract obligations.
   - EW lost contracts with other companies.
   - Mr. Farmer, Director of Web Promotion, lost his job.
4. Hacker used publicly available information to gain knowledge of the company and its employees.
   - Hacker dropped the names of WFC and EW employees in an effort to build a relationship with Mr. Farmer.
   - Hacker was able to exploit the misconduct of an employee in order to gain the needed information.
   - Mr. Farmer knew he was in trouble, and the hacker played on this.
   - Hacker acted as if he would protect Mr. Farmer from losing his job.
5. Hacker posed as someone helping Mr. Farmer view more of the websites he liked.
   - Mr. Farmer readily provided his password in the hope of not getting in trouble for the unapproved website viewing.
6. Training was not conducted to educate employees about the implications of releasing information.
   - Mr. Farmer was using IM to divulge personal information about himself.
   - WFC and EW websites were thoroughly researched to find information that could be exploited.
   - Mr. Farmer’s chat room discussion, which revealed his employer and job title, quite possibly led to the hacker’s decision to target him.
7. The same password was used for multiple accounts by Mr. Farmer.
   - He used a strong password and felt it was adequate to use for all accounts.
8. Employees should be educated on how to use strong passwords and not to use the same one for all accounts.
   - Educate employees not to become victims of the coercion or enticement techniques employed by SEs.
   - The company must not be narrowly focused concerning security. It must look at all areas in which it can secure data.
   - Utilization of secure password techniques
   - Sound policy on the use of computers
9. Educate employees on verifying the identity of the people they are speaking with.
   - Educate employees not to reveal information outside of official communication.
   - Ensure employees are not doing things that could be exploited by a potential hacker.
   - Properly dispose of any information that could be used against the company, employees, and clients.
10. Mr. Farmer put himself in a position of vulnerability to hackers by visiting these illicit websites.
   - What can an organization do to discourage this type of behavior?
   - How is a company to know that an individual is engaging in a certain type of behavior that would make the company vulnerable to an attack?