This document summarizes a case study of a successful social engineering attack against a company called EW and its client WFC. A hacker was able to exploit personal information publicly available online about an employee of EW, Mr. Farmer, to manipulate him into providing password details. This enabled the hacker to access company systems and client credit card information, resulting in financial losses and contract termination for EW. The case highlights the need to educate employees about securely handling personal information online and the risks of social engineering.

1.  Social engineering is the process of acquiring
information from legitimate users for
illegitimate means
 Social engineering poses a significant threat to
any organization.

2.  Loss of company assets
 Loss of client assets and information
 Loss of revenue because companies cease to
conduct business with entities that do not
adequately protect their information
 Can result in financial losses for individuals

3.  Numerous customers of WFC discovered
unauthorized purchases on their credit cards
 Amounts exceeded $100,000
 EW was required to pay $100,000 due to contract
obligations
 EW lost contracts with other companies
 Mr. Farmer, Director of Web Promotion lost his job

4.  Hacker used publicly available information to gain
knowledge of company and employees
 Hacker dropped the names of WFC and EW
employees in an effort to build a relationship with
Mr. Farmer
 Hacker was able to exploit the misconduct of an
employee in order to gain needed information
 Mr. Farmer knew he was in trouble and the
hacker played on this
 Hacker acted as if he would protect Mr. Farmer
from losing his job

5.  Hacker was helping Mr. Farmer view more website
that he liked
 Mr. Farmer readily provided his password in hopes of
not getting in trouble for the unapproved website
viewing

6.  Training was not conducted to educate employees
of the implications of the release of information
 Mr. Farmer was using IM to divulge personal
information about himself
 WFC and EW websites were thoroughly
researched to find information that could be
exploited
 Mr. Farmer’s chat room discussion that revealed
his employer and job title quite possible let to the
hacker’s decision to target him

7.  The same password was used for multiple
accounts by Mr. Farmer
 He used a strong password and felt it was adequate
to use for all accounts

8.  Employees should be educated on how to use
strong passwords and not to use the same one
for all accounts
 Educate employees not to become a victim to
coercion or enticement techniques employed by
SEs
 The company must not be narrowly focused
concerning security. It must look at all areas
that is can secure data
 Utilization of secure password techniques
 Sound policy on use of computers

9.  Educate employees on ensuring the identity of people
they are speaking with
 Educate employees not to reveal information outside of
official communication
 Ensuring employees are not doing things that could be
exploited by a potential hacker
 Properly dispose of any information that could be used
against the company, employees and clients

10. Mr. Farmer put himself in the position of
vulnerability to hackers by visiting these illicit
websites.
 What can an organization do to discourage this
type of behavior?
 How is a company to know that an individual
is engaging in a certain type of behavior that
would make the company vulnerable for an
attack?

11.  Honan, M. (2007). How Apple and Amazon
Security Flaws Led to My Epic Hacking. Retrieved
from:
http://www.wired.com/gadgetlab/2012/08/
apple-amazon-mat-honan-hacking/all/