Spotting the Social Engineer

Social Engineering Attack

Something that bothers me, and that I often comment on during my presentations, is the media’s portrayal of a “hacker”. Hackers are shown as someone wearing gloves and a ski mask at a computer. I know that this is for effect, to show criminal activity, but the issue here is that these sorts of ideas stick in people’s heads.

To prove my point, I recently watched a “security awareness” training video on how to spot a social engineering attack. Throughout the video, the attackers were seen wearing ski masks along with their business casual attire, and even carrying a briefcase.

“Social Engineer”

The video mentioned a few good points about how social engineers will try to convince you to give out sensitive information, but not once did it mention that social engineers, or at least a good social engineer, will do their research to make sure they blend in as much as possible. The whole point of a social engineering attack is to gain trust, and to obtain information without arousing suspicion, and you’re certainly not going to wear a ski mask while doing these attacks face-to-face.

Again, I know that the ski masks in the videos were for dramatic effect, but how much more effective would this video have been if the attackers looked “normal”? If they didn’t stand out so much? If it focused more on attack methods and techniques instead of visual appearance? This then would have allowed the viewer the opportunity to look at behavioral patterns to try and identify the attackers themselves, instead of the dead giveaway with the ski mask.

Because others have written great articles on types of social engineering attacks and techniques, I’ll link to those instead of re-inventing the wheel:

The whole point is that social engineering attacks often aren’t noticeable, especially when they come from a skilled, well-prepared attacker. They will be smooth in their efforts to get you to divulge sensitive information, whether by building trust or by applying pressure. They will not stand out as shown in the video, so you’ll need to use your best judgement and ask good questions.

Also, not all hackers are bad! Yes, there are criminal hackers. But there are also good hackers who work to help protect against malicious attacks. The media should attempt to show this separation by calling them criminals, instead of just ‘hackers’.

Here are some more screenshots of the social engineering video training for your displeasure:


Seeing these awful images gave me the “brilliant” idea of searching Amazon.com for a “Hacker ski mask”, and this is the result.


Yes, it’s true! For only $14.99, you too can be a hacker or even a real-life Social Engineer!
*face palm*

I digress.
