05.17.07


Social Engineers And Domain Hijacking

By Dan Morrill

Slashdot contributor Bennett Haselton is running an article that is a great example of how social engineering can be used to hijack a person's domain away from them.

Reading the story shows how important it is to know about the tricks of social engineering, and how to spot them.

Let's face it: most help desk folks get a lot of abuse when they do not perform to expectations, and social engineers rely on that to get information from people. Overall, though, it is important to realize that this is a global problem. This is not just one business doing things; this is all businesses, all the time, that face this kind of issue. It is also a human problem: it is our basic nature to want to get someone off the phone by giving them what they want.

But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them. Source: Slashdot

The success rate of the process was about 50%: at these smaller companies, in 1 of every 2 attempts, domain information was given out to someone who "didn't own the domain". Cut-rate hosting is just that: a way to deliver service on the cheap, which means the people who fill those positions are not going to be highly trained, and odds are this will be their first "real tech job".

Nor is simply "firing these people" going to work here: the company is still cheap hosting, still paying very small wages, and will probably hire another entry-level person into the position that was just vacated.

As this is a people problem, more training, more verification of the kind banks use (not foolproof, but at least something), or other ways of confirming the identity of the person on the other end of the e-mail or phone should become a mandatory step in deciding whether the person is who they claim to be. While no method is foolproof, some simple steps involving information that only the person on the other end of the phone or e-mail should know are one way of addressing the concern of help desks being social-engineered into giving out, or changing, information that really belongs to someone else.
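The verification step just described, worked through as an added example (it is not code from the article, from Haselton's test, or from any hosting company): a help-desk workflow that refuses to change a domain's contact details unless the caller both answers a question agreed at enrollment (stored only as a salted PBKDF2 hash, compared in constant time, with the record locked after three misses) and reads back a one-time code that was sent to the e-mail address already on file rather than to whoever is on the phone. The record layout, the `send_mail` callback, the domain names and the answer "Fluffy" are all assumptions constructed for the example.

```python
"""Two-step help-desk verification before changing who controls a domain (added example)."""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("helpdesk-verify")

MAX_FAILED_ATTEMPTS = 3   # lock the record after this many wrong answers


@dataclass
class RegistrantRecord:
    """What the hosting company keeps on file (constructed schema, not a real registrar's)."""
    domain: str
    contact_email: str
    answer_salt: bytes          # salt for the pre-agreed verification answer
    answer_hash: bytes          # PBKDF2 of the answer; the clear text is never stored
    failed_attempts: int = 0
    pending_code: Optional[str] = None


def _hash_answer(salt: bytes, answer: str) -> bytes:
    # Normalise case and whitespace so a phoned-in answer still matches, then stretch it.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


def enroll(domain: str, contact_email: str, answer: str) -> RegistrantRecord:
    """Set the 'something only the owner knows' at account creation, not at support time."""
    salt = secrets.token_bytes(16)
    return RegistrantRecord(domain, contact_email, salt, _hash_answer(salt, answer))


def request_change(rec: RegistrantRecord, given_answer: str,
                   send_mail: Callable[[str, str], None]) -> bool:
    """Step 1: the caller must answer the pre-agreed question. Step 2 starts only if they do."""
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        log.warning("%s: record locked after repeated failures; escalate, do not proceed", rec.domain)
        return False
    if not hmac.compare_digest(rec.answer_hash, _hash_answer(rec.answer_salt, given_answer)):
        rec.failed_attempts += 1
        log.warning("%s: wrong answer (%d/%d)", rec.domain, rec.failed_attempts, MAX_FAILED_ATTEMPTS)
        return False
    # Step 2: a one-time code goes to the address already on file, not to whoever is calling.
    rec.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
    send_mail(rec.contact_email, f"Confirmation code for {rec.domain}: {rec.pending_code}")
    log.info("%s: knowledge check passed, confirmation code sent out of band", rec.domain)
    return True


def confirm_change(rec: RegistrantRecord, echoed_code: str, new_contact_email: str) -> bool:
    """The change is applied only when the caller can read back the code sent out of band."""
    if rec.pending_code is None or not hmac.compare_digest(rec.pending_code, echoed_code):
        log.warning("%s: confirmation code mismatch; change refused", rec.domain)
        return False
    rec.pending_code = None          # single use
    rec.failed_attempts = 0
    old = rec.contact_email
    rec.contact_email = new_contact_email
    log.info("%s: contact changed %s -> %s after two-step verification", rec.domain, old, new_contact_email)
    return True


if __name__ == "__main__":
    outbox = []   # stand-in for the mail system (constructed)
    rec = enroll("example-customer.test", "owner@example-customer.test", "Fluffy")
    # A caller who does not know the answer never gets a code sent anywhere.
    assert not request_change(rec, "Rex", lambda to, body: outbox.append((to, body)))
    # The legitimate owner: the code goes to the address on file and must be read back.
    assert request_change(rec, " fluffy ", lambda to, body: outbox.append((to, body)))
    code = outbox[-1][1].split()[-1]
    assert confirm_change(rec, code, "new-owner@example-customer.test")
```

The point of the second step is that a caller who has talked their way past the first question still cannot redirect the domain unless they also control the mailbox already on record, which is exactly what a hijacker does not have; the lockout and the log lines give the help desk supervisor something to review when the same domain keeps failing.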

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

-- ITManagementNews is an iEntry, Inc. publication --
2007 iEntry, Inc. All Rights Reserved