Security Forums
enigman Regular Member


Joined: 09 Oct 2002 Posts: 50 Location: Sydney

|
Posted: Wed Nov 13, 2002 7:13 am Post subject: Poor Effort at Social Engineering |
|
|
Here is an example of an attempt at social engineering that is currently being attempted in Australia. A number of government agencies have had this message sent to email addresses within their organisation.
The perpetrator used bogus addresses (in one instance resorting to Hotmail accounts). It only took seven questions before they asked for the target's logon id and password. If they were going to bother doing this they could have put a bit more effort into the act (a lot more questions so that by the end of it the person will not think so much about the validity of the questions). I would have expected them at the least to maybe register a fake domain of a bogus survey company, provide incentive for filling out the 'survey', etc. Overall, the perpetrator didn't put enough effort into their work; I give it a 2 out of 10.
| Quote: |
Dear Participant,
Your organisation has nominated you to participate in the Commonwealth Computer Usage Survey being undertaken by the
The objective of this broad survey is to gain an understanding of Australian Commonwealth service attitudes towards the use of computers. The results of this survey will be made available on the Telstra web site via your current username and password.
This survey should only take a few minutes and contains seven specific questions. This survey is being conducted between Monday 11 November and Friday 15 November. Can you please ensure that you reply to this email during this period. Please answer these questions honestly and frankly to the best of your abilities.
Simply reply to this email and answer the questions in relation to the computer you are answering them from. Please note your replies will be
treated in the strictest confidence and you will not be individually identified from the survey results.
Your participation is greatly appreciated. Thank you for your contribution
to the future of Electronic Government.
Kind regards
Glenn Bourne
Australian Bureau of Statistics
===============================================
Survey
===============================================
Q1 - Is the the computer you are answering this email from located in Commonwealth premises ?
Q2 - How often do you use this computer as part of your Government work?
Q3 - How many Government related emails would you receive in a day ?
Q4 - Does your organisation have a Security Policy regarding the use of Commonwealth email and Internet facilities and have you read it ?
Q5 - Does your Department provide home or remote access to email and Internet facilities ?
Q6 - Do you use more than one computer in undertaking your Commonwealth services ? If so where and how often
Q7 - Would you like to be contacted to participate in Government focus
groups or more detailed interviews ?
Please supply your current logon ID (username) and password to verify the integrity of the survey and to establish your access to the results on the Internet.
Thank you |
Enigman
---
Def: Language: System of organizing/defining syntax errors.
|
|
myhatisred Forum Addict


Joined: 11 Jan 2003 Posts: 313

|
Posted: Wed Feb 05, 2003 5:20 pm Post subject: |
|
|
|
Some people are stupid enough to fall for it though, so I'm sure that they got a few responses.
|
|
snootalope Forum Junky


Joined: 14 Jan 2003 Posts: 618 Location: IA _ USA

|
Posted: Wed Feb 05, 2003 6:04 pm Post subject: |
|
|
ya know.. I know people first hand that would do it.. I was thinking.. if they'd call first and ask to speak to the IT assistant and how do IT people usually answer the phone? "This is "their name" how can I help you" hang up and then use that name in the email you send to the recipient. wow.. I might have to try that
_________________ "...never put off 'til tomorrow what your wife can do today." - effortless SFDC
|
|
sickroachman Regular Member

Joined: 26 Jan 2003 Posts: 82

|
Posted: Sun Feb 09, 2003 6:18 am Post subject: |
|
|
|
Yep, some people would fall for it. I think it would be better to put 'enter a login and password' too. Most people use the same password for everything.
|
|
GSecur Trusted SF Member


Joined: 30 Sep 2002 Posts: 96

|
Posted: Fri Feb 14, 2003 3:07 pm Post subject: |
|
|
_Mhz,
I've seen the technique you're talking about. They usually just send a normal spam letter out that has an item someone would be willing to sign up for. They then ask them to create a new user name and password, and then they usually use the same password or a similar password to the one they are currently using. Their account name is unimportant because most network accounts are the same as a person's e-mail (a policy I feel has to change), e.g. bdavis@company.com, bdavis, or domain\bdavis
_________________ www.GovernmentSecurity.org www.datastronghold.com
|
|