Researchers reveal how easy it is to fall victim to social engineering

Even security professionals can get fooled by well written, targeted emails, warns Trend Micro

Receiving an email to connect to someone on LinkedIn turned out to be a social engineering experiment that Trend Micro's global field enablement vice president, Blake Sutherland, will never forget.

Speaking at a press briefing in Sydney, Sutherland revealed that when he joined the security vendor two years ago, Trend Micro researchers demonstrated how easy it would be to get him to click on a link.

Searching Google and LinkedIn, the researchers discovered that years ago as a summer student, Sutherland worked with a geophysicist who was studying the wobble modes of the Earth. The geophysicist mentioned Sutherland’s calculations in a paper.

“I got an email from a Russian geophysicist referring to the geophysicist’s paper and mentioned Dr Smiley along with the study,” he said.

The geophysicist wanted Sutherland to connect with him on LinkedIn and included a link to his profile.

“Curiosity will kill the cat every single time and I got a note from Trend Micro’s threat research saying `gotcha’,” he said.

“It was very simple and amazing that they dug up at that information about me. That wouldn’t even have shown up on my resume.”

According to Sutherland, it took the researchers two hours to craft the social engineering email.

Security threats explained: Social engineering

LinkedIn hacking: What you need to know

Fake bushfire appeal emails flagged: ACCC

Reserve Bank of Australia

Social engineering was in the news earlier this week when an Australian Financial Review story revealed that the Reserve Bank of Australia (RBA) was the victim of a targeted email-based malware.

The emails were well written, targeted to specific bank staff and utilised an embedded hyperlink to the virus payload. According to the bank, six employees clicked on the link.

“The RBA has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the bank's network or systems,” an RBA spokesperson said in a statement.

IBRS Australia advisor James Turner said the RBA case was “really interesting” as an employee raised the flag and, by all accounts, managed to intercept the virus before collateral damage occurred.

“The [RBA] employee felt it was OK to raise the flag and that points to a good security culture within the organisation,” he said.

“At the moment we view [cyber crime] as a big scary predator and we’re all getting picked off one by one.”

Turner said that companies needed to change their security culture and start working together on issues such as social engineering.

“When we can say that we are all in this together, than we can start marshalling our forces, ask why we got hit and the best practices to avoid this happening,” he said.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags social engineeringtrend microIBRSJames TurnerBlake Sutherland

More about Australian Competition and Consumer CommissionAustralian Financial ReviewAustralian Financial ReviewGoogleIBRSRBAReserve Bank of AustraliaTrend Micro Australia

Show Comments