Article by Ben Rothke
In Social Engineering: The Art of Human Hacking, author Christopher Hadnagy writes that when performing a social engineering test, sometimes the easiest way to get information is to simply ask for it.
In recent months, a lot of people seem to have been taking that approach as I have gotten many surveys from anomalous sources asking penetrating questions. This is in line with what a spear phishing attack does.
According to PhishMe, Inc., once in an employee’s inbox, there is a 60% probability that an untrained staff member will miss all of the indicators that the email is in fact a scam and will click on a hyperlink or open a file attachment within the email. There is no technology filter or screener that can stop that 60% from clicking.
The surveys I received came from SurveyMonkey and Zoomerang. Note that both companies have since merged.
The underlying problem is that many people who respond to these surveys are oblivious to what is going on and think that their answers are confidential and anonymous. That may be the case when a legitimate survey is done, but when a phisher is using the system, that is simply not the case.
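As an added example (not code from the article), here is a small triage script a mail-security team could run over inbound survey invitations. It flags the indicators the article describes: a link to a third-party survey service, a sender outside the organization's own domain, questions asking for credentials or employee identifiers, and a claim that responses are anonymous or confidential. The survey hostnames, the organization domain example.com, and the two sample messages are constructed for illustration; the link IDs are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hostnames of the two survey services named in the article (assumed hostnames).
SURVEY_HOSTS = {"surveymonkey.com", "zoomerang.com"}

# Things a genuine anonymous staff survey rarely needs to ask for (constructed list).
SENSITIVE_TERMS = ("password", "username", "employee id", "badge number",
                   "date of birth", "social security", "vpn", "login")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_matches(host, domains):
    """True if host equals or is a subdomain of any domain in the set."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(msg):
    """Domain part of the From header, tolerating 'Name <addr>' form."""
    return msg.get("From", "").split("@")[-1].strip("> ").lower()


def analyze(raw_email, org_domain):
    """Score a plain-text survey invitation; higher means more phishing-like."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()          # plain-text messages only in this example
    lowered = body.lower()
    reasons = []

    survey_links = [u for u in URL_RE.findall(body)
                    if host_matches(urlparse(u).hostname or "", SURVEY_HOSTS)]
    if survey_links:
        reasons.append("links to a third-party survey service")

    # An external sender pointing staff at a survey platform is the article's scenario.
    if survey_links and not host_matches(sender_domain(msg), {org_domain}):
        reasons.append("sender is outside the organization's domain")

    asked = [t for t in SENSITIVE_TERMS if t in lowered]
    if asked:
        reasons.append("asks for sensitive data: " + ", ".join(asked))

    # The article's core point: the anonymity promise is only as good as whoever runs the survey.
    if asked and ("anonymous" in lowered or "confidential" in lowered):
        reasons.append("promises anonymity while collecting identifying data")

    score = len(reasons)
    return {"score": score,
            "verdict": "suspicious" if score >= 2 else "likely benign",
            "reasons": reasons}


# Constructed sample: external sender, survey link, credential questions, anonymity claim.
PHISHY = """From: HR Benefits <hr-survey@example-benefits.net>
Subject: 2-minute benefits survey
Content-Type: text/plain

Your answers are completely anonymous and confidential.
To verify eligibility, please enter your employee ID and network password.
https://www.surveymonkey.com/r/PLACEHOLDER-ID
"""

# Constructed sample: internal sender, survey link, only a satisfaction question.
BENIGN = """From: IT Service Desk <it@example.com>
Subject: Help us improve the service desk
Content-Type: text/plain

Please rate your last support ticket on a scale of 1 to 5.
https://www.surveymonkey.com/r/PLACEHOLDER-ID
"""

if __name__ == "__main__":
    for name, sample in (("phishy", PHISHY), ("benign", BENIGN)):
        print(name, analyze(sample, "example.com"))
```

The script deliberately does not block on a survey link alone, since many organizations run legitimate surveys through these services; it is the combination of an outside sender, requests for identifying data and an anonymity promise that should route the message to a human reviewer.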
Here is a quick example of how this attack is done...
Download the full analysis here: