On my way in to work this morning I heard a fairly disturbing news report about criminals using basic social engineering techniques to get family members of US military personnel deployed to Iraq and Afghanistan to divulge the servicemen and women’s personal information. Here’s how the attack played out:
The criminal obtains a list of members of a specific unit or command and tracks down the phone numbers of family members of those soldiers. The criminal then calls the family member and states that they are calling from the Red Cross and that their son/daughter/spouse has been injured in the course of performing their duties. The criminal then states that in order for the Red Cross to be able to transport the service member to a military hospital in Germany, the Red Cross needs to verify the Social Security Number and date of birth of the injured soldier. While the family member is upset, they quickly give out the information to ensure that their loved one gets the medical attention they need. At this point, the criminal has all the information they need to begin the identity theft that we hear so much about.
This type of attack, while completely abhorrent, has worked numerous times. I have not been able to find any conclusive data on how many people have been affected, nor do I think it is important for the purposes of this blog. What is important, though, is to consider a couple of things.
1.) The Red Cross would never contact a military member’s family directly, without going through military channels.
2.) The Red Cross or military would never need to verify that type of information in order to proceed with medical attention.
3.) No person should ever give out that type of information over the phone, especially if you did not initiate the call.
What really interests me, though, is the creativity of the attack. It plays on emotion to be successful. Whether you are for the war or against it doesn’t matter; everyone should be able to agree that it is an emotional subject, especially when talking about a loved one. The lesson to learn from this is simple. Guard your personal identity very closely. This example only strengthens the notion that criminals will do very nasty things to get access to your information. This is a business to them…a very profitable business at that.
We know that the average consumer will always choose the metaphorical “Dancing Bear” when confronted with these types of attacks. At MSI, we have refined our services to include rigorous social engineering exercises for our clients. While we have seen improvement in the security posture of our clients’ user base (at least the ones who have taken advantage of the service offerings), there is a part of me that believes that those users aren’t taking the knowledge we are giving them and applying it to their personal lives. For the ones who are, we commend you and hope you continue to interact with the masses in a secure way. We would love to not hear any more of these types of stories. Unfortunately, we truly believe that this current trend of identity theft is only going to continue, at least until the “average Joe” begins to understand the threat.