We’ve all heard about hackers and how much damage they can cause online, but there’s a new threat out there that’s getting a lot of attention after last month’s attacks on web hosting billing solution provider WHMCS.
It’s called social engineering, and it’s all about the art of manipulation. Whereas hackers find weaknesses in websites and exploit them, with social engineering the “hacker” manipulates people into giving up confidential information (like passwords) in order to gain access to a server or database.
A Social Engineering Case Study
On May 21, 2012, attackers targeted web hosting billing solution provider WHMCS, gaining access to the company’s main server where they were able to get WHMCS customers’ credit card details, email addresses, phone numbers, and more.
It wasn’t a hack job though – WHMCS was a victim of social engineering. In a statement posted on the WHMCS forum, one of the WHMCS developers said:
Following an initial investigation I can report that what occurred today was the result of a social engineering attack.
The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.
This means that there was no actual hacking of our server. They were ultimately given the access details.
This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.
WHMCS has turned the matter over to the FBI. In the meantime, WHMCS customers can find more information on the WHMCS blog.
What You Can Do to Protect Yourself
Since social engineering attacks exploit weaknesses in people, not in technology, things like anti-virus software, firewalls, and security scans can’t protect you.
Instead, you need to define some very specific security policies and, most importantly, make sure everyone who has access to your websites, servers, or databases knows how important the policies are and sticks to them.
For example, you should put strict security policies in place to address things like:
- Passwords: minimum length, requirements to change passwords every so many days, prohibitions on writing down passwords, complexity requirements, etc.
- Password sharing: policies to address when (if ever) passwords can be shared, with whom, and under what circumstances.
- Logging off: procedure for logging out of password-protected areas when away from your computer.
- Physical security: measures to prevent visitors or outside contractors from accessing systems to place keyloggers, etc.
- Paperwork disposal: procedure to shred or incinerate paperwork, disks, and other media that may hold information that can be used to breach security.
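The first item on that list, the password policy, is the one that can be enforced in code rather than left to memory. The following is an added example written for this article (it is not code from the original post, and has nothing to do with WHMCS or its software); the limits it uses (12 characters, three character classes, a 90-day maximum age) are assumed values chosen for illustration, not figures the article gives.

```python
# Added example: enforcing a written password policy programmatically.
# The thresholds below are illustrative assumptions, not values from the article.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int = 12         # assumed minimum length
    max_age_days: int = 90       # assumed rotation interval
    required_classes: int = 3    # of: lowercase, uppercase, digit, punctuation


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(ch in cls for ch in password))


def check_password(password: str, last_changed: date, policy: PasswordPolicy,
                   today: Optional[date] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password complies.

    `today` is injectable so the age check can be tested deterministically.
    """
    today = today or date.today()
    violations: List[str] = []

    if len(password) < policy.min_length:
        violations.append(
            f"too_short: {len(password)} chars, policy requires {policy.min_length}")

    found = character_classes(password)
    if found < policy.required_classes:
        violations.append(
            f"too_simple: {found} character classes, policy requires {policy.required_classes}")

    age_days = (today - last_changed).days
    if age_days > policy.max_age_days:
        violations.append(
            f"expired: last changed {age_days} days ago, policy allows {policy.max_age_days}")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the reference date is fixed for repeatability.
    policy = PasswordPolicy()
    ref = date(2012, 6, 1)
    for pw, changed in (("Tr0ub4dor&3xample", date(2012, 5, 1)),
                        ("password", date(2012, 1, 1))):
        problems = check_password(pw, changed, policy, today=ref)
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Running the block checks two constructed passwords against the assumed policy: the first passes, the second fails all three checks. In practice a check like this would run wherever credentials are set or rotated, so the written policy and the enforced one cannot drift apart.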
A few more tips to help protect against social engineering attacks include:
- Never include personal or financial information in an email, and don’t respond to any email that asks you for this information.
- Be wary of unsolicited phone calls or emails asking about your employees or other company information.
- Don’t provide any company information to anyone unless you know the person has the authority to receive that information.
- If someone claims to be from a legitimate company and is asking you for private information, verify their identity with that company before you respond.
- Never give out usernames, passwords, ID numbers, PIN numbers, server names, or system information unless you have express permission to do so.