Skype is Open to Social Engineering !!!

I still believe the easiest way to attack a network is by social engineering. A threat never taken so seriously by organizations. In fact they think it’s too trivial and does not need to be paid so much attention to. The bad news is that social engineering is still one of the most effective ways for hackers to get in to a network. They need no tools and no Trojans and they can only use their soft skills to talk the employees of an organization into doing something to the hacker’s benefits. I read on the news yesterday that Skype is one of the companies open to social engineering. As a matter of fact, their support team is so novice that can change a user’s password only by making a phone call. Yes, it is as easy as it sounds. You can also try it. All it takes is to call Skype support desk and request for a new password. Then you will need to prove the ownership of the account by giving them 5 contacts connected to that account. Now the question is, how difficult do you think it is to guess those 5 contacts? Let’s say you want to request to change your friend’s account’s password and you are trying to social engineer the Skype support desk. I think all of you probably know 5 contacts on your friend’s Skype account. You probably have a lot of common friends. Once you let the support desk know about the connections, they will change the password for you to whatever you wish. That is what social engineering sounds like. Scary… huh? Were there any tools involved? Absolutely not. All it took was a phone call and pretending to be someone else. There are a lot of these examples here and there in every organization that should be addressed more seriously by top management. The first thing companies should do is educating the users about such threats and having strict policies and workflows for sensitive processes within organizations. I had a talk about a year ago which part of it was about social engineering. I thought you might want to have a look at the slides deck: Cheers

Leave a Reply

Your email address will not be published. Required fields are marked *