Fake charity proposal wins Social Engineering Award

Today, the TREsPASS Social Engineering Award ceremony took place at the Computer Privacy and Data Protection conference in Brussels. The jury announced that the EUR 750 prize goes to... Demetris Antoniou! Congratulations!

From the jury report:

"His proposal, 'It is all about the individual', in form pays homage to the way emeritus hacker Kevin Mitnick warns his audience about security threats. Catchingly written, Antoniou’s proposal is original, feasible and extremely threatening to the victim company involved. In his entry, the author combines a number of known techniques to prey on exactly the responsible nature of perhaps the most socially-engaged employees.

The core attack vector is that company workers are sought out on their charity involvement and are time-pressured into (unwittingly) installing malware on the network. Not, as often seen, by targeting people’s curiosity or wallet, but rather their heart, identity and sense of responsibility. With a high-value target, medium investment and low risk-ratio, we find it an elegant and attractive attack for (industrial) espionage.

As the paper discusses, countermeasures are very costly. Besides strict technical measures, the company should strengthen its selection process, enforce permanent awareness and perhaps maintain online honeypots. These costly procedures would also have legal and ethical consequences. While national security agencies might have the time and resources, for most companies this would be just too much to ask. Well done!"