And it works more times than you might assume.
The most recent case: the coordinated attack against computer networks run by Google and at least 20 other big companies. In what's since become known as Operation Aurora, corporate computer systems were penetrated after users innocently called up malicious web pages that they believed to be legitimate. At Google, the target reportedly was a company program, code-named Gaia, which controlled worldwide user access to e-mail and business applications.
Reviewing the incident, cybersecurity officials familiar with the scenario note that it's become increasingly common for employees to inadvertently infect their machines after accessing Web sites booby-trapped with malicious code. At that point, they say, it's point, set, match, with intruders able to steal passwords, impersonate real co-workers and waltz past a company's network defenses without much trouble.
"You can be smart and still get social-engineered," said Dave Marcus, the director of Security Research at McAfee. "They know what your hobbies are and what you're surfing."
With the growing popularity of social networking and a Web 2.0 culture that more readily accepts openness, Marcus said the downside is that cyber criminals can more easily harvest personal data in preparing an attack.
"It is one of the most difficult things to protect people against when someone knows about your habits, your likes and your dislikes," he said. "When they send you a message, there's a good chance that you'll click it. What you had with Aurora was some pretty sophisticated profiling of companies and the victims. When you're doing that level of reconnaissance, your measure of success goes up. They knew who they were targeting."
Mitnick: Nothing New Under the Sun
So much for building up supposedly impregnable - and expensive - network security systems. But to hacker-turned-consultant Kevin Mitnick, who helped popularize social engineering as a computer security term, there's little new under the sun.
"I'm not surprised. When I was on the dark side, I was doing the same thing - except that I was going after source code for cell phones," Mitnick said in an interview with CBSNews.com. "Everyone seems surprised that they're trying to take source code. I was taking it 20 years ago. People must have forgotten."
In the 1980s and early 1990s, Mitnick gained notoriety for duping employees and gaining illegal entry to corporate computer networks. After a warrant was issued for his arrest, Mitnick became a fugitive for two and a half years. He was finally arrested in 1995 and served five years in prison.
The attack against Google and other companies naturally raises another uncomfortable question: are intruders getting smarter or are people getting dumber - or more likely, a combination of the two - when it comes to computer security?
"Some people are just busy and aren't always thinking about security when they are attacked," said SophosLabs's U.S. manager, Richard Wang. "Remember that attackers only need to find one person who falls for the social engineering."
While network defenses have improved in the last couple of decades, systems are only as strong as their weakest link, the individual employee. And as a new generation of cybercriminals has become more sophisticated about how to manipulate them into giving up protected information, the stakes have become even higher.
A 2007 GAO report didn't waste time with euphemisms: "Cybercrime has significant economic impacts and threatens U.S. national security interests." The fact is that cybercrime pays, with financial data remaining the favored target of cybergangs. The most recently available FBI study put the annual loss due to cybercrime in the U.S. at more than $67 billion. It often comes down to a combination of social engineering and tricking a target into opening a document or visiting a web site with malicious code.
"Attackers are getting smarter and this will continue to go on and on and on," Mitnick said. "Attackers find out who is in a particular circle of trust, who they communicate with - and you have social networks to look that up - and then they strike."
"Back in my day, we broke in by attacking services that were exposed by servers," Mitnick recalled. "They had firewalls but we looked for vulnerabilities and tried to exploit them. Now, things have shifted to apps, or code by company employees that was done improperly."
"This stuff isn't new," he said.