Can be used to find the names of legitimate employees
Social networking websites such as Facebook can help in social engineering attacks that attempt to steal private information from companies, according to security experts.
Ian Mann of security firm ECSC said attackers who are challenged by suspicious staff can sometimes escape by simply producing the name of a legitimate employee and pretending to be with them.
“Probably the best place to find a name is Facebook,” he said.
Social engineering attacks make use of human error rather than problems with computers or software in order to steal from, damage or deface computer systems. Some are as simple as asking employees for the passwords required to access computers, while others require gaining the confidence of staff over a long period of time.
Such attacks are not always simple to prevent. “If a computer is vulnerable, you can patch it”, explained Roberto Preatoni, founder of the online cybercrime archive Zone-H. “There is no patch for human stupidity”.
“Sooner or later, each one of us will be vulnerable”, he added. Mr Preatoni speaks from experience, as his own website has been broken into and defaced on a number of occasions – including one just seven minutes after it was first launched.
Each time, the attackers stole the required information using social engineering techniques, such as pretending to be Mr Preatoni himself and asking his colleagues for passwords.
He now advocates warning employees of the potential consequences should attackers successfully break into computer systems.
“Training is not enough”, he said. “You should introduce something involving fear … fear is a primal instinct that will always override logic in the priority list in our brain”.