It's interesting to see a social engineering proof of concept released in this way.
When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.
Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.
Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."
> it should be no surprise that "social engineering works."
Is it really social engineering if the employees followed the Microsoft policy, however crappy it might be? I always thought social engineering is making someone break the policy by psychological tricks.
> Is it really social engineering if the employees followed the Microsoft policy
I'd say that the attack vector is still social engineering; the difference here is that the result is not based in policy failure.
Normally we recommend that clients require their employees to attend security awareness training, in order for them to understand social engineering risks and remind them to follow the correct policies that are put in place.
In this instance, however, there is no policy being broken. My summation of the issue would be that it is a policy failure being exploited by a social engineering attack vector.
If it's exploiting human factor vulnerability as opposed to software/hardware vulnerability, it is social engineering. It's like saying "this is not a vulnerability because our software does not have a buffer overflow - it just allows anybody who enters admin/admin as login/password to have full access". It's only worse if policies are so broken that you don't even have to violate them to get unauthorized access.