
Case Study: An 85% Compromise Rate through Social Engineering

Mike Krass • Friday, April 29, 2022 • 17 minutes to listen


Transcript

Opening

Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, professionals, and businesses in the cybersecurity space face in today's world. Today, we are fortunate to have Fares Mohammed joining us.

Conversation

Fares Mohammed: Hello, everybody. Thanks, Mike, for having me here with you.

Mike Krass: As we always do, let's dive right in. Tell us why you're qualified to talk about security.

Fares Mohammed: I can tell a story for myself when I until like, why I chose cybersecurity first, and then why I'm qualified for that. My background was electrical and communication systems in Yemen, in 2016 for my bachelor's. When I started working with some companies in Saudi Arabia, I loved to play games, but when you play online games, some people have the games, and they never die when you try to shoot them. You try to shoot them and do anything to win in this game, but you can't. People are saying, “Oh, he is a hacker.” So I said, “Okay, what's that mean? How can they do it?” So I researched it and found out there is a huge place they call cybersecurity, a huge field that was new back in 2017, and it is where cybersecurity. I studied for some certifications like CEH, which is for ethical hackers.

Why am I qualified?

I'm doing my master's degree in cybersecurity at Rochester Institute of Technology in New York. I got some certification for this and established some programs in my country for Yemeni students that I help them get into this field, and I teach them to guide them to build a roadmap for them. I tried to focus on building a great background for new students who want to be in cybersecurity. I brought all my experience in teaching students and I got some professional certifications from e-learning, such as regression testing.

I'm focusing on how to test the website as a white-hat hacker as what they called us. We tested the website or the application and tried to do real hat, but we didn't have the sys. We just hacked the system and reported it to the owner or the organization. I'm focusing on malware analysis, which is very interesting for. How to work with the malware is putting them in something we call a sandbox, and you look at the virus or the malware in one place. It can't hurt you or harm your system and you do a lot of experimentation on this malware and understand how the malware will fit in the system. You come up with reports about the malware itself, and I think that's what makes me qualified to talk about cybersecurity.

Mike Krass: Awesome, thank you so much. I heard a lot there that you've done undergrad work back in your home country, and you've now built programs that other students are learning from as you're also pursuing your master's at Rochester Institute of Technology. That's an awesome background that you bring into this conversation. Let's talk about a problem that you see in the security world and name one of the many problems you see that's worrying you in security today.

Fares Mohammed: The big problem is people who don't believe the hackers will get into your information by opening emails like phishing or scammers. We find it every day, and it's happening to many people. I have a nonprofit organization, and we call it the Education in Yemen, to teach students how to get a scholarship. But most of the Zoom meetings may end with what we make it as for a specific topic, but most of this, trying to make awareness about the scams, phishing, how the hackers are thinking about you and how they do a hack to get your information.

The problem is when you tell people, “Hello, there is a problem in this application. Please don't download it or don't use it.” Facebook, Instagram or other applications try to get into your phone, social media, or phone. When we try to make people aware of that, so don't open the link or don't give them permission, even though it's a trusted company like Facebook. They will look at your information, and they're going to take it off. So then, after you lose all your information, you're going to come and say, I got hacked by 1234. For phishing, some happened to me personally, and I got scams depending on the Bitcoins. When they know you are working on bitcoins or NFT, they send you a lot through your emails, Instagram, or Facebook requests. When you hit selling, they can take over your account. And here's the problem, people just click on the links when we try to teach them. Suppose you get any link, even though it's from a father, mother, brother, or anyone, you have to test it, take it, and put it on one website, which they call VirusTotal, doing a scan for the link, and it's going to tell you if it's scams or phishing or anything inside this link.

If it will show you it's clear, so you can click on it with the phone, say like you're safe if you click on it. But the problem here is people need to get a lot of awareness, and people have to understand what's going on. Nowadays, I can say we are all on our phones. You can't go anywhere without doing anything. Every time you take pictures for any place, they collect the data, and then if someone got your data, they try to get a picture from you, and then tell you, “Hey, we got some sexual pictures.” Some people tried to take a picture for you for themselves or any reason. And when they got it, they will tell you, “Okay, if you want to delete it, you have to pay for us.” The risk is you're going to go to them and pay for them. They're going to ask you the first time, and if you pay for them, they're going to ask you second, third and fourth times to pay every time for them. If they don't have money, they will come back to you and say, “Hey, we didn't delete your picture. Send us some money, or we'll send it to all your friends.” It happened to some friends I know in person. They texted me and called me on Facebook. They asked me what can they do.

Mike Krass: If I could just share what I hear one thing very clearly. But I'm also hearing a second problem that's related to it. The second thing that you didn't say directly, but I heard indirectly, was communicating issues to end-users and making awareness of those issues. The actual act of communicating and generating some awareness and education around how to protect yourself to end-users seems the number one big issue. For number two, you mentioned a problem as well as a solution to it. We've gotten into your devices, and we have compromising photos of you or send us a Bitcoin or here's a new NFT project that we're looking for sponsors or members for really what you're discussing. There are phishing emails, and it's pretty sophisticated phishing emails, depending on how much access they've gained into your different systems and accounts. The solution that I heard you mentioned was, that even if you don't work for General Electric, Airbus, or some huge Fortune 100 company, you can use VirusTotal to check links before you start putting them into your phone, tablet, or web browser on your computer. There is a solution to the problem that the average internet user can take advantage of without being protected by a corporate firewall or other corporate cybersecurity products that your employer has purchased for you.

Fares Mohammed: There is something we call social engineering to manipulate people to get to their data. In one project I did work on, they asked us to do our best to get to their system or let them click on any link or anything. So we say, okay, we will try our best. Some of us try to be like pizza delivery, and some of them try to ask how to get the permission to go to bathrooms, inside the building, and then we came up with the idea. We bought 20 flash drives, and inside is not malware; it's just a program. When you plug it into your computer, we will get a notification for your username and the IP you use on your computer. Imagine that we split 20 flash drives along with that company. We put something in the bathroom, desks and area or restaurant.

We write something as I said, Breivik flash drive or Breivik trip, to make them say, “Oh, what's inside those 20 flash drives?” There are seventeen plugging in their system in their devices inside the company. We imagine if we bought ransomware, one of these drive cards, and ransomware, you'd heard about it. If you plug it into your computer and you connect to a network for your company, it's going to spread directly to the whole network, and they're going to encrypt all your files, and then you have to pay for them. If it's happening for this company, 17 flash drives that login to their computers, and you can understand what we're talking about and what's the problem here for the awareness we have. We have to work on it, especially for the employee in positions. They don't have to click any link from outsourcing for the company or put any flash memory in the company's laptops or computers.

Mike Krass: Thank you so much. I know social engineering is a topic that comes up in other episodes. It's a big problem, and I'm still shocked that 85% of flash drives you dropped off and 17 out of 20 got plugged in. That's a huge issue. It's not a little bit. The majority of that socially engineered experiment could have resulted in compromised systems. That's a scary number, and I don't like to hear it.

Fares Mohammed: There are a lot of studies about that stuff. It's driving to create you to go cheap on it.

Mike Krass: Thank you so much for educating our listeners on the importance of communicating awareness to end-users, talking a bit about social engineering, and some of the different experiences you've had. Let's finish with the fun question. Tell us about a terrible haircut that you've had in your life.

Fares Mohammed: If I'm talking about the worst haircut, it was the first time I came to the US. I was in Atlanta, Georgia, and I only did a haircut, but my English was not that good. In the beginning, I came here to study English and my master's degree. I tried to explain to him how to make the haircut for me. I don't want to be someone who just came to the US and got a new haircut. I wanted a regular haircut, and I tried to explain to him, but then he gave me the hair. I can't ever be honest with you. He thought, “Oh, okay, you are from the Middle East region. I know how they did the haircuts,” and then he started just cutting you wasn't the seizure and everything and then surprised. He got half of my back hair, and he took it. I know what they call the faded, but it was faded, almost blonde in the down, and it's up a little bit. I told him, “Hell! No, I don't go because if you see my picture, it's like a regular haircut.” I'll go to a haircut alone the next time I take my friends, and explain what I want to him.

Mike Krass: You've got to bring some backup.

Fares Mohammed: At least he did his job well. If he can just make a lot for me. He can't tell them just to do whatever they want to do.

Mike Krass: I appreciate our conversation, and I'm sure that our listeners have as well. This is the end of the episode. I just want to thank our listeners for listening to What's the Problem, the show that explores problems that practitioners, buyers, professionals, and business folks in the cybersecurity world face in today's world.

Fares Mohammed: Thank you so much, Mike, and goodbye to all the people who had us, and I hope I gave you some idea that you can protect yourself from at least one problem we have in the cybersecurity field. Thank you, Mike. Thank you.
