Skip to content

Latest commit

 

History

History
107 lines (87 loc) · 5.69 KB

social-engineering-overview.md

File metadata and controls

107 lines (87 loc) · 5.69 KB
Raw

Social engineering overview

  • 📝 Art of convincing people to reveal confidential information
  • Exploits peoples
    • unawareness about importance of data or social engineering attacks
    • careless about protecting data
    • trust
    • fear of consequences of not providing the information
    • greed for promised gain for providing requested information
    • moral obligation sense
  • Type of footprinting.
  • 🤗 Well-known social engineering examples
    • RSA attack: $66 million loss based on e-mail with attachment exploiting zero day Flash vulnerability through an Excel macro.
    • Ubiquiti networks scam: $47 million stolen by impersonation of executives with requests to companies finance department.
    • US Department of Justice attack: One employee e-mail was hacked, then hacker pretended to be a new employee and asked for all access codes, ended up with leak of 30.000 FBI and DHS employee data
    • Yahoo Customer Account Attack: 3 billion users data was stolen and used for social engineering (e.g. if two people are connected)

Steps of social engineering

  1. Research
    • Gather enough information about the target company
    • Collected by e.g. dumpster diving, scanning, company tour, search on the internet...
  2. Select target
    • Choose a target employee
    • Some employees are more vulnerable than others
      • Easy targets also known as Rebecca and Jessica mean a person who is an easy target for social engineering such as the receptionist of a company
      • E.g. receptionists, help-desk personnel, tech support, system administrators, clients.
    • A frustrated target is more willing to reveal information
  3. Relationship
    • Earn the target employee's trust e.g. by creating a relationship
  4. Exploit
    • Extract information from the target employee

Identity theft

  • Stealing someone elses personally identifiable information to pose as that person
    • E.g. name, credit card number, social security or driver license numbers
  • Can be used to impersonate employees of a target

Steps of stealing an identity

  1. Gather targets information
    • Through e.g. bill from social networks, dumpster diving
    • Information include usually first and last name, date of birth, address, social security number, bank accounts, id card and passport numbers.
  2. Fake identity proof: get fake IDs
    • Can be driving licence, ID card, etc...
    • E.g. using stolen bills you can claim the person lost driving license and get new one to an address you choose.
  3. Fraud: spend money, unauthorized access, use ID for frauds, etc...
    • Can open new credit card accounts on the victim's name
    • Can sell identity information

Identity theft countermeasures

  • Check the credit card reports periodically
  • Safeguarding personal information at home and in the workplace
  • Verifying the legality of sources.

Impersonation on social network sites

Gaining information through social network sites

  • Information is used for spear phishing, impersonation, and identity theft.
  • Can e.g. create a fake user group "Employees of the company" in Facebook
    • Invite people to group and collect credentials such as birth date, employment/education backgrounds.
  • Can scan profile pages in LinkedIn and Twitter.

Steps of social media impersonation

  1. Gather personal information from Internet including social network sites
    • E.g. full name, date of birth, email address, residential address.
  2. Create an account that is exactly the same
  3. Carry out social engineering attacks with the account e.g.:
    • Introduce it to targets friends in a convincing way to reveal information
    • Join the target organization's employee groups where they share personal and company information.

Corporate threats from social network sites

  • Social network has vulnerable authentication as it's not isolated like corporate network.
  • The employee while communicating on social network may not take care of sensitive information.

Physical security

  • Physical measures
    • E.g. air quality, power concerns, humidity-control systems
  • Technical measures
    • E.g. smart cards and biometrics
  • Operational measures
    • E.g. policies and procedures to enforce a security-minded operation.
  • Access control
    • Biometrics
      • Something you are
      • False rejection rate (FRR)
        • When a biometric rejects a valid user
      • False acceptance rate (FAR)
        • When a biometric accepts an invalid user
      • Crossover error rate (CER)
        • Combination of the FRR ad FAR; determines how good a system is
  • Environmental disasters
    • E.g. hurricanes, tornadoes, floods.
  • See also Physical security | Information security controls

The Social-Engineer Toolkit (SET)

  • Open-source tool for Linux and macOS
  • Available in Kali Linux
  • Templates and cloning for credential harvesting
  • Functions such as website attack vectors, mass mailer attack, sms spoofing, QRCode generator, WAP attack...