
Cehv8 - Module 09: Social Engineering.

cehv8
Module 9: Social Engineering

Download here:
CCNAv5:
ccna5vn.wordpress.com
Cehv8:
cehv8vn.blogspot.com

Published in: Education


  1. Module 09
  2. Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker. Social Engineering, Module 09. Engineered by Hackers. Presented by Professionals. CEH: Ethical Hacking and Countermeasures V8, Module 09: Social Engineering, Exam 312-50. Module 09 Page 1293. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News: Cybercriminals Use Social Engineering Emails to Penetrate Corporate Networks (September 25, 2012)

     Source: http://biztech2.in.com

     FireEye, Inc. has announced the release of "Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data," a report that identifies the social engineering techniques cybercriminals use in email-based advanced cyber-attacks. According to the report, there are a number of words cybercriminals use to create a sense of urgency to trick unsuspecting recipients into downloading malicious files. The top word category used to evade traditional IT security defenses in email-based attacks relates to express shipping. According to recent data from the FireEye "Advanced Threat Report," for the first six months of 2012, email-based attacks increased 56 percent. Email-based advanced cyber-attacks easily bypass traditional signature-based security defenses, preying on naive users to install malicious files.

     "Cybercriminals continue to evolve and refine their attack tactics to evade detection and use techniques that work. Spear phishing emails are on the rise because they work," said Ashar Aziz, Founder and CEO, FireEye. "Signature-based detection is ineffective against these constantly changing advanced attacks, so IT security departments need to add a layer of advanced threat protection to their security defenses."

  4. "Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data" explains that express shipping terms are included in about one quarter of attacks, including "DHL," "UPS," and "delivery." Urgent terms such as "notification" and "alert" are included in about 10 percent of attacks. An example of a malicious attachment is "UPS-Delivery-Confirmation-Alert_April-2012.zip." The report indicates that cybercriminals also tend to use finance-related words, such as the names of financial institutions and an associated transaction such as "Lloyds TSB - Login Form.html," and tax-related words, such as "Tax_Refund.zip." Travel and billing words including "American Airlines Ticket" and "invoice" are also popular spear phishing email attachment key words.

     Spear phishing emails are particularly effective as cybercriminals often use information from social networking sites to personalize emails and make them look more authentic. When unsuspecting users respond, they may inadvertently download malicious files or click on malicious links in the email, allowing criminals access to corporate networks and the potential exfiltration of intellectual property, customer information, and other valuable corporate assets. The report highlights that cybercriminals primarily use zip files in order to hide malicious code, but also ranks additional file types, including PDFs and executable files.

     "Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data" is based on data from the FireEye Malware Protection Cloud, a service shared by thousands of FireEye appliances around the world, as well as direct malware intelligence uncovered by its research team. The report provides a global view into email-based attacks that routinely bypass traditional security solutions such as firewalls and next-generation firewalls, IPSs, antivirus, and gateways.

     Copyright © 2011, Biztech2.com - A Network 18 Venture. Author: Biztech2.com Staff. http://biztech2.in.com/news/security/cybercriminals-use-social-engineering-penetrate-corporate-networks/144232/0
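The report's finding that lures cluster around a few word categories (shipping, urgency, finance, tax, travel/billing) and that malicious code usually travels in zip archives can be turned into a simple mail-gateway triage heuristic. The following Python is an added example written for this page, not FireEye's or EC-Council's code; the category weights, the threshold and the sample messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail attachments.

Added example: scores a (subject, attachment name) pair using the lure-word
categories named in the quoted FireEye report and the report's note that zip
archives are the primary carrier, with PDFs and executables also ranked.
Weights, threshold and samples are constructed, not taken from the report.
"""
import re
from dataclasses import dataclass

# Lure-word categories; the words are those the report text names.
LURE_WORDS = {
    "shipping": {"dhl", "ups", "delivery"},
    "urgency": {"notification", "alert", "urgent"},
    "finance": {"login", "form", "lloyds", "tsb", "bank"},
    "tax": {"tax", "refund"},
    "travel_billing": {"ticket", "airlines", "invoice"},
}

# Container risk by final extension (constructed weights).
CONTAINER_RISK = {
    ".zip": 3, ".rar": 3, ".7z": 3,
    ".exe": 4, ".scr": 4, ".js": 4,
    ".pdf": 2, ".html": 2, ".htm": 2,
}

EXECUTABLE = {".exe", ".scr", ".js"}
DOCUMENT_LOOKING = {".pdf", ".doc", ".docx", ".html", ".htm"}


@dataclass(frozen=True)
class Verdict:
    score: int
    categories: tuple   # lure categories matched, sorted
    container: str      # final extension, lowercased ("" if none)
    double_ext: bool    # e.g. "Invoice.pdf.exe"
    action: str         # "quarantine", "review" or "allow"


def tokens(text: str) -> set:
    """Lowercase and split on anything that is not a letter or digit."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def extensions(filename: str) -> list:
    """All dotted suffixes, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage(subject: str, attachment: str, threshold: int = 5) -> Verdict:
    """Score one message; categories count once each, regardless of word count."""
    words = tokens(subject) | tokens(attachment)
    matched = tuple(sorted(c for c, vocab in LURE_WORDS.items() if words & vocab))
    exts = extensions(attachment)
    container = exts[-1] if exts else ""
    # A document-looking suffix in front of an executable one is itself a lure.
    double_ext = (len(exts) >= 2 and exts[-1] in EXECUTABLE
                  and exts[-2] in DOCUMENT_LOOKING)
    score = CONTAINER_RISK.get(container, 0) + 2 * len(matched) + (3 if double_ext else 0)
    if score >= threshold:
        action = "quarantine"
    elif score >= 3:
        action = "review"
    else:
        action = "allow"
    return Verdict(score, matched, container, double_ext, action)


# Constructed samples; the first three attachment names are the report's own examples.
SAMPLES = [
    ("UPS Delivery Notification", "UPS-Delivery-Confirmation-Alert_April-2012.zip"),
    ("Your online banking", "Lloyds TSB - Login Form.html"),
    ("Tax refund notice", "Tax_Refund.zip"),
    ("Q3 figures", "quarterly_report.pdf"),
    ("Invoice attached", "Invoice.pdf.exe"),
]

if __name__ == "__main__":
    for subject, name in SAMPLES:
        v = triage(subject, name)
        print(f"{v.action:10} score={v.score} cats={list(v.categories)} {name}")
```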
  5. Module Objectives

     The information contained in this module lays out an overview of social engineering. While this module points out fallacies and advocates effective countermeasures, the possible ways to extract information from another human being are restricted only by the ingenuity of the attacker's mind. While this aspect makes it an art, and the psychological nature of some of these techniques makes it a science, the bottom line is that there is no defense against social engineering; only constant vigilance can circumvent some of the social engineering techniques that attackers use.

     This module will familiarize you with:
     - What Is Social Engineering?
     - Factors that Make Companies Vulnerable to Attacks
     - Warning Signs of an Attack
     - Phases in a Social Engineering Attack
     - Common Targets of Social Engineering
     - Human-based Social Engineering
     - Computer-based Social Engineering
     - Mobile-based Social Engineering
     - Social Engineering Through Impersonation on Social Networking Sites
     - Identity Theft
     - Social Engineering Countermeasures
     - How to Detect Phishing Emails
     - Identity Theft Countermeasures
     - Social Engineering Pen Testing
  6. Module Flow

     As mentioned previously, there is no security mechanism that can stop attackers from performing social engineering other than educating victims about social engineering tricks and warning them about its threats. So, now we will discuss social engineering concepts.

     Module flow: Social Engineering Concepts; Social Engineering Techniques; Impersonation on Social Networking Sites; Identity Theft; Social Engineering Countermeasures; Penetration Testing.

     This section describes social engineering and highlights the factors that leave an organization vulnerable to attacks, as well as the impact of social engineering on an organization.
  7. What Is Social Engineering?

     - Social engineering is the art of convincing people to reveal confidential information.
     - Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
     - What the attacker gathers: confidential information, authorization details, access details.

     Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. With the help of social engineering tricks, attackers can obtain confidential information, authorization details, and access details of people by deceiving and manipulating them. Attackers can easily breach the security of an organization using social engineering tricks. All security measures adopted by the organization are in vain when employees get "social engineered" by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging in front of co-workers. Most often, people are not even aware of a security lapse on their part. Chances are that they divulge information to a potential attacker inadvertently. Attackers take special interest in developing social engineering skills, and can be so proficient that their victims might not even realize that they have been scammed. Despite having security policies in place, organizations can be compromised because social engineering attacks target the willingness of people to be helpful.

     Attackers are always looking for new ways to gather information; they make sure that they know the perimeter and the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities. For instance, upon seeing a man dressed in a uniform and carrying a stack of packages for delivery, any individual would take him to be a delivery person.

  8. Companies list their employee IDs, names, and email addresses on their official websites. Alternatively, a corporation may put advertisements in the paper for high-tech workers who are trained on Oracle databases or UNIX servers. These bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.
  9. Behaviors Vulnerable to Attacks

     - The human nature of trust is the basis of any social engineering attack.
     - Ignorance about social engineering and its effects among the workforce makes the organization an easy target.
     - Social engineers might threaten severe losses in case of non-compliance with their request.
     - Social engineers lure the targets to divulge information by promising something for nothing.
     - Targets are asked for help and they comply out of a sense of moral obligation.

     An attacker can take advantage of the following behaviors and traits of people to commit social engineering attacks. These behaviors are the vulnerabilities that social engineering attacks exploit:
     - The human nature of trust itself becomes the main basis for these social engineering attacks. Companies should take the proper initiative in educating employees about possible vulnerabilities and about social engineering attacks so that employees will be cautious.
     - Sometimes social engineers go to the extent of threatening targets in case their requests are not accepted.
     - When things don't work out with threatening, they lure the target by promising them various kinds of things like cash or other benefits. In such situations, the target might be lured and there is the possibility of leaking sensitive company data.
     - At times, targets even cooperate with social engineers due to social obligations.
     - Ignorance about social engineering and its effects among the workforce makes the organization an easy target.
     - The person can also reveal sensitive information in order to avoid getting in trouble for not providing it, as he or she may think that withholding it would affect the company's business.
  10. Factors that Make Companies Vulnerable to Attacks

     - Insufficient Security Training
     - Easy Access of Information
     - Lack of Security Policies
     - Several Organizational Units

     Social engineering can be a great threat to companies. It is not predictable. It can only be prevented by educating employees about social engineering and the threats associated with it. There are many factors that make companies vulnerable to attacks. A few factors are mentioned as follows:

     Insufficient Security Training: It is the minimum responsibility of any organization to educate its employees about various security aspects, including the threats of social engineering, in order to reduce its impact on the company. Unless employees have knowledge of social engineering tricks and their impact, they don't even know if they have been targeted. Therefore, it is advisable that every company educate or train its employees about social engineering and its threats.

     Lack of Security Policies: Security standards should be raised drastically by companies to bring awareness to employees. Take extreme measures related to every possible security threat or vulnerability. A few measures such as a password change policy, access privileges, unique user identification, centralized security, and so on can be beneficial. You should also implement an information sharing policy.

  11. Easy Access of Information: For every company, one of the main assets is its database. Every company must protect it by providing strong security. It is to be kept in view that easy access to confidential information should be avoided. Employees' access to information has to be restricted to some extent. Key persons of the company who have access to sensitive data should be highly trained and proper surveillance has to be maintained.

     Several Organizational Units: It is easy for an attacker to grab information about various organizational units that is mentioned on the Internet for advertisement or promotional purposes.
  12. Why Is Social Engineering Effective?

     - Security policies are as strong as their weakest link, and humans are the most susceptible factor.
     - It is difficult to detect social engineering attempts.
     - There is no method to ensure complete security from social engineering attacks.
     - There is no specific software or hardware for defending against a social engineering attack.

     The following are the reasons why social engineering is so effective:
     - Despite the presence of various security policies, you cannot prevent people from being socially engineered, since the human factor is the most susceptible one.
     - It is difficult to detect social engineering attempts. Social engineering is the art and science of getting people to comply with an attacker's wishes. Often this is the way that attackers get a foot inside a
     - No method can guarantee complete security from social engineering attacks.
     - No hardware or software is available to defend against social engineering attacks.
  13. Warning Signs of an Attack

     Internet attacks have become a business, and attackers are constantly attempting to invade networks.

     Although it is not possible to detect social engineering attempts with certainty, you can still identify them by observing the behavior of the social engineer. The following are warning signs of social engineering attempts. If someone is doing the following things with you, beware! It might be a social engineering attempt:
     - Shows inability to give a valid callback number
     - Makes informal requests
     - Claims authority and threatens if information is not provided
     - Shows haste and drops a name inadvertently
     - Unusually compliments or praises
     - Shows discomfort when questioned
  14. Phases in a Social Engineering Attack

     - Research on target company: dumpster diving, websites, employees, tour of the company, etc.
     - Select victim: identify the frustrated employees of the target company.
     - Develop relationship: develop a relationship with the selected employees.
     - Exploit the relationship: collect sensitive account information, financial information, and current technologies.

     The attacker performs social engineering in the following sequence.

     Research the target company: The attacker, before actually attacking any network, gathers information in order to find possible ways to enter the target network. Social engineering is one such technique to grab information. The attacker initially carries out research on the target company to find basic information such as kind of business, organization location, number of employees, etc. During this phase, the attacker may conduct dumpster diving, browse through the company website, find employee details, etc.

     Select victim: After performing in-depth research on the target company, the attacker chooses the key victim to exploit in order to grab sensitive and useful information. Disgruntled employees of the company are a boon to the attacker. The attacker tries to find these employees and lure them to reveal their company information. As they are dissatisfied with the company, they may be willing to leak or disclose sensitive data of the company to the attacker.

  15. Develop the relationship: Once such employees are identified, attackers try to develop relationships with them so that they can extract confidential information from them. Then they use that information for further information extraction or to launch attacks.

     Exploit the relationship: Once the attacker builds a relationship with the employees of the company, the attacker tries to exploit the relationship of the employee with the company and tries to extract sensitive information such as account information, financial information, current technologies used, future plans, etc.
  16. Impact on the Organization

     - Economic Losses
     - Loss of Privacy
     - Damage of Goodwill
     - Temporary or Permanent Closure
     - Lawsuits and Arbitrations
     - Dangers of Terrorism

     Though social engineering doesn't seem to be a serious threat, it can lead to great loss for a company. The various forms of loss caused by social engineering include:

     Economic losses: Competitors may use social engineering techniques to steal information such as future development plans and a company's marketing strategy, which in turn may inflict great economic losses on a company.

     Damage of goodwill: The goodwill of an organization is important for attracting customers. Social engineering attacks may leak sensitive organizational data and damage the goodwill of an organization.

     Loss of privacy: Privacy is a major concern, especially for large organizations. If an organization is unable to maintain the privacy of its stakeholders or customers, then people may lose trust in the company and may not want to continue with the organization. Consequently, the organization could face loss of business.

  17. Dangers of terrorism: Terrorism and anti-social elements pose a threat to an organization's people and property. Social engineering attacks may be used by terrorists to make a blueprint of their target.

     Lawsuits and arbitration: Lawsuits and arbitration result in negative publicity for an organization and affect the business's performance.

     Temporary or permanent closure: Social engineering attacks that result in loss of goodwill and in lawsuits and arbitration may force a temporary or permanent closure of an organization and its business activities.
  18. "Rebecca" and "Jessica"

     - Attackers use the terms "Rebecca" and "Jessica" to imply social engineering attacks.
     - They commonly use these terms in their attempts to "socially engineer" victims.
     - Rebecca or Jessica means a person who is an easy target for social engineering, such as the receptionist of a company.

     Examples:
     - "There was a Rebecca at the bank, and I am going to call her to extract privileged information."
     - "I met Ms. Jessica; she was an easy target for social engineering."
     - "Do you have any Rebeccas in your company?"
  19. Common Targets of Social Engineering

     - Receptionists and Help Desk Personnel
     - Technical Support Executives
     - System Administrators
     - Users and Clients
     - Vendors of the Target Organization

     Receptionists and Help Desk Personnel: Social engineers generally target service desk or help desk personnel of the target organization and try to trick them into revealing confidential information about the company.

     Technical Support Executives: Technical support executives can be one of the targets of social engineers, who may call them and try to obtain sensitive information by pretending to be a higher-level management administrator, customer, vendor, etc.

     System Administrators: Social engineers know that the system administrator is the person who maintains the security of the organization. The system administrator is responsible for maintaining the systems in the organization and may know information such as administrator account passwords. If the attacker is able to trick him or her, then the attacker can get useful information. Therefore, system administrators may also be the target of attackers.

  20. Users and Clients: An attacker may call users and clients by pretending to be a tech support person and may try to extract sensitive information.

     Vendors of the Target Organization: Sometimes, a social engineer may also target vendors to gain confidential information about the target organization.
  21. Common Targets of Social Engineering: Office Workers

     - Despite having the best firewall, intrusion-detection, and antivirus systems, you are still hit with security breaches.
     - Attackers can attempt social engineering attacks on office workers to extract sensitive data, such as security policies, sensitive documents, office network infrastructure, and passwords.

     Security breaches are common in spite of organizations employing antivirus systems, intrusion detection systems, and other state-of-the-art security technology. Here the attacker tries to exploit employees' attitudes regarding maintaining the secrecy of an organization's sensitive information. Attackers might attempt social engineering attacks on office workers to extract sensitive data such as:
     - Security policies
     - Sensitive documents
     - Office network infrastructure
     - Passwords

  22. FIGURE 09.1: Targets of Social Engineering. The attacker, posing as a valid employee, makes an attempt to gather information from the staff of a company; the victim employee gives information back, assuming the attacker to be a valid employee.
23. Module Flow

So far we have discussed social engineering concepts and how social engineering can be used to launch attacks against an organization. Now we turn to social engineering techniques. The module's sections are: Social Engineering Concepts; Social Engineering Techniques; Impersonation on Social Networking Sites; Identity Theft; Social Engineering Countermeasures; and Penetration Testing. This section covers the types of social engineering and gives examples of each.
24. Types of Social Engineering

In a social engineering attack, the attacker uses social skills to trick the victim into disclosing personal information such as credit card numbers, bank account numbers and phone numbers, or confidential information about their organization or computer system, and then uses it to launch an attack or commit fraud. Social engineering can be broadly divided into three types:

- Human-based social engineering: attacks that exploit the trust, fear and helpfulness of people; sensitive information is gathered through direct interaction.
- Computer-based social engineering: carried out with the help of computers and Internet systems.
- Mobile-based social engineering: carried out with the help of mobile applications.

Human-based social engineering

Human-based social engineering involves human interaction in one form or another. By interacting with the victim, the attacker gathers the desired information about an organization. For example, by impersonating an IT support technician the attacker can gain access to the server room. The attacker can perform human-based social engineering by:

- Posing as a legitimate end user
- Posing as an important user
- Posing as technical support
25. Computer-based social engineering

Computer-based social engineering depends on computers and Internet systems to carry out the targeted action. The attacker can perform computer-based social engineering by:

- Phishing
- Fake email
- Pop-up window attacks

Mobile-based social engineering

Mobile-based social engineering is carried out with the help of mobile applications. Attackers build malicious applications with attractive features and names similar to those of popular applications and publish them in the major app stores; users who download such an application are infected with malware. The attacker can perform mobile-based social engineering by:

- Publishing malicious apps
- Repackaging legitimate apps
- Fake security applications
- Using SMS
26. Human-based Social Engineering

The slide contrasts three pretexts: posing as a legitimate end user (give an identity and ask for the sensitive information), posing as an important user (a VIP of the target company, a valuable customer, etc.) and posing as technical support (call as technical support staff and request IDs and passwords "to retrieve data").

In human-based social engineering the attacker interacts with the victim directly, person to person, and collects sensitive information. The attacker works on the victim's psychology, using fear or trust, and the victim hands over sensitive or confidential information.

Posing as a Legitimate End User

An attacker might impersonate an employee and then resort to unusual methods to gain access to privileged data. He or she may give a fake identity and ask for sensitive information. Another variant is a "friend" of an employee trying to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original "favor" is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation on a daily basis: employees help one another, expecting a favor in return. Social engineers try to take advantage of this social trait via impersonation.

Example: "Hi! This is John, from Department X. I have forgotten my password. Can I get it?"
27. Posing as an Important User

Impersonation is taken a step further by assuming the identity of an important employee, which adds an element of intimidation. Reciprocation also plays a role here: lower-level employees may go out of their way to help a higher-level employee, hoping the favor earns them positive attention in the corporate environment. Another behavioral tendency that aids a social engineer is people's inclination not to question authority. An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee, and the technique becomes all the more attractive when the attacker treats getting away with impersonating an authority figure as a challenge. For example, a help desk employee is less likely to turn down a request from a "vice president" who says he or she is pressed for time and needs some important information for a meeting. The social engineer may use the assumed authority to intimidate, or may even threaten to report employees to their supervisor if they do not provide the requested information.

Example: "Hi! This is Kevin, the CFO secretary. I'm working on an urgent project and lost my system password. Can you help me out?"
28. Posing as Technical Support

Another technique has the attacker masquerade as a technical support person, which works particularly well when the victim is not proficient in technical matters. The attacker may pose as a hardware vendor, a technician or a computer-accessories supplier when approaching the victim. In one demonstration at a hacker meeting, the speaker called a Starbucks and asked the employee whether the store's broadband connection was working correctly. The perplexed employee replied that it was the modem that was giving them trouble. The attacker, without offering any credentials, went on to get the employee to read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including the password, in order to sort out a nonexistent problem.

Example: "Sir, this is Mathew, technical support at X company. Last night we had a system crash here, and we are checking for lost data. Can you give me your ID and password?"
29. Technical Support Examples

Example 1: A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network.

Example 2: An attacker sends a product inquiry email to John, a salesperson at the target company, and receives an automatic reply saying that John is out of the office travelling overseas. Using this, the attacker impersonates John and calls the target company's tech support number asking for help resetting his password, because he is overseas and cannot access his email. If the technician believes the attacker, he resets the password on the spot, giving the attacker access to John's email and, if John reused the password, to other network resources as well. Then the attacker can also access
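Both examples above succeed because the help desk lets the caller choose how identity is verified and where the new credential ends up (read out over the phone, or sent to whatever number "overseas" the caller supplies). The following is an added example, not part of the CEH courseware or any product: a reset routine that calls back only the number on record and delivers the temporary password only to the mailbox on record. The directory entries, phone numbers and addresses are constructed for the example; callback, deliver and audit are injected so the logic runs offline.

```python
"""Help-desk password reset that does not let the caller pick the channel.
Added example, not CEH courseware.  All names, numbers and addresses are
constructed for the example."""
import secrets
from dataclasses import dataclass


@dataclass
class Decision:
    granted: bool
    reason: str


# Constructed directory standing in for the HR / identity system of record.
DIRECTORY = {
    "john.doe": {
        "phone_on_record": "+1-202-555-0100",
        "email_on_record": "john.doe@example.org",
    },
}


def reset_password(username, number_offered_by_caller, directory, callback, deliver, audit):
    """Decide one reset request.

    callback(number, code) -> bool : place a voice call to `number`, read out
                                     `code`, return True if the person who answers
                                     reads it back to the help desk.
    deliver(address, secret)       : send the temporary credential to `address`.
    audit(line)                    : append a line to the help-desk log.
    """
    record = directory.get(username)
    if record is None:
        audit(f"DENY {username!r}: not in directory")
        return Decision(False, "unknown user")

    # The caller never chooses the verification channel.  "I'm overseas, use
    # this number instead" is exactly the out-of-office pretext in example 2.
    if number_offered_by_caller and number_offered_by_caller != record["phone_on_record"]:
        audit(f"DENY {username!r}: caller offered {number_offered_by_caller}, "
              f"record has {record['phone_on_record']}")
        return Decision(False, "callback number must be the one on record")

    code = f"{secrets.randbelow(10**6):06d}"
    if not callback(record["phone_on_record"], code):
        audit(f"DENY {username!r}: callback to number on record not confirmed")
        return Decision(False, "callback verification failed")

    # Even after verification the credential is never spoken over the phone:
    # it goes to the mailbox on record, so a caller who talked past the
    # callback still learns nothing from the help desk itself.
    temp_password = secrets.token_urlsafe(12)
    deliver(record["email_on_record"], temp_password)
    audit(f"GRANT {username!r}: temporary password sent to {record['email_on_record']}")
    return Decision(True, "temporary password sent to address on record")


def run_scenario(caller_offers_own_number):
    """Simulate one call.  Only the real John answers John's phone, so the
    callback can only succeed when it is placed to the number on record."""
    log, delivered = [], []
    phones_answered_by_owner = {"+1-202-555-0100"}  # constructed

    def callback(number, code):
        return number in phones_answered_by_owner  # the owner reads the code back

    def deliver(address, secret):
        delivered.append((address, secret))

    offered = "+44-20-7946-0000" if caller_offers_own_number else None
    decision = reset_password("john.doe", offered, DIRECTORY, callback, deliver, log.append)
    return decision, delivered, log


if __name__ == "__main__":
    for attacker in (True, False):
        print("attacker" if attacker else "employee", *run_scenario(attacker))
```

The sob story in example 1 is handled by the same structure: there is no branch in which sympathy, urgency or a threatened deadline changes the channel, and every denial leaves an audit line that a later investigation can correlate with the out-of-office reply.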
30. Authority Support Example

"Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
31. Authority Support Example (Cont'd)

"Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
32. Authority Support Example (Cont'd)

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system."

Using professional-sounding terms like HVAC (heating, ventilation and air conditioning) may add just enough credibility to an intruder's masquerade to let him or her gain access to the targeted secured resource.
33. Human-based Social Engineering: Eavesdropping and Shoulder Surfing

Human-based social engineering refers to person-to-person communication used to retrieve the desired data; the attacker gathers information from other people through a number of techniques, including:

Eavesdropping

Eavesdropping is the unauthorized listening to conversations between people or the unauthorized reading of messages. It includes the interception of any form of communication, whether audio, video or written, and can also be carried out over communication channels such as telephone lines, email and instant messaging.

Shoulder Surfing

Shoulder surfing uses direct observation, such as looking over someone's shoulder while the person enters a password, PIN, account number or other personal information. The observer may stand directly behind the victim or watch from a longer distance with the aid of vision-enhancing devices such as binoculars.
34. Human-based Social Engineering: Dumpster Diving

Dumpster diving is looking for treasure in someone else's trash. The attacker searches the organization's trash for data such as access codes, passwords written on sticky notes, phone lists, calendars, contact and financial information and organizational charts, which can be used to steal an identity or to launch an attack on the target's network.
35. Human-based Social Engineering: In Person, Third-party Authorization and Tailgating

In Person

Attackers might visit a target site and physically survey the organization for information. A great deal can be gleaned from the tops of desks, the trash, or even phone directories and nameplates. Attackers may disguise themselves as a courier or delivery person or a janitor, or simply hang around the lobby as a visitor; they can also pose as a businessperson, client or technician. Once inside, they look for passwords on terminals and important papers lying on desks, or try to overhear confidential conversations. In-person social engineering includes surveying a target company to collect information on:

- Current technologies implemented in the company
- Contact information of employees, and so on

Third-party Authorization

Another popular technique is for attackers to present themselves as agents authorized by some authority figure to obtain information on that person's behalf. For instance, knowing who is responsible for granting access to the desired information, an attacker might keep tabs on him or her and use the individual's absence to obtain the needed data: the attacker approaches the help desk or other personnel claiming to have that person's approval to access the information. This is particularly effective if the person is on vacation or out of town, so that verification is not immediately possible. Even if there is a hint of suspicion about the authenticity of the request, people tend to overlook it in order to be helpful in the workplace, and tend to assume that others are expressing their true intentions when they make a statement. The attacker refers to an important person in the organization to try to collect data, for example: "Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?"

Tailgating

An unauthorized person wearing a fake ID badge enters a secured area by closely following an authorized person through a door that requires key access. The authorized person may not even be aware of having let the unauthorized person into the secured area. The term is also used for the electronic equivalent: attaching to a computer in the same session as, and under the same rightful identification as, another user whose session has been interrupted.
37. Human-based Social Engineering (Cont'd): Reverse Social Engineering and Piggybacking

Reverse Social Engineering

In reverse social engineering the attacker presents himself or herself as an authority, and the target seeks the attacker's advice, offering the information the attacker needs. The perpetrator assumes the role of a person in authority and has employees asking him or her for information, steering the questions so as to obtain the required data. The social engineer first creates a problem, then through general conversation presents himself or herself as the expert on that problem, encouraging employees to ask for solutions. An employee may, for example, ask how the problem affected particular files, servers or equipment, which gives the social engineer pertinent information. A reverse social engineering attack involves sabotage, marketing and tech support, and carrying it off requires many different skills and a good deal of experience.

Piggybacking

Piggybacking is a form of attack that can be carried out physically or electronically. Physical piggybacking misuses a false association to gain access: an authorized person allows, intentionally or unintentionally, an unauthorized person to pass through a secure door ("I forgot my ID badge at home. Please help me."). The attacker slips in behind a legitimate employee and gains access to an area that would normally be locked or require a biometric or other access-control mechanism to open.

Electronic piggybacking happens on a network or workstation where access to computer systems is limited to those who hold a valid user ID and password. When a user fails to terminate a session properly, the logoff is unsuccessful, or the person walks off to attend to other business while still logged on, the attacker can take over the active session.
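The electronic piggybacking case above, an active session left logged on, is one where a server-side control bounds the damage. The following is an added example, not code from the CEH courseware or any product: an in-memory session store with an idle timeout, an absolute lifetime and a client binding. The timeout values and the use of a client identifier such as a source address are assumptions made for the example; the clock is injectable so the behaviour can be checked without waiting.

```python
"""Session store that shrinks the window for electronic piggybacking.
Added example, not CEH courseware.  IDLE_TIMEOUT, ABSOLUTE_LIFETIME and
the client identifier are assumptions."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumption: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 3600  # assumption: re-authenticate at least once per shift


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests can move time forward
        self._sessions = {}      # token -> {"user", "created", "last_seen", "client"}

    def login(self, user, client):
        """Issue an unguessable token bound to the client that authenticated."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {
            "user": user, "created": now, "last_seen": now, "client": client,
        }
        return token

    def resolve(self, token, client):
        """Return the user behind `token`, or None.  Any failed check destroys
        the session, so a later request cannot revive it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        expired_idle = now - s["last_seen"] > IDLE_TIMEOUT
        expired_abs = now - s["created"] > ABSOLUTE_LIFETIME
        # The same token arriving from a different client (source address,
        # TLS channel, ...) is the network form of riding someone's session.
        wrong_client = client != s["client"]
        if expired_idle or expired_abs or wrong_client:
            del self._sessions[token]
            return None
        s["last_seen"] = now     # activity refreshes the idle timer only
        return s["user"]

    def logout(self, token):
        """Explicit termination: the step the user in the text failed to take."""
        self._sessions.pop(token, None)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", "10.0.0.5")
    print(store.resolve(tok, "10.0.0.5"), store.resolve(tok, "10.0.0.9"))
```

The client binding does nothing for the physical case, where the attacker sits down at the still-logged-on workstation: that needs an enforced screen lock and the user's own logoff. What the idle timeout buys is a bound on how long an abandoned session stays worth taking over, and the absolute lifetime ensures that even a session kept alive by the attacker's own requests is eventually forced back through authentication.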
39. Watch these Movies

There are many movies in which social engineering is highlighted; they are both entertaining and instructive about how social engineering works. FIGURE 09.2: The Italian Job movie wallpaper.
40. Watch this Movie

In the 2003 movie "Matchstick Men," Nicolas Cage plays a con artist living in Los Angeles who operates a fake lottery, selling overpriced water filtration systems to unsuspecting customers and collecting over a million dollars in the process. The movie is an excellent study in the art of social engineering: manipulating people into performing actions or divulging confidential information. FIGURE 09.3: Matchstick Men movie wallpaper.
41. Computer-based Social Engineering

Computer-based social engineering is mostly carried out with malicious programs and software applications: email, Trojans, chat and so on. The main types of computer-based social engineering attack are:

- Pop-up windows: a window pops up while the user is surfing the Internet and asks for the user's login or sign-in information, for example by claiming that the network was disconnected and the user needs to log in again. A malicious program installed by the attacker then extracts the target's login information and sends it to the attacker's email address or to a remote site. Such attacks can be carried out with Trojans and viruses.
- Spam email: irrelevant, unwanted and unsolicited email sent to the target to collect confidential information such as bank details, social security numbers and network information. Attackers can also attach malware such as a virus or Trojan to the email; social engineers try to hide the attachment's file extension by giving it a long filename.
- Instant chat messenger: the attacker chats with a selected online user and tries to elicit personal information such as birth dates and maiden names. Using an attractive picture while chatting, the attacker lures the victim, then slowly asks questions from which the target's email address and password can be worked out. Attackers first build deep trust with the target and only then make the final attack.
- Hoax letters: emails that warn the user about new viruses, Trojans or worms that may harm the user's system. They do not usually cause physical damage or loss of information, but they cost productivity and consume an organization's valuable network resources.
- Chain letters: emails that offer free gifts such as money and software on condition that the user forwards the mail to a stated number of people.
43. Computer-based Social Engineering: Pop-Ups

Pop-ups trick users into clicking a hyperlink that redirects them to fake web pages asking for personal information, or that downloads malicious programs such as keyloggers, Trojans or spyware. The usual way to entice a user to click a button in a pop-up window is to warn about a problem, for instance by displaying a realistic operating system or application error message, or to offer additional services. A window appears requesting the user to log in again, or stating that the host connection was interrupted and the network connection needs to be re-authenticated; the pop-up program then emails the captured access information to the intruder. FIGURE 09.4: Computer-based social engineering pop-ups (screenshots of two such pop-ups).
44. Computer-based Social Engineering: Phishing

Phishing is an illegitimate email that falsely claims to come from a legitimate site and attempts to acquire the user's personal or account information. Phishing emails or pop-ups redirect users to fake web pages that mimic trustworthy sites and ask them to submit their personal information. Phishing is mostly used to obtain the target's banking and other account details. Attackers may send email messages that appear to come from valid organizations such as banks or partner companies; the realistic cover used in the messages includes company logos, fonts and free help desk phone numbers. The email can also carry hyperlinks that may tempt a member of staff to breach company security; in reality the linked website is a fake, and the target's information is stolen and misused.
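The indicators described for spam email and phishing above (a link whose visible text names one site while its href points to another, a trusted name buried inside an attacker-controlled domain, an executable attachment hidden behind a document extension or a long filename) can be checked mechanically before a message reaches a user. The following is an added example, not courseware code: a small triage script run over a constructed message. The domain example-bank.com, the message contents, the extension list and the filename threshold are assumptions made for the example; the two-label "registered domain" rule is a simplification of what a Public Suffix List lookup would give.

```python
"""Heuristic triage of one email for the phishing indicators in this section.
Added example, not CEH courseware.  The message and domains are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}     # assumption: the organisation's real domain(s)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "hta"}
LONG_FILENAME = 40                         # assumption: longer names may hide the extension

# Constructed sample: lookalike sender, mismatched link, double-extension attachment.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@example-bank.com.verify-account.net>
To: victim@example.org
Subject: Action required: re-validate your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>
<p>Multiple password failures were presented before the logons.</p>
<p><a href="http://example-bank.com.verify-account.net/login">https://www.example-bank.com/secure</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement_september_final_version_please_review.pdf.exe"
Content-Disposition: attachment; filename="statement_september_final_version_please_review.pdf.exe"

MZ
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels: 'a.b.example.net' -> 'example.net' (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host of a URL-looking string, or None if the text is not a URL."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def lookalike(host):
    """A trusted name embedded in a host whose registered domain is not trusted,
    e.g. example-bank.com.verify-account.net."""
    return registered_domain(host) not in TRUSTED_DOMAINS and any(
        t in host.lower() for t in TRUSTED_DOMAINS)


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2]
    if sender_host and lookalike(sender_host):
        findings.append(f"sender lookalike domain: {sender_host}")

    for part in msg.walk():                       # links: text says one site, href another
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            href_host, text_host = host_of(href), host_of(text)
            if href_host is None:
                continue
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                findings.append(f"link text/href mismatch: {text_host} -> {href_host}")
            if lookalike(href_host):
                findings.append(f"link lookalike domain: {href_host}")

    for part in msg.iter_attachments():           # executables behind a document extension
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"double extension attachment: {name}")
        if len(name) > LONG_FILENAME:
            findings.append(f"long attachment name may hide extension: {name}")
    return findings


def sample_findings():
    return analyse(SAMPLE_EML)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Each finding maps to one indicator from the text; none of them proves phishing on its own, so a mail gateway would normally score them rather than block on the first hit, and the lookalike check in particular is only as good as the list of trusted domains it is given.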
45. 45. FIGURE 09.5: Computer-based Social Engineering Phishing Screen shots (a sample phishing email claiming that multiple computers attempted to log into the recipient's online account with repeated password failures, demanding that the account be re-validated by Sep 14, 2010 or be suspended, and directing the recipient to "click here" or follow an embedded link)
46. 46. Computer-based Social Engineering: Phishing (Cont'd)
(Screenshot: a phishing email impersonating HSBC Bank, announcing a "new security system" against fraudulent transactions and asking the recipient to "Proceed to Account Verification" and "Update MasterCard" through embedded links.)
Source: http://www.banksafe-online.org.uk
In the present world, most bank transactions can be handled and carried out on the Internet. Many people use Internet banking for all their financial needs, such as online share trading and e-commerce. Phishing involves fraudulently acquiring sensitive information (e.g., passwords, credit card details, etc.) by masquerading as a trusted entity. The target receives an email that appears to be sent from the bank and requests the user to click on the URL or link provided. If the user believes the web page to be authentic and enters his or her user name, password, and other information, all of that information is collected by the site. This happens because the website is a fake, and the user's information is stolen and misused. The information collected from the target is directed to the attacker's email.
47. 47. FIGURE 09.6: Computer-based Social Engineering Phishing Screen shots (phishing emails impersonating HSBC, with "Proceed to Account Verification" and "Update MasterCard" links, and Barclays/NatWest, claiming the account has been reviewed and asking the customer to re-verify login details)
48. 48. Computer-based Social Engineering: Spear Phishing
Spear phishing is a direct, targeted phishing attack aimed at specific individuals within an organization. In contrast to a normal phishing attack, where attackers send out hundreds of generic messages to random email addresses, attackers use spear phishing to send a message with specialized social engineering content directed at a specific person or a small group of people. Spear phishing generates a higher response rate than a normal phishing attack.
Spear phishing is an email spoofing attack on targets such as a particular company, an organization, a group, or a government agency, carried out to gain access to confidential information such as financial information, trade secrets, or military information. The fake spear-phishing messages appear to come from a trusted source, such as the company's official website; the email appears to be from an individual within the recipient's own company, generally someone in a position of authority. This type of attack includes:
- Theft of login credentials
- Observation of credit card details
- Theft of trade secrets and confidential documents
- Distribution of botnet and DDoS agents
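A defender's view of the phishing and spear phishing emails described above: the following added example (not part of the CEH material) runs simple header, link and wording checks over two constructed messages, one modelled on the "re-validate your account" lure shown in the figures and one ordinary bank notice. The XIM Bank addresses, hosts, dates and the urgency word list are all constructed for this example.

```python
"""Heuristic checks for credential-phishing emails of the kind shown in this module.
Added example with constructed samples; not EC-Council code."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases typical of the lures in this module (constructed list).
URGENCY_PATTERNS = [
    r"\bre-?validate\b", r"\bverify your account\b", r"\bsuspend(ed)?\b",
    r"\bwithin \d+ hours\b", r"\bimmediately\b", r"\burgent\b",
    r"\bfailure to\b", r"\bclick here\b",
]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def belongs_to(host: str, domain: str) -> bool:
    """True if host is the sender's domain or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(raw_email: str) -> dict:
    """Return the sender domain, a list of findings, and a score (one point each)."""
    msg = message_from_string(raw_email)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # Replies routed to a different mailbox than the claimed sender.
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    body = msg.get_payload()          # samples are single-part text
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        if not belongs_to(host, from_domain):
            findings.append(f"link host '{host}' is outside sender domain '{from_domain}'")
        shown = text.strip().lower()
        if "." in shown and " " not in shown:   # visible text looks like a URL/domain
            shown_url = shown if "://" in shown else "http://" + shown
            shown_host = urlparse(shown_url).hostname or ""
            if shown_host and shown_host != host:
                findings.append(f"visible link text '{text.strip()}' hides host '{host}'")

    plain = re.sub(r"<[^>]+>", " ", body)
    hits = [p for p in URGENCY_PATTERNS if re.search(p, plain, re.IGNORECASE)]
    if len(hits) >= 2:
        findings.append(f"pressure language: {len(hits)} urgency patterns matched")
    return {"from_domain": from_domain, "findings": findings, "score": len(findings)}


# Constructed sample modelled on the module's "re-validate your account" lure.
PHISH = """From: "XIM Bank Security" <security@ximbank-verify.example>
Reply-To: collect@mailbox.example
Subject: Account update required
Content-Type: text/html

<p>We recently discovered that multiple computers have attempted to log into
your Online Account. We now require you to re-validate your account information
within 48 hours or we will be forced to suspend your account.</p>
<p>Please <a href="http://198.51.100.7/xim/login">click here</a> or visit
<a href="http://198.51.100.7/xim/login">www.ximbank.example</a> to proceed.</p>
"""

# Constructed ordinary notice from the same (fictional) bank for comparison.
LEGIT = """From: "XIM Bank" <alerts@ximbank.example>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for March is now available.</p>
<p>Sign in at <a href="https://online.ximbank.example/statements">online.ximbank.example</a>
to view it.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        result = analyze(sample)
        print(label, result["score"], *result["findings"], sep="\n  ")
```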
49. 49. Mobile-based Social Engineering: Publishing Malicious Apps
Attackers create malicious apps with attractive features and names similar to those of popular apps, and publish them on major app stores. Unaware users download these apps and get infected by malware that sends credentials to attackers.
In mobile-based social engineering, the attacker carries out these attacks with the help of mobile applications. The attacker first creates malicious applications, such as gaming applications with attractive features, names them after popular apps, and publishes them in major application stores. Users who are unaware that the application is malicious believe it to be genuine and download and install it on their mobile devices, which become infected by malware that sends user credentials (user names, passwords) to the attacker.
50. 50. FIGURE 09.7: Mobile-based Social Engineering Publishing Malicious Apps (Attacker creates a malicious mobile application and publishes it on an app store; the user downloads and installs the malicious gaming application; user credentials are sent to the attacker.)
51. 51. Mobile-based Social Engineering: Repackaging Legitimate Apps
A legitimate developer of a company creates gaming applications. To allow mobile users to conveniently browse and install these gaming apps, platform vendors create centralized marketplaces. Usually the gaming applications developed by these developers are submitted to the marketplaces, making them available to thousands of mobile users. Such a gaming application is used not only by legitimate users, but also by malicious people. The malicious developer downloads a legitimate game, repackages it with malware, and uploads the game to a third-party application store, from which end users download this malicious application, believing it to be a genuine one. As a result, the malicious program gets installed on the user's mobile device, collects the user's information, and sends it back to the attacker.
52. 52. FIGURE 09.8: Mobile-based Social Engineering Repackaging Legitimate Apps (Legitimate developer creates a gaming app and uploads it to the mobile app store; a malicious developer downloads the legitimate game, repackages it with malware, and uploads it to a third-party app store; the user installs it and user credentials are sent to the malicious developer.)
53. 53. Mobile-based Social Engineering: Fake Security Applications
1. The attacker infects the victim's PC
2. The victim logs onto their bank account
3. Malware in the PC pops up a message telling the victim to download an application onto their phone in order to receive security messages
4. The victim downloads the malicious application onto his phone
5. The attacker can now access the second authentication factor sent to the victim from the bank via SMS
A fake security application is one technique used by attackers for performing mobile-based social engineering. To perform this attack, the attacker first infects the victim's computer by sending something malicious. When the victim logs onto his or her bank account, malware in the system displays a message window telling the victim that he or she needs to download an application onto his or her phone in order to receive security messages. The victim thinks that it is a genuine message and downloads the application onto his or her phone. Once the application is downloaded, the attacker can access the second authentication factor sent by the bank to the victim via SMS. Thus, with the stolen credentials (user name and password) and the intercepted second factor, the attacker gains access to the victim's bank account.
54. 54. FIGURE 09.8: Mobile-based Social Engineering Fake Security Applications (Attacker infects the user's PC with malware; when the user logs onto the bank account, a pop-up tells the user to download an application onto his/her phone; the user downloads the application from the attacker's app store; user credentials are sent to the attacker.)
55. 55. Mobile-based Social Engineering: Using SMS
Tracy received an SMS text message, ostensibly from the security department at XIM Bank. It claimed to be urgent and that Tracy should call the included phone number immediately. Worried, she called to check on her account. She called thinking it was an XIM Bank customer service number, and it was a recording asking her to provide her credit card or debit card number. Unsurprisingly, Jonny revealed the sensitive information due to the fraudulent texts.
SMS is another technique used for performing mobile-based social engineering. In this attack the attacker uses an SMS to gain sensitive information. Let us consider Tracy, who is a software engineer at a reputable company. She receives an SMS text message ostensibly from the security department at XIM Bank. It claims to be urgent, and the message says that Tracy should call the included phone number (1-540-709-1101) immediately. Worried, she calls to check on her account. She calls that number believing it to be an XIM Bank customer service number, and it is a recording asking her to provide her credit card or debit card number as well as her password. Tracy feels that it is a genuine message and reveals the sensitive information to the fraudulent recording.
Sometimes a message claims that the user has won some amount or has been selected as a lucky winner, and that he or she just needs to pay a nominal amount and pass along his or her email ID, contact number, or other useful information.
56. 56. FIGURE 09.9: Mobile-based Social Engineering Using SMS (User Cellphone (Jonny gets an SMS); Tracy calling 1-540-709-1101; Fraud XIM (Bank Customer Service))
57. 57. Insider Attack
Spying: If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be inside the organization.
Revenge: It takes only one disgruntled person to take revenge, and your company is compromised.
- 60% of attacks occur behind the firewall
- An inside attack is easy to launch
- Prevention is difficult
- The inside attacker can easily succeed
An insider is any employee (trusted person) with additional access to an organization's privileged assets. An insider attack involves intentionally using privileged access to violate rules or to threaten the organization's information or information systems in any form. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. This kind of insider attack is very difficult to detect, and such attacks may cause great losses for a company.
- 60% of attacks occur from behind the firewall
- An inside attack is easy to launch
- Prevention is difficult
- An inside attacker can easily succeed
- It can be difficult to identify the perpetrator
Insider attacks are due to:
58. 58. Financial gain: An insider threat is carried out mainly for financial gain. It is attained, for example, by selling sensitive company information to a competitor, by stealing a colleague's financial details for personal use, or by manipulating company or personnel financial records.
Collusion with outsiders: A competitor can inflict damage on an organization by stealing sensitive data, and may eventually bring the organization down by gaining access to it through a job opening, sending a malicious person as a candidate to be interviewed and, with luck, hired.
Disgruntled employees: Attacks may come from unhappy employees or contract workers who have negative opinions about the company. A disgruntled employee who wants to take revenge on his company first plans to acquire information about the target and then waits for the right time to compromise the computer system.
Companies in which insider attacks commonly take place include credit card companies, healthcare companies, network service provider companies, as well as financial and exchange service providers.
59. 59. Disgruntled Employees
An employee may become disgruntled towards the company when he/she is disrespected, frustrated with their job, in conflict with management, not satisfied with employment benefits, issued an employment termination notice, transferred, demoted, etc. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary benefits.
Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, lack of respect or promotion, etc. Disgruntled employees may pass company secrets or confidential information and intellectual property to competitors for monetary benefits, thereby harming the organization. Disgruntled employees can use steganographic programs to hide the company's secrets and send them to competitors inside an innocuous-looking message such as a picture, image, or sound file. He or she may use work email to send the secret information. No one can detect that this person is sending confidential data to others, since the information is hidden inside the picture or image.
FIGURE 09.10: Disgruntled Employees Figure (Disgruntled Employee; Company's Secrets; Company Network; sends the data to competitors using steganography; Competitors)
60. 60. Preventing Insider Threats
Separation and rotation of duties; Least privilege; Controlled access; Logging and auditing; Legal policies; Archive critical data
Prevention techniques are recommended in order to avoid financial loss and threats to the organization's systems from insiders or competitors. The following are recommended to overcome insider threats:
Separation and rotation of duties: Responsibilities must be divided among various employees, so that if a single employee attempts to commit fraud, the result is limited in scope. A particular job must be allotted to different employees at different times so that a malicious employee cannot damage an entire system.
Least privileges: The least number of privileges must be assigned to the most critical assets of an organization. Privileges must be assigned based on hierarchy.
Controlled access: Access controls must be implemented in various parts of an organization to restrict unauthorized users from gaining access to critical assets and resources.
61. 61. Logging and auditing: Logging and auditing must be performed periodically to check whether any company resources are being misused.
Legal policies: Legal policies must be enforced to prevent employees from misusing the resources of an organization and to prevent the theft of sensitive data.
Archive critical data: A record of an organization's critical data must be maintained in the form of archives, to be used as backup resources if needed.
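The separation/rotation of duties, least privilege, and logging and auditing controls listed above can be checked mechanically against an access inventory. The following added example (constructed data, not EC-Council's code) flags separation-of-duties conflicts, duties held past a rotation limit, and granted privileges that the audit log shows are not being exercised, which are candidates for removal under least privilege. The employees, duties, conflicting pairs, dates and limits are all constructed.

```python
"""Insider-threat control checks: separation of duties, rotation, least privilege.
Added example on constructed data; not EC-Council code."""
from datetime import date

# Constructed access inventory: (employee, duty, date the duty was granted).
ASSIGNMENTS = [
    ("alice", "create_vendor",   date(2012, 1, 10)),
    ("alice", "approve_payment", date(2012, 3, 1)),    # conflicts with create_vendor
    ("bob",   "approve_payment", date(2011, 2, 15)),   # held well past rotation limit
    ("carol", "db_admin",        date(2012, 6, 1)),
    ("dave",  "backup_operator", date(2012, 7, 20)),
]

# Duty pairs one person must never hold together (constructed policy).
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"db_admin", "backup_operator"}),
}

# Constructed audit-log entries: (employee, duty actually exercised, date).
AUDIT_LOG = [
    ("alice", "create_vendor",   date(2012, 8, 3)),
    ("bob",   "approve_payment", date(2012, 8, 5)),
    ("dave",  "backup_operator", date(2012, 8, 6)),
]

REVIEW_DATE = date(2012, 9, 1)   # constructed date of the periodic review


def separation_violations(assignments, toxic_pairs=TOXIC_PAIRS):
    """Employees holding two duties the policy says must be separated."""
    held = {}
    for emp, duty, _ in assignments:
        held.setdefault(emp, set()).add(duty)
    return sorted((emp, tuple(sorted(pair)))
                  for emp, duties in held.items()
                  for pair in toxic_pairs if pair <= duties)


def rotation_overdue(assignments, today, max_days=365):
    """Duties one person has held longer than the rotation limit."""
    return sorted((emp, duty) for emp, duty, since in assignments
                  if (today - since).days > max_days)


def unused_privileges(assignments, audit_log, today, window_days=90):
    """Granted duties with no use inside the audit window (least-privilege review)."""
    recent = {(emp, duty) for emp, duty, when in audit_log
              if 0 <= (today - when).days <= window_days}
    return sorted((emp, duty) for emp, duty, _ in assignments
                  if (emp, duty) not in recent)


def review(assignments=ASSIGNMENTS, audit_log=AUDIT_LOG, today=REVIEW_DATE):
    """Run all three checks and return their results in one report."""
    return {
        "separation_violations": separation_violations(assignments),
        "rotation_overdue": rotation_overdue(assignments, today),
        "unused_privileges": unused_privileges(assignments, audit_log, today),
    }


if __name__ == "__main__":
    for check, items in review().items():
        print(check)
        for item in items:
            print("  ", item)
```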
62. 62. Common Social Engineering Targets and Defense Strategies
Front office and help desk. Attack techniques: eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation. Defense strategies: train employees/help desk to never reveal passwords or other information by phone.
Perimeter security. Attack techniques: impersonation, fake IDs, piggybacking, etc. Defense strategies: implement strict badge, token, or biometric authentication, employee training, and security guards.
Office. Attack techniques: shoulder surfing, eavesdropping, ingratiation, etc. Defense strategies: employee training, best practices and checklists for using passwords (do not type in passwords with anyone else present, or if you must, do it quickly); escort all guests.
Phone (help desk). Attack techniques: impersonation, intimidation, and persuasion on help desk calls. Defense strategies: employee training; enforce policies for the help desk.
Mail room. Attack techniques: theft, damage, or forging of mail. Defense strategies: lock and monitor the mail room; employee training.
Machine room/Phone closet. Attack techniques: attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data. Defense strategies: keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment.
Social engineering tricks people into providing information that can be used to break into a corporate network. It works on individuals who have the rights to do something or who know something important. The common tactics used by the attacker and the prevention strategies to be adopted are summarized above.
63. 63. FIGURE 09.11: Common Social Engineering Targets and Defense Strategies Screen shot
