The document discusses social engineering techniques used to manipulate people into providing confidential information or performing actions. It describes various social engineering attacks like pretexting, phishing, phone phishing, baiting, and quid pro quo. Pretexting involves creating a fake scenario to get information, while phishing uses fraudulent emails. Phone phishing replicates legitimate phone systems to steal information. Baiting leaves infected devices in public places, and quid pro quo offers to help with technical issues in exchange for access.
2. Today ...
… we will discuss:
• Pretexting
• Phishing
• IVR or phone phishing
• Baiting
• Quid pro quo
Computer Security Management
Page 2
3. Social Engineering
• Manipulating people into performing actions or providing confidential
information
• Social engineering techniques are based on specific attributes of
human decision-making known as cognitive biases
• These biases are exploited in various combinations to create
criminal attack techniques
• Examples of social engineering:
– Pretexting
– Phishing
– IVR or phone phishing
– Baiting
– Quid pro quo
– Etc.
4. Social Engineering Attacks
• The attacker might pose as:
– a fellow employee
– an employee of a vendor, a partner company, or law enforcement
– someone with authority
– the systems manufacturer offering a patch or update
– a helper who offers assistance should a problem occur, and then causes the problem
• The attacker might use software:
– Sending free software or a "patch" for the victim to install (a Trojan)
– Sending viruses or Trojans as e-mail attachments
– Using a fake pop-up window that asks the user to log in
– Leaving a CD with malicious software lying around
• Other approaches
– Offering a prize for registering on a Web site
– Dropping a document in the mail room for intra-office delivery
5. Pretexting (1)
• Creating and using an invented scenario (a pretext) to persuade a
targeted victim to release information or perform an action; typically
done over the telephone
• Often involves some prior research or set-up and the use of pieces of
already-known information (e.g. for impersonation: name, date of birth,
last bill amount) to establish legitimacy in the mind of the target
• Used, for example, to trick a business into disclosing customer
information; private investigators have used it to obtain telephone
records, utility records, banking records and other information
directly from junior customer-service representatives
• As many companies authenticate callers by asking only for a name,
date of birth, or mother's maiden name, the method is effective in
many situations: these values are identifiers, not secrets, and an
attacker who has done the prior research already holds them
6. Pretexting (2)
• Can also be used to impersonate co-workers, police, bank, tax
authorities, or insurance investigators — or any other individual who
could have perceived authority or right-to-know in the mind of the
targeted victim
• The pretexter must simply prepare answers to questions that might
be asked by the victim. In some cases all that is needed is a voice
that sounds authoritative, an earnest tone, and an ability to think
on one's feet
7. Example (1)
• Mary arrived early to get a head start on what she expected to be a
long day and was surprised to find her phone ringing. She picked it
up and gave her name:
Hi, this is Peter Sheppard. I’m with Arbuckle Support, the company
that does tech support for your firm. We logged a couple of
complaints over the weekend from people having problems with the
computers there. I thought I could troubleshoot before everybody
comes into work this morning. Are you having any problems with
your computer connecting to the network?
8. Example (2)
• She told him she didn’t know yet. She turned her computer on and
while it was booting he explained what he wanted to do:
I’d like to run a couple of tests with you. I’m able to see on my
screen the keystrokes you type and I want to make sure they’re
going across the network correctly. So every time you type a stroke
I want you to tell me what it is and I’ll see if the same letter or
number is appearing here. Okay?
9. Example (3)
• With nightmare visions of her computer not working and a
frustrating day of not being able to get any work done, she was
more than happy to have this man help her. After a few moments,
she told him: I have the login screen and I’m going to type in my
ID. I’m typing it in: M A R Y
Great so far. I’m seeing that here. Now go ahead and type your
password but don’t tell me what it is. You should never tell anybody
your password not even tech support. I’ll just see asterisks here –
your password is protected so I can’t see it.
10. Example (4)
• None of this was true but it made sense to Mary. And then he said:
Let me know once your computer has started up.
• When she said it was running he had her open two of her
applications and she reported that they launched just fine
• Mary was relieved to see that everything seemed to be working.
Peter said:
I’m glad I could make sure you’ll be able to use your computer ok.
And listen, we just installed an update that allows people to change
their passwords. Would you be willing to take a couple of minutes
with me so I can see if we got it working right?
11. Example (5)
• She was grateful for the help he had given her and readily agreed.
Peter walked her through the steps of launching the application that
allows a user to change passwords (a standard element of the Windows
operating system)
• Peter said: Go ahead and enter your password, but remember not to
say it out loud.
• When she had done so, Peter said: Just for this quick test, when it
asks for your new password enter 'test123'. Then type it again in
the verification box and click Enter.
• He talked her through the process of disconnecting from the server.
He told her to wait a couple of minutes, then connect again, this
time trying to log on with her new password. It worked fine and
Peter seemed pleased. He talked her through changing it back to
her original password, once more cautioning her not to say it out
loud.
12. Example (6)
• "Well, Mary," Peter said, "we didn't find any trouble, and that's great. If
any problems come up, just ring us at Arbuckle. I'm usually on a
special project, but anyone here can help you."
• Analysing the con:
– He first rang reception at 7:30 claiming an emergency and asked for anyone in
accounting; that is how he got Mary's name and extension
– He then called Mary, told her there were problems, and gave her the jitters so
that she was keen to accept help
– Only after giving the "help" did he ask for the favour
– While the temporary password 'test123' was valid he logged on himself, installed
his own program and cleared his access from the logs
• Typical features:
– The con is buried inside a long, friendly exchange
– Timing: had the con come at the end of the day, Mary would remember it as the
last thing that happened; placed first thing in the morning, it is forgotten
after a busy working day
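The con above leaves a recognisable trace in authentication logs: a password change, a logon from a host the user did not change the password from, and the password changed back, all within a few minutes. The same trace is left by the quid pro quo variant later in the deck, where the "support" caller has the user type commands that hand over access. Below is an added example, not code from the original slides, that looks for that pattern over a constructed, simplified log (timestamp, event, account, source host). The account names, hosts and timestamps are made up; map the event names onto your own audit events (for a Windows domain, password changes and logons). Because the attacker in the story cleared his access from the logs, the detector is only useful when logs are forwarded to a collector the attacker cannot reach.

```python
"""Detect the 'helpful tech support' takeover pattern from the pretexting
example: a password change, a logon from a host the user did not change
the password from, then the password changed back, all within minutes.

Added example, not from the original slides.  The log format below is a
constructed, simplified one (timestamp, event, account, source host).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the Mary/Peter scenario.  WS-ACCT-12 is
# Mary's workstation; 10.9.8.7 is the attacker's machine.  Bob's entries
# are a legitimate password change followed by his own logons.
SAMPLE_LOG = """\
2024-03-04T07:42:10 PASSWORD_CHANGE mary WS-ACCT-12
2024-03-04T07:43:05 LOGON mary 10.9.8.7
2024-03-04T07:44:30 LOGON mary WS-ACCT-12
2024-03-04T07:46:02 PASSWORD_CHANGE mary WS-ACCT-12
2024-03-04T09:15:44 PASSWORD_CHANGE bob WS-ACCT-04
2024-03-04T09:16:20 LOGON bob WS-ACCT-04
2024-03-04T12:00:00 LOGON bob WS-ACCT-04
"""

# How long after the first password change we keep looking for the rest
# of the pattern.  In the story the whole thing took a few minutes.
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Return (timestamp, event, account, source) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event, account, source))
    return sorted(events)


def assisted_takeovers(events, window=WINDOW):
    """Return alerts as (account, time_of_first_change, foreign_host).

    Pattern: PASSWORD_CHANGE originating from host H, then a LOGON from a
    host other than H, then another PASSWORD_CHANGE, all within `window`
    of the first change.  A user changing their own password and logging
    on from the same workstation does not match.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[2]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        for i, (t0, kind, _, origin) in enumerate(evs):
            if kind != "PASSWORD_CHANGE":
                continue
            foreign_logon = None
            for t1, kind1, _, src in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if kind1 == "LOGON" and src != origin and foreign_logon is None:
                    foreign_logon = src
                elif kind1 == "PASSWORD_CHANGE" and foreign_logon is not None:
                    alerts.append((account, t0, foreign_logon))
                    break
    return alerts


if __name__ == "__main__":
    for account, when, host in assisted_takeovers(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {account}: password changed, "
              f"logon from {host}, password changed back")
```

On the sample log only Mary's sequence fires; Bob's self-service change followed by logons from his own workstation is ignored. Tune the window and the definition of a "foreign" host (for example, any host the account has not used before) to your environment.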
13. Phishing
• A criminal technique for fraudulently obtaining private information
• Typically, the phisher sends an e-mail that appears to come from a
legitimate business (e.g. a bank or credit card company) requesting
"verification" of information and warning of some dire consequence
if it is not provided
• The e-mail usually contains a link to a fraudulent web page that seems
legitimate (i.e. with the company's logos and content) and has a form
requesting everything from a home address to an ATM card's PIN
• The link text may show the real company's address while the underlying
link points elsewhere; checking where a link actually goes before
following it, and never following links to "verify" account details,
defeats most of these messages
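Two of the tells described above can be checked mechanically: a link whose visible text names one domain while its href goes somewhere else, and links whose host does not belong to the domain the sender claims in the From: header. The following is an added example, not code from the original slides, using only the Python standard library. The two messages in it are constructed for illustration; every address and domain in them is a placeholder, and the "registrable domain" helper is a deliberate simplification (a real check would consult the public suffix list).

```python
"""Check a raw e-mail for two classic phishing tells: a link whose visible
text shows one domain while its href goes elsewhere, and links whose host
is outside the domain the sender claims to be.

Added example, not code from the original slides.  The messages below are
constructed; every address and domain in them is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message: the From: domain and the visible link text
# both say example-bank.com, but the href lands on example.net.
PHISH = """\
From: "Example Bank Security" <alerts@example-bank.com>
To: mary@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Verify your details now or your
account will be suspended.</p>
<p><a href="http://example-bank.com.account-verify.example.net/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: link and sender agree.
LEGIT = """\
From: "Example Bank" <statements@example-bank.com>
To: mary@example.org
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://online.example-bank.com/">online banking</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Crude registrable domain: the last two labels of the host name.
    A production check should use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def visible_domain(text):
    """If the link text itself looks like a URL or host name, return its
    registrable domain; otherwise None (plain words such as 'click here')."""
    text = text.strip()
    if re.match(r"^https?://", text, re.I):
        return registered_domain(urlparse(text).hostname or "")
    if re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return registered_domain(text.split("/", 1)[0])
    return None


def phishing_indicators(raw_message):
    """Return a list of (indicator, href) for the message's HTML links."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else None

    collector = LinkCollector()
    for part in msg.walk():                      # single-part or multipart
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            collector.feed(payload.decode(part.get_content_charset() or "utf-8"))

    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:                             # mailto:, anchors, etc.
            continue
        target = registered_domain(host)
        shown = visible_domain(text)
        if shown is not None and shown != target:
            findings.append(("display-mismatch", href))
        if sender_domain and target != sender_domain:
            findings.append(("sender-mismatch", href))
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw))
```

The constructed phishing message produces both indicators for its single link; the legitimate one produces none. A sender-mismatch alone is common in honest mail (newsletters sent via a mailing provider), so treat it as a weaker signal than a display-mismatch, which has almost no legitimate use.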
14. Phone Phishing (IVR phishing)
• Uses a fake Interactive Voice Response (IVR) system to recreate a
legitimate-sounding copy of a bank's or other institution's IVR system
• Typically the victim receives an e-mail asking them to call the "bank"
on an (ideally toll-free) number provided in the message in order to
"verify" information
• A typical system repeatedly rejects log-ins, so the victim re-enters
PINs or passwords several times and, guessing at which one is wanted,
often discloses several different ones
• More advanced systems transfer the victim to the attacker posing as a
customer service agent for further questioning
• The only safe number to call is one taken from the card or statement
itself, never one supplied in the message
15. Baiting
• A Trojan horse delivered on physical media that relies on the curiosity
or greed of the victim
• The attacker leaves a malware-infected floppy disc, CD-ROM, or USB
flash drive in a location where it is sure to be found (bathroom,
elevator, sidewalk, parking lot), gives it a legitimate-looking and
curiosity-piquing label, and simply waits for the victim to use it
• Examples could be:
– Installation disks for expensive Office software
– Fake electronic executive reports (infected spreadsheets)
– Fake demo programs
• Countermeasures: disable autorun for removable media, restrict which
devices may be attached by policy, and treat found media as something
to hand to security rather than plug in
16. Quid pro quo
• "Something for something"
• The attacker calls random numbers at a company claiming to be calling
back from technical support
• Eventually they reach someone with a genuine problem who is grateful
that someone is calling back to help
• The attacker "helps" solve the problem and in the process has the user
type commands that give the attacker access or launch malware (see
the pretexting example!)
• Genuine support does not cold-call; a user who receives such a call
should hang up and ring the help desk on its published number
17. Summary
Today we learned:
• Social engineering exploits human cognitive biases
• It manipulates people into performing actions or providing confidential
information
• Social engineering techniques include:
– Pretexting
– Phishing
– IVR or phone phishing
– Baiting
– Quid pro quo