Social engineering overview
- Art of convincing people to reveal confidential information
- Exploits people's:
  - unawareness of the value of the data they hold, or of social engineering attacks in general
  - carelessness in protecting data
  - trust
  - fear of the consequences of not providing the information
  - greed for a promised gain in return for the requested information
  - sense of moral obligation
- A form of footprinting: gathers information about the target before the technical attack
- Well-known social engineering examples
  - RSA attack (2011): about $66 million in losses, started with a phishing e-mail whose Excel attachment carried an embedded Flash object exploiting a zero-day Flash vulnerability
  - Ubiquiti Networks scam (2015): about $47 million stolen by impersonating executives and sending payment requests to the company's finance department
  - US Department of Justice attack (2016): one employee's e-mail account was compromised, then the attacker posed as a new employee to the help desk, obtained an access code and ended up leaking records of about 30,000 FBI and DHS employees
  - Yahoo account breach (2013, disclosed 2017): data of about 3 billion accounts was stolen and is usable for further social engineering (e.g. knowing that two people are connected)
Steps of social engineering
- Research
  - Gather enough information about the target company
  - Collected e.g. by dumpster diving, scanning, company tours, searching the internet...
- Select target
  - Choose a target employee
  - Some employees are more vulnerable than others
  - Easy targets are nicknamed "Rebecca" and "Jessica": a person who is an easy mark for social engineering, such as a company receptionist
  - E.g. receptionists, help-desk personnel, tech support, system administrators, clients
  - A frustrated target is more willing to reveal information
- Relationship
  - Earn the target employee's trust, e.g. by building a relationship
- Exploit
  - Extract information from the target employee
Identity theft
- Stealing someone else's personally identifiable information in order to pose as that person
  - E.g. name, credit card number, social security or driver's licence numbers
- Can be used to impersonate employees of a target organization
Steps of stealing an identity
- Gather the target's information
  - Through e.g. bills, social networks, dumpster diving
  - Information usually includes first and last name, date of birth, address, social security number, bank accounts, ID card and passport numbers
- Fake identity proof: obtain fake IDs
  - Can be a driving licence, ID card, etc.
  - E.g. using stolen bills as proof of address, report the victim's driving licence lost and have a replacement sent to an address of your choosing
- Fraud: spend money, gain unauthorized access, use the ID for further frauds, etc.
  - Can open new credit card accounts in the victim's name
  - Can sell the identity information
Identity theft countermeasures
- Check credit reports periodically
- Safeguard personal information at home and in the workplace
- Verify the legitimacy of sources, i.e. who is asking for the information and why
Impersonation on social network sites
Gaining information through social network sites
- Information is used for spear phishing, impersonation, and identity theft
- Can e.g. create a fake user group "Employees of the company" on Facebook
  - Invite people to the group and collect personal details such as birth date and employment/education background
- Can scan profile pages on LinkedIn and Twitter
Steps of social media impersonation
- Gather personal information from the Internet, including social network sites
  - E.g. full name, date of birth, e-mail address, residential address
- Create an account that copies the target's identity (same name, photo and details)
- Carry out social engineering attacks with the account, e.g.:
  - Introduce it to the target's friends in a convincing way so they reveal information
  - Join the target organization's employee groups, where members share personal and company information
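A check a defender would want against the impersonation steps above: compare display names of accounts claiming to be employees against the known employee roster after undoing the usual tricks (Unicode look-alike letters, full-width characters, punctuation and case variants, one-character edits). This is an added example, not part of the original notes or of any tool they mention; the roster, the candidate accounts and the confusables table are constructed for the illustration, and the confusables table is a small hand-picked subset rather than a complete one.

```python
"""Lookalike-account check for social-media impersonation.

Added example, not from the original notes. Flags accounts whose display
name mimics a known employee's name after undoing common impersonation
tricks. ROSTER, CANDIDATES and CONFUSABLES below are constructed sample
data; CONFUSABLES is a small hand-picked subset, not a complete table.
"""
import unicodedata

# Constructed, partial map of characters that render like Latin letters:
# Cyrillic and Greek letters plus a few digit-for-letter swaps.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
    "0": "o", "1": "l", "3": "e", "5": "s",
}

# Constructed roster: employee display name -> the account the company knows is theirs.
ROSTER = {"Jane Doe": "janedoe_acme", "Mark Smith": "msmith_acme"}

# Constructed candidate accounts as (handle, display name) pairs.
CANDIDATES = [
    ("janedoe_acme", "Jane Doe"),            # the real account
    ("jane.d0e", "J\u0430ne Doe"),           # Cyrillic 'а' in place of Latin 'a'
    ("jdoe_support", "\uff2aane Doe"),       # full-width 'J'
    ("jane_doe_official", "Jane Doee"),      # one-character edit
    ("msmith_acme", "Mark Smith"),           # the real account
    ("mark.smith.acme", "Mark Smith"),       # exact name on an unknown handle
    ("random_user", "Alex Roe"),             # unrelated
]


def normalize(name):
    """Collapse a display name to a comparison key.

    NFKC folds full-width and other compatibility forms, casefold handles case,
    the confusables map replaces look-alike letters, and finally everything that
    is not a letter or digit is dropped so "J. Doe", "j_doe" and "J Doe" agree.
    """
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return "".join(ch for ch in s if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_hits(candidates, roster, max_distance=1):
    """Return (handle, display_name, employee) for accounts whose display name
    is within max_distance of an employee's normalized name but whose handle is
    not the account the roster knows for that employee."""
    known_handles = set(roster.values())
    keys = {normalize(name): name for name in roster}
    hits = []
    for handle, display in candidates:
        if handle in known_handles:
            continue
        key = normalize(display)
        for emp_key, employee in keys.items():
            if edit_distance(key, emp_key) <= max_distance:
                hits.append((handle, display, employee))
                break
    return hits


if __name__ == "__main__":
    for handle, display, employee in lookalike_hits(CANDIDATES, ROSTER):
        print(f"review @{handle}: display name {display!r} resembles {employee}")
```

Hits are leads for manual review, not proof of impersonation: a legitimate second account or a namesake will also match, which is why the roster of known handles is consulted before flagging.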
Corporate threats from social network sites
- Social networks are outside the corporate network's control and typically offer weaker authentication, so accounts there are easier to compromise or spoof
- An employee communicating on a social network may not take care with sensitive company information
Physical security
- Physical measures
  - E.g. air quality, power concerns, humidity-control systems
- Technical measures
  - E.g. smart cards and biometrics
- Operational measures
  - E.g. policies and procedures to enforce a security-minded operation
- Access control
  - Biometrics
    - Something you are
    - False rejection rate (FRR)
      - When a biometric rejects a valid user
    - False acceptance rate (FAR)
      - When a biometric accepts an invalid user
    - Crossover error rate (CER)
      - The point where FRR and FAR are equal as the matching threshold is varied; the lower the CER, the better the system
- Environmental disasters
  - E.g. hurricanes, tornadoes, floods
- See also Physical security | Information security controls
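Worked example for the FRR/FAR/CER items above, added here and not part of the original notes: a biometric matcher returns a similarity score and the system accepts when the score reaches a threshold. Raising the threshold lowers FAR (the security cost) but raises FRR (the usability cost); the CER is where the two curves meet. The score lists are constructed sample data standing in for a real matcher's output.

```python
"""FRR, FAR and CER on a threshold sweep.

Added worked example, not from the original notes. GENUINE holds constructed
scores of legitimate users, IMPOSTOR constructed scores of people claiming an
identity that is not theirs; the system accepts when score >= threshold.
"""

GENUINE = [0.91, 0.88, 0.83, 0.79, 0.76, 0.72, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR = [0.62, 0.58, 0.51, 0.47, 0.44, 0.40, 0.35, 0.31, 0.27, 0.20]


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine users scored below the threshold (usability cost)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostors scored at or above the threshold (security cost)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Return [(threshold, frr, far), ...] for thresholds 0, 1/steps, ..., 1."""
    return [(i / steps, frr(i / steps, genuine), far(i / steps, impostor))
            for i in range(steps + 1)]


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Crossover error rate: the (threshold, error rate) where FRR and FAR meet.

    With discrete sample data the two curves may never be exactly equal, so the
    first threshold with the smallest |FRR - FAR| is taken and the CER is
    reported as their mean at that point. Lower CER means a more accurate system.
    """
    best_t, best_cer, best_gap = None, None, None
    for t, f_rej, f_acc in sweep(genuine, impostor, steps):
        gap = abs(f_rej - f_acc)
        if best_gap is None or gap < best_gap:
            best_t, best_cer, best_gap = t, (f_rej + f_acc) / 2, gap
    return best_t, best_cer


if __name__ == "__main__":
    # Show the trade-off: FRR climbs and FAR falls as the threshold rises.
    for t in (0.3, 0.5, 0.7, 0.9):
        print(f"threshold={t:.2f}  FRR={frr(t):.2f}  FAR={far(t):.2f}")
    t, cer = crossover()
    print(f"crossover near threshold {t:.2f}, CER ~ {cer:.2f}")
```

For an access-control deployment the threshold is usually set above the crossover point, accepting more false rejections in exchange for a lower FAR; the CER is still the single number used to compare one biometric system against another.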
The Social-Engineer Toolkit (SET)
- Open-source tool for Linux and macOS
- Available in Kali Linux
- Templates and site cloning for credential harvesting
- Functions such as website attack vectors, mass mailer attack, SMS spoofing, QR code generator, wireless access point attack...