Social Engineering Techniques

Transcription

Table of Contents

Social Engineering -1
Social Engineering -2
Social Engineering -3
Social Engineering -4
Social Engineering -5
Human-Based vs Computer-Based SE
Human-Based SE -1
Human-Based SE -2
Computer-Based SE -1
Computer-Based SE -2
Computer-Based SE -3
Computer-Based SE -4
Computer-Based SE -5
Computer-Based SE -4 (repeated)
Social Engineering Stages
Insider Threat
Notices

Social Engineering -1 (slide 64)

A fascinating, low-cost, and effective method of obtaining (sometimes sensitive) information from unsuspecting users.

Why is social engineering successful? Because there is no patch for the average user.

So what is social engineering? It is convincing somebody to do something that is not in their best interest, or not in the best interest of the enterprise that they represent. Convincing them to break their policy, for whatever reason the attacker has.

Why does social engineering work? Hmm. Well, I have this problem. And immediately what everybody goes is: Oh, Dan has a problem. Let's help him. That desire to help.

You know, would you like to make a million dollars? Oh, I'd really like to make a million dollars. Dan has a proposal on the table to help me do that. Greed.

Now the reason why this works is, well, because we forget. Because we trust inappropriately. And the end user that's out there isn't as bitter and pessimistic as we are. Because we know that people are attacking us.

Social Engineering -2 (slide 65)

Exploits the human aspect to break into networks.

- From an attacker's point of view: why go after a hard target such as a firewall, when a soft target, such as a user, may get them what they are really after?
- The attacker can bypass layers of security like DMZs, network perimeter security, firewalls, intrusion detection, domain security policies, workstation security, and host-based firewalls simply by targeting the user.

What we want to do as penetration testers is test for those particular exploits and convince people through training not to do that.

What adversaries want to do is they want to convince people to give them information that can lead to a deeper attack.

From an attacking standpoint, what's really nice is that we don't have to go through all that man-in-the-middle stuff, all that buffer overflow stuff. That stuff's a pain. That takes forever. Let's just ask the user for their password. It's a lot easier.

Social Engineering -3 (slide 66)

Exploits basic human nature with the following principles:

- Authority: perceived legitimacy, justification, and/or right to exercise power
- Intimidation: using implied authority and force of personality to gain access or achieve another outcome
- Consensus/Social Proof: mirroring popular behavior in a social setting
- Scarcity: a sense of urgency is implied when people feel something is limited
- Urgency: using time as a basis for performing an action ("if you don't do this within 10 minutes, your account will be suspended")
- Familiarity/Liking: people draw closer to things they are familiar with and like
- Trust: the uniting principle of social engineering, as the victim trusts that what you are saying/conveying is accurate

Now there are all these different human emotions that come out there that we can prey upon.

The best social engineers are what we call "cold readers." This term first came out when it came to fortune tellers and people like that.

And cold readers can see what your trigger is. Is it authority, intimidation, consensus, scarcity, urgency, liking or trust? What is it that will make this person's pupils dilate? And cold readers can look for those telltale signs.

If you see somebody that's like this, what do you know? You know that they will knuckle under to authority, or intimidation.

If they're talking to you like this, and they walk up to you and the first thing that they do is they open their arms, they're probably susceptible to consensus. Hey, be just like me. Especially if they mirror your stance. That's one of the other ways that you can figure out that consensus and social proofing will work: do they stand like you do, or do they stand a different way?

Are they defensive? Do they turn their side to you so that you can only see a small profile of their body? Like a boxer would do.

We look for these clues as to how they're standing, to be really good social engineers. We look for those hints.

And as a social engineer you have to pounce on these as quickly as you possibly can, and be unmerciful about it.

And that's where we as good human beings have a problem. And that's where attackers have no problem whatsoever.

They can do these cold reads over the phone if they want to; like the company that does scareware that we've talked about before.

So these human natures follow certain principles; and then we just craft a statement that convinces them to give us that information in some way, shape or form.

Social Engineering -4 (slide 67)

Social engineering principles:

- Authority
- Intimidation
- Consensus / social proof
- Scarcity
- Urgency
- Familiarity / liking
- Trust

The principles may not always be applicable or work well together. Example: it is not important to be liked if you are using authority and/or intimidation.

So when we look at those principles-- remember, they're not going to work for every single person that's out there; and we don't jam them all together. What we do is we look at the person and we test.

The best way to deal with this, by the way, is to have a little bit of a conversation with that person; and you really want to get ahold of this person.

You have that polite conversation here; and you're looking out of the corner of your eye to see how they react to it.

This conversation is not going to go well and you know it. That's okay.

If you see that when you're talking to this person you try to be authoritarian and you try to power over them, and this person bristles at that-- and you're looking at them while you're doing it; and you've really got to be quick about how you're doing this-- you'll see that the authority attack is not going to work against them. The intimidation attack is not going to work with them.

Maybe you try urgency: Hey, this is only good for a limited time.

So you use this person to figure out what that person is doing; and you prey upon them. And that's not your target. This person is.

Social Engineering -5 (slide 68)

There are two types of social engineering.

- Human-Based: the attempt is carried out directly with the victim
- Computer-Based: the attempt is carried out with the aid of a computer

Effective social engineering attacks may combine both types, and use supporting material or events (such as falsified work orders or popup messages on a computer screen) to achieve the deception.

There really are two types of social engineering. And by the way, remember I talked to you about that tool called Metasploit? There's a tool that goes over top of that for websites that's called S-E-T. It's the Social Engineering Toolkit. It is a computer-based social engineering tool, because it mirrors the website that's out there.

When we talk about human-based social engineering, it's me against you; it's me looking into your eyes.

One of the qualities of a good social engineer is somebody who is malleable, adaptable and flexible and kind of goes with the flow.

It's also somebody, in most cases, that can look you straight in the eye and lie to you, with no flinch and no tell. Good poker players are also really good social engineers because they can be very deadpan about it.

Now normally what we do in technology attacks is we do both of these things. Call you up on the phone-- that's a human interaction-- and get your password that way; and then use that to attack the system here.

Remember, in a computer-based attack we really want to get to the computer resources. So we're trying to apply that attack against the user so that we can then capture that easy username and password to then dig into the systems.

Human-Based vs Computer-Based SE (slide 69)

Human-Based:
- Shoulder surfing
- Eavesdropping
- Dumpster diving
- Tailgating
- Piggybacking
- Impersonation
- Spam

Computer-Based:
- Hoaxes
- Chain letters
- Phishing
- Whaling
- Pharming
- Vishing

When we look at the human-based, we want to look at these as a group, as compared to computer-based. Because we're going to do training that focuses around one or the other.

Try not to do both at the same time. Anytime you're doing an awareness campaign, pick one side or the other. It's not a good idea to do both.

So human-based. There's shoulder surfing: looking over their shoulder. Eavesdropping: listening in on their conversation.

Dumpster diving: literally, what do they throw away and how can we see it?

Tailgating: convincing them to allow us to go through the door with them. Piggybacking is almost the same as tailgating.

Impersonating somebody else. "Hi, I'm the computer technician."

And human-based spam. So spam can come in many forms. Most of the time we talk about it in email form.

Computer-based: Hoaxes, fake things that happen. Chain letters. "If you send this to 15 people and think about how you love them, then all that love will come back to you. Please forward this on-- don't break the chain-- and add the other people to the email." "Bill Gates will give a million dollars if we email this with a million people on the list."

Phishing attacks. If I can convince you through an attack to actually go to our website-- I sent you a piece of email that was spam, that relates to a particular location, and has you execute.

Now phishing and whaling are almost exactly the same thing, except we're going after bigger targets.

Now I heard a story-- and if this is true it's great; if it's not true then it's still a cool story.

Email gets sent to the top Fortune 1000, Global 100 companies. The CEOs of Fortune 100 companies do not answer their own email. Who does? Their executive assistant.

And it says inside of there: Class Action Lawsuit. Here are the details of it. If you want the entire class action lawsuit, please click here to go to the full text of it on this website; official-looking, official-looking, official-looking.

In whaling we're going after really big targets in the organization. Nonetheless it still starts up with an email that looks very official that makes you go to a website; and on the website there's malware that attacks the computer. And now it comes over here. This malware gets driven into this computer of the person who is the assistant to the-- Look at all the good information we could get there if we were evil.

Pharming is a little bit different than phishing. In pharming what we do is we don't send out the original email. What we do is we sit on a site, or we post things to a site that make people click on it. So we don't even tell them that that website is there and go to it. We just attack the website and we wait.

And then vishing is voicemail phishing or voice phishing: calling up a whole bunch of people.

How does that work, Dan? I mean, we can call them back.

Not if it's a Skype number. They can go ahead and set up a Google number or a Skype number that only lasts for seconds, only lasts for hours.

Human-Based SE -1 (slide 70)

Shoulder Surfing: viewing someone's activities (ATM transactions, entering a password, etc.) either close-up (literally over their shoulder), or at long range with telescopes, binoculars, etc.

Eavesdropping: listening in on conversations, reading messages, or other interception of information by audio, video, or read/written means.

Dumpster Diving: searching for sensitive information carelessly thrown out by the target; this could include bills, customer information, product designs, etc. that is not shredded before being put in the garbage. Dumpster diving is a good source of supporting material for conducting other social engineering attacks; it may give you enough information about the company to seem knowledgeable.

Okay. We've gone over most of these. I've got some good definitions for you here, to take a little pause on. If I haven't gotten it one way, I can get it another way in your head. I can convince you; I can social engineer you into reading these concepts.

But what we're going to do is we're going to talk about how to defend against these.

In shoulder surfing-- it's very simple-- training and education to look over your shoulders, both shoulders, before you do something sensitive.

Eavesdropping; again, looking around. Now technical eavesdropping is much more difficult to detect. You could also talk in low whispers.

Dumpster diving. Shredding is your tool of choice. It will help you to not have this information revealed.

And by the way, there are certain companies now that will shred your hard drives. They'll actually give you a receipt for all your shredding; and they'll show you that they've actually shredded the hard drive in front of you.

Human-Based SE -2 (slide 71)

Third Party Authorization: using the name of a trusted third person, usually someone in authority, to add credibility to the social engineering attempt.

Tailgating: physically entering a secure area by following someone through a secure door.

Piggybacking: requesting an authorized person to provide access to a secure area; e.g., "I forgot my ID at home, can you let me in?"

Reverse Social Engineering: the attacker appears to be in a position of authority, relying on his victims to give him the information he seeks instead of asking for it.

Third Party Authorization. Anytime I say, "Well, your boss said--"; you say, "Hang on a second, let me call my boss."

Tailgating: physically enter a secure area. Piggybacking is requesting authorization.

In both cases the answer through training is always: I'm sorry, I can't do that; you're supposed to go to that entrance over there.

Reverse Social Engineering is a little bit more difficult of a skill.

But in reverse social engineering what we do is we ask you questions to help you. "Oh, I see you're having problems with your keyboard. What's wrong with it?" This person says: Blah-blah-blah-blah-blah-blah; and they start giving me information. I keep on letting them drive, or think that they're driving the conversation, and let them steer it; and all the while I'm collecting data.

Reverse social engineering is a really advanced technique. You want to look for somebody who is a little bit distrusting. Not a total pessimist, but just a little bit distrusting. That's kind of like the perfect person for reverse social engineering.

Computer-Based SE -1 (slide 72)

Mail / IM Attachments: files attached to emails or instant messages can contain malicious software masquerading as useful files. Users are socially engineered into opening the attachment because they believe it to be of value to them.

Attachments of any kind may not be benign; even file types that were previously believed to be secure (e.g. PDF and PNG) have been used to compromise computers.

Computer-based: mail attachments. "Click here to see a picture."

Computer-Based SE -2 (slide 73)

Pop-up Windows: a window appears on a user's computer screen prompting them to enter their credentials or divulge other sensitive information.

Websites / Sweepstakes: a user is unwittingly directed to a malicious site. The site may look legitimate and may even offer a reward (e.g., free game download) for providing personal information.

Spam, Hoaxes, and Chain Letters: may contain dire warnings of the latest internet threat, offers of millions of dollars from a bank in Nigeria, or offers for free gifts if certain actions (usually involving money or personal information) are taken.

Messaging Spam (SPIM): a type of spam delivered via instant messaging.

Popup windows we've talked about before. But when they pop up, what do they lead you to? Will you click on that thing?

Websites and sweepstakes. "You're a winner."

Computer-Based SE -3 (slide 74)

Phishing: an email which claims to be from a legitimate source and attempts to solicit information or convince the recipient to take some sort of action.

- Can be very convincing; can appear to come from friends, associates, companies you do business with, or complete strangers
- Used in conjunction with a malicious website that solicits information or installs malware in the background while visiting the site

What the link says, and the actual site it links to, are VERY different.

Phishing. Looks very authoritative. Usually the link inside of here goes to the wrong place.

And if you have a browser that has-- well, if that browser has the ability to render-- I mean, not browser. But if your email client renders HTML, it will look like the correct link.

In phishing it looks very official. The link is usually going to say something else. I always tell people to turn off the rendering, so that it renders everything in plaintext. And that way you can see these inappropriate links.
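The slide's last point, that what a link says and where it really goes can differ, is something a mail gateway or client can check mechanically rather than leaving it to the reader. The following Python is an added example written for this page, not code from the course: it parses a constructed HTML body and flags anchors whose visible text, target host, or use of a brand name disagree. The sample message, TRUSTED_DOMAINS and the reason labels are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed phishing-style HTML body for the demo; not a real message.
SAMPLE_HTML = """
<p>Your account will be suspended in 10 minutes unless you
<a href="http://203.0.113.7/login">verify at https://www.examplebank.com</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
<p><a href="http://examplebank.com.account-check.example/">Click here</a> to keep it.</p>
"""

# Domains the organisation really uses (assumed for the example).
TRUSTED_DOMAINS = ("examplebank.com",)

# Anything in the anchor text that looks like a URL or hostname.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def host_of(url):
    """Lowercase hostname of a URL; assume http:// when the text has no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Last two labels, a crude stand-in for the registrable domain."""
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_suspicious_links(html):
    """Return (href, text, reasons) for each link that deserves a closer look."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = host_of(href)
        reasons = []
        try:                              # link goes straight to an IP literal
            ipaddress.ip_address(real)
            reasons.append("bare-ip")
        except ValueError:
            pass
        shown = URL_IN_TEXT.search(text)  # text claims a different destination
        if shown and registrable(shown.group(1).lower()) != registrable(real):
            reasons.append("text-mismatch")
        for domain in TRUSTED_DOMAINS:    # brand label inside a foreign host
            in_house = real == domain or real.endswith("." + domain)
            if not in_house and domain.split(".")[0] in real:
                reasons.append("lookalike")
        if reasons:
            flagged.append((href, text, tuple(reasons)))
    return flagged
```

Running find_suspicious_links(SAMPLE_HTML) flags the first and third anchors and passes the genuine help link; the same check is what a plaintext view lets a human do by eye.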

Computer-Based SE -4 (slide 75)

Spear phishing: narrowly focused variant of phishing.
- Gathers detailed personal information to craft convincing emails that can trick even seasoned professionals into opening tainted email attachments or visiting fake websites

Whaling: phishing attacks targeted towards senior executives.
- Used for sophisticated corporate and military espionage attacks
- Senior executives require security training too

Spear phishing and whaling. Spear phishing is a much narrower group. Whaling is an even narrower group.

Usually what spear phishing is after is enough personal details to collect up a profile on a bunch of people that they could use to then guess their passwords.

Computer-Based SE -5 (slide 76)

Pharming: a social engineering attack in which traffic destined for a valid website is redirected to a malicious website.
- Attacker mirrors a bank's website, and users who inadvertently visit or are redirected to the site input their username/password into the malicious site.

Vishing: form of phishing using the telephone or VoIP.
- Attacker uses caller ID spoofing and pre-recorded messages, usually stating the victim was involved in a credit-card compromise
- Requires the victim to call a number and provide account and personal information in order to mitigate the hoax compromise

Pharming. This is going to the wrong website.

And vishing is your number posted out there for people to see. It's usually a form of VoIP that they're using, because then the numbers aren't tied to a physical location.

Computer-Based SE -4 (slide 75, shown again)

Now in pharming, vishing, spear phishing and whaling, what you want to do is you want to use tools in your browsers that will reveal whether this is appropriate or inappropriate activity. There are plenty of plugins that will talk to you about the quality of that site.

The other thing that you can do on an enterprise level is you can buy a reputation filter.

What they did for both mail and for web browsing was they would intercept the request in a proxy, and they would assign values to appropriate or inappropriate activity.

So if the reverse DNS doesn't work for this URL, or if it's going directly to an IP address of a known set, or if it's a known spammer's address, or there's no correct signature inside the email, or the website's only had a DNS record for a couple of days, or-- on and on and on and on and on. And all these calculations add up to a reputation assessment of the email coming in.

Now there are a whole host of companies out there that do mail and web reputation filtering. And all of them will help you with these types of activities.

Be careful; and look at the reviews on them; and talk to people who do this for a living.
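The reputation scoring the lecturer describes, as an added example written for this page and not any vendor's product: a toy scorer that adds a weight for each of the signals just listed (reverse DNS failure, a bare-IP link, a listed sender address, a missing signature, a domain whose DNS record is only days old) and quarantines at or above a threshold. The lookup tables stand in for live DNS, blocklist and domain-age queries, and the weights, threshold and sample messages are all constructed so the code runs offline.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse
import ipaddress

# Stand-ins for live lookups (constructed data): PTR records, a blocklist,
# and the date each domain's DNS record was first seen.
REVERSE_DNS = {"198.51.100.10": "mail.examplebank.com"}
KNOWN_SPAMMERS = {"203.0.113.99"}
DOMAIN_FIRST_SEEN = {
    "examplebank.com": date(2005, 3, 1),
    "examplebank-verify.example": date(2024, 6, 1),
}
TODAY = date(2024, 6, 4)  # frozen so the example is reproducible

# Assumed penalty weights; a score at or above THRESHOLD is quarantined.
WEIGHTS = {"no-reverse-dns": 3, "known-spammer": 6, "unsigned": 2,
           "ip-url": 4, "young-domain": 3}
THRESHOLD = 5


@dataclass
class Message:
    sender_ip: str
    signed: bool      # a valid message signature (e.g. DKIM) was present
    urls: list        # links found in the body


def registrable(host):
    """Last two labels, a crude stand-in for the registrable domain."""
    return ".".join(host.split(".")[-2:])


def assess(msg):
    """Return (score, reasons) for one message; each signal adds its weight."""
    reasons = []
    if msg.sender_ip not in REVERSE_DNS:
        reasons.append("no-reverse-dns")
    if msg.sender_ip in KNOWN_SPAMMERS:
        reasons.append("known-spammer")
    if not msg.signed:
        reasons.append("unsigned")
    for url in msg.urls:
        host = (urlparse(url).hostname or "").lower()
        try:                               # link goes straight to an IP
            ipaddress.ip_address(host)
            reasons.append("ip-url")
            continue
        except ValueError:
            pass
        first_seen = DOMAIN_FIRST_SEEN.get(registrable(host))
        if first_seen is not None and (TODAY - first_seen).days < 7:
            reasons.append("young-domain")
    return sum(WEIGHTS[r] for r in reasons), reasons


def verdict(msg):
    score, _ = assess(msg)
    return "quarantine" if score >= THRESHOLD else "deliver"


# Constructed sample messages: a clean one, a stacked-up phish, and one
# whose only signal (a bare-IP link) is not enough on its own.
LEGIT = Message("198.51.100.10", True, ["https://www.examplebank.com/help"])
PHISH = Message("203.0.113.99", False, ["http://examplebank-verify.example/login"])
IP_ONLY = Message("198.51.100.10", True, ["http://203.0.113.7/login"])
```

The IP_ONLY case shows why the signals are summed rather than treated as individual blocks: one weak indicator alone stays below the threshold, while the phish accumulates four.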

Social Engineering Stages (slide 77)

The four stages of social engineering (the slide's cycle diagram, labelled Select Target and Execution, is not reproduced here):

1. Information Gathering: includes actions like dumpster diving, company tours, requests for information, and web searches
2. Select Target: identify a target for the attempt
3. Relationship Development: establish a rapport or credibility
4. Relationship Exploitation: perform the attack to achieve your objective

So let's kind of wrap up the social engineering here for a second. Let's talk about the stages of social engineering.

First we're going to gather information so that we know who the audience is.

Then we're going to find the right target. Remember, we could be using this person as a throwaway to find out about that person over there.

If you're looking and you think that there's-- and this takes a little bit of pessimism on your part. But watch how somebody interacts. Usually the giveaway in a bad social engineer is they'll look at you and then they'll walk toward that person. So they've already sized you up at that point that you're the target.

So look-- if they're kind of squaring off on you like this. Most people will not walk this way and look this way. It's just unnatural. And if they're doing that, then they're definitely doing it. Especially if they're turning their back to you a little bit and they're really-- I mean, they really got to crank their shoulders around like that. But if they're looking at you and walking a different way, you're the target.

Figure out who the target is. If you're going to do the social engineering, I'm going to go ahead. And before I do that, if I'm really good, what I'll do is I'll just get a couple of quick glances in. Or I'll bend down and I'll look up like this; and then I'll go over to that person.

If this is my direct target, I'm going to select that target and I'm going to size them up and I'm going to figure out what their posturing stance is. How are they looking? I'll do my cold read.

Then I'll start developing a relationship with them. I usually don't go at them with-- the first or second request, I don't make it about: Give me your password. I make it about establishing that rapport with them.

This works really well with cigarette smokers. Because everybody goes outside, sits outside and smokes their cigarette. And then you could be standing out there smoking a cigarette, leaning against the wall. And when they go in, flick your butt out just like them and walk in and follow them right through, through the tailgating. So I'm exploiting that relationship.

If it's direct social engineering where you want them to give you something, like a piece of information, and you're going to exploit that relationship, you have to develop that relationship over a longer period of time.

The shortest social engineering attacks that I've seen work are about four to five minutes to actually get what you want.

I'm sure that there are people out there that can do it much faster than that. But usually rapport relationship works in a four to five minute version.

Now if it's an advanced persistent threat, somebody actually getting a job somewhere, you can't tell that they're exploiting that relationship.

Insider Threat (slide 78)

Insider attacks are the most insidious type of threat to a network. Disgruntled employees, who are authorized to be on the network, can take advantage of their access to wreak havoc internally.

Consider the following:
- Insider attacks are easy to accomplish, as the attacker has access and authorization to the network.
- Prevention is difficult, much less detection, as most network monitoring is focused on attacks coming from the outside of the network.

One can view networks as M&M candies: hard on the outside, but soft on the inside.

The worst is that person that is an advanced persistent threat, the insider.

These people you really want to be careful about. Because they try and get a job within your organization; and then they look for that person that's truly not happy. They look for that disgruntled employee and they pull information out of them.

Now the last piece in this-- on the other side of this-- is truly the insider threat; and that is this disgruntled employee. No social engineer involved whatsoever. This person is mad and has got a grudge and they're going to attack.

Remember, that person can attack so much easier, because they are an insider, than the person on the outside.

If this is truly social engineering-- this is kind of spy versus spy stuff-- that person will get in and will get comfortable with this person and they'll make them vent all of that stuff; and then they'll take that stuff and they'll use it against the entire organization. Or even recruit them.

So that's our social engineering. And then the worst person to worry about is that actual insider, maybe even going to the advanced persistent threat level.

Notices
