3.1 - Social Engineering
Key Terms
- Social engineering – An attack involving human interaction.
- Footprinting – Gathering information about a target (websites, social media, employee details, on-site observation) before an attack; in a social engineering context it resembles stalking.
- Pretexting – Creating a fake scenario to persuade someone to do something.
- Elicitation – A technique to extract information from a target without drawing suspicion.
- Preloading – Influencing a target’s thoughts before something happens.
- SMiShing – A phishing attack through SMS.
- Impersonation – Pretending to be someone to extract information from a target.
- Spim – Similar to spam but through instant messaging instead of email.
- Hoax – A malicious email carrying a fabricated urgent message intended to deceive a target.
- Hacktivist - A hacker whose main purpose is to draw attention to their views or protest an event/situation. One example of a hacktivist group is Anonymous.
- Script kiddie – An unskilled attacker who relies on tools and scripts written by others.
- White hat – A hacker who uses their skills for defensive purposes only. White hats access only systems they have explicit permission to test and are the only hackers operating legally.
- Cybercriminal – A hacker willing to take more risks because the payoff is higher. Cybercriminals are usually associated with large, organised crime groups.
Social Engineering Attacks
Social engineering is one of the most effective ways to extract information from a target, because humans are the weakest point in any IT system. Social engineering attacks are hard to deflect, track and catch. The primary defence is educating the relevant people; technical controls alone do not stop an attack that persuades an authorised user to act. Social engineers are masters of social patterns and manipulation. They often use principles such as:
- Moral obligation – Exploitation of a responsibility.
- Trust – Exploitation of the natural tendency to trust others.
- Threats – Intimidation of the target.
- Greed – Offering a small reward.
- Ignorance – Exploiting someone’s lack of education about social engineering.
Social Engineering Process
- Research – The attacker gathers information about the company or target. This can be done through footprinting where the attacker goes through websites, social media, employee information and does onsite scouting.
- Development – The attacker selects which target to attack. They usually pick people who have access to the needed information and are overconfident, arrogant or frustrated, since such people give information away more easily. The attacker then starts forming a relationship with the target through conversations, emails, shared interests and so on. This builds trust, so the target becomes more comfortable and willing to hand over information.
- Exploitation – The attacker gets the target to complete actions such as revealing usernames and passwords, inserting malicious payloads into a company system, opening infected attachments or exposing trade secrets.
Pretexting
This refers to a fictitious scenario given to the target to extract information. Pretexting requires knowledge of the target to create a believable scenario. The more the attacker knows about the target, the better the pretext is going to be. If a pretext attack is successful, the attacker will erase digital footprints and ensure no items of information are left behind.
Shoulder Surfing/Eavesdropping
Shoulder surfing is where an attacker physically looks over a target’s shoulder to steal data. This could be anything from a username to credit card details. Eavesdropping is when an attacker listens in on a conversation they are not meant to hear, without the participants’ knowledge. Both can leak sensitive information.
USB and Keyloggers
A USB flash drive is, from a security standpoint, an extremely risky device. An on-site attacker can steal one to obtain the information on it, and because a drive carries no access controls or encryption by default, anyone holding it can read the data. A keylogger is a program (or hardware device) that records and logs keystrokes on a target’s computer. This can be used to steal passwords and other sensitive information.
Spam and Spim
Spam emails can be used to embed URLs and banner ads that entice a target to click them. Spim is the same thing except the malicious link is sent through instant messaging.
Hoax
A hoax is a fictional scenario used to scare or intimidate targets into giving away personal information. Hoax emails can often be identified by poor grammar and spelling; however, some are quite sophisticated and use many tactics to convince the target they are genuine.
Types of Attackers
- Insider – This attacker is already inside the target system. An insider could be an employee, a third party or even a customer. Humans are the weakest part of any computer system, so an insider can become a major security threat. An employee could be bribed to steal information, could have personal reasons for breaching security protocols, or could be socially engineered by an attacker. An employee who is tricked rather than acting deliberately is known as an unintentional threat actor. Because an unintentional threat actor does not know they are doing anything wrong, they can continue to be a threat to security for a long time.
- Hacker – Hackers locate and exploit vulnerabilities in security systems. The main motives are money, attention and revenge.
- Nation State – Sometimes attacks come from other countries. These are usually carried out by state-sponsored hackers who steal valuable information about the government or people of another country. These are the most dangerous and advanced attacks a tester will face.
Authority
A hacker may pretend to be a figure of authority over a business. This can trick employees into giving away information by using fear or intimidation techniques.
Social Proof
A hacker may use social pressure to get an insider to leak information. They may try to convince an employee that it is okay to leak the information, for example by claiming that colleagues have already done the same, or that something bad will happen if they do not.
Scarcity
This plays on the target’s fear of missing out. A time limit or limited availability is set to pressure the target into giving away valuable information before they have time to think.
Opportunistic Attack
In this type of attack, the hacker wants to be as fast and efficient as possible: get in, grab everything they can and get out quickly. These attacks are typically automated, with the attacker mass-scanning for vulnerable systems rather than choosing a specific victim. An example of an opportunistic attack is commodity ransomware.
Targeted Attack
These attacks are carried out by large groups and are much more methodical than an opportunistic attack. The aim is to do as much damage as possible to a chosen victim. They often use previously unknown (zero-day) exploits and prioritise covering their tracks.
Elicitation
This attack’s main purpose is to extract information without creating suspicion. The attacker uses techniques to make the target more comfortable or willing to share information. Some techniques include:
- Compliments
- Misinformation
- Feign ignorance
- Listening and validation
Phishing
This is when an attacker appears as a trustworthy individual and sends out emails to socially engineer targets. A phishing email should look as legitimate as possible. These emails usually contain links to a fraudulent website where a target inputs their sensitive information thinking it is legitimate. When this information is submitted, the results are sent to the hacker instead of the institution the attacker is impersonating. This attack is incredibly easy to set up and execute and is particularly successful.
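The two signs most phishing emails leave behind are a Reply-To that goes somewhere other than the apparent sender, and a link whose visible text shows the legitimate site while the href goes to the attacker's host. The script below is an added example, not part of the course notes: it parses a constructed sample message (all sender names, domains and URLs in it are made up) with Python's standard library and reports those mismatches. The `registrable_domain` helper is a deliberate simplification that takes the last two labels of a hostname; a production tool would use the Public Suffix List instead.

```python
"""Heuristic phishing-email triage: flag header and link mismatches.

Added example, not from the course notes. The sample message below is
constructed for illustration; the sender, domains and URLs are made up.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" notice whose visible link text and real
# href point at different hosts, and whose Reply-To goes to a third domain.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@mail-verify.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please verify your account:</p>
<p><a href="http://example-bank.com.login-check.example.net/verify">https://www.example-bank.com/login</a></p>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain
    (assumption: good enough here; real tooling uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def html_body(msg):
    """Return the first text/html part decoded as str ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    indicators = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_dom = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else ""

    # 1. Replies are routed to a domain other than the apparent sender's.
    if reply_dom and registrable_domain(reply_dom) != registrable_domain(from_dom):
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if "://" in text else ""
        # 2. The link text shows one site while the href goes to another.
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            indicators.append(f"link text shows {text_host} but href goes to {href_host}")
        # 3. The href host merely embeds the sender's domain as a leading label.
        if from_dom and href_host.startswith(from_dom + ".") \
                and registrable_domain(href_host) != registrable_domain(from_dom):
            indicators.append(f"href host {href_host} embeds {from_dom} inside another domain")
    return indicators


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_EMAIL):
        print("[!]", indicator)
```

Running the block prints three indicators for the sample: the Reply-To mismatch, the link whose text shows www.example-bank.com while its href resolves under example.net, and the href host that merely starts with the sender's domain. The benign help-page link produces nothing, which is the point: the check compares what the user sees against where they would actually be sent.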
Spear Phishing
The attacker first gathers information about the target. Then, they send specific emails to that target in hopes of tricking them.
Whaling
A form of phishing that targets high-profile individuals who hold valuable information, such as executives.
Vishing
Like a phishing attack but carried out over a phone call, typically using VoIP (voice over IP), which makes the caller ID easy to spoof.
SMiShing
The attacker sends a text to the victim with an urgent topic to be addressed immediately. This could contain links to malicious sites and software or fake phone numbers to extract information.
Pharming
This attack redirects a target’s web traffic to malicious sites by tampering with name resolution, so the target ends up on a fake site even when they type the correct address. It can be performed in two ways:
- DNS cache poisoning – The hacker poisons the cache of a DNS resolver the target uses, so that the legitimate domain name resolves to an attacker-controlled IP address and users are redirected to fake websites.
- Hosts file modification – The hacker sends malicious code to the target as an email or messaging attachment. When the attachment is opened, the code runs and modifies the local hosts file on the target’s computer (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows), which is consulted before DNS. This redirects the target’s web activity to fake websites.
Pharming attacks can also be delivered through trojan horse malware, worms and RATs.
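Because the hosts file is consulted before DNS, a static entry that maps a well-known domain to an outside address is the fingerprint of the second pharming technique above. The script below is an added example, not part of the course notes: it parses a constructed hosts file and reports entries that override resolution for a watchlist of domains or point any name at a non-RFC 1918 address. The watchlist, the sample entries and the addresses (documentation ranges) are all made up for illustration; the file paths it checks when run directly are the real defaults.

```python
"""Detect pharming-style tampering in a hosts file.

Added example, not part of the course notes. The hosts content, the
watchlist and the addresses below are constructed for illustration.
"""
import ipaddress
import os

# Constructed hosts file: the first three lines are what a stock install
# contains; the 192.0.2.x lines are the kind of entries pharming malware adds;
# the 10.x line is an ordinary corporate override that should not be flagged.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.1.2.3    intranet.corp.example
192.0.2.45  www.example-bank.com example-bank.com
192.0.2.45  login.example-mail.net   # "update"
203.0.113.9 cdn.example.org
"""

# Domains an organisation would never expect to see statically mapped (assumed).
WATCHLIST = {"example-bank.com", "example-mail.net"}

# Default hosts file locations on common platforms.
HOSTS_PATHS = ("/etc/hosts", r"C:\Windows\System32\drivers\etc\hosts")

# RFC 1918 and IPv6 ULA ranges, checked explicitly rather than via
# ipaddress.is_private so documentation ranges count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip("."), line_no


def classify(ip):
    """Return 'local', 'internal', 'external' or 'invalid' for an address string."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "local"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_hosts(text, watchlist):
    """Return a list of findings; each is a dict with line, host, ip, severity, reason."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        kind = classify(ip)
        if kind == "local":
            continue  # localhost-style entries are normal
        finding = {"line": line_no, "host": name, "ip": ip}
        if registrable_domain(name) in watchlist:
            finding.update(severity="high",
                           reason=f"watchlisted domain statically mapped to {ip}")
        elif kind == "external":
            finding.update(severity="medium",
                           reason=f"non-RFC1918 address overrides DNS for {name}")
        elif kind == "invalid":
            finding.update(severity="low", reason=f"unparseable address {ip!r}")
        else:
            continue  # internal override of a non-watchlisted name: expected in many networks
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Audit the real hosts file if one is readable, otherwise the constructed sample.
    text = SAMPLE_HOSTS
    for path in HOSTS_PATHS:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            break
    for f in audit_hosts(text, WATCHLIST):
        print(f"[{f['severity']}] line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On the sample this reports three high-severity entries (both example-bank.com names and login.example-mail.net) and one medium-severity entry for cdn.example.org, while the loopback lines and the intranet.corp.example override are left alone. In practice the same audit is worth running against the output of `ipconfig /displaydns` or a resolver's cache to catch the DNS cache poisoning variant, but that data has a different shape and is not handled here.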
Social Networking
Social media is a vital way of gathering information about a target before launching an attack. The hacker can steal identities and use the information posted on social media to appear more trustworthy to a target. Social media can also be used in phishing attacks, where the attacker posts malicious links, usually with a pretext statement attached. This statement can be tailored to the target’s interests.