Social Engineering

What is Social Engineering

• Social engineering is the technique of using the art of manipulating a person into performing an action or revealing sensitive information.

• This is the technique of hacking the human mind.

• Social engineering is typically used to gain unauthorized access in a physical secure location or even gathering a user's credentials.

Phishing

• This type of phishing is usually in the form of an email which may seem to originate from a legitimate sender such as a bank.

• Within the email may contain an obfuscated malicious link which is encouraging the user to click the link.

• Phishing emails are usually seen as spam emails as it is targeted towards a general audience.

Smishing

• This is a type of social engineering attack that is sent via a SMS text message.

• The victim usually receives a SMS text message from the attacker who is pretending to be from a legitimate organization.

Vishing

• This is another type of social engineering attack that is done via a telephone conversation.

• The attacker calls the victim while pretending to be from a legitimate organization such as a bank.

• Commonly done over a Voice over IP (VoIP) communication system.

Spear phishing

• Spear phishing is a type of targeted attack which is designed to focus on a specific group of persons.

• As compared to a general phishing attack which does not target any specific persons or group.

Whaling

• In a whaling attack, this is a type of phishing attack is targeted towards the high profile employees of an organizations such as the CEO.

• This attack is designed to trick the high profile employee who has high level authority within the organization.

• If the attacker is able to compromise a CEO's account, the attacker can perform various administrative and authoritative attacks.

Principles (reasons for effectiveness)

Social engineering does not require any form of technologies but rather a person who can manipulate or trick another person in doing something or giving up information without realizing it.

•  Authority - pretends to have some form of authority

• Intimidation - The attacker may say if you are not willing to help in a situation there may be some type of repercussions

• Consensus - using what other people has done to convince you it is normal

• Scarcity - Informing the victim this action is only for a short time and has to completed before a time as passed

• Familiarity - Tries to make the victim like the attack such as sharing a mutual experience

• Trust - Takes advantage of trust

• Urgency - Injecting urgency makes things seems more important and critical

Spam

• Spams are general phishing emails which arrives in the inbox.

Spam of Instant Messaging (SPIM)

• SPIM is a phishing that is done using some type of Instant Messaging (IM) application or platform.

 Pharming

• This is a type of social engineering where the attacker is able to manipulate the DNS records on either a victim's system or DNS Server.

• By changing the DNS Records will ensure users are redirected to a malicious website rather than visiting the legit website.

• A user who wants to visit www.mywebsite.com many be redirected to www.malciouswebsite.com within a different IP address.

• This technique is used to send a lot of users to malicious or fake website to gather sensitive information from the unaware site visitors.

Water Hole attack

• In this type of attack, the attacker observes where employees of a target organization is commonly visiting. Then creates a fake, malicious clone of the website and attempt redirect the users to the malicious website.

• This technique is used to compromised all the website visitor devices.

• This attack helps attackers to compromise a target organization who has very strict security controls.

• This type of attack helps hackers to perform credential harvesting which is used to gather users' credentials.

Typosquatting

• Typosquatting is the technique of taking advantage of a user who mistype a website's domain name.

• A user may type www.gooogle.com  or www.gogle.com and the user may be redirected to a malicious website owned by a hacker.

• This types of website can perform automatic drive-by downloads on the user's system and execute the malicious code.

Physical social engineering techniques

• Dumpster diving - Going through someone else's trash looking for sensitive documents.

• Shoulder surfing - This is the technique of looking over someone's shoulder while they are entering sensitive data on their screen.

• Tailgating - Following a person through a secure area within a building. Man traps are used to prevent this of attack.

• Pretexting - This technique allows the attacker to create a fake story and attempt to trick the victim into performing an action.

Invoice Scam

• The attacker pretends to be a legitimate organization and sends a fake invoice to the victim.

• The objective is to trick the victim into clicking the invoice file or link to download and execute code on their system.

• This technique is also used to gather the victim's user credential if they are redirected to a fake website.

Hoax

• A hoax is simply some type of false or misleading information that is designed to spread fake news about a topic.

Prepending

• This is attack is there additional information is placed in front of a URL.

• When the victim clicks the link, they are redirected to another website and not to the legit site.