CCSA#4

Social Engineering & safeguarding

Disclaimer:

Use of this information/data/tools/techniques for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. The Computer Joker/Instructor/Owner assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes. The Computer Joker/Instructor do not support/promote hacking. For more details, head to our t&c page.

what is social engineering?

In the context of information security, social engineering is the psychological manipulation of people into performing actions or disclosing sensitive information such as credit card details or passwords.

Put more broadly, it is any act that influences a person to take an action that may or may not be in their best interests.

1. Information gathering:

Information gathering is the first and foremost step. It requires much patience and keen observation of the victim's habits. In this step the attacker gathers data about the victim's interests and personal information; it determines the success rate of the overall attack.

2. Engaging with victim:

After gathering the required amount of information, the attacker opens a conversation with the victim smoothly, without the victim noticing anything inappropriate.

3. Attacking:

This step generally occurs after a long period of engaging with the target; during this period, information is retrieved from the target by using social engineering. In this phase, the attacker gets the results from the target.

4. Closing interaction:

This is the last step, in which the attacker slowly shuts down the communication without arousing any suspicion in the victim. In this way, the motive is fulfilled and the victim rarely comes to know that the attack even happened.

life-cycle of social engineering

social engineering stats

98% of cyberattacks rely on social engineering.

43% of IT professionals say they have been targeted by social engineering in the last year.

45% of employees click emails they consider to be suspicious “just in case it’s important.”

47% of employees cited distraction as the main factor in their failure to spot phishing attempts.

On average, social engineering attacks cost $130,000.

The number one type of social engineering attack is phishing.

IC3 reports that socially engineered business email compromise is the costliest cybercrime.

Socially engineered cyberattacks are just under 80% effective.

An estimated 70-90% of breaches are caused by social engineering.

45% of employees don't report suspicious messages out of fear of getting in trouble.

(data sources - www.graphus.ai)

phishing

Phishing is a technique for tricking someone into revealing their private information by leading them to a fake web page or email form that pretends to come from a genuine company.

Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN or a credit card number.

phishing case study

For example, in 2003, there was a phishing scam in which users received emails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). By mimicking a legitimate organization's HTML code and logos, it is relatively simple to make a fake website look authentic. The scam tricked some people into thinking that eBay was requiring them to update their account information by clicking on the link provided. By indiscriminately spamming extremely large groups of people, the "phisher" counted on gaining sensitive financial information from the small percentage (yet large number) of recipients who already had eBay accounts and also fell prey to the scam.

What suspicious/spam emails look like


types of phishing

Deceptive phishing

Deceptive phishing is the most common type of phishing. In this case, an attacker attempts to obtain confidential information from the victims. Attackers use the information to steal money or to launch other attacks. A fake email from a bank asking you to click a link and verify your account details is an example of deceptive phishing.

Pharming

Similar to phishing, pharming sends users to a fraudulent website that appears to be legitimate. However, in this case, victims do not even have to click a malicious link to be taken to the bogus site. Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a fake site even if the correct URL is typed in.

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. Attackers often research their victims on social media and other sites. That way, they can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company’s defences and carry out a targeted attack.

Whaling

When attackers go after a “big fish” like a CEO, it’s called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means of stealing login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of company information.

vishing

Vishing, otherwise known as "voice phishing", is the criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organization.

Phone phishing (or "vishing") uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical "vishing" system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.

smishing

Smishing is the act of using SMS text messaging to lure victims into a specific course of action.

Like phishing, it can involve clicking on a malicious link or divulging information.

impersonation

Pretending (or pretexting) to be another person with the goal of gaining physical access to a system or building. Impersonation is used in the "SIM swap scam" fraud.

baiting

Baiting is like the real-world Trojan horse: it uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations where people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.

For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In any case, just inserting the disk into a computer installs malware, giving attackers access to the victim's PC and, perhaps, the target company's internal computer network.

tailgating

An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access.

Following common courtesy, the legitimate person will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.

dumpster diving / Trashing

Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters.

The LAN Times listed the following items as potential security leaks in our trash: "company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware."

stay safe with best practices

Security awareness training.

Enforce standard security protocols.

Be aware of offers that seem "Too good to be true".

Avoid clicking on attachments from unknown sources.

Do not give out personal information to anyone via email, phone, or text messages.

Use spam-filtering software such as Spam box.

Avoid befriending people that you do not know in real life.

Teach kids to contact a trusted adult in case they are being bullied over the internet (cyberbullying) or feel threatened by anything online.

email security

What is Email Tracing?

Email tracing is a method of monitoring the delivery of an email to its intended recipient. Most tracing technologies use some form of digitally time-stamped record to reveal the exact time and date that an email was received or opened, as well as the IP address of the recipient.

Email 2FA (two-factor authentication)

2FA is an extra layer of security. When you log in, it asks for another piece of identifying information, such as a one-time password (OTP) sent to your mobile number.

block email tracing

Ugly Email

Ugly Email is a browser extension for blocking read receipts and other email tracking pixels.

When a tracker is detected, it shows the icon of an eyeball in the subject line to alert you that a tracker is hidden inside the email.
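The two red flags this module describes, a phishing link whose visible text names the genuine site while its real destination is elsewhere (the phishing section above) and a hidden tracking pixel of the kind Ugly Email flags (this section), as an added Python example written for this page; it is not code from the module or from Ugly Email, and the sample message and every domain in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): the link text shows the bank's
# domain while the href points elsewhere, and a 1x1 hidden image carries a token.
SAMPLE_HTML = """
<p>Dear customer, verify your account at
<a href="http://login.example-bank.verify-now.example/auth">https://www.example-bank.example/login</a></p>
<img src="https://track.example/open?id=abc123" width="1" height="1" style="display:none">
<img src="https://www.example-bank.example/logo.png" width="120" height="40">
"""

def _host(url):
    """Hostname of a URL or bare domain, lower-cased."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()

class EmailScanner(HTMLParser):
    """Collects (href, visible text) for anchors and attribute dicts for images."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Links whose visible text looks like a URL but names a different host than the real href."""
    s = EmailScanner(); s.feed(html)
    return [(href, text) for href, text in s.links
            if text.startswith(("http://", "https://", "www.")) and _host(text) != _host(href)]

def find_tracking_pixels(html):
    """Images that are tiny or hidden and carry a query string, the classic open-tracking beacon."""
    s = EmailScanner(); s.feed(html)
    return [i["src"] for i in s.images
            if (i.get("width") in ("0", "1") or i.get("height") in ("0", "1")
                or "display:none" in i.get("style", "").replace(" ", "")) and "?" in i["src"]]
```

Both checks are heuristics: a mismatched host is a strong phishing indicator but legitimate mailers also use redirect hosts, so treat a hit as something to inspect rather than proof on its own.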

That's all for this module!



“We are all living in each other’s paranoia”

- Elliot (Mr. Robot)
