SlideShare a Scribd company logo

Uk computer emergency response team (cert) introduction to social engineering

P
PublicLeaker

This document provides an introduction to social engineering techniques. It describes common social engineering attacks like phishing emails, baiting websites, spear phishing targeted attacks, watering hole attacks, and physical baiting. Phishing remains the most prolific attack, while more sophisticated methods focus targets and use multiple layers. Effective defenses include educating users about social engineering techniques and promoting an organizational culture of information security awareness. However, a skilled attacker can still successfully retrieve information through social engineering given enough resources and luck. Organizations should have response and recovery plans for successful attacks.

1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
TLP WHITE 1. An introduction to social engineering
TLP WHITE 1 Contents Summary........................................................................................................................................................2 Introduction...................................................................................................................................................3 Wide scale attacks ........................................................................................................................................3 Phishing ...............................................................................................................................................3 Baiting..................................................................................................................................................4 Focusing the attack.......................................................................................................................................5 Spear phishing.....................................................................................................................................5 Watering hole attacks .........................................................................................................................6 Attacking on multiple fronts................................................................................................................7 Physical baiting....................................................................................................................................7 Mitigation advice..........................................................................................................................................8
TLP WHITE 2 Summary Social engineering is one of the most prolific and effective means of gaining access to secure systems and obtaining sensitive information, yet requires minimal technical knowledge. Attacks vary from bulk phishing emails with little sophistication through to highly targeted, multi-layered attacks which use a range of social engineering techniques. Social engineering works by manipulating normal human behavioural traits and as such there are only limited technical solutions to guard against it. As a result, the best defence is to educate users on the techniques used by social engineers, and raising awareness as to how both humans and computer systems can be manipulated to create a false level of trust. This can be complemented by an organisational attitude towards security that promotes the sharing of concerns, enforces information security rules and supports users for adhering to them. Even so, a determined attacker with sufficient skill, resources and ultimately, luck, will be able to retrieve the information they are seeking. For this reason, organisations and individuals should have measures in place to respond to, and recover from, a successful attack.
TLP WHITE 3 Introduction In cyber-security, social engineering refers to the manipulation of individuals in order to induce them to carry out specific actions or to divulge information that can be of use to an attacker. Social engineering in itself does not necessarily require a large amount of technical knowledge in order to be successful. Instead, social engineering preys on common aspects of human psychology such as curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.1 Social engineering techniques are commonly used to deliver malicious software (malware2 ) but in some cases only form part of an attack, as an enabler to gain additional information, commit fraud or obtain access to secure systems. Social engineering techniques range from indiscriminate wide scale attacks, which are crude and can normally be easily identified, through to sophisticated multi-layered tailored attacks which can be almost indistinguishable from genuine interactions. Social engineers are creative, and their tactics can be expected to evolve to take advantage of new technologies and situations. This paper outlines some of the most common and effective forms of social engineering. Wide scale attacks Phishing The most prolific form of social engineering is phishing, accounting for an estimated 77% of all social- based attacks with over 37 million users reporting phishing attacks in 2013.3 Phishing is the fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact. Whilst email phishing is the most common, phishing attacks can also be conducted via phone calls, text messages and fax, as well as other methods of communication, including social media. A large amount of wide scale email phishing attacks remain unsophisticated and will be recognised by most (although not all) computer users as illegitimate. However, email phishing is becoming increasingly sophisticated and attackers will use a variety of techniques to either make the email appear legitimate or to lure the victim into acting before thinking. Attackers may disguise the address the email is sent from so that it appears to be from a well-known organisation and common ones include banks, utility companies, couriers, recruitment agencies and government. Better designed phishing emails will actually appear to be very similar imitations of legitimate emails from these organisations (see example 1). Another common technique is to make use of major news events by posing as having new information on the event, or asking the recipient to take action (donate money, sign a petition, etc.) in relation to the event. Despite increasing competency in wide scale campaigns, there are still indicators that frequently appear in phishing emails:  Messages are unsolicited (i.e. the victim did nothing to initiate the action)  Messages are vague, not addressed to the target by name and beyond purporting to be from a known organisation, contain little other specific or accurate information to build trust  May be from an organisation with which the target has no dealing with 1 How hackers exploit 'the seven deadly sins', BBC News http://www.bbc.co.uk/news/technology-20717773 2 See CERT-UK’s ‘An introduction to malware’: https://www.cert.gov.uk/wp-content/uploads/2014/08/An- introduction-to-malware.pdf 3 The Social Engineering Infographic http://www.social-engineer.org/social-engineering/social-engineering- infographic/
TLP WHITE 4  Contain poor spelling and grammar, typos or use odd phrases; whilst this is becoming less common as attackers are becoming more proficient, mistakes are still made  Are too good to be true or make unrealistic threats, often with a sense of urgency  Are sent from an email address that, whilst perhaps similar, does not match ones used officially by an organisation  Contain incorrect or poor versions of an organisation’s logo, and may contain web links to sites that, whilst perhaps similar, are not ones used by that organisation Phishing emails often ask the user to follow a link to a website or open an attachment. Some may ask the user to reply to the email, after which they will be engaged in an exchange of messages to elicit confidential information. When asked to click on a link, it may be designed so that the text the victim clicks on appears to be for a known website, but the link takes them to a completely different website (a technique known as obfuscation). At the website, the victim will then be asked to enter confidential information or may unknowingly download a file which will subsequently infect their machine with malware. Likewise, any attachment on a phishing email is likely to contain malware. 4 More sophisticated phishing campaigns may even extend to taking victims to a close replica of a legitimate website that is designed to trick them into entering username, password or other confidential information. Baiting Another form of wide scale attack is baiting through the use of online adverts and websites. As with phishing, these will usually have offers that are too good to be true or with an urgent warning. This includes some websites that allow the user to download or stream videos (i.e. movies or TV shows), or pop-ups that purport to have detected a problem with the victim’s system which clicking on the pop-up will solve. Following the links provided in the bait, a user may then be tricked into giving away 4 O2 Phishing alert mid-2014 http://news.o2.co.uk/2014/05/29/phishing-alert-may-2014/ Example 1 – A phishing emailiii Although it appears to be from O2, closer inspection, by right clicking or hovering over the name, shows the email address has been spoofed. For example, ‘user123@o2-mail.com’. An official O2 email would come from ‘@o2.co.uk’. The subject title is 02 (zero-two) not O2 Hovering over the link here will show that it will not take the user to O2’s website, but to a completely unrelated website A comma is used instead of a decimal point By the time this email was sent, O2 has discontinued their ‘Lucy’ virtual assistant It is addressed generically, not to the customer by name
TLP WHITE 5 personal information, or their machine may automatically download malware. These attacks can be crude, but others are sophisticated and persistent (see example 2).5 Another mass form of baiting is the use of ‘free’ Wi-Fi hotspots, although this requires some technical knowledge. The attacker creates a Wi-Fi hotspot that is clearly labelled as ‘free’, typically in public areas such as coffee shops, airports and hotel rooms. Whilst they may provide a victim with an internet connection, any data sent over this connection can be intercepted by the attacker, through what is known as a ‘man-in-the-middle’ attack.6 The ability to intercept the victim’s data can extend even to secure connections to services such as online banking. The attacker may also be able to remotely install malware on to the victim’s system, allowing a range of further exploits to be carried out. Focusing the attack Spear phishing Spear phishing is used by more sophisticated attackers who will limit the target audience and increase the precision of their messages, increasing the appeal of the message and apparent legitimacy. A spear phishing attack may target individuals within a particular business sector, who work in the same company, in the same department, or who share some other common attribute. A spear phishing email may even target just one specific individual if they are seen to be of sufficient value to the attacker. Whilst this decreases the number of potential victims, it is also likely to result in a higher proportion falling for their attack. Some spear phishing attacks can still be crude, and still remain easy to spot as they contain some of the indicators listed above. Others can appear legitimate and are extremely difficult to identify as malicious. A competent attacker will research their target(s) in order to maximise their chances of success. They will try to find out information about the organisation, including organisational charts, contact details 5 BAE Shylock Whitepaper http://info.baesystemsdetica.com/rs/baesystems/images/ShylockWhitepaper.pdf 6 This is similar to another technique call ‘Evil Twin’ where an attacker creates a Wi-Fi network with the same name as a known public network (e.g. ‘BTOpenzone’ or ‘Starbucks’), that a smartphone, tablet or computer will automatically connect to. As with baiting, this now enables the attacker to intercept all data sent by the victim. Unlike baiting however, this can happen without the user’s knowledge if their device is set to automatically connect to known public networks. Example 2 – Shylock Shylock is a sophisticated, hard to detect, adaptable piece of malware that enables criminals to steal victims’ credentials and support financial cybercrime. Whilst UK-led law enforcement activity in mid-2014 successfully disrupted and reduced the prevalence of Shylock, it still continues to be used by criminals. The UK was a major target for Shylock, and at its height around 61% of all infected websites were UK based – the majority of these being from the retail sector.iv Shylock is distributed via a variety of methods, including malicious code embedded into online adverts which subsequently appear on legitimate websites and the direct targeting and compromise of popular websites. Some compromised websites may display a ‘missing plugins’ message with a button to install the missing plugins. When clicked this downloads and installs Shylock onto the victim’s system. Once running, Shylock, can send any data entered into a computer to the attacker, including website credentials and other sensitive information. It can even create a false ‘chat’ window on a banking website, enabling the attacker to interact with the intended victim in order to persuade them to give up additional sensitive information – effectively a second layer of social engineering.
TLP WHITE 6 and combine this with knowledge obtained from their victim’s social media profiles and other publicly available information. Rather than a generic greeting, a recipient is likely to be addressed by name and the message will probably include other personalised details. An attacker is likely to use the identity of a third party that is to be known or of interest to the intended victim(s), such as a supplier, to leverage existing trust relationships. Similarly, the attacker may try to replicate the third party’s email address and use their research to assume the identity of someone who is employed by the third party, potentially someone who they believe their victim(s) know. They may even attempt to gain access to a third party’s email account (see example 3). 7 Watering hole attacks Watering hole attacks, similar to baiting, use trusted websites to infect victim’s computers. They are typically more sophisticated than most other social engineering techniques as they also require some technical knowledge. A watering hole attack works by compromise a trusted third party website to deliver malicious code against the intended victim’s computer. As with other targeted social engineering attacks, the attacker will research their intended victim(s) and identify one or more trusted websites that they are likely to access. This may be a supplier’s website, an industry journal, think tank or some other website that the attacker has identified as of interest to the intended victim. Having identified a suitable website (or websites), the attacker will seek out vulnerabilities within the server that hosts the website, and having found one, insert code that will enable malware to be downloaded, sometimes with little or no interaction from the victim (known as a ‘drive-by’ attack). 7 Hacking the Street?, FireEye, http://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf Example 3 – A spear phishing emailv The example to the left has been attributed to a group called ‘Fin4’ by FireEye, a cyber-security company. Fin4 were identified as targeting individuals within companies who had access to information about market catalysts (i.e. events that would cause changes in stock prices). In this example, Fin4 successfully compromised the email of an individual at a public company (possibly through the use of social engineering), and then used the compromised account to send a message that would play on a chief executive’s concerns: damage to reputation and disclosure of confidential information. Prompted by this, the victim would click on the link in the email, which would result in the download of malware.
TLP WHITE 7 Attacking on multiple fronts A determined attacker may adopt a multi-layered approach along with additional techniques to increase their target’s trust, or confusion, in order to maximise the chance of success. Whilst somewhat indiscriminate, an attacker could begin dialling random numbers within an organisation claiming to be IT support (potentially using a real name from the IT support department gleaned from social media) until they eventually find a victim that does have an IT issue. In their attempt to solve the problem, they will trick the user into giving them login, password or other information that will be useful in compromising their computer. Alternatively, the attacker may pretend to be an executive, urgently demanding to be sent an important (and sensitive) document to their personal email address as they cannot access their work account. In both cases, the victim is put under pressure to do something they should know they should not do: they do not want to question someone who knows more than them (IT support), or who is senior to them (the executive), and refusal to comply could get them in trouble. Some attackers may be even more creative (see example 4). 8 Such sophisticated attacks are usually reserved for targets who will have access to valuable information, such as chief executives; this type of spear phishing is known as whaling. Physical baiting An attacker may also use hardware to bait a target or group of targets. The nature of this type of social engineering means that it is typically only used by more sophisticated attackers against a particular sector, organisation or individual. A common example of baiting is to leave a form of digital media (e.g. a USB flash drive, CD, DVD) unattended, perhaps labelled with something alluring to, and in a location frequented by, the intended victim (like a car park). The intent is that they will pick it up and then use it on a personal or work computer, whereupon that computer is infected with malware. Another form of physical baiting can be at conferences or other events, where the attacker is in a position to hand out free USB drives as gifts, or provide further information on digital media, which is secretly loaded with malware. 8 Social Engineering: The Art of Human Hacking, Chris Hadnagy Example 4 – A sophisticated social engineering attack As part of a vulnerability assessment for an organisation, an assessor carried out some information gathering and found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names, titles and much more. Through Facebook, he was also able to get other personal details about the CEO, such as his favourite restaurant, sports team and that he was involved in cancer fundraising. Using this information, he called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were running a raffle with prizes including tickets to a game played by his favourite sports team and tickets to his favourite restaurant. The CEO was interested and agreed to let the assessor send him a PDF with more information on the fundraising and the raffle. The assessor even managed to get the CEO to tell him which version of Adobe reader he was running. Soon after he sent the PDF, the CEO opened it, installing malware that enabled access to his machine.vi
TLP WHITE 8 Mitigation advice Technical solutions such as spam filters, anti-virus software and blocking known phishing/baiting websites can help prevent some phishing attacks. To some extent blocking the use of non-authorised USB devices and disabling CD/DVD drives can do the same for baiting attacks. However, a successful social engineer will attempt to get around these protections. As a result, the best prevention against social engineering is raising user education and awareness:  Make sure users are aware of the signs of phishing emails – good advice is available from Cyber Streetwise (https://www.cyberstreetwise.com/common-scams) and Get Safe Online (https://www.cyberstreetwise.com/common-scams)  If your organisation is a member of CiSP, you can seek advice from other CiSP members on improving user awareness. See here for more information about joining CiSP: https://www.cert.gov.uk/cisp/  Consider holding user awareness sessions, potentially as part of training or induction days, and including a demonstrative penetration test, showing a successful social engineering attack against an (anonymous) member of the organisation  Encourage users to verify any strange requests or messages by calling the originator on an already confirmed number  Make users aware of their online presence and caution them to be aware of how much information they make available on social media  Assess how much information your organisation makes available publicly, and whether any of this could be used in a social engineering attack  Implement policies that reduce the risk of a successful phishing (e.g. to never send sensitive information outside your organisation’s network), and give users the confidence they won’t be punished for sticking to the rules  Encourage users to share their concerns over strange emails or other potential social engineering events with colleagues and IT support  Ensure as an organisation you inform others of potential social engineering attempts through CiSP – you may not be the only one being targeted, but you may be the first who realises it’s a social engineering attack  Prepare for the fact that you are highly likely to eventually be compromised, and ensure you have in place an incident response and disaster recovery capability  In general, if your organisation adheres to the ‘10 Steps to Cyber Security’9 and the ‘20 Critical Controls for Cyber Defence’10 you will be in a good place to prevent, respond and recover from a range of cyber related incidents, including those that involve social engineering 9 https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility 10 http://www.cpni.gov.uk/advice/cyber/Critical-controls/
TLP WHITE www.cert.gov.uk @CERT_UK A CERT-UK PUBLICATION COPYRIGHT 2015 ©

More Related Content

PDF
Cybercrime - An essential guide from Thawte
RapidSSLOnline.com
 
PDF
IRJET- Phishing and Anti-Phishing Techniques
IRJET Journal
 
PDF
Advanced Phishing The Art of Stealing
Avinash Sinha
 
PDF
Study on Phishing Attacks and Antiphishing Tools
IRJET Journal
 
PDF
Customer Involvement in Phishing Defence
Jordan Schroeder
 
PDF
What are the possible damages of phishing and spoofing mail attacks part 2#...
Eyal Doron
 
PDF
IRJET- Phishing Web Site
IRJET Journal
 
PDF
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Cybersecurity Education and Research Centre
 
Cybercrime - An essential guide from Thawte
RapidSSLOnline.com
 
IRJET- Phishing and Anti-Phishing Techniques
IRJET Journal
 
Advanced Phishing The Art of Stealing
Avinash Sinha
 
Study on Phishing Attacks and Antiphishing Tools
IRJET Journal
 
Customer Involvement in Phishing Defence
Jordan Schroeder
 
What are the possible damages of phishing and spoofing mail attacks part 2#...
Eyal Doron
 
IRJET- Phishing Web Site
IRJET Journal
 
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Cybersecurity Education and Research Centre
 

What's hot (17)

PDF
A Review on Antiphishing Framework
IJAEMSJORNAL
 
PDF
Fire eye spearphishing
Zeno Idzerda
 
PDF
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Eyal Doron
 
PDF
What is the meaning of mail phishing attack in simple words part 4#9 | Eyal...
Eyal Doron
 
PDF
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
CSCJournals
 
PDF
Phishing detection in ims using domain ontology and cba an innovative rule ...
ijistjournal
 
PPTX
Email phishing and countermeasures
Jorge Sebastiao
 
PPTX
Phishing technology
Preeti Papneja
 
PDF
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
CMR WORLD TECH
 
PDF
Social Engineering CSO Survival Guide
E.S.G. JR. Consulting, Inc.
 
PPTX
Lesson iv on fraud awareness (cyber frauds)
CA.Kolluru Narayanarao
 
PPTX
Lesson iv on fraud awareness (cyber frauds)
Kolluru N Rao
 
DOC
14 cyber threats
mahesh43211
 
PPTX
Phishing
North Carolina State University
 
PDF
A Guide to Internet Security For Businesses- Business.com
Business.com
 
PPTX
Phishing ppt
Sanjay Kumar
 
PDF
Improving Phishing URL Detection Using Fuzzy Association Mining
theijes
 
A Review on Antiphishing Framework
IJAEMSJORNAL
 
Fire eye spearphishing
Zeno Idzerda
 
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Eyal Doron
 
What is the meaning of mail phishing attack in simple words part 4#9 | Eyal...
Eyal Doron
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
CSCJournals
 
Phishing detection in ims using domain ontology and cba an innovative rule ...
ijistjournal
 
Email phishing and countermeasures
Jorge Sebastiao
 
Phishing technology
Preeti Papneja
 
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
CMR WORLD TECH
 
Social Engineering CSO Survival Guide
E.S.G. JR. Consulting, Inc.
 
Lesson iv on fraud awareness (cyber frauds)
CA.Kolluru Narayanarao
 
Lesson iv on fraud awareness (cyber frauds)
Kolluru N Rao
 
14 cyber threats
mahesh43211
 
Phishing
North Carolina State University
 
A Guide to Internet Security For Businesses- Business.com
Business.com
 
Phishing ppt
Sanjay Kumar
 
Improving Phishing URL Detection Using Fuzzy Association Mining
theijes
 
Ad

Viewers also liked (16)

PPTX
Day 2
sefreed
 
PPT
Link Baiting
Raghavan Parthasarathy
 
PPTX
Day 3
sefreed
 
PPTX
Ventajas de la biodiversidad
CARRANZA41255782
 
PDF
An Approach to Detect Packets Using Packet Sniffing
ijcses
 
DOCX
Packet sniffer repot
Kunal Thakur
 
PPTX
Phishing
Naval OPSEC
 
PPTX
IPV4 vs IPV6
Devang Doshi
 
PPT
Module 5 Sniffers
leminhvuong
 
PPTX
Sniffer ppt
Rajashree Praharaj
 
PPTX
Packet sniffers
Kunal Thakur
 
PDF
Network Security Presentation
Allan Pratt MBA
 
PPT
Network security
Gichelle Amon
 
ODP
Sniffer
Stelcy Jose
 
PPTX
Packet sniffers
Ravi Teja Reddy
 
PPT
Network Security Threats and Solutions
Colin058
 
Day 2
sefreed
 
Link Baiting
Raghavan Parthasarathy
 
Day 3
sefreed
 
Ventajas de la biodiversidad
CARRANZA41255782
 
An Approach to Detect Packets Using Packet Sniffing
ijcses
 
Packet sniffer repot
Kunal Thakur
 
Phishing
Naval OPSEC
 
IPV4 vs IPV6
Devang Doshi
 
Module 5 Sniffers
leminhvuong
 
Sniffer ppt
Rajashree Praharaj
 
Packet sniffers
Kunal Thakur
 
Network Security Presentation
Allan Pratt MBA
 
Network security
Gichelle Amon
 
Sniffer
Stelcy Jose
 
Packet sniffers
Ravi Teja Reddy
 
Network Security Threats and Solutions
Colin058
 
Ad

Similar to Uk computer emergency response team (cert) introduction to social engineering (20)

PDF
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
EMC
 
DOCX
social engineering attacks.docx
MehwishAnsari11
 
PDF
Edu 03 assingment
Aswani34
 
PDF
E Mail Phishing Prevention and Detection
ijtsrd
 
PDF
Phishing 101: Part-1 Blog Welcome to this Phishing Blog Part1.
abhishekbacklink
 
PPTX
Cybersecurity Social Engineering Tactics & Mitigation Strategies
Cindtoro
 
PDF
Difference Between Phishing And Social Engineering
Cyber Sapiens
 
PDF
Prevent phishing scams
ronpoul
 
PDF
Prevent phishing scams
ronpoul
 
DOCX
Learn About Social Engineering Services - Aardwolf Security
Aardwolf Security
 
PPTX
December 2019 Part 10
seadeloitte
 
PPTX
Empowerment Technologies - Lesson 2: ONLINE SAFETY-SECURITY-ETHICS-AND-ETIQUETTE
GrazeleenMercado
 
PDF
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
IJNSA Journal
 
DOCX
THESIS-2(2)
Elsayed Muhammad
 
PDF
Cyber security
JoseMerda1
 
PDF
E0334035040
theijes
 
PDF
A COMPREHENSIVE SURVEY OF PHISHING ATTACKS AND DEFENCES: HUMAN FACTORS, TRAIN...
IJNSA Journal
 
PPTX
Phishing ppt
shindept123
 
PPTX
WPU ICC Template-2 ... Topic. 2.1.4 Methods Infiltration.pptx
Western Pacific University
 
PPTX
Cyber Attacks
Insiya Tarwala
 
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
EMC
 
social engineering attacks.docx
MehwishAnsari11
 
Edu 03 assingment
Aswani34
 
E Mail Phishing Prevention and Detection
ijtsrd
 
Phishing 101: Part-1 Blog Welcome to this Phishing Blog Part1.
abhishekbacklink
 
Cybersecurity Social Engineering Tactics & Mitigation Strategies
Cindtoro
 
Difference Between Phishing And Social Engineering
Cyber Sapiens
 
Prevent phishing scams
ronpoul
 
Prevent phishing scams
ronpoul
 
Learn About Social Engineering Services - Aardwolf Security
Aardwolf Security
 
December 2019 Part 10
seadeloitte
 
Empowerment Technologies - Lesson 2: ONLINE SAFETY-SECURITY-ETHICS-AND-ETIQUETTE
GrazeleenMercado
 
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
IJNSA Journal
 
THESIS-2(2)
Elsayed Muhammad
 
Cyber security
JoseMerda1
 
E0334035040
theijes
 
A COMPREHENSIVE SURVEY OF PHISHING ATTACKS AND DEFENCES: HUMAN FACTORS, TRAIN...
IJNSA Journal
 
Phishing ppt
shindept123
 
WPU ICC Template-2 ... Topic. 2.1.4 Methods Infiltration.pptx
Western Pacific University
 
Cyber Attacks
Insiya Tarwala
 

More from PublicLeaker (20)

PDF
Alec 990-2010
PublicLeaker
 
PDF
Alec wi weber_media_baseball_game
PublicLeaker
 
PDF
Alec wi weber_media
PublicLeaker
 
PDF
Alec wi tf_meeting_issue_alerts
PublicLeaker
 
PDF
Alec wi right_on_crime
PublicLeaker
 
PDF
Alec wi records_request_1
PublicLeaker
 
PDF
Alec wi obamacare_louisiana_awards
PublicLeaker
 
PDF
Alec wi obamacare
PublicLeaker
 
PDF
Alec wi misc_news__issues
PublicLeaker
 
PDF
Alec wi hale_emails_baseball_game_tf_appointments
PublicLeaker
 
PDF
Alec new jersey
PublicLeaker
 
PDF
Alec in arizona_2013
PublicLeaker
 
PDF
Agreement
PublicLeaker
 
PDF
Aclunc lye-sting rays-the_most_common_surveillance_tool_the_govt_wont_tell_yo...
PublicLeaker
 
PDF
Aclu hodai-v.-tpd-final-complaint-and-exhibits-03.03.14-hodai-v-tpd-complaint
PublicLeaker
 
PDF
Abc 2010 state-legislative-handbook
PublicLeaker
 
PDF
1224302 0-288 a-de-106943-section-1-serial-1-cover-sheet-mediapage
PublicLeaker
 
PDF
12.9.2011 crac agenda
PublicLeaker
 
PDF
12.09.2011 crac-unapproved-minutes
PublicLeaker
 
PDF
12.09.2011 attachment-f
PublicLeaker
 
Alec 990-2010
PublicLeaker
 
Alec wi weber_media_baseball_game
PublicLeaker
 
Alec wi weber_media
PublicLeaker
 
Alec wi tf_meeting_issue_alerts
PublicLeaker
 
Alec wi right_on_crime
PublicLeaker
 
Alec wi records_request_1
PublicLeaker
 
Alec wi obamacare_louisiana_awards
PublicLeaker
 
Alec wi obamacare
PublicLeaker
 
Alec wi misc_news__issues
PublicLeaker
 
Alec wi hale_emails_baseball_game_tf_appointments
PublicLeaker
 
Alec new jersey
PublicLeaker
 
Alec in arizona_2013
PublicLeaker
 
Agreement
PublicLeaker
 
Aclunc lye-sting rays-the_most_common_surveillance_tool_the_govt_wont_tell_yo...
PublicLeaker
 
Aclu hodai-v.-tpd-final-complaint-and-exhibits-03.03.14-hodai-v-tpd-complaint
PublicLeaker
 
Abc 2010 state-legislative-handbook
PublicLeaker
 
1224302 0-288 a-de-106943-section-1-serial-1-cover-sheet-mediapage
PublicLeaker
 
12.9.2011 crac agenda
PublicLeaker
 
12.09.2011 crac-unapproved-minutes
PublicLeaker
 
12.09.2011 attachment-f
PublicLeaker
 

Uk computer emergency response team (cert) introduction to social engineering

  • 1. TLP WHITE 1. An introduction to social engineering
  • 2. TLP WHITE 1 Contents Summary........................................................................................................................................................2 Introduction...................................................................................................................................................3 Wide scale attacks ........................................................................................................................................3 Phishing ...............................................................................................................................................3 Baiting..................................................................................................................................................4 Focusing the attack.......................................................................................................................................5 Spear phishing.....................................................................................................................................5 Watering hole attacks .........................................................................................................................6 Attacking on multiple fronts................................................................................................................7 Physical baiting....................................................................................................................................7 Mitigation advice..........................................................................................................................................8
  • 3. TLP WHITE 2 Summary Social engineering is one of the most prolific and effective means of gaining access to secure systems and obtaining sensitive information, yet requires minimal technical knowledge. Attacks vary from bulk phishing emails with little sophistication through to highly targeted, multi-layered attacks which use a range of social engineering techniques. Social engineering works by manipulating normal human behavioural traits and as such there are only limited technical solutions to guard against it. As a result, the best defence is to educate users on the techniques used by social engineers, and raising awareness as to how both humans and computer systems can be manipulated to create a false level of trust. This can be complemented by an organisational attitude towards security that promotes the sharing of concerns, enforces information security rules and supports users for adhering to them. Even so, a determined attacker with sufficient skill, resources and ultimately, luck, will be able to retrieve the information they are seeking. For this reason, organisations and individuals should have measures in place to respond to, and recover from, a successful attack.
  • 4. TLP WHITE 3 Introduction In cyber-security, social engineering refers to the manipulation of individuals in order to induce them to carry out specific actions or to divulge information that can be of use to an attacker. Social engineering in itself does not necessarily require a large amount of technical knowledge in order to be successful. Instead, social engineering preys on common aspects of human psychology such as curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.1 Social engineering techniques are commonly used to deliver malicious software (malware2 ) but in some cases only form part of an attack, as an enabler to gain additional information, commit fraud or obtain access to secure systems. Social engineering techniques range from indiscriminate wide scale attacks, which are crude and can normally be easily identified, through to sophisticated multi-layered tailored attacks which can be almost indistinguishable from genuine interactions. Social engineers are creative, and their tactics can be expected to evolve to take advantage of new technologies and situations. This paper outlines some of the most common and effective forms of social engineering. Wide scale attacks Phishing The most prolific form of social engineering is phishing, accounting for an estimated 77% of all social- based attacks with over 37 million users reporting phishing attacks in 2013.3 Phishing is the fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact. Whilst email phishing is the most common, phishing attacks can also be conducted via phone calls, text messages and fax, as well as other methods of communication, including social media. A large amount of wide scale email phishing attacks remain unsophisticated and will be recognised by most (although not all) computer users as illegitimate. However, email phishing is becoming increasingly sophisticated and attackers will use a variety of techniques to either make the email appear legitimate or to lure the victim into acting before thinking. Attackers may disguise the address the email is sent from so that it appears to be from a well-known organisation and common ones include banks, utility companies, couriers, recruitment agencies and government. Better designed phishing emails will actually appear to be very similar imitations of legitimate emails from these organisations (see example 1). Another common technique is to make use of major news events by posing as having new information on the event, or asking the recipient to take action (donate money, sign a petition, etc.) in relation to the event. Despite increasing competency in wide scale campaigns, there are still indicators that frequently appear in phishing emails:  Messages are unsolicited (i.e. the victim did nothing to initiate the action)  Messages are vague, not addressed to the target by name and beyond purporting to be from a known organisation, contain little other specific or accurate information to build trust  May be from an organisation with which the target has no dealing with 1 How hackers exploit 'the seven deadly sins', BBC News http://www.bbc.co.uk/news/technology-20717773 2 See CERT-UK’s ‘An introduction to malware’: https://www.cert.gov.uk/wp-content/uploads/2014/08/An- introduction-to-malware.pdf 3 The Social Engineering Infographic http://www.social-engineer.org/social-engineering/social-engineering- infographic/
  • 5. TLP WHITE 4  Contain poor spelling and grammar, typos or use odd phrases; whilst this is becoming less common as attackers are becoming more proficient, mistakes are still made  Are too good to be true or make unrealistic threats, often with a sense of urgency  Are sent from an email address that, whilst perhaps similar, does not match ones used officially by an organisation  Contain incorrect or poor versions of an organisation’s logo, and may contain web links to sites that, whilst perhaps similar, are not ones used by that organisation Phishing emails often ask the user to follow a link to a website or open an attachment. Some may ask the user to reply to the email, after which they will be engaged in an exchange of messages to elicit confidential information. When asked to click on a link, it may be designed so that the text the victim clicks on appears to be for a known website, but the link takes them to a completely different website (a technique known as obfuscation). At the website, the victim will then be asked to enter confidential information or may unknowingly download a file which will subsequently infect their machine with malware. Likewise, any attachment on a phishing email is likely to contain malware. 4 More sophisticated phishing campaigns may even extend to taking victims to a close replica of a legitimate website that is designed to trick them into entering username, password or other confidential information. Baiting Another form of wide scale attack is baiting through the use of online adverts and websites. As with phishing, these will usually have offers that are too good to be true or with an urgent warning. This includes some websites that allow the user to download or stream videos (i.e. movies or TV shows), or pop-ups that purport to have detected a problem with the victim’s system which clicking on the pop-up will solve. Following the links provided in the bait, a user may then be tricked into giving away 4 O2 Phishing alert mid-2014 http://news.o2.co.uk/2014/05/29/phishing-alert-may-2014/ Example 1 – A phishing emailiii Although it appears to be from O2, closer inspection, by right clicking or hovering over the name, shows the email address has been spoofed. For example, ‘user123@o2-mail.com’. An official O2 email would come from ‘@o2.co.uk’. The subject title is 02 (zero-two) not O2 Hovering over the link here will show that it will not take the user to O2’s website, but to a completely unrelated website A comma is used instead of a decimal point By the time this email was sent, O2 has discontinued their ‘Lucy’ virtual assistant It is addressed generically, not to the customer by name
  • 6. TLP WHITE 5 personal information, or their machine may automatically download malware. These attacks can be crude, but others are sophisticated and persistent (see example 2).5 Another mass form of baiting is the use of ‘free’ Wi-Fi hotspots, although this requires some technical knowledge. The attacker creates a Wi-Fi hotspot that is clearly labelled as ‘free’, typically in public areas such as coffee shops, airports and hotel rooms. Whilst they may provide a victim with an internet connection, any data sent over this connection can be intercepted by the attacker, through what is known as a ‘man-in-the-middle’ attack.6 The ability to intercept the victim’s data can extend even to secure connections to services such as online banking. The attacker may also be able to remotely install malware on to the victim’s system, allowing a range of further exploits to be carried out. Focusing the attack Spear phishing Spear phishing is used by more sophisticated attackers who will limit the target audience and increase the precision of their messages, increasing the appeal of the message and apparent legitimacy. A spear phishing attack may target individuals within a particular business sector, who work in the same company, in the same department, or who share some other common attribute. A spear phishing email may even target just one specific individual if they are seen to be of sufficient value to the attacker. Whilst this decreases the number of potential victims, it is also likely to result in a higher proportion falling for their attack. Some spear phishing attacks can still be crude, and still remain easy to spot as they contain some of the indicators listed above. Others can appear legitimate and are extremely difficult to identify as malicious. A competent attacker will research their target(s) in order to maximise their chances of success. They will try to find out information about the organisation, including organisational charts, contact details 5 BAE Shylock Whitepaper http://info.baesystemsdetica.com/rs/baesystems/images/ShylockWhitepaper.pdf 6 This is similar to another technique call ‘Evil Twin’ where an attacker creates a Wi-Fi network with the same name as a known public network (e.g. ‘BTOpenzone’ or ‘Starbucks’), that a smartphone, tablet or computer will automatically connect to. As with baiting, this now enables the attacker to intercept all data sent by the victim. Unlike baiting however, this can happen without the user’s knowledge if their device is set to automatically connect to known public networks. Example 2 – Shylock Shylock is a sophisticated, hard to detect, adaptable piece of malware that enables criminals to steal victims’ credentials and support financial cybercrime. Whilst UK-led law enforcement activity in mid-2014 successfully disrupted and reduced the prevalence of Shylock, it still continues to be used by criminals. The UK was a major target for Shylock, and at its height around 61% of all infected websites were UK based – the majority of these being from the retail sector.iv Shylock is distributed via a variety of methods, including malicious code embedded into online adverts which subsequently appear on legitimate websites and the direct targeting and compromise of popular websites. Some compromised websites may display a ‘missing plugins’ message with a button to install the missing plugins. When clicked this downloads and installs Shylock onto the victim’s system. Once running, Shylock, can send any data entered into a computer to the attacker, including website credentials and other sensitive information. It can even create a false ‘chat’ window on a banking website, enabling the attacker to interact with the intended victim in order to persuade them to give up additional sensitive information – effectively a second layer of social engineering.
  • 7. TLP WHITE 6 and combine this with knowledge obtained from their victim’s social media profiles and other publicly available information. Rather than a generic greeting, a recipient is likely to be addressed by name and the message will probably include other personalised details. An attacker is likely to use the identity of a third party that is to be known or of interest to the intended victim(s), such as a supplier, to leverage existing trust relationships. Similarly, the attacker may try to replicate the third party’s email address and use their research to assume the identity of someone who is employed by the third party, potentially someone who they believe their victim(s) know. They may even attempt to gain access to a third party’s email account (see example 3). 7 Watering hole attacks Watering hole attacks, similar to baiting, use trusted websites to infect victim’s computers. They are typically more sophisticated than most other social engineering techniques as they also require some technical knowledge. A watering hole attack works by compromise a trusted third party website to deliver malicious code against the intended victim’s computer. As with other targeted social engineering attacks, the attacker will research their intended victim(s) and identify one or more trusted websites that they are likely to access. This may be a supplier’s website, an industry journal, think tank or some other website that the attacker has identified as of interest to the intended victim. Having identified a suitable website (or websites), the attacker will seek out vulnerabilities within the server that hosts the website, and having found one, insert code that will enable malware to be downloaded, sometimes with little or no interaction from the victim (known as a ‘drive-by’ attack). 7 Hacking the Street?, FireEye, http://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf Example 3 – A spear phishing emailv The example to the left has been attributed to a group called ‘Fin4’ by FireEye, a cyber-security company. Fin4 were identified as targeting individuals within companies who had access to information about market catalysts (i.e. events that would cause changes in stock prices). In this example, Fin4 successfully compromised the email of an individual at a public company (possibly through the use of social engineering), and then used the compromised account to send a message that would play on a chief executive’s concerns: damage to reputation and disclosure of confidential information. Prompted by this, the victim would click on the link in the email, which would result in the download of malware.
  • 8. TLP WHITE 7 Attacking on multiple fronts A determined attacker may adopt a multi-layered approach along with additional techniques to increase their target’s trust, or confusion, in order to maximise the chance of success. Whilst somewhat indiscriminate, an attacker could begin dialling random numbers within an organisation claiming to be IT support (potentially using a real name from the IT support department gleaned from social media) until they eventually find a victim that does have an IT issue. In their attempt to solve the problem, they will trick the user into giving them login, password or other information that will be useful in compromising their computer. Alternatively, the attacker may pretend to be an executive, urgently demanding to be sent an important (and sensitive) document to their personal email address as they cannot access their work account. In both cases, the victim is put under pressure to do something they should know they should not do: they do not want to question someone who knows more than them (IT support), or who is senior to them (the executive), and refusal to comply could get them in trouble. Some attackers may be even more creative (see example 4). 8 Such sophisticated attacks are usually reserved for targets who will have access to valuable information, such as chief executives; this type of spear phishing is known as whaling. Physical baiting An attacker may also use hardware to bait a target or group of targets. The nature of this type of social engineering means that it is typically only used by more sophisticated attackers against a particular sector, organisation or individual. A common example of baiting is to leave a form of digital media (e.g. a USB flash drive, CD, DVD) unattended, perhaps labelled with something alluring to, and in a location frequented by, the intended victim (like a car park). The intent is that they will pick it up and then use it on a personal or work computer, whereupon that computer is infected with malware. Another form of physical baiting can be at conferences or other events, where the attacker is in a position to hand out free USB drives as gifts, or provide further information on digital media, which is secretly loaded with malware. 8 Social Engineering: The Art of Human Hacking, Chris Hadnagy Example 4 – A sophisticated social engineering attack As part of a vulnerability assessment for an organisation, an assessor carried out some information gathering and found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names, titles and much more. Through Facebook, he was also able to get other personal details about the CEO, such as his favourite restaurant, sports team and that he was involved in cancer fundraising. Using this information, he called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were running a raffle with prizes including tickets to a game played by his favourite sports team and tickets to his favourite restaurant. The CEO was interested and agreed to let the assessor send him a PDF with more information on the fundraising and the raffle. The assessor even managed to get the CEO to tell him which version of Adobe reader he was running. Soon after he sent the PDF, the CEO opened it, installing malware that enabled access to his machine.vi
  • 9. TLP WHITE 8 Mitigation advice Technical solutions such as spam filters, anti-virus software and blocking known phishing/baiting websites can help prevent some phishing attacks. To some extent blocking the use of non-authorised USB devices and disabling CD/DVD drives can do the same for baiting attacks. However, a successful social engineer will attempt to get around these protections. As a result, the best prevention against social engineering is raising user education and awareness:  Make sure users are aware of the signs of phishing emails – good advice is available from Cyber Streetwise (https://www.cyberstreetwise.com/common-scams) and Get Safe Online (https://www.cyberstreetwise.com/common-scams)  If your organisation is a member of CiSP, you can seek advice from other CiSP members on improving user awareness. See here for more information about joining CiSP: https://www.cert.gov.uk/cisp/  Consider holding user awareness sessions, potentially as part of training or induction days, and including a demonstrative penetration test, showing a successful social engineering attack against an (anonymous) member of the organisation  Encourage users to verify any strange requests or messages by calling the originator on an already confirmed number  Make users aware of their online presence and caution them to be aware of how much information they make available on social media  Assess how much information your organisation makes available publicly, and whether any of this could be used in a social engineering attack  Implement policies that reduce the risk of a successful phishing (e.g. to never send sensitive information outside your organisation’s network), and give users the confidence they won’t be punished for sticking to the rules  Encourage users to share their concerns over strange emails or other potential social engineering events with colleagues and IT support  Ensure as an organisation you inform others of potential social engineering attempts through CiSP – you may not be the only one being targeted, but you may be the first who realises it’s a social engineering attack  Prepare for the fact that you are highly likely to eventually be compromised, and ensure you have in place an incident response and disaster recovery capability  In general, if your organisation adheres to the ‘10 Steps to Cyber Security’9 and the ‘20 Critical Controls for Cyber Defence’10 you will be in a good place to prevent, respond and recover from a range of cyber related incidents, including those that involve social engineering 9 https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility 10 http://www.cpni.gov.uk/advice/cyber/Critical-controls/
  • 10. TLP WHITE www.cert.gov.uk @CERT_UK A CERT-UK PUBLICATION COPYRIGHT 2015 ©