Friendly Tip: Please take notes to better remember concepts
In the following slides we will learn what Social Engineering Attacks are and the principles used to carry out such attacks.
Core Cyber Security Concepts
Social Engineering Attacks:
"It's the art of manipulating people to give up confidential information/resources."
Such attacks are a very low-tech form of security attack. In fact, they don't necessarily require technical expertise at all. They involve an attacker or a group of attackers and the target organization/victim.
The attackers try to manipulate the target and gain access to sensitive information or resources using social engineering techniques.
Social engineering may involve one or more persons trying to gain access to sensitive information. In groups, the attackers work together to create a situation that manipulates the target into giving up info such as credentials, or resources such as money.
They're all coordinating their efforts and hoping that you'll lower your guard and grant them access to anything that they might need.
Social engineering attacks rely on deceit and manipulation.
There are a number of principles associated with social engineering attacks. When these principles are combined and used effectively, the social engineering attacks have a higher chance of success.
Social Engineering Principles:
-> Authority
We'll start with 'Authority'. Humans tend to cooperate with and listen to authority figures, and attackers who use social engineering often rely on this principle.
The attacker contacts the unsuspecting victim, claims to be from the tax department and states that the target owes taxes. The attacker continues to state that evading tax is a criminal offense and threatens the target with jail time.
By pretending to be an authority figure, the attacker tries to scare the victim, to put pressure on the victim and cause panic.
Panicked individuals don't think straight, and the attacker uses this to their advantage. When the victim is unable to think straight, the attacker presents a "solution".
The attacker claims that it looks like the victim made an honest mistake and assures them that they'll take care of the "issue", but only if the victim immediately clears the "dues".
If the victim isn't compliant, they'll threaten legal action and jail time to coerce the victim into paying the money.
If the victim believes the attacker, they will transfer the money.
In the upcoming slides we'll be discussing how other social engineering principles complement this attack to make it more successful.
-> Social Proof
It's also known as consensus. Attackers try to use the names of people you know, or private data, to come up with a believable story that convinces you that carrying out their request is justified.
Based on the previous example, the attacker might use a leaked tax ID number as social proof to present themselves as a more legitimate entity.
-> Urgency
If the person doing the social engineering can inject some type of urgency, then they can make things move even faster. This needs to happen quickly. Don't even think about it. Just provide this information right now so that we can solve this problem.
They create the need to act urgently, to defuse a ticking time bomb by acting now. They force the panicked victim to comply immediately or face severe consequences for not complying.
They use this to prevent the target from acting in a rational manner.
-> Scarcity
Social engineers also like to have a clock that's ticking. There needs to be scarcity. This particular situation is only going to be this way for a certain amount of time, and we have to be able to resolve this issue before this timer expires.
The attackers might call the unsuspecting victim and say that they're from a finance company. As part of their marketing campaign, they claim that the target won a lucky draw and is eligible for an 80% discount on a car of their choosing.
However, the attackers claim that the offer won't last long and that there are many eager customers on the line. As a solution to this problem, to confirm the purchase, the attacker asks the victim to pay a 10% token amount in advance and assures them that they'll be sent a receipt. If the victim believes this is real, they will lose their money.
-> Familiarity
Another technique that they use is one of familiarity. They become your friend. They talk about things that you like, and by doing that, they make the target feel like the attacker can be trusted. They use this trust to make the victim do things for them.
Honey Trap attacks work on this principle.
Types of Social Engineering Attacks
Based on the principles we discussed, the attacker tries to incorporate them into their preferred type of social engineering attack. We'll look at the different types of social engineering attacks in the upcoming slides.
Phishing
Phishing is one of the most popular social engineering attacks. The attacker sends a fake email to steal from victims.
Spear Phishing
Spear-phishing is a targeted attack where criminals disguise themselves as legitimate sources to convince specific victims to give up confidential info, or to steal money.
The credential harvester attack method is used when you don't specifically want to get a shell but want to perform phishing attacks in order to obtain usernames and passwords from the system.
In this attack vector, a website will be cloned, and when the victim enters their user credentials, the usernames and passwords will be posted back to your machine and then the victim will be redirected back to the legitimate site.
Baiting
Baiting is one of the most common and simplest social engineering attacks. It is similar to phishing: baiting uses false promises to lure unsuspecting victims into giving up sensitive info or downloading malicious files.
Examples of this include free video game downloads that redirect victims to download malicious files.
DNS Spoofing
DNS spoofing, also known as DNS cache poisoning, is an attack where the attacker uses a fake website and redirects victims to this fake website to steal data.
The victim believes he's accessing the legitimate site and proceeds to reveal credentials, which will be captured by the attacker.
Honey Trap
It's a social engineering attack that uses sexual relationships to lure the victim into divulging critical information.
Tailgating
Tailgating is a physical security breach where an attacker follows an authorized person into a restricted area.
Piggy Backing
In this scenario the attacker comes up with a convincing story to get the employee/victim to let them into a restricted area. The attacker might claim that they work there, forgot their ID at home and are late for a meeting, in order to convince the employee to use their keycard to let the attacker into the premises.
Shoulder Surfing
The attacker stays close to you and tries to observe you while you type a password or a PIN.
Lunch time attacks
The attacker physically gains access to an unsecured device when the employee is on a break.
Pretexting/Impersonation
In pretexting, cyber criminals impersonate someone else and come up with convincing scenarios to manipulate the victim into giving up sensitive information, transferring money or granting access to private networks.
Sources:
https://www.professormesser.com/security-plus/sy0-501/principles-of-social-engineering/
https://medium.com/@kaviru.mihisara/credential-harvester-attack-73335c4a5bb8

Social Engineering Attacks & Principles
