MODULE 9
Social Engineering
EC-Council, . Certified Ethical Hacker (CEH) Version 12. Available from:
VitalSource Bookshelf, (12th Edition). International Council of E-
Commerce Consultants (EC Council), 2022.
What is Social Engineering
• Social engineering is the art of convincing people to reveal confidential information
• Common targets of social engineering include help desk personnel, technical support
executives, system administrators, etc.
• Social engineers depend on the fact that people are unaware of the valuable
information to which they have access and are careless about protecting it
Impact of Attack on an Organization
• Economic losses
• Damage of goodwill
• Loss of privacy
• Dangers of terrorism
• Lawsuits and arbitration
• Temporary or permanent closure
Behaviors Vulnerable to Attacks
• Authority
• Intimidation
• Consensus
• Scarcity
• Urgency
• Familiarity
• Trust
• Greed
What is Social Engineering (Cont’d)
Factors that Make Companies Vulnerable to Attacks
• Insufficient security training
• Unregulated access to information
• Several organizational units
• Lack of security policies
Why is Social Engineering Effective?
• Security policies are only as strong as their weakest link, and human behavior is the most susceptible factor
• It is difficult to detect social engineering attempts
• There is no method that can be applied to ensure complete security from social engineering attacks
• There is no specific software or hardware to defend against a social engineering attack
Phases of a Social Engineering Attack
• Research the Target Company
  • Dumpster diving, websites, employees, tour of the company, etc.
• Select a Target
  • Identify frustrated employees of the target company
• Develop a Relationship
  • Develop a relationship with the selected employees
• Exploit the Relationship
  • Collect sensitive account and financial information, as well as current technologies
Social Engineering Techniques
Types of Social Engineering
• Human-based Social Engineering: sensitive information is gathered by interaction
  • Techniques: Impersonation, Vishing, Eavesdropping, Shoulder Surfing, Dumpster Diving, Reverse Social Engineering, Piggybacking, Tailgating, Diversion Theft, Honey Trap, Baiting and Quid Pro Quo, Elicitation
• Computer-based Social Engineering: sensitive information is gathered with the help of computers
  • Techniques: Phishing, Pop-up Window Attacks, Spam Mail, Instant Chat Messenger, Scareware
• Mobile-based Social Engineering: sensitive information is gathered with the help of mobile apps
  • Techniques: Publishing Malicious Apps, Using Fake Security Apps, Repackaging Legitimate Apps, SMiShing (SMS Phishing)
Human-based Social Engineering: Impersonation
• The attacker pretends to be someone legitimate or an authorized person
• Attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone, email, etc.
• Impersonation helps attackers to trick a target into revealing sensitive information
• Impersonation is the most common human-based social engineering technique
Impersonation Examples
• Posing as a legitimate end user: the attacker assumes this identity and asks for the sensitive information
  “Hi! This is John from the Finance Department. I have forgotten my password. Can I get it?”
• Posing as an important user: the attacker poses as a VIP of a target company, valuable customer, etc.
  “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system’s password. Can you help me out?”
• Posing as a technical support agent: the attacker poses as technical support staff and requests IDs and passwords
  “Sir, this is Matthew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?”
Human-based Social Engineering (Cont’d): Impersonation (Vishing)
• Vishing (voice or VoIP phishing) is an impersonation technique (electronic fraud) in which the attacker tricks individuals into revealing personal and financial information using voice technology such as the telephone system, VoIP, etc.
Vishing Examples
• Abusing the Over-Helpfulness of Help Desks: the attacker calls a company’s help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk
  “A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker a clear entrance into the corporate network.”
• Third-party Authorization: the attacker obtains the name of an authorized employee of the targeted organization who has access to the information he/she wants, then places a call to the target organization where the information is stored and claims that this employee has requested that such information be provided
  “Hi, I am John, I spoke with Mr. X last week before he went on vacation and he said that you would be able to provide me with this information in his absence. Can you help me out?”
• Tech Support: the attacker pretends to be technical support staff of the targeted organization’s software vendors or contractors and may request user IDs and passwords for troubleshooting a problem in the organization
  Attacker: “Hi, this is Mike with tech support. We have had some people from your office report/complain about slowdowns in logging in lately. Is this true?”
  Employee: “Yes, it has been slow lately.”
  Attacker: “Well, we have moved you to a new server to improve your service. Could you give me your password so that I can check your service? Things should be better for you now.”
Human-based Social Engineering (Cont’d)
Reverse Social Engineering
• The attacker presents him/herself as an authority and the target seeks his or her advice before or after offering the information that the attacker needs
Piggybacking
• An authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, e.g., “I forgot my ID badge at home. Please help me”
• Piggybacking usually implies entry into a building or security area
Tailgating
• The attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access
Diversion Theft
• The attacker tricks a person responsible for making a genuine delivery into delivering the consignment to a location other than the intended location
Human-based Social Engineering (Cont’d)
Honey Trap
• Attackers target a person inside the company online, pretending to be an attractive person. They then begin a fake online relationship to obtain confidential information about the target company
Baiting
• Attackers offer end users something alluring in exchange for important information such as login details and other sensitive data
• A physical device such as a USB flash drive containing malicious files is left in a location where people can easily find it
Quid Pro Quo
• Attackers call numerous random numbers within a company, claiming to be from technical support. They offer their service to end users in exchange for confidential data or login credentials
Elicitation
• Attackers extract information from the victim by engaging him/her in normal and disarming conversations
• Based on the victim’s interests, attackers must work to tailor their elicitation approach to extract the relevant information
Computer-based Social Engineering
Hoax Letters
• Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user’s system
Pop-Up Windows
• Windows that suddenly pop up while surfing the Internet and ask for user information to login or sign-in
Chain Letters
• Emails that offer free gifts such as money and software on condition that the user forwards the mail to a specified number of people
Instant Chat Messenger
• Gathering personal information by chatting with a selected user online to get information such as birth dates and maiden names
Scareware
• Malware that tricks computer users into visiting malware-infested websites, or downloading/buying potentially malicious software
Spam Email
• Irrelevant, unwanted, and unsolicited emails that attempt to collect financial information, social security numbers, and network information
Computer-based Social Engineering: Phishing
• Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information
• Phishing emails or pop-ups redirect users to fake webpages that mimic trustworthy sites, which ask them to submit their personal information
Computer-based Social Engineering: Phishing (Cont’d)
Spear Phishing
• A targeted phishing attack aimed at specific individuals within an organization
• Attackers use spear phishing to send a message with specialized social engineering content directed at a specific person or a small group of people
Whaling
• An attacker targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information
• The attacker tricks the victim into revealing critical corporate and personal information through email or website spoofing
Pharming
• The attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server
• Also known as “phishing without a lure”, and performed by using DNS Cache Poisoning or Host File Modification
Spimming
• A variant of spam that exploits Instant Messaging platforms to flood spam across the networks
• Attackers use bots to harvest Instant Message IDs and spread spam
Computer-based Social Engineering: Phishing (Cont’d)
Angler Phishing
• Attackers create a fake social media account impersonating an organization’s helpdesk account and connect to disgruntled customers by posting fake service links
• When victims click on the link, malicious software gets installed on their system, or they are redirected to another site requesting them to provide their details
Deepfake Attack
• Attackers create false media of a target individual using advanced technologies such as AI/ML. Attackers perform deepfakes using previously recorded audio and video samples of the target person and then cloning those clips
• Attackers trick online users into believing that they are listening to original clippings, which often request donations
Catfishing Attack
• Attackers target a person on social media platforms and perform identity theft to create a fake social media account
• Then, attackers use the fake account for communicating with other users via chat boxes to perform cyber bullying for monetary gain
Phishing Tools
Phishing tools can be used by attackers to generate fake login pages to capture
usernames and passwords, send spoofed emails, and obtain the victim’s IP address and
session cookies. This information can further be used by the attacker, who will use it to
impersonate a legitimate user and launch further attacks on the target organization.
Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps
Mobile-based Social Engineering: Fake Security Applications and SMiShing (SMS Phishing)
Insider Threat
Insider Threats/Insider Attacks
• An insider is any employee (trusted person or people)
with access to critical assets of the organization
• An insider attack involves using privileged access to
intentionally violate rules or cause threats of any form
to the organization’s information or information systems
• Such attacks are generally performed by privileged
users, disgruntled employees, terminated employees,
accident-prone employees, third parties, undertrained
staff, etc.
Reasons for Insider Attacks
• Financial gain
• Theft of confidential data
• Revenge
• Becoming a future competitor
• Helping a competitor
• Public announcement
Insider Threat Statistics
According to insider threat statistics for 2022, a majority of companies agree that privileged users, administrators, and C-level executives are the most dangerous insider threat actors
Types of Insider Threats
• Malicious Insider: A disgruntled or terminated employee who steals data or destroys the company’s networks intentionally by introducing malware into the corporate network
• Negligent Insider: Insiders who are uneducated on potential security threats or who simply bypass general security procedures to meet workplace efficiency
• Professional Insider: Harmful insiders who use their technical knowledge to identify weaknesses and vulnerabilities in the company’s network and sell confidential information to competitors or black market bidders
• Compromised Insider: An insider with access to critical assets of an organization who is compromised by an outside threat actor
• Accidental Insider: Inadvertent exposure of data to an external entity by mistyping an email address, sending a valuable business document to an unknown user, or unintentionally clicking on a malicious hyperlink
Why are Insider Attacks Effective?
• Easy to launch
• Prevention is difficult
• Succeed easily
• Employees can easily cover their tracks
• Differentiating harmful actions from the employee’s regular work is very difficult
• Can go undetected for years and remediation is very expensive
Behavioral Indications of an Insider Threat
• Data exfiltration alerts
• Missing or modified network logs
• Changes in network usage patterns
• Multiple failed login attempts
• Behavioral and temperament changes
• Unusual time and location of access
• Missing or modified critical data
• Unauthorized downloading or copying of sensitive data
• Logging of different user accounts from different systems
• Temporal changes in revenue or expenditure
• Unauthorized access to physical assets
• Increase or decrease in productivity of employee
• Inconsistent working hours
• Unusual business activities
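Several of the indicators above (multiple failed login attempts, unusual time of access, one account logging in from several systems) can be turned into detection logic over authentication logs. The following Python script is an added example, not part of the CEH module; the log line format, the user and host names, the business-hours window and the thresholds are assumptions chosen for illustration.

```python
"""Detection logic for three insider-threat indicators, run over a small set
of constructed authentication log lines.

Added example (not from the CEH module). The log format
"<ISO timestamp> <SUCCESS|FAILURE> user=<name> host=<source>", the users,
hosts and thresholds below are all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:01 SUCCESS user=alice host=ws-101
2024-03-04T09:14:33 FAILURE user=bob host=ws-207
2024-03-04T09:14:41 FAILURE user=bob host=ws-207
2024-03-04T09:14:52 FAILURE user=bob host=ws-207
2024-03-04T09:15:03 FAILURE user=bob host=ws-207
2024-03-04T09:15:10 FAILURE user=bob host=ws-207
2024-03-04T09:15:19 SUCCESS user=bob host=ws-207
2024-03-04T23:48:07 SUCCESS user=carol host=ws-310
2024-03-05T03:02:55 SUCCESS user=carol host=vpn-gw
2024-03-05T10:20:14 SUCCESS user=dave host=ws-118
2024-03-05T10:21:30 SUCCESS user=dave host=ws-222
2024-03-05T10:22:45 SUCCESS user=dave host=ws-305
"""

FAILED_LOGIN_THRESHOLD = 5                      # assumed: failures per user before alerting
WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed business hours
MULTI_HOST_THRESHOLD = 3                        # assumed: distinct source hosts per account


def parse_line(line):
    """Split one log line into a dict with a datetime, outcome, user and host."""
    ts, result, user_kv, host_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "SUCCESS",
        "user": user_kv.split("=", 1)[1],
        "host": host_kv.split("=", 1)[1],
    }


def detect_indicators(log_text):
    """Return a sorted list of (indicator, user) pairs found in the log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(int)   # failed attempts per user
    hosts = defaultdict(set)      # distinct hosts each user logged in from
    findings = set()
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
            if failures[e["user"]] >= FAILED_LOGIN_THRESHOLD:
                findings.add(("multiple_failed_logins", e["user"]))
            continue
        # Unusual time of access: a successful login outside business hours
        if not (WORK_START <= e["ts"].time() <= WORK_END):
            findings.add(("off_hours_access", e["user"]))
        # The same account used from several different systems
        hosts[e["user"]].add(e["host"])
        if len(hosts[e["user"]]) >= MULTI_HOST_THRESHOLD:
            findings.add(("account_used_from_multiple_systems", e["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, user in detect_indicators(SAMPLE_LOG):
        print(f"{indicator}: {user}")
```

In practice these checks would run against the organization's log management or SIEM data rather than a text block, and "unusual" hours would come from a per-user baseline instead of a fixed window; the fixed thresholds here are only to make the logic visible.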
Identity Theft
Identity Theft
• Identity theft is a crime in which an imposter steals your personally identifiable information such
as name, credit card number, social security or driver’s license numbers, etc. to commit fraud or
other crimes
• Attackers can use identity theft to impersonate employees of a target organization and physically
access facilities
Types of Identity Theft
• Child identity theft
• Criminal identity theft
• Financial identity theft
• Driver’s license identity theft
• Insurance identity theft
• Medical identity theft
• Tax identity theft
• Identity cloning and concealment
• Synthetic identity theft
• Social security identity theft
Identity Theft (Cont’d)
Types of personally identifiable information stolen by identity
thieves:
• Name
• Home and office address
• Social security number
• Phone number
• Date of birth
• Bank account number
• Credit card information
• Credit report
• Driving license number
• Passport number
Indications of Identity Theft
• Unfamiliar charges to your credit card that you do not recognize
• No longer receiving credit card, bank, or utility statements
• Getting calls from the debit or credit fraud control department
• Charges for medical treatment or services you never received
• No longer receiving electricity, gas, water, etc. service bills
Identity Theft (Cont’d)
The attacker steals people’s identity for fraudulent purposes such as:
• To open new credit card accounts in the name of the user without paying the bills
• To open a new phone or wireless account in the user’s name, or to run up charges on their
existing account
• To use the victims’ information to obtain utility services such as electricity, heating, or cable TV
• To open bank accounts with the intention of writing bogus checks using the victim’s information
• To clone an ATM or debit card to make electronic withdrawals from the victim’s accounts
• To obtain loans for which the victim is liable
• To obtain a driver’s license, passport, or other official ID card that contains the victim’s data with
the attacker’s photos
• Using the victim’s name and Social Security number to receive their government benefits
• To impersonate an employee of a target organization to physically access its facility
• To take over the victim’s insurance policies
• To sell the victim’s personal information
• To order goods online using a drop-site
Social Engineering Countermeasures
• Good policies and procedures are ineffective if they are not taught to and reinforced by employees. After receiving training, employees should sign a statement acknowledging that they understand the policies
• The main objectives of social engineering defense strategies are to create user awareness, robust internal network controls, and secure policies, plans, and processes
Password Policies
• Periodic password changes
• Avoiding guessable passwords
• Account blocking after failed attempts
• Increasing length and complexity of passwords
• Improving secrecy of passwords
Physical Security Policies
• Identification of employees by issuing ID cards, uniforms, etc.
• Escorting visitors
• Restricting access to work areas
• Proper shredding of useless documents
• Employing security personnel
Defense Strategy
• Social engineering campaign
• Gap analysis
• Remediation strategies
Social Engineering Countermeasures (Cont’d)
• Train individuals on security policies
• Implement proper access privileges
• Presence of proper incident response time
• Availability of resources only to authorized users
• Scrutinize information
• Background check and proper termination process
• Anti-virus/anti-phishing defenses
• Implement two-factor authentication
• Adopt documented change management
• Ensure software is regularly updated
How to Defend against Phishing Attacks?
• Educate individuals by conducting phishing campaigns
• Enable spam filters that detect emails from suspicious sources
• Hover over links to identify whether they point to the correct location
• Check emails for generic salutations, spelling, and grammar mistakes
• Confirm the sender before providing the information via email
• Ensure that employees use HTTPS-protected websites
• Verify the profile pictures of a suspicious account by performing a
reverse image search
• Immediately report social media accounts confirmed to be fake
Detecting Insider Threats
• Insider Risk Controls
  • Insider data risk presents another layer of complexity for security professionals, which requires designing security infrastructure that can efficiently monitor user permissions, access controls, and user actions
• Deterrence Controls
  • The security framework must contain safeguards, recommended actions by the employee and IT professionals, separation of duties, assigning privileges, etc.
  • Security professionals can use tools such as DLP (Symantec Data Loss Prevention, SecureTrust Data Privacy, etc.) and IAM (SailPoint IdentityIQ, RSA SecurID Suite, etc.) to deter insider threats
• Detection Controls
  • Security professionals must use a variety of security controls and tools to analyze and detect insider threats
  • Tools such as IDS/IPS (Check Point Quantum Intrusion Prevention System (IPS), IBM Security Network Intrusion Prevention System, etc.), Log Management (SolarWinds Security Event Manager, Splunk, etc.), and SIEM (ArcSight ESM, LogRhythm NextGen SIEM Platform, etc.) may be used
Insider Threats Countermeasures
• Separation and rotation of duties
• Least privileges
• Controlled access
• Logging and auditing
• Employee monitoring
• Legal policies
• Archive critical data
• Employee training on cyber security
• Periodic risk assessment
• Employee background verification
• Privileged users monitoring
• Credentials deactivation for terminated employees
Identity Theft Countermeasures
• Secure or shred all documents containing your private information
• Ensure your name is not present in marketers’ hit lists
• Review your credit card statement regularly and store it securely, out of
reach of others
• Never give any personal information over the phone
• Keep your mail secure by emptying the mailbox quickly
• Be cautious and verify all requests for personal data
• Protect your personal information from being publicized
• Do not display or share any account/contact numbers unless mandatory
• Monitor online banking activities regularly
• Never list any personal identifiers on social media
How to Detect Phishing Emails?
• Appears to be from a bank, company, or social networking site, and has a
generic greeting
• Appears to be from a person listed in your email address book
• Gives a sense of urgency or a veiled threat
• May contain grammatical/spelling mistakes
• Includes links to spoofed websites
• May contain offers that seem to be too good to be true
• Includes official-looking logos and other information taken from legitimate
websites
• May contain a malicious attachment
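Four of the indicators above (a generic greeting, a sense of urgency or veiled threat, a link whose visible text names a different site than its real target, and an attachment) are mechanical enough to check automatically. The Python script below is an added example and not part of the CEH module; the sample message, its addresses and domains, the phrase lists and the indicator names are all constructed assumptions, and the checks are heuristics rather than a verdict.

```python
"""Heuristic phishing-indicator checks over a raw email message.

Added example (not from the CEH module). The sample message, the domains in
it, the phrase lists and the indicator names are constructed assumptions.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the visible link text names one site, the href another,
# the greeting is generic, the subject is urgent, and there is an attachment.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-login.xyz>
To: customer@example.org
Subject: URGENT: your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify your details
immediately at <a href="http://example-bank-login.xyz/verify">https://www.example-bank.com/secure</a>.</p>
--b1
Content-Type: application/octet-stream; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign control message.
BENIGN_EMAIL = """\
From: alice@example.org
To: bob@example.org
Subject: Lunch on Friday?
Content-Type: text/html

<p>Hi Bob, does noon on Friday still work for you?</p>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _html_body(msg):
    """Return the decoded text of the first text/html part, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def analyze_email(raw):
    """Return the list of indicator names that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = _html_body(msg)
    text = body.lower()
    found = []
    # Generic salutation instead of the recipient's name
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    # Urgency or a veiled threat in the subject or body
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(p in haystack for p in URGENCY_PHRASES):
        found.append("urgency_or_threat")
    # Link whose visible text shows one host but whose href points at another
    for href, label in LINK_RE.findall(body):
        shown = urlparse(label.strip()).hostname if "://" in label else None
        if shown and shown != urlparse(href).hostname:
            found.append("mismatched_link")
            break
    # Any MIME part declared as an attachment
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        found.append("attachment")
    return found


if __name__ == "__main__":
    print("sample:", analyze_email(SAMPLE_EMAIL))
    print("benign:", analyze_email(BENIGN_EMAIL))
```

The mismatched-link check is the most reliable of the four because it does not depend on wording; the phrase lists will both miss rephrased lures and flag legitimate urgent mail, so output like this belongs in a triage queue, not in an automatic block decision.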
Anti-Phishing Toolbar
• Netcraft
  • The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks
• PhishTank
  • PhishTank is a collaborative clearing house for data and information about phishing on the Internet
  • It provides an open API for developers and researchers to integrate anti-phishing data into their apps
• Some additional tools to detect phishing attempts:
  • Scanurl (https://scanurl.net)
  • Isitphishing (https://isitphishing.org)
  • ThreatCop (https://www.threatcop.ai)
  • e.Veritas (https://www.emailveritas.com)
  • Virustotal (https://www.virustotal.com)
Audit Organization's Security for Phishing Attacks using OhPhish
The primary objective of launching phishing campaigns against employees of the client organization is to assess the employees’ susceptibility to phishing attacks and help the organization reduce the risks that arise when employees fall prey to phishing attacks sent by cyber-threat actors
• OhPhish is a web-based portal to test employees’ susceptibility to social engineering attacks
• OhPhish is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees
Module Summary
In this module, we have discussed the following:
• Social engineering concepts along with various kinds of social
engineering attacks
• Human-, computer-, and mobile-based social engineering techniques
• Insider threats and the various forms they can take
• Impersonation on social networking sites
• Identity theft and the various forms it can take
• Details of various countermeasures that can defend an organization
against social engineering attacks, phishing attacks, insider threats,
and identity theft

More Related Content

PPSX
Social Engineering - Are You Protecting Your Data Enough?
PPTX
Social engineering hacking attack
PPTX
Social engineering
PPTX
Social Engineering,social engeineering techniques,social engineering protecti...
PDF
Social engineering
PDF
Social Engineering Basics
PDF
Social Engineering Attacks & Principles
PPTX
Presentation of Social Engineering - The Art of Human Hacking
Social Engineering - Are You Protecting Your Data Enough?
Social engineering hacking attack
Social engineering
Social Engineering,social engeineering techniques,social engineering protecti...
Social engineering
Social Engineering Basics
Social Engineering Attacks & Principles
Presentation of Social Engineering - The Art of Human Hacking

What's hot (20)

PPT
Malware
PDF
Social engineering
PDF
Ceh v5 module 09 social engineering
PPT
Social Engineering | #ARMSec2015
PPTX
Reconnaissance and Social Engineering
PPTX
Password based cryptography
PDF
Ethical Hacking Tools
PPTX
Social engineering presentation
PPTX
Ethical hacking - Footprinting.pptx
PPT
Computer Worms
PPTX
Ethical Hacking
PDF
Ceh v5 module 01 introduction to ethical hacking
PPT
Security Vulnerabilities
PPTX
Ethical hacking
PPTX
Password Cracking
PPTX
Data breach presentation
PDF
Internet Security
PPTX
The CIA triad.pptx
PPT
Spoofing
PPTX
Footprinting and reconnaissance
Malware
Social engineering
Ceh v5 module 09 social engineering
Social Engineering | #ARMSec2015
Reconnaissance and Social Engineering
Password based cryptography
Ethical Hacking Tools
Social engineering presentation
Ethical hacking - Footprinting.pptx
Computer Worms
Ethical Hacking
Ceh v5 module 01 introduction to ethical hacking
Security Vulnerabilities
Ethical hacking
Password Cracking
Data breach presentation
Internet Security
The CIA triad.pptx
Spoofing
Footprinting and reconnaissance
Ad

Similar to Social Engineering.pdf (20)

PPTX
social engineering
PDF
Airport IT&T 2013 John McCarthy
PDF
What is social engineering.pdf
PDF
Case Study On Social Engineering Techniques for Persuasion Full Text
PPT
Social Engineering threats and concern.ppt
PPT
Social engineering
PPT
Social Engineering
DOCX
social engineering attacks.docx
PPTX
cyber security.pptx
PDF
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
 
PDF
- Social Engineering Unit- II Part- I.pdf
PPTX
The Art of Human Hacking : Social Engineering
PPTX
Cyber security ATTACK on Retired Personnel, MITIGATION and Best Practices
PPTX
Week 2 - Social Engineering attacks.pptx
PPT
Module 3 social engineering-b
PDF
Social engineering attacks
PDF
TH3 Professional Developper CEH social engineering
PPT
Social Engineering: "The Cyber-Con"
PPT
Ia 124 1621324160 ia_124_lecture_02
PDF
Module 9 (social engineering)
social engineering
Airport IT&T 2013 John McCarthy
What is social engineering.pdf
Case Study On Social Engineering Techniques for Persuasion Full Text
Social Engineering threats and concern.ppt
Social engineering
Social Engineering
social engineering attacks.docx
cyber security.pptx
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
 
- Social Engineering Unit- II Part- I.pdf
The Art of Human Hacking : Social Engineering
Cyber security ATTACK on Retired Personnel, MITIGATION and Best Practices
Week 2 - Social Engineering attacks.pptx
Module 3 social engineering-b
Social engineering attacks
TH3 Professional Developper CEH social engineering
Social Engineering: "The Cyber-Con"
Ia 124 1621324160 ia_124_lecture_02
Module 9 (social engineering)
Ad

Recently uploaded (20)

PPTX
Strings in CPP - Strings in C++ are sequences of characters used to store and...
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
PPTX
web development for engineering and engineering
PPTX
Geodesy 1.pptx...............................................
PPTX
OOP with Java - Java Introduction (Basics)
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PPTX
Construction Project Organization Group 2.pptx
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
DOCX
573137875-Attendance-Management-System-original
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
PDF
Structs to JSON How Go Powers REST APIs.pdf
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
Strings in CPP - Strings in C++ are sequences of characters used to store and...
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
CYBER-CRIMES AND SECURITY A guide to understanding
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
web development for engineering and engineering
Geodesy 1.pptx...............................................
OOP with Java - Java Introduction (Basics)
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
Lesson 3_Tessellation.pptx finite Mathematics
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Construction Project Organization Group 2.pptx
Model Code of Practice - Construction Work - 21102022 .pdf
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
573137875-Attendance-Management-System-original
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Structs to JSON How Go Powers REST APIs.pdf
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
Operating System & Kernel Study Guide-1 - converted.pdf

Social Engineering.pdf

  • 1. MODULE 9 Social Engineering EC-Council, . Certified Ethical Hacker (CEH) Version 12. Available from: VitalSource Bookshelf, (12th Edition). International Council of E- Commerce Consultants (EC Council), 2022.
  • 2. What is Social Engineering • Social engineering is the art of convincing people to reveal confidential information • Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc. • Social engineers depend on the fact that people are unaware of the valuable information to which they have access and are careless about protecting it Impact of Attack on an Organization • Economic losses • Damage of goodwill • Loss of privacy • Dangers of terrorism • Lawsuits and arbitration • Temporary or permanent closure Behaviors Vulnerable to Attacks • Authority • Intimidation • Consensus • Scarcity • Urgency • Familiarity • Trust • Greed
  • 3. What is Social Engineering (Cont’d) Factors that Make Companies Vulnerable to Attacks • Insufficient security training • Unregulated access to information • Several organizational units • Lack of security policies Why is Social Engineering Effective? • Security policies are as strong as their weakest link, and human behavior is the most susceptible factor • It is difficult to detect social engineering attempts • There is no method that can be applied to ensure complete security from social engineering attacks • There is no specific software or hardware to defend against a social engineering attack
  • 4. Phases of a Social Engineering Attack • Research the Target Company • Dumpster diving, websites, employees, tour of the company, etc. • Select a Target • Identify frustrated employees of the target company • Develop a Relationship • Develop a relationship with the selected employees • Exploit the Relationship • Collect sensitive account and financial information, as well as current technologies
  • 6. Types of Social Engineering Sensitive information is gathered by interaction Techniques: Sensitive information is gathered with the help of computers Techniques: Sensitive information is gathered with the help of mobile apps Techniques: Impersonation Vishing Eavesdropping Shoulder Surfing Dumpster Diving Reverse Social Engineering Piggybacking Tailgating Diversion Teft Honey Trap Baiting and Quid Pro Quo Elicitation Phishing Pop-up Window Attacks Spam Mail Instant Chat Messenger Scareware Publishing Malicious Apps Using Fake Security Apps Repackaging Legitimate Apps SMiShing (SMS Phishing) Human-based Social Engineering Mobile-based Social Engineering Computer-based Social Engineering
  • 7. Human-based Social Engineering • The attacker pretends to be someone legitimate or an authorized person • Attackers may impersonatea legitimate or authorized person either personally or using a communication medium such as phone, email, etc. • Impersonation helps attackers to trick a target into revealing sensitive information • The most common human-based social engineering technique Posing as a legitimate end user The attacker gives this identity and asks for the sensitive information “Hi! This is John from the Finance Department. I have forgotten my password. Can I get it?” Posing as an important user The attacker poses as a VIP of a target company, valuable customer, etc. “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system’s password. Can you help me out?” Posing as a technical support agent The attacker poses as technical support staff and requests IDs and passwords “Sir, this is Matthew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?” Impersonation Examples Impersonation
  • 8. Human-based Social Engineering (Cont’d): Impersonation (Vishing)
  • Vishing (voice or VoIP phishing) is an impersonation technique (electronic fraud) in which the attacker tricks individuals into revealing personal and financial information using voice technology such as the telephone system, VoIP, etc.
  • Vishing Examples
    • Abusing the Over-Helpfulness of Help Desks: the attacker calls a company’s help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk. “A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker a clear entrance into the corporate network.”
    • Third-party Authorization: the attacker obtains the name of an authorized employee of the targeted organization who has access to the information he/she wants. The attacker then places a call to the target organization where the information is stored and claims that this employee has requested that such information be provided. “Hi, I am John, I spoke with Mr. X last week before he went on vacation and he said that you would be able to provide me with this information in his absence. Can you help me out?”
    • Tech Support: the attacker pretends to be technical support staff of the targeted organization’s software vendors or contractors, and may request user IDs and passwords for troubleshooting a problem in the organization. Attacker: “Hi, this is Mike with tech support. We have had some people from your office report/complain about slowdowns in logging in lately. Is this true?” Employee: “Yes, it has been slow lately.” Attacker: “Well, we have moved you to a new server to improve your service. Could you give me your password so that I can check your service? Things should be better for you now.”
  • 9. Human-based Social Engineering (Cont’d)
  • Reverse Social Engineering: the attacker presents him/herself as an authority, and the target seeks his or her advice before or after offering the information that the attacker needs
  • Piggybacking: an authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, e.g., “I forgot my ID badge at home. Please help me.” Piggybacking usually implies entry into a building or security area
  • Tailgating: the attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access
  • Diversion Theft: the attacker tricks a person responsible for making a genuine delivery into delivering the consignment to a location other than the intended location
  • 10. Human-based Social Engineering (Cont’d)
  • Honey Trap: attackers target a person inside the company online, pretending to be an attractive person. They then begin a fake online relationship to obtain confidential information about the target company
  • Baiting: attackers offer end users something alluring in exchange for important information such as login details and other sensitive data. A physical device such as a USB flash drive containing malicious files is left in a location where people can easily find it
  • Quid Pro Quo: attackers call numerous random numbers within a company, claiming to be from technical support. They offer their service to end users in exchange for confidential data or login credentials
  • Elicitation: attackers extract information from the victim by engaging him/her in normal and disarming conversations. Based on the victim’s interests, attackers must work to target their elicitation approach to extract the relevant information
  • 11. Computer-based Social Engineering
  • Pop-Up Windows: windows that suddenly pop up while surfing the Internet and ask for user information to log in or sign in
  • Hoax Letters: emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user’s system
  • Chain Letters: emails that offer free gifts such as money and software on condition that the user forwards the mail to a specified number of people
  • Instant Chat Messenger: gathering personal information by chatting with a selected user online to get information such as birth dates and maiden names
  • Spam Email: irrelevant, unwanted, and unsolicited emails that attempt to collect financial information, social security numbers, and network information
  • Scareware: malware that tricks computer users into visiting malware-infested websites, or downloading/buying potentially malicious software
  • 12. Computer-based Social Engineering: Phishing
  • Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information
  • Phishing emails or pop-ups redirect users to fake webpages that mimic trustworthy sites, which ask them to submit their personal information
  • 14. Computer-based Social Engineering: Phishing (Cont’d)
  • Spear Phishing
    • A targeted phishing attack aimed at specific individuals within an organization
    • Attackers use spear phishing to send a message with specialized, social engineering content directed at a specific person or a small group of people
  • Whaling
    • An attacker targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information
    • The attacker tricks the victim into revealing critical corporate and personal information through email or website spoofing
  • Pharming
    • The attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server
    • Also known as “phishing without a lure”, and performed by using DNS Cache Poisoning or Host File Modification
  • Spimming
    • A variant of spam that exploits Instant Messaging platforms to flood spam across the networks
    • Attacker uses bots to harvest Instant Message IDs and spread spam
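Pharming by host-file modification leaves a trace a defender can check: a static entry that pins a domain the organization cares about (a bank, a SaaS login) to an address the attacker controls. The following is an added example, not part of the CEH material or any product it names. It parses hosts-file content and flags entries that override monitored domains or remap `localhost`; the `MONITORED_DOMAINS` list and the sample hosts content are constructed assumptions (reserved `.test` names, documentation IP ranges).

```python
import ipaddress

# Domains whose resolution must come from DNS, never from a static hosts entry (assumed list).
MONITORED_DOMAINS = {"example-bank.test", "login.example.test"}

# Constructed hosts-file content for this example; the .test names and 203.0.113.x are reserved, not real.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test    # legitimate internal host
203.0.113.45    www.example-bank.test example-bank.test
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, skipping comments and unparsable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed address: not a hosts entry
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_monitored(name):
    """True if the name is a monitored domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in MONITORED_DOMAINS)


def find_pharming_entries(text):
    """Return (hostname, ip, reason) for entries that override monitored names or localhost."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and not ip.is_loopback:
            findings.append((name, str(ip), "localhost mapped to a non-loopback address"))
        elif is_monitored(name):
            findings.append((name, str(ip), "monitored domain pinned by hosts file"))
    return findings


def check_hosts_file(path):
    """Run the check against a real hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read())


if __name__ == "__main__":
    for host, ip, reason in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{host} -> {ip}: {reason}")
```

To run it against a live system, call `check_hosts_file("/etc/hosts")` on Linux/macOS or `check_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")` on Windows; any hit for a monitored domain should be treated as a host-file modification to investigate, since legitimate resolution of those names should never be pinned locally.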
  • 15. Computer-based Social Engineering: Phishing (Cont’d)
  • Angler Phishing
    • Attackers create a fake social media account impersonating an organization’s helpdesk account and connect to disgruntled customers by posting fake service links
    • When victims click on the link, malicious software gets installed on their system, or they are redirected to another site requesting them to provide their details
  • Deepfake Attack
    • Attackers create false media of a target individual using advanced technologies such as AI/ML
    • Attackers produce deepfakes by cloning previously recorded audio and video samples of the target person
    • Attackers trick online users into believing that they are listening to original clips, which often request donations
  • Catfishing Attack
    • Attackers target a person on social media platforms and perform identity theft to create a fake social media account
    • Then, attackers use the fake account to communicate with other users via chat boxes and perform cyber bullying for monetary gain
  • 16. Phishing Tools
  • Phishing tools can be used by attackers to generate fake login pages to capture usernames and passwords, send spoofed emails, and obtain the victim’s IP address and session cookies. The attacker can then use this information to impersonate a legitimate user and launch further attacks on the target organization.
  • 17. Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps
  • 18. Mobile-based Social Engineering: Fake Security Applications and SMiShing (SMS Phishing)
  • 20. Insider Threats/Insider Attacks
  • An insider is any employee (trusted person or people) with access to critical assets of the organization
  • An insider attack involves using privileged access to intentionally violate rules or cause threats of any form to the organization’s information or information systems
  • Such attacks are generally performed by privileged users, disgruntled employees, terminated employees, accident-prone employees, third parties, undertrained staff, etc.
  • Reasons for Insider Attacks
    • Financial gain
    • Theft of confidential data
    • Revenge
    • Becoming a future competitor
    • Helping a competitor
    • Public announcement
  • Insider Threat Statistics: according to insider threat statistics for 2022, a majority of companies agree that privileged users, administrators, and C-level executives are the most dangerous insider threat actors
  • 21. Types of Insider Threats
  • Malicious Insider: a disgruntled or terminated employee who steals data or destroys the company’s networks intentionally by introducing malware into the corporate network
  • Negligent Insider: insiders who are uneducated on potential security threats or who simply bypass general security procedures to meet workplace efficiency
  • Professional Insider: harmful insiders who use their technical knowledge to identify weaknesses and vulnerabilities in the company’s network and sell confidential information to competitors or black market bidders
  • Compromised Insider: an insider with access to critical assets of an organization who is compromised by an outside threat actor
  • Accidental Insider: inadvertent exposure of data to an external entity by mistyping an email address, sending a valuable business document to an unknown user, or unintentionally clicking on a malicious hyperlink
  • Why are Insider Attacks Effective?
    • Easy to launch
    • Prevention is difficult
    • Succeed easily
    • Employees can easily cover their tracks
    • Differentiating harmful actions from the employee’s regular work is very difficult
    • Can go undetected for years, and remediation is very expensive
  • 22. Behavioral Indications of an Insider Threat
  • Data exfiltration alerts
  • Missing or modified network logs
  • Changes in network usage patterns
  • Multiple failed login attempts
  • Behavioral and temperament changes
  • Unusual time and location of access
  • Missing or modified critical data
  • Unauthorized downloading or copying of sensitive data
  • Logging of different user accounts from different systems
  • Temporal changes in revenue or expenditure
  • Unauthorized access to physical assets
  • Increase or decrease in productivity of employee
  • Inconsistent working hours
  • Unusual business activities
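Several of the indications above (multiple failed logins, unusual time of access, one account used across many systems, unauthorized copying of data) are the kind of thing a log-management or SIEM rule can surface. The following is an added example, not from the CEH material or any product it names: a small detector run over constructed authentication and file-copy events in a `timestamp key=value ...` format that is an assumption of this example, as are the thresholds and the 07:00-19:00 business-hours window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs); names, hosts and IPs are made up.
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=alice host=WS-101 src=10.0.5.21 event=LOGIN_OK
2024-03-04T09:05:40 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_OK
2024-03-04T09:06:01 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_FAIL
2024-03-04T09:06:09 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_FAIL
2024-03-04T09:06:15 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_FAIL
2024-03-04T09:06:22 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_FAIL
2024-03-04T09:06:30 user=bob host=WS-102 src=10.0.5.22 event=LOGIN_FAIL
2024-03-04T17:30:00 user=carol host=WS-103 src=10.0.5.23 event=FILE_COPY bytes=4096 dest=SHARE
2024-03-04T22:47:03 user=alice host=WS-101 src=10.0.5.21 event=LOGIN_OK
2024-03-04T22:49:10 user=alice host=WS-101 src=10.0.5.21 event=FILE_COPY bytes=3200000000 dest=USB
2024-03-04T23:10:00 user=alice host=SRV-DB1 src=10.0.5.21 event=LOGIN_OK
2024-03-04T23:12:00 user=alice host=SRV-FS2 src=10.0.5.21 event=LOGIN_OK
"""

# Thresholds are assumptions for the example; a real deployment derives them from a baseline.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
WORK_START, WORK_END = 7, 19                     # business hours 07:00-19:00
HOST_THRESHOLD, HOST_WINDOW = 3, timedelta(hours=1)
COPY_THRESHOLD = 1_000_000_000                   # bytes


def parse_events(log_text):
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text):
    """Return sorted (user, indicator) pairs matching the behavioral indications above."""
    findings = set()
    by_user = defaultdict(list)
    for ev in parse_events(log_text):
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        # Multiple failed login attempts: FAIL_THRESHOLD failures inside FAIL_WINDOW.
        fails = [e["ts"] for e in evs if e["event"] == "LOGIN_FAIL"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= FAIL_WINDOW:
                findings.add((user, "multiple failed login attempts"))
                break

        logins = [e for e in evs if e["event"] == "LOGIN_OK"]
        for i, login in enumerate(logins):
            # Unusual time of access: a successful login outside business hours.
            if not WORK_START <= login["ts"].hour < WORK_END:
                findings.add((user, "login outside business hours"))
            # One account active on HOST_THRESHOLD or more systems inside HOST_WINDOW.
            hosts = {x["host"] for x in logins[i:] if x["ts"] - login["ts"] <= HOST_WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                findings.add((user, "one account active on many systems"))

        # Unauthorized downloading or copying of sensitive data: removable media or bulk size.
        for e in evs:
            if e["event"] == "FILE_COPY" and (e.get("dest") == "USB" or int(e.get("bytes", 0)) >= COPY_THRESHOLD):
                findings.add((user, "bulk or removable-media copy of data"))
    return sorted(findings)


if __name__ == "__main__":
    for user, indicator in detect(SAMPLE_LOG):
        print(f"{user}: {indicator}")
```

Each rule is deliberately simple so that the mapping from slide bullet to detection logic is visible; in practice the same rules would be expressed as correlation searches in the SIEM named later in the module, with thresholds tuned per role so that an administrator's legitimate multi-host activity does not drown real signal.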
  • 24. Identity Theft
  • Identity theft is a crime in which an imposter steals your personally identifiable information, such as name, credit card number, social security or driver’s license numbers, etc., to commit fraud or other crimes
  • Attackers can use identity theft to impersonate employees of a target organization and physically access facilities
  • Types of Identity Theft
    • Child identity theft
    • Criminal identity theft
    • Financial identity theft
    • Driver’s license identity theft
    • Insurance identity theft
    • Medical identity theft
    • Tax identity theft
    • Identity cloning and concealment
    • Synthetic identity theft
    • Social security identity theft
  • 25. Identity Theft (Cont’d)
  • Types of personally identifiable information stolen by identity thieves:
    • Name
    • Home and office address
    • Social security number
    • Phone number
    • Date of birth
    • Bank account number
    • Credit card information
    • Credit report
    • Driving license number
    • Passport number
  • Indications of Identity Theft
    • Unfamiliar charges to your credit card that you do not recognize
    • No longer receiving credit card, bank, or utility statements
    • Getting calls from the debit or credit fraud control department
    • Charges for medical treatment or services you never received
    • No longer receiving electricity, gas, water, etc. service bills
  • 26. Identity Theft (Cont’d)
  • The attacker steals people’s identity for fraudulent purposes such as:
    • To open new credit card accounts in the name of the user without paying the bills
    • To open a new phone or wireless account in the user’s name, or to run up charges on their existing account
    • To use the victims’ information to obtain utility services such as electricity, heating, or cable TV
    • To open bank accounts with the intention of writing bogus checks using the victim’s information
    • To clone an ATM or debit card to make electronic withdrawals from the victim’s accounts
    • To obtain loans for which the victim is liable
    • To obtain a driver’s license, passport, or other official ID card that contains the victim’s data with the attacker’s photos
    • To use the victim’s name and Social Security number to receive their government benefits
    • To impersonate an employee of a target organization to physically access its facility
    • To take over the victim’s insurance policies
    • To sell the victim’s personal information
    • To order goods online using a drop-site
  • 28. Social Engineering Countermeasures
  • Good policies and procedures are ineffective if they are not taught and reinforced by employees. After receiving training, employees should sign a statement acknowledging that they understand the policies
  • The main objectives of social engineering defense strategies are to create user awareness, robust internal network controls, and secure policies, plans, and processes
  • Password Policies
    • Periodic password changes
    • Avoiding guessable passwords
    • Account blocking after failed attempts
    • Increasing length and complexity of passwords
    • Improving secrecy of passwords
  • Physical Security Policies
    • Identification of employees by issuing ID cards, uniforms, etc.
    • Escorting visitors
    • Restricting access to work areas
    • Proper shredding of useless documents
    • Employing security personnel
  • Defense Strategy
    • Social engineering campaign
    • Gap analysis
    • Remediation strategies
  • 29. Social Engineering Countermeasures (Cont’d)
  • Train individuals on security policies
  • Implement proper access privileges
  • Presence of proper incident response time
  • Availability of resources only to authorized users
  • Scrutinize information
  • Background check and proper termination process
  • Anti-virus/anti-phishing defenses
  • Implement two-factor authentication
  • Adopt documented change management
  • Ensure software is regularly updated
  • 30. How to Defend against Phishing Attacks?
  • Educate individuals by conducting phishing campaigns
  • Enable spam filters that detect emails from suspicious sources
  • Hover over links to identify whether they point to the correct location
  • Check emails for generic salutations, spelling, and grammar mistakes
  • Confirm the sender before providing the information via email
  • Ensure that employees use HTTPS-protected websites
  • Verify the profile pictures of a suspicious account by performing a reverse image search
  • Immediately report social media accounts confirmed to be fake
  • 31. Detecting Insider Threats
  • Insider Risk Controls
    • Insider data risk presents another layer of complexity for security professionals, which requires designing security infrastructure that can efficiently monitor user permissions, access controls, and user actions
  • Deterrence Controls
    • The security framework must contain safeguards, recommended actions by the employee and IT professionals, separation of duties, assigning privileges, etc.
    • Security professionals can use tools such as DLP (Symantec Data Loss Prevention, SecureTrust Data Privacy, etc.) and IAM (SailPoint IdentityIQ, RSA SecurID Suite, etc.) to deter insider threats
  • Detection Controls
    • Security professionals must use a variety of security controls and tools to analyze and detect insider threats
    • Tools such as IDS/IPS (Check Point Quantum Intrusion Prevention System (IPS), IBM Security Network Intrusion Prevention System, etc.), Log Management (SolarWinds Security Event Manager, Splunk, etc.), and SIEM (ArcSight ESM, LogRhythm NextGen SIEM Platform, etc.) may be used
  • 32. Insider Threats Countermeasures
  • Separation and rotation of duties
  • Least privileges
  • Controlled access
  • Logging and auditing
  • Employee monitoring
  • Legal policies
  • Archive critical data
  • Employee training on cyber security
  • Periodic risk assessment
  • Employee background verification
  • Privileged users monitoring
  • Credentials deactivation for terminated employees
  • 33. Identity Theft Countermeasures
  • Secure or shred all documents containing your private information
  • Ensure your name is not present in marketers’ hit lists
  • Review your credit card statement regularly and store it securely, out of reach of others
  • Never give any personal information over the phone
  • Keep your mail secure by emptying the mailbox quickly
  • Be cautious and verify all requests for personal data
  • Protect your personal information from being publicized
  • Do not display or share any account/contact numbers unless mandatory
  • Monitor online banking activities regularly
  • Never list any personal identifiers on social media
  • 34. How to Detect Phishing Emails?
  • Appears to be from a bank, company, or social networking site, and has a generic greeting
  • Appears to be from a person listed in your email address book
  • Gives a sense of urgency or a veiled threat
  • May contain grammatical/spelling mistakes
  • Includes links to spoofed websites
  • May contain offers that seem to be too good to be true
  • Includes official-looking logos and other information taken from legitimate websites
  • May contain a malicious attachment
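Most of the indicators on this slide, plus the "hover over links to see where they really point" advice from the phishing-defense slide, can be checked mechanically before a message ever reaches a user. The following is an added example, not code from the CEH material or from any anti-phishing product it names: it parses a constructed raw email (reserved `.test` domains, not real sites), extracts HTML links with the standard library, and reports which indicators the message trips. The phrase lists, the three-indicator threshold and the sample message are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; the .test domains are reserved names, not real sites.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-verify.test>
Reply-To: recover@mail-recovery.test
To: employee@example.test
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. You must verify your account within 24 hours
or it will be suspended permanently.</p>
<p><a href="http://login.example-bank-verify.test/reset">https://www.example-bank.test/login</a></p>
<p>Congratulations, you have also won a free gift card!</p>
</body></html>
"""

# Heuristic phrase lists (assumed; tune them against the organisation's own mail traffic).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
BAIT_PHRASES = ("free gift", "you have won", "congratulations", "prize")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".html", ".iso")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: enough to spot obvious look-alike mismatches."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def analyze_email(raw):
    """Return the list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    # Fold subject and tag-stripped body into one lowercase text for phrase matching.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    indicators = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(reply_addr.rpartition("@")[2]) != registrable_domain(from_addr.rpartition("@")[2]):
        indicators.append("reply-to domain differs from sender domain")
    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("sense of urgency or veiled threat")
    if any(p in text for p in BAIT_PHRASES):
        indicators.append("offer that seems too good to be true")

    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        href_host = urlparse(href).hostname or ""
        # Compare only when the visible text itself looks like a URL or host name.
        shown = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", visible, re.I)
        if shown and href_host and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            indicators.append("link text points to a different domain than its href")
        if href.lower().startswith("http://"):
            indicators.append("link uses plain HTTP instead of HTTPS")

    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            indicators.append("risky attachment: " + name)
    return indicators


def is_suspicious(raw, threshold=3):
    """Treat a message as phishing when it trips at least `threshold` indicators."""
    return len(analyze_email(raw)) >= threshold


if __name__ == "__main__":
    for hit in analyze_email(SAMPLE_EMAIL):
        print("-", hit)
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```

The link check is the programmatic form of hovering: the anchor text advertises one domain while the `href` goes to another. Phrase matching is intentionally crude and will produce false positives on legitimate account notices, which is why the verdict counts indicators rather than acting on any single one; in a mail gateway this scoring would feed a quarantine decision alongside SPF/DKIM results rather than replace them.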
  • 35. Anti-Phishing Toolbar
  • Netcraft
    • The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks
  • PhishTank
    • PhishTank is a collaborative clearing house for data and information about phishing on the Internet
    • It provides an open API for developers and researchers to integrate anti-phishing data into their apps
  • Some additional tools to detect phishing attempts:
    • Scanurl (https://scanurl.net)
    • Isitphishing (https://isitphishing.org)
    • ThreatCop (https://www.threatcop.ai)
    • e.Veritas (https://www.emailveritas.com)
    • Virustotal (https://www.virustotal.com)
  • 37. Audit Organization's Security for Phishing Attacks using OhPhish
  • The primary objective of launching phishing campaigns against employees of the client organization is to assess the employees’ susceptibility to phishing attacks and help the organization reduce the risks that arise when employees fall prey to phishing attacks sent by cyber-threat actors
  • OhPhish is a web-based portal to test employees’ susceptibility to social engineering attacks
  • OhPhish is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees
  • 38. Module Summary
  • In this module, we have discussed the following:
    • Social engineering concepts along with various kinds of social engineering attacks
    • Human-, computer-, and mobile-based social engineering techniques
    • Insider threats and the various forms they can take
    • Impersonation on social networking sites
    • Identity theft and the various forms it can take
    • Details of various countermeasures that can defend an organization against social engineering attacks, phishing attacks, insider threats, and identity theft