- Good day to everyone, today I will present some basic and advanced concepts behind sophisticated attacks that work on a social basis, and I will also write about some steps that can prevent these attacks from occurring. Basically we will examine Social Engineering from the angle of both the attacker and the victim. People who are interested in security and work for middle-sized companies can learn and use something interesting from this post.
- Essentially, Social Engineering is based on manipulating humans: instead of using technology, people use social skills to find or exploit vulnerabilities in systems that rely on technology.
People use social communication on a day-to-day basis to gain specific types of information, but S.E. is aimed at gaining information about something profitable (on a quantitative or qualitative basis).
- People use their imagination to create plans. The good side of S.E. - there is no law that can judge you because of what you did with words. My favorite slogan is - "Hey buddy, if you want to know, just ask ;)". Also, I don't like metrics, but the fact is that any good attack would start with S.E.!
If you watched the movie "Catch Me If You Can", Leonardo DiCaprio played Frank Abagnale. He learned some deep concepts about specific professions and used that knowledge to manipulate people. In most cases he gained quantitative profit - also called monetary profit - and in other instances he caught some very handsome girls, which we can define as qualitative profit.
- Now that we understand the foundation of Social Engineering, I will present some concepts that relate to Information Technology, why S.E. works, and what policies we can implement, or just bear in mind, to prevent it.
- Impersonating - From the angle of the attacker, if I gain some info about a specific person, I can impersonate him/her and use his/her business position to manipulate lower-ranked business people.
Example: I know enough info about the System Administrator in one of the big companies. In these scenarios people often don't know each other. In this example the victim is Lisa. I call her and say: "Hello Lisa, today me and my team will do scheduled maintenance of the systems, we will install some updates, and your workstation will be down for some time, I informed you about that a few days ago." Lisa: "What a problem, I must finish my work on the project today." I: "Hmm, maybe I can update your PC over the network, but you must give me your password for that to work." Lisa: "Ohh thanks, my password is...".
Impersonation can't be prevented on the social basis, but in the technical world we prevent it with Digital Signatures. Good practice is user awareness training - in other words, don't give your PII and sensitive information to anyone.
- Dumpster Diving - If you like garbage, maybe you can find something valuable in there. Many companies don't have policies in place that state how papers need to be discarded. This type of S.E. is simply searching through the recycling container to gain some valuable info. We can prevent this by implementing strong policies (every paper needs to be shredded); after that we simply buy one paper shredder on Amazon for 45$.
- Shoulder Surfing - This type of attack is simply looking over a person's shoulder. From the angle of the attacker, we can use this to gain info about credentials (username and password), PIN, PII, business info etc.
Prevention for this type of attack is mixed. First you must think about what entity you want to secure. If you want to secure a desktop monitor, just position it at an angle where the attacker could not see it. In the case of laptops, you can buy a specific type of transparent metallic foil that needs to be affixed to the screen; if someone shoulder-surfs next to you or behind you, he can't read anything.
In the case of authentication systems placed on doors, good practice is to use PINs that have a specific combination of numbers where some numbers need to be pressed at the same time. This makes it difficult for an attacker to capture the correct order.
- Tailgating - The practice of following another person closely to enter a specific area without proper authentication (credentials, PIN..).
Attackers often learn the habits of their victims. If Jane goes out of the company's building every day at 3:00PM to smoke a cigar, I will come at the same time and gently ask Jane to let me into the building along with her, because I forgot the card that is used for authentication on my desk in the building. In reality, I will always hold the door open for a handsome girl that has something in her hands.
This type of attack is prevented by implementing a physical control - Mantraps. This type of control is a buffer area that only one person at a time can access. The person needs to close the back door before the front one opens, and before opening the front door the system demands some type of authentication material.
- Phishing is the practice of sending email to a user, or a group of users, with the intention of tricking them into clicking on a malicious link or revealing some sensitive personal information. Imagination is very useful in these scenarios. You can impersonate a good friend of the victim ("Hey, police in Colombia arrested me, but they gave me a chance to contact someone who will help me, please send 1000$ to this bank account" etc.), or: "I kidnapped your children, you must pay 1000$ if you wanna see them again, you can find their photo in the attachment". In this scenario the attacker tricks the user into clicking on a photo that has embedded malicious code - Trojan Horse, Spyware etc. The attacker uses the victim's curiosity.
- Spear Phishing is an email spoofing attack where the attacker targets a specific user - in other words, the attacker would try to impersonate a person who is a high-ranked business head, the CEO for example. The attacker would also try to spoof his email address. With these advantages he would try to trick the specific user into giving him some valuable info.
- Whaling is a form of Spear Phishing where the attacker, instead of impersonating a high-ranked head to trick a low-ranked one, impersonates someone high-ranked or does not impersonate anyone at all, and in this scenario tries to trick high-positioned persons in the company. If you trick one CEO into giving you a huge amount of money, that is the jackpot in Social Engineering.
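The spoofed-sender pattern described in the Spear Phishing and Whaling items can be checked on the receiving side. The following Python is an added example, not part of the original post; the company domain, the executive names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (hypothetical, not from the post).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"alice morgan", "bob stone"}

def spoof_indicators(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # A known executive's display name on an address outside the company.
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive display name with external address")
    # Replies silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    # Authentication-Results (RFC 8601) is only trustworthy when it was
    # added by your own receiving mail server; here we assume it was.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            reasons.append(f"{check} failed")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Alice Morgan <alice.morgan@example.net>\n"
    "Reply-To: payments@example.org\n"
    "To: lisa@example.com\n"
    "Subject: Urgent wire transfer\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail\n"
    "\nPlease send the payment today.\n"
)
LEGIT = (
    "From: Alice Morgan <alice.morgan@example.com>\n"
    "To: lisa@example.com\n"
    "Subject: Meeting\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "\nSee you at 10.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoof_indicators(raw))
```

A message that raises any of these indicators is a candidate for quarantine or a warning banner rather than silent delivery.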
- Why Social Engineering Works
Attackers are often led by core principles, I will describe some of them:
- Authority - "I'm the CEO of this company, and my word is law, you must do what I say or you're fired." Most S.E. attacks combine impersonation with authority concepts. The authority concept often relies on the respect people have grown to have for authority.
- Intimidation - In some cases the attacker attempts to intimidate a person into taking action. This can be done through bullying tactics and is often combined with impersonation.
- Social Proof - People often like something that someone else also likes, so attackers often compromise or create web sites and post fake comments about the products advertised on that site. For example: Mike: "I bought this Anti-Virus product, this is pure quality, you must try it". When a person sees that someone else trusts this source, there is a much higher chance that the same person will use this source.
- Scarcity - If you can give someone exclusive access or the right to do something or buy something, he will rarely refuse that chance. For example: "The new version of Kali Linux is not free and the company wants to sell only 100 copies of the operating system". If you give someone a malicious link with well-formed text, you have a good chance to trick him!
PS: Sorry for the grammar errors, English is not my native language, best regards!!