Social Engineering
In this chapter we will go through the seven principles used to exploit a person and the different types of social engineering attacks.
The Seven Principles
There are seven principles that are leveraged to successfully exploit a person:
Authority
People will take orders from someone who appears to be in charge or knowledgeable.
Intimidation
Relies on scaring or bullying the individual into producing the desired outcome.
Consensus based
Relies on herd mentality: others have clicked on the link, so the target may as well too.
Scarcity
Makes something look more desirable because it has limited availability.
Familiarity based attacks
Relies on the individual liking the person or organisation that is trying to exploit them.
Trust
Similar to familiarity based attacks, this relies on the connection to the targeted individual. It works by building a rapport with the individual that gains their trust.
Urgency
Similar to scarcity; uses the tactic that action is required quickly because availability is limited.
All of these work by requiring the target to respond, which is when people are at their most vulnerable.
Different Types
Phishing
This is a broad term for the fraudulent acquisition of information, normally focused on credential harvesting.
There are three types of phishing:
Smishing = SMS (text message phishing)
Vishing = voice (phone call phishing)
Phishing = email (email phishing)
Email phishing is the most common, but the others are also widely used.
There are different terms for how a phishing campaign is targeted:
Spear Phishing
Targets specific groups within an organisation
Whaling
Targets specific senior employees, for example CEOs
Credential harvesting
The process of gathering credentials such as usernames and passwords.
Normally done by phishing, but it can also result from a system compromise that gives the malicious actor access to the user database.
Website attacks
One of the key attacks against websites is pharming, which redirects traffic away from the legitimate website to a malicious one.
Typosquatting is another attack; it relies on the end user mistyping the website's URL, for which the attacker has registered a similar-looking malicious domain.
Watering hole attacks rely on a website that the targets usually visit; the aim is to compromise that website, or an advertising service it uses, usually to deliver malware.
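A defender's check for the typosquatting case above, as an added example that is not part of the original notes: inbound sender domains are compared against an allowlist of the organisation's legitimate domains using edit distance, and any near miss (within two single-character changes, but not an exact match) is flagged as a lookalike. The domain names and addresses are constructed for the example.

```python
# Added example: flag lookalike (typosquatted) sender domains against an
# allowlist of legitimate domains. All domains and addresses are constructed.
LEGITIMATE_DOMAINS = ["example.com", "example-bank.co.uk"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legitimate=LEGITIMATE_DOMAINS, max_distance=2):
    """Return the legitimate domain this one imitates, or None.
    An exact match is genuine; a near miss within max_distance is a lookalike."""
    domain = domain.lower().strip(".")
    for good in legitimate:
        if domain == good:
            return None
        if edit_distance(domain, good) <= max_distance:
            return good
    return None


def sender_domain(address: str) -> str:
    """Extract the domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def triage(addresses):
    """Map each sender address to the legitimate domain it resembles (or None)."""
    return {addr: lookalike_of(sender_domain(addr)) for addr in addresses}


if __name__ == "__main__":
    sample = [
        "alerts@example.com",        # genuine
        "alerts@exarnple.com",       # 'rn' standing in for 'm'
        "it-support@examp1e.com",    # digit 1 standing in for letter l
        "news@example.co",           # dropped final character
        "friend@unrelated.org",      # not similar to any allowlisted domain
    ]
    for addr, hit in triage(sample).items():
        print(f"{addr:28s} -> {'LOOKALIKE of ' + hit if hit else 'ok'}")
```

Edit distance catches dropped, swapped and substituted characters; it will not catch every homoglyph trick (a Cyrillic letter that renders identically), so in practice this check sits alongside sender authentication (SPF, DKIM, DMARC) rather than replacing it.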
Spam
Spam or junk emails are used to get the user to open the email, its attachments or its links.
The point is that if you send enough, someone is bound to open the link.
SPIM (likely to come up on the exam) = Spam over Instant Messaging: instant messaging spam
In person attacks
Dumpster diving
Used to gather information about an organisation; it can be very effective because companies throw out sensitive information.
Shoulder surfing
Works by looking over the target's shoulder, or via a mirror, to gain information such as passwords.
Tailgating
A physical entry attack in which the actor follows someone who has authorised access through a controlled door.
Elicitation
When the actor gathers information on the target without the target realising they are giving away sensitive or useful information.
Identity fraud and impersonation
When the attacker pretends to be someone they are not.
Pretexting is the process of creating a made-up situation to explain why you are approaching an individual.
Identity fraud can be used to impersonate someone else; it is usually used for financial gain but can also be used to gain access to an organisation (this can be used in penetration tests).
Invoice scams send the organisation an invoice for a made-up service to see if they pay.
Reconnaissance and impersonation
Social engineering can be used to gain very useful information about an organisation, and many attackers use it at the reconnaissance stage of an attack.
Influence campaigns
Reference example: Russian hybrid warfare, 2017.
Password attacks
There are many password attacks in use:
Brute force
Tries the passwords in a provided list against an account until it finds one that works
Password spraying
A form of brute force that tries a small password list against many accounts
Dictionary attacks
Uses a list of words to test accounts; lists of millions of passwords are available and can be used for the attack
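The difference between brute force and password spraying is visible in authentication logs, and the following added example (not part of the original notes) shows how a detector tells them apart: failures are grouped per source address, and a source with many distinct users but few attempts per user is classified as spraying, while a source hammering one user many times is classified as brute force. A successful login from a flagged source is reported separately, since that is the spray that landed. The log format and all addresses and usernames are constructed for the example; a real product's format would need its own regex.

```python
import re
from collections import defaultdict

# Constructed key=value log format for the example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def constructed_log() -> str:
    """Build sample log lines: a spray (5 users, 1 failure each, then one success),
    a brute-force run (12 failures against one user) and a benign typo."""
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"]):
        lines.append(f"2024-05-01T09:00:0{i + 1} result=FAIL user={user} src=203.0.113.7")
    lines.append("2024-05-01T09:00:06 result=OK user=frank src=203.0.113.7")
    for i in range(12):
        lines.append(f"2024-05-01T09:01:{i:02d} result=FAIL user=alice src=198.51.100.9")
    lines.append("2024-05-01T09:10:00 result=FAIL user=bob src=192.0.2.44")
    lines.append("2024-05-01T09:10:05 result=OK user=bob src=192.0.2.44")
    return "\n".join(lines)


def parse(log_text: str):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_min_users=5, spray_max_per_user=3,
                     brute_min_attempts=10):
    """Return {source: verdict} where verdict is 'password spraying',
    'brute force' or 'normal'. Thresholds are illustrative, not tuned."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]][e["user"]] += 1
    verdicts = {}
    for src, per_user in failures.items():
        distinct_users = len(per_user)
        worst_user = max(per_user.values())
        if distinct_users >= spray_min_users and worst_user <= spray_max_per_user:
            verdicts[src] = "password spraying"      # wide and shallow
        elif worst_user >= brute_min_attempts:
            verdicts[src] = "brute force"            # narrow and deep
        else:
            verdicts[src] = "normal"
    return verdicts


def successful_logins_from(events, verdicts):
    """(src, user) pairs that logged in successfully from a flagged source."""
    flagged = {src for src, v in verdicts.items() if v != "normal"}
    return {(e["src"], e["user"]) for e in events
            if e["result"] == "OK" and e["src"] in flagged}


if __name__ == "__main__":
    events = parse(constructed_log())
    verdicts = classify_sources(events)
    for src, verdict in verdicts.items():
        print(f"{src:15s} {verdict}")
    for src, user in successful_logins_from(events, verdicts):
        print(f"ALERT: success for {user} from flagged source {src}")
```

Spraying is easy to miss with per-account lockout thresholds alone, because each account only sees one or two failures; grouping by source (or by time window across all accounts) is what makes it visible.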
To protect against these you can use a salt and pepper: extra text is added to the password before it is hashed, which defends against rainbow tables.
Physical attacks
Malicious usbs
These fall into two categories, those dropped by pen testers and those dropped by real attackers. The drives are left around a car park, for example, waiting for targets to pick them up and plug them into their devices.
Malicious usb cables
Any device capable of storing files has the potential to be used for malicious activity.
Card cloning
Focuses on capturing information from cards, for example RFID and magnetic stripe cards. A related method is skimming, which uses fake readers to capture (skim) the card's data ready for cloning.
Supply chain attacks
Focuses on compromising systems or devices before they even reach the organisation.