Social Engineering

In this chapter we will go through the 7 principles that are used to exploit a person and the different types of social engineering attacks there are

The Seven Principles

There are 7 principles that are leveraged to successfully exploit a person

Authority

People will take orders from someone who appears to be in charge or knowledgeable

Intimidation

This relies on scaring/bullying the individual to get the desired outcome

Consensus based

This relies on herd mentality: others have clicked on the link, so the target may as well too

Scarcity

Makes something look more desirable because it has limited availability

Familiarity based attacks

This relies on the individual liking the person/organisation who is trying to exploit them

Trust

This is similar to familiarity-based attacks, which rely on the connection to the individual being targeted. It works by building a connection with the individual, which gains their trust

Urgency

This is similar to scarcity and uses the tactic of the action being required quickly due to limited availability

These all work by needing the target to respond, which is when humans are at their most vulnerable.

Different Types

Phishing

This is a broad term used to describe the fraudulent acquisition of information

Normally focussed on credential harvesting.

There are three types of phishing

Smishing = SMS (text phishing)

Vishing = Voice (phone call phishing)

Phishing = email (email phishing)

The most common is email phishing but the others are also commonly used 

There are different terms for the targeting of the phishing campaigns

Spear Phishing

Targets groups within an organisation 

Whaling 

Targets specific senior employees, for example CEOs

Credential harvesting

This is the process of gathering credentials like usernames and passwords

This is normally done by phishing but it can also be done via a system compromise which results in the malicious actor gaining access to the user database 

Website attacks

One of the key attacks carried out on websites is pharming, which is used to redirect traffic away from the legitimate website to the malicious one.

Typosquatting is another attack, which relies on the end user mistyping the URL of the website; the typosquatter will have registered a similar malicious website at the mistyped address

Watering hole attacks rely on a website that the targets usually visit; the aim here is to compromise the website or an advertising service, usually via malware

Spam

Spam or junk emails are often used to get the user to open the email, its attachments or its links

The point here is that if you send enough, someone is bound to open the link

SPIM, which will come up on the exam = spam over instant messaging (instant messaging spam)

In person attacks

Dumpster diving

This is used to gather information about an organisation and can be very effective due to companies throwing out sensitive information 

Shoulder surfing

This works by looking over the target's shoulder or via a mirror to gain information such as passwords

Tailgating

This is a physical entry attack and works by the actor following in someone who has authorized access

Elicitation

This is when the actor is gathering information on the target without them realising they are giving the actor sensitive/useful information

Identity fraud and impersonation

This is when the attacker pretends to be someone they are not

Pretexting is the process of creating a made-up situation to explain why you are approaching an individual

Identity fraud can be used to impersonate someone else and is usually used for financial gain but can be used to gain access to an organisation (this can be used for penetration tests)

Invoice scams can be used to send the organisation an invoice for a made up service and see if they pay.

Reconnaissance and impersonation

Social engineering can be used to gain very useful information about an organisation and many attackers use it at the reconnaissance stage of an attack

Influence campaigns

Check out hybrid warfare 2017 Russian

Password attacks

There are many password attacks that are used:

Brute force

Tries a list of passwords provided till it finds one that works

Password spraying

This is a form of brute force which attacks multiple accounts with a small password list
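The difference between the two shapes shows up in failed-login data, which is how a defender tells them apart. The detection sketch below is an added example, not part of the original notes; the event format, thresholds and sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed failed-login events: (epoch seconds, source IP, username).
# IPs come from documentation ranges; none of this is real log data.
def build_sample():
    events = []
    # 203.0.113.7: one failure against each of 8 accounts (spraying shape)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(users):
        events.append((1000 + i * 5, "203.0.113.7", user))
    # 198.51.100.9: 15 failures against a single account (brute-force shape)
    for i in range(15):
        events.append((1000 + i * 2, "198.51.100.9", "admin"))
    # 192.0.2.4: a user mistyping their own password twice
    events += [(1010, "192.0.2.4", "bob"), (1030, "192.0.2.4", "bob")]
    return events

def classify_sources(events, window=600, min_accounts=5,
                     max_per_account=2, min_attempts=10):
    """Label each source IP by the shape of its failed logins per time window.

    The thresholds are illustrative assumptions, not recommended values.
    """
    per_source = defaultdict(Counter)  # (ip, window index) -> failures per user
    for ts, ip, user in events:
        per_source[(ip, ts // window)][user] += 1

    findings = {}
    for (ip, _bucket), per_user in per_source.items():
        most = max(per_user.values())
        if len(per_user) >= min_accounts and most <= max_per_account:
            label = "password spraying"  # many accounts, few guesses each
        elif most >= min_attempts:
            label = "brute force"        # many guesses against one account
        else:
            label = "normal"
        # Keep the first non-normal label seen for this IP across windows.
        if findings.get(ip, "normal") == "normal":
            findings[ip] = label
    return findings

if __name__ == "__main__":
    for ip, label in classify_sources(build_sample()).items():
        print(ip, "->", label)
```

Per-account lockout counters alone miss the spraying source here, because no single account sees more than one failure.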

Dictionary attacks

Uses a list of words to test accounts; lists of millions of passwords can be found and used for the attack

To protect against this you can use salt and pepper: extra text is added to the password before it's hashed, which protects against rainbow tables
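A worked illustration of salt and pepper, added here and not part of the original notes. It assumes a per-user random salt stored next to the hash and a single secret pepper held outside the user database; the pepper value, iteration count and sample password are constructed, and the pepper is applied with HMAC rather than plain concatenation.

```python
import hashlib
import hmac
import os

# Assumption: the pepper is one secret for the whole system, kept outside
# the user database (for example in a secrets manager). Constructed value.
PEPPER = b"constructed-demo-pepper"
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted(password):
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    # Pepper: mix in the secret before hashing (keyed HMAC in this sketch).
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    # Salt: fed into a slow key-derivation function with the peppered value.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def demo():
    # Two users who happen to pick the same (constructed) password.
    salt1, hash1 = hash_password("Summer2024!")
    salt2, hash2 = hash_password("Summer2024!")
    return {
        # Identical unsalted hashes: one precomputed table entry hits both.
        "unsalted_equal": unsalted("Summer2024!") == unsalted("Summer2024!"),
        # Different salts give different stored hashes for the same password.
        "salted_equal": hash1 == hash2,
        "verifies": verify_password("Summer2024!", salt1, hash1),
        "wrong_rejected": not verify_password("summer2024!", salt1, hash1),
    }

if __name__ == "__main__":
    print(demo())
```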

Physical attacks

Malicious USBs

These fall into two categories: pen testers and potential attackers. The drives are dropped around a car park, for example, waiting for the targets to pick them up and plug them into their devices

Malicious USB cables

Any device with the capability of storing files has the potential to be used for malicious activities

Card cloning

This focuses on capturing information from cards, for example RFID and magnetic stripe cards. Another method is skimming, which uses fake readers to capture/skim the card's data ready to be cloned

Supply chain attacks

This focuses on compromising the systems/devices before they even reach the organisation