Phishing

  • Typosquatting: Register a domain that is a typo/misspelling of a legitimate one (a dropped, doubled, or swapped letter, a lookalike character) and wait for people to mistype it, or use it as the sender domain in phishing mail
  • Pharming: Redirect users of a legit website to a bogus one, usually achieved by DNS poisoning (or a tampered hosts file). Can be combined with phishing:
    • Pharming: Harvest a large group of people
    • Phishing: Collect access credentials
  • Vishing (Voice Phishing): done over phone or voice mail
  • Smishing (SMS Phishing): done over SMS/text messaging
  • Spear Phishing: focus on creating a message tailored to a specific person.
    • Reconnaissance: Gather information using OSINT techniques: LinkedIn, Facebook, Corporate websites,…
    • Use the above information to build a believable phishing campaign against the specific victim
    • Usually the targets are high-up executives or other important people
    • Spear phishing aimed at the CEO (or another top executive) is called whaling
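
The typosquatting bullet above is easier to see in code. The script below is an added example (not part of the original notes): it generates the single-edit lookalikes of a domain that a typosquatter would register (omitted, doubled, transposed and adjacent-key letters, vowel swaps, ASCII homoglyphs such as "rn" for "m", and a few TLD swaps), and then uses that set to flag a sender domain that imitates one of your trusted domains. The trusted domains and sender addresses are constructed for the example; Unicode/IDN homoglyphs are out of scope here.

```python
"""Typosquat candidate generation and lookalike-domain check.

Added example; the trusted domains and sender addresses are constructed.
"""

# Adjacent keys on a US QWERTY keyboard, for "fat finger" substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# ASCII sequences that look alike at a glance. Unicode/IDN homoglyphs
# (Cyrillic "а" for Latin "a", etc.) are a separate problem not covered here.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}

# TLDs a user is likely to type instead of .com (".om" is Oman's real TLD).
TLD_SWAPS = ("co", "cm", "om", "net", "org")


def typosquat_candidates(domain):
    """Return the set of single-edit lookalikes of `domain`.

    Edits are applied to the first label only (the part before the first
    dot); the rest of the name is kept, and a few TLD swaps are added.
    """
    label, _, rest = domain.lower().partition(".")
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] + label[i:])          # doubled letter
        if i < n - 1:                                          # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for key in QWERTY_NEIGHBOURS.get(label[i], ""):         # adjacent key
            variants.add(label[:i] + key + label[i + 1:])
        if label[i] in "aeiou":                                # vowel swap
            for v in "aeiou":
                variants.add(label[:i] + v + label[i + 1:])
    for src, alts in HOMOGLYPHS.items():                       # homoglyphs
        start = label.find(src)
        while start != -1:
            for alt in alts:
                variants.add(label[:start] + alt + label[start + len(src):])
            start = label.find(src, start + 1)
    variants.discard(label)
    variants.discard("")
    candidates = {v + "." + rest for v in variants}
    for tld in TLD_SWAPS:
        if tld != rest:
            candidates.add(label + "." + tld)
    return candidates


def lookalike_of(sender_domain, trusted_domains):
    """Return the trusted domain that `sender_domain` imitates, or None.

    Flags (a) any generated typosquat of a trusted domain and (b) a trusted
    domain used as a leading label (e.g. "example.com.pay-now.net").
    An exact match, or a genuine subdomain of a trusted domain, is not flagged.
    """
    sender = sender_domain.lower().rstrip(".")
    trusted_list = [t.lower() for t in trusted_domains]
    for trusted in trusted_list:
        if sender == trusted or sender.endswith("." + trusted):
            return None          # the real thing, or a real subdomain of it
    for trusted in trusted_list:
        if sender.startswith(trusted + ".") or sender in typosquat_candidates(trusted):
            return trusted
    return None


if __name__ == "__main__":
    # Constructed vendor list, e.g. the domains Accounting expects mail from.
    trusted = ["acme-toner.example", "example.com"]
    for sender in ("billing@exarnple.com", "ar@acme-t0ner.example",
                   "ar@example.com.pay-now.net", "ar@mail.example.com"):
        domain = sender.split("@", 1)[1]
        print(sender, "->", lookalike_of(domain, trusted))
```

Defenders use the same generator the other way round: register or at least monitor the highest-risk candidates for your own domain, and run inbound sender domains through `lookalike_of` against the vendors you actually pay.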

Impersonation

  • Pretexting:
    • Before the attack, the trap is set: there’s an actor and a story (the pretext).
    • Lying/deceiving to get the victim to act on a situation that may or may not be fabricated.
    • Goal: get information, or get the victim to take an action
  • E.g:
    • “Hey, this is John from Microsoft and your Windows machine has been reporting that it’s been infected with malware. I’m calling you to help clean it up. I just need you to do step one, two and three.”
    • “Hello sir, my name is Wendy and I’m from Microsoft Windows. This is an urgent check up call for your computer as we have found several problems with it.”
    • "This is an enforcement action executed by US Treasury intending your serious attention.”
    • etc
  • Attackers pretend to be someone they aren’t
  • Use details attained from reconnaissance
  • Approach the victim as someone higher in rank (authority)
  • Eliciting information:
    • Extracting information from the victim in conversation: the victim doesn’t even realize it is happening
    • Vishing (Voice Phishing): it can be easier to get this information over the phone
    • Psychological tricks to get information, often using well-documented techniques (it’s not like they can just ask you for your password immediately, no one is that dumb, right…?)
  • Identity fraud:
    • Once your identity (name, date of birth, account numbers, etc.) is stolen, it can be used by others
    • Credit card fraud: Open an account with the stolen identity, or use the stolen card details for other purchases
    • Bank fraud
    • Loan fraud
    • Government benefits fraud: attacker obtains benefits on your behalf
  • Protect against impersonation
    • Never volunteer information
    • Don’t disclose personal details
    • Always verify before revealing info: look up the caller’s organization through a 3rd party (not a number the caller gave you), then call back before giving out any information

Dumpster diving

  • A very valid way to gather important details from what people throw in the trash.
  • Anything related to bills, unshredded documents, discarded media, printouts and files containing metadata you generated,…
  • Is it legal?
    • US: generally yes, once the trash is out on the curb / in a public area
    • Other countries: depends on local law, but generally who cares, it’s trash.
    • Dumpsters on private property or behind a “No Trespassing” sign may be restricted (duh!)
  • Mitigation: Secure the garbage (locked bins, fenced area), shred sensitive documents.

Shoulder surfing

  • It’s simple: you open something on your computer in public, and people around you can see it.
  • Motives: curiosity, industrial espionage, competitive advantage
  • It’s surprisingly easy to do.
  • Mitigation:
    • Be aware of your surroundings before opening anything sensitive
    • Use privacy filters

Hoaxes

  • A threat that doesn’t actually exist, but seems like it COULD be real
  • Still consumes lots of resources: time, attention, people,…
  • Often used to entice people into doing something:
    • fake virus warnings, enticing you to install bloatware or fake “antivirus”
    • fake updates
    • fake prizes
    • etc
  • How to recognize:
    • If it seems too good to be true, it probably is (most of the time)
    • Cross-reference using 3rd parties, e.g. https://www.snopes.com/
    • Spam filters

Watering hole attacks

  • Instead of trying to get inside the network directly, attackers go after a 3rd party site and hope that you visit that 3rd party as well.
  • Once the user(s) of an organization get infected via the watering hole, attackers now have a way into the network.
  • Executing:
    • Determine which places/websites the victim group might use
      • Could be a local coffee shop with wifi, a sandwich shop
      • Industry-related sites
    • Infect one of these 3rd party sites (via the 3rd party’s vulnerabilities)
    • Infect all visitors, then look for the specific victims among them
    • Pwned!
  • Mitigation:
    • You don’t control the 3rd party site, so you can only defend your own side
    • Defense-in-depth: layered defense
    • Firewall, IPS within the network, VLANs, segmentation,…
    • Anti-virus / anti-malware signature updates
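
When a 3rd party site you rely on is reported compromised, the first incident-response question is “who in our network loaded it, and when?”. The script below is an added example (not from the original notes) that answers it from web-proxy logs: it parses one request per line, keeps only requests to the compromised host (or any subdomain of it) inside the window the site is known to have been serving the attacker’s code, and reports the first visit per client. The log format (timestamp, client IP, user, method, URL, status) and the log lines are constructed for this example; adapt the regex to whatever your proxy writes.

```python
"""Scope exposure to a watering-hole site from web-proxy logs.

Added example; the log format and log lines are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log. industrynews.example plays the compromised site.
SAMPLE_LOG = """\
2024-03-02T18:30:00Z 10.0.9.3 cdoe GET https://industrynews.example/ 200
2024-03-04T09:12:03Z 10.0.5.21 jsmith GET https://industrynews.example/article/42 200
2024-03-04T09:12:04Z 10.0.5.21 jsmith GET https://cdn-static.example/js/ads.js 200
2024-03-04T10:47:19Z 10.0.5.88 akhan GET https://industrynews.example/ 200
2024-03-05T08:03:55Z 10.0.7.14 bwong GET https://www.industrynews.example/article/42 200
2024-03-06T12:00:00Z 10.0.5.21 jsmith GET https://industrynews.example/login 200
this line is malformed and is skipped
"""

# timestamp client_ip user method url status
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ip, user, method, url, status = m.groups()
        yield {"ts": parse_ts(ts), "raw_ts": ts, "ip": ip, "user": user,
               "method": method, "host": (urlsplit(url).hostname or "").lower(),
               "status": int(status)}


def exposed_clients(log_text, compromised_host, start_iso, end_iso):
    """Return {(client_ip, user): first_visit_timestamp} for every client that
    requested `compromised_host` (or any subdomain of it) within the window
    [start_iso, end_iso] during which the site served the attacker's code."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    host = compromised_host.lower()
    first_seen = {}
    for rec in parse_log(log_text):
        if not (rec["host"] == host or rec["host"].endswith("." + host)):
            continue
        if not (start <= rec["ts"] <= end):
            continue
        key = (rec["ip"], rec["user"])
        if key not in first_seen or rec["ts"] < first_seen[key][0]:
            first_seen[key] = (rec["ts"], rec["raw_ts"])
    return {key: raw for key, (_, raw) in first_seen.items()}


if __name__ == "__main__":
    # Window as reported by the 3rd party: compromised 3 March through 5 March.
    hits = exposed_clients(SAMPLE_LOG, "industrynews.example",
                           "2024-03-03T00:00:00Z", "2024-03-05T23:59:59Z")
    for (ip, user), when in sorted(hits.items()):
        print(f"{ip:<12} {user:<8} first visit {when}")
```

The output is the list of machines to pull for triage and the users whose credentials to treat as suspect; a visit outside the window (cdoe on 2 March above) is not exposure, and a visit to a different host on the same page load (the ad script) is not counted unless that host is itself reported compromised.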

Spam

  • Unsolicited messages in email, forums, chat apps, etc…
  • Spam over Instant Messaging (SPIM)
  • Various content types:
    • Commercial advertising
    • Phishing attempts
  • Significant technical issues: storage cost, security issues, resource consumption,…
  • Mitigation:
    • Mail gateways
    • Allow list: only receive email from trusted senders
    • SMTP standards checking: reject senders that don’t follow the protocol (e.g. a missing or bogus HELO/EHLO)
    • rDNS (Reverse DNS): Block email where the reverse DNS of the sending IP doesn’t match the sender’s domain
    • Tarpitting: Intentionally slow down the SMTP conversation with the sender, so bulk senders waste time on you
    • Recipient filtering: block all email not addressed to a valid recipient address
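
The gateway checks above, as an added example (not from the original notes) that you can run offline. Each mitigation is one function: an allow list on the envelope sender’s domain, recipient filtering against the set of valid mailboxes, reverse DNS (forward-confirmed: the sending IP’s PTR name must resolve back to that IP, and then, as the page states the rule, that name must be inside the sender’s domain), and a tarpit delay that grows with the number of RCPT TO commands in one session. The DNS records, IPs (RFC 5737 test ranges) and addresses are constructed; lookups go to two dicts instead of real DNS.

```python
"""Simulated inbound mail-gateway checks: allow list, recipient filtering,
reverse DNS and tarpitting.

Added example; DNS data, IPs and addresses are constructed.
"""

# Constructed DNS: PTR records for sending IPs and A records for host names.
PTR = {
    "203.0.113.10": "mx1.partner.example",   # legit relay, forward-confirmed
    "198.51.100.7": "dsl-7.isp.example",      # consumer line, PTR doesn't confirm
}
A = {
    "mx1.partner.example": {"203.0.113.10"},
    "dsl-7.isp.example": {"198.51.100.9"},
}


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ("" if there is none)."""
    return address.rpartition("@")[2].lower()


def fcrdns_ok(client_ip, ptr=PTR, fwd=A):
    """Forward-confirmed reverse DNS: the IP's PTR name must resolve back to it.
    Senders with no PTR, or a PTR that points elsewhere, fail."""
    name = ptr.get(client_ip)
    return name is not None and client_ip in fwd.get(name, set())


def rdns_matches_sender(client_ip, mail_from, ptr=PTR):
    """The rule as stated in the notes: the rDNS name of the sending IP must be
    in the envelope sender's domain. Strict, and it rejects legitimate mail
    sent through a third-party provider, so most deployments pair FCrDNS with
    SPF/DKIM rather than relying on this check alone."""
    name = ptr.get(client_ip)
    sender = domain_of(mail_from)
    if name is None or not sender:
        return False
    return name == sender or name.endswith("." + sender)


def tarpit_delay(rcpt_commands_seen, base=2.0, after=5, cap=60.0):
    """Seconds to wait before answering the next RCPT TO. Normal mail has a
    handful of recipients and sees no delay; a bulk sender firing hundreds
    of RCPTs per session gets an exponentially growing delay, capped."""
    extra = rcpt_commands_seen - after
    if extra < 0:
        return 0.0
    return min(base * 2 ** extra, cap)


def evaluate(client_ip, mail_from, rcpt_to, valid_recipients,
             allowed_sender_domains=None):
    """Return (accept, reasons) for one message. `allowed_sender_domains`
    of None means no allow list is enforced."""
    reasons = []
    sender_domain = domain_of(mail_from)
    if allowed_sender_domains is not None and sender_domain not in allowed_sender_domains:
        reasons.append("sender domain not on allow list")
    if not fcrdns_ok(client_ip):
        reasons.append("no forward-confirmed rDNS for client IP")
    elif not rdns_matches_sender(client_ip, mail_from):
        reasons.append("rDNS name does not match sender domain")
    unknown = [r for r in rcpt_to if r.lower() not in valid_recipients]
    if unknown:
        reasons.append("unknown recipients: " + ", ".join(unknown))
    return (not reasons, reasons)


if __name__ == "__main__":
    valid = {"bob@corp.example", "ap@corp.example"}
    for ip, frm, to in [
        ("203.0.113.10", "alice@partner.example", ["bob@corp.example"]),
        ("198.51.100.7", "alice@partner.example", ["bob@corp.example"]),
        ("203.0.113.10", "mallory@other.example", ["bob@corp.example"]),
        ("203.0.113.10", "alice@partner.example", ["nobody@corp.example"]),
    ]:
        print(ip, frm, to, "->", evaluate(ip, frm, to, valid))
    print("tarpit after 8 RCPTs:", tarpit_delay(8), "s")
```

Recipient filtering is the cheapest of these and also the one spammers probe: rejecting unknown recipients at RCPT TO (rather than accepting and bouncing later) keeps you from becoming a backscatter source, and the tarpit makes that probing slow.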

Influence campaigns

  • Hacking public opinion:
    • Influence campaigns: sway public opinion on political and social issues
    • Nation-state actors: divide, distract, persuade
    • Advertising as an option: buy your way to broadcast to more people
  • Process:
    1. Fake users create fake content
    2. Fake content is posted on social media
    3. Amplify the fake content/messages (bots, more fake accounts)
    4. Real users share the content/messages
    5. Mass media picks up the fake story
  • Hybrid warfare:
    • Military strategy: one country trying to change another country’s people to a different way of thinking, manipulating votes and policies into existence.
    • Cyberwarfare: influence with a military spin: influence foreign elections, etc.

Others techniques

  • Tailgating: Use an authorized person to gain unauthorized access to a building by following them through the door.
    • E.g. from Johnny Long’s book No Tech Hacking:
      • Blend in with clothing (look like you belong)
      • Impersonate a 3rd party with a legitimate reason to be there (delivery, maintenance)
      • Temporarily take up smoking, or bring snacks for people (hands full, someone holds the door)
    • Mitigation:
      • Policy for visitors: identify and schedule anyone before allowing them inside
      • One scan, one person
      • Access Control Vestibule / Airlock (mantrap)
  • Invoice scam: starts with spear phishing; the attacker knows who pays the invoices in the organization
    • Attacker sends a fake invoice (domain renewal, toner cartridges, etc.) with spoofed sender information.
    • Accounting pays the invoice
    • Attacker now has the money, and any payment details that were entered
  • Credential harvesting (password harvesting): attackers collect login credentials saved on the computer
    • Chrome, Firefox, Outlook, Windows Credential Manager, etc.
    • Often delivered via a malicious macro embedded in a Microsoft Word doc
    • Very stealthy: the user opens a document and sees nothing happen

Principles of SE

Effectiveness

  • Constantly changing: you never know what they’ll use next
  • May involve multiple people or organizations
  • May be in person or electronic
    • Examples: phone calls from aggressive “customers”; emailed funeral notifications of a friend or associate

Principles

I personally call these, just for the sake of being easier to remember, the C.I.A.S.T.F.U principles. It’s short for Consensus, Intimidation, Authority, Scarcity, Trust, Familiarity, and Urgency.

  • Consensus (social proof): convince you that this is what everyone else does / what is normally expected (“your colleagues have already done this”)
  • Intimidation: something bad will happen if you don’t help
  • Authority: calling from a higher position to assert authority and force you to give them something
  • Scarcity: the clock’s ticking, it must be done before time expires. Plays on the fear of missing out; based on people’s greed
  • Trust: gain a level of trust, e.g. “I’m from the IT department”
  • Familiarity (Liking): someone in common, someone known, etc.
  • Urgency: works alongside scarcity; act quickly, don’t think. Plays on the stress of the situation; based on people’s fear of failing their responsibility.