
CEHv8 Module 09: Social Engineering


Document information: 72 pages, 4.76 MB



FireEye, Inc. has announced the release of "Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data," a report that identifies the social engineering techniques cybercriminals use in email-based advanced cyber attacks. According to the report, the top words cybercriminals use create a sense of urgency to trick unsuspecting recipients into downloading malicious files. The top word category used to evade traditional IT security defenses in email-based attacks relates to express shipping.

According to recent data from the FireEye "Advanced Threat Report," for the first six months of 2012, email-based attacks increased 56 percent. Email-based advanced cyber attacks easily bypass traditional signature-based security defenses, preying on naive users to install malicious files.

"Cybercriminals continue to evolve and refine their attack tactics to evade detection and use techniques that work. Spear phishing emails are on the rise because they work," said Ashar Aziz, Founder and CEO, FireEye. "Signature-based detection is ineffective against these constantly changing advanced attacks, so IT security departments need to add a layer of advanced threat protection to their security defences."

"Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data" explains that express shipping terms are included in about one quarter of attacks, including "DHL", "UPS", and "delivery".

http://diztech2.in.com

Học viện Công Nghệ Thông Tin Bach Khoa

Module Objectives

What Is Social Engineering?
Factors that Make Companies Vulnerable to Attacks
Phases in a Social Engineering Attack
Common Targets of Social Engineering
Human-based Social Engineering
Computer-based Social Engineering
Mobile-based Social Engineering
Social Engineering Through … Sites
Identity Theft
Social Engineering Countermeasures
How to Detect Phishing Emails
Identity Theft Countermeasures
Social Engineering Pen Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Behaviors Vulnerable to Attacks

I. … is the basis of any social engineering attack
II. … and its effects among the workforce makes the organization an easy target
III. Social engineers might threaten severe losses in case of …
IV. Social engineers lure the targets to divulge information by …
V. Targets are asked for help and they comply out of a sense of …


Factors that Make Companies Vulnerable to Attacks

Security policies are as strong as their weakest link, and humans are …
It is difficult to detect social engineering attempts
There is no method to ensure complete security from social engineering attacks
There is no specific software or hardware for defending against a social engineering attack


Warning Signs of an Attack

Internet attacks have become a business and attackers are …

Warning signs:
Show haste and drop the name inadvertently
Show discomfort when questioned
Make informal requests

Phases in a Social Engineering Attack

… dumpster diving, websites, employees, tour company, etc.
… identify the frustrated employees of the target company
… with the selected employees
… information, and current technologies


Economic Losses
Loss of Privacy
Damage of Goodwill
Temporary or Permanent Closure
Lawsuits and Arbitrations


"Rebecca" and "Jessica"

Attackers use the terms "Rebecca" and "Jessica" to … Rebecca and Jessica mean a person who is an easy target for social engineering.

Examples:
"There was a Rebecca at the bank and I am going to call her to extract the privileged information."
"I met Jessica, she was an easy target for social engineering."
"Do you have a Rebecca in your company?"


Common Targets of Social Engineering

Receptionists and help desk personnel
Users and clients


Common Targets of Social Engineering: Office Workers

Despite having the best firewall, intrusion-detection, and antivirus systems, you are still …

Attackers can attempt … on office workers to extract the …, such as: security policies, sensitive documents, office network infrastructure, passwords.

An attacker making an attempt as a valid employee to … from the staff of a company. The victim employee gives information back assuming …


Human-based Social Engineering: gathers sensitive information by … Attacks of this category …, and …

Computer-based Social Engineering: social engineering is carried out with the help of …

Mobile-based Social Engineering: it is carried out with the help of …


Human-based Social Engineering: Impersonation

Give identity and ask for the …
"Hi! This is John, from Department X. I have forgotten my password. Can I get it?"

Posing as a VIP of a …
"Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system password. Can you help me out?"

Posing as technical support: call as … and request IDs and passwords to retrieve data
"Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"


… that if he misses the deadline on a big … project, his boss might fire him. The help desk worker feels sorry for him and …

"… Your department has 10 minutes to show …"

"… of the New York office. I know it's short notice, but I have a group of …ts out in the car that I've been trying for … to outsource their security training needs to us. … just a few miles away and I think that if I can give them a tour of our facilities, it should be enough to push them over the edge and get them to sign up. … yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company."

"… Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system."

Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.

Human-based Social Engineering: Eavesdropping and Shoulder Surfing

Eavesdropping: eavesdropping, or … listening … or reading of messages. Interception of any form of … such as audio, video, or written.

Shoulder surfing: shoulder surfing uses direct observation techniques, such as looking over someone's shoulder, to get information such as …, account …, etc. Shoulder surfing can also be done from a longer distance with the aid of …

Human-based Social Engineering: Dumpster Diving

Human-based Social Engineering (Cont'd)

In person: survey a target company to collect information on … contact information …

Third-party authorization: refer to an important person in the organization and try to collect data. "Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?"

Tailgating: an unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.

Human-based Social Engineering (Cont'd)

Reverse Social Engineering: a situation in which an attacker presents himself as an … and the target …

Piggybacking: "I forgot my ID badge at home. Please help me." An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.

Watch this Movie

In the 2003 movie "Matchstick Men", Nicolas Cage plays a con artist residing in Los Angeles who operates a fake lottery, selling overpriced water filtration systems to unsuspecting customers, in the process collecting over a million dollars.

This movie is an excellent study in the art of social engineering, the art of manipulating people into performing actions or divulging confidential information.

Computer-based Social Engineering

Spam email: … unsolicited email to collect …

Hoax letters: emails that issue warnings to the user on new viruses, Trojans, or … that may harm the user's system

Instant chat messenger: gathering … with a selected online user to get information such as birth dates and maiden names

Chain letters: emails that offer … such as money and software on the condition that the user has to forward …

Computer-based Social Engineering: Pop-Ups

Pop-ups trick users into … that redirects them to … asking for personal information, or downloads malicious programs such as keyloggers, Trojans, or spyware.

Computer-based Social Engineering: Phishing

An … falsely claiming to be from a … to acquire the user's personal or account information. Phishing emails or pop-ups redirect users to … mimicking trustworthy sites that ask them to submit their personal information.

[Sample phishing emails reproduced on the slide: a "Dear Valued Customer" MasterCard lure that asks the recipient to reactivate the card via an "Update MasterCard" link and is signed "MasterCard Customer Care"; a bank notice claiming online banking is blocked and asking for an update before a deadline; and a "Dear HSBC Online user" lure asking the recipient to "Proceed to Account Verification".]

Computer-based Social Engineering: Spear Phishing

Spear phishing is a direct, targeted phishing attack aimed at … In contrast to a normal phishing attack, where attackers send out hundreds of generic messages to random email addresses, attackers use spear phishing to send a message with specialized, … content directed at a … or a … Spear phishing generates a higher … rate when compared to a normal phishing attack.
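The module lists "How to Detect Phishing Emails" as an objective, and the FireEye report quoted at the top of the page names the lures to look for: urgency wording and express-shipping terms ("DHL", "UPS", "delivery"). The script below is an added example, not CEH or FireEye code, of how such detection logic looks in practice: it scores a message on lure vocabulary, on requests for credentials, and on the two link tricks visible in the slide's phishing samples (anchor text showing one host while the href points elsewhere, and links leaving the domain the sender claims to write from). Only DHL, UPS and delivery come from the page; every other keyword, the `_registered_domain` shortcut (last two labels, not a real public-suffix lookup), and the sample messages are this example's own assumptions. The samples are constructed: `.example` is a reserved TLD and 555-0100 is a fictional number. It also handles an SMS lure like the XIM Bank text message described later in the module.

```python
"""Flag social-engineering lures in a message: urgency wording, express-
shipping bait, credential requests and deceptive links.

Added example for this page; not CEH or FireEye code. Term lists are this
example's assumptions except where noted. Sample messages are constructed;
.example is a reserved TLD and 555-0100 is a fictional number.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# "DHL", "UPS" and "delivery" are the terms the FireEye report quoted on the
# page names; every other term below is an assumption of this example.
SHIPPING_TERMS = ("dhl", "ups", "delivery", "shipment", "tracking number")
URGENCY_TERMS = ("urgent", "immediately", "within 48 hours", "blocked",
                 "reactivate", "verify your", "notification", "alert")
CREDENTIAL_TERMS = ("password", "card number", "card details", "pin",
                    "account number", "login")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(value):
    """Lower-case hostname of a URL or bare host; '' if none can be parsed."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .example hosts here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_message(sender, subject, body):
    """Return {'score': n, 'findings': [(category, detail), ...]} for one
    email (HTML body) or SMS (plain text; sender may be a phone number)."""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []
    for category, terms in (("urgency", URGENCY_TERMS),
                            ("shipping_lure", SHIPPING_TERMS),
                            ("credential_request", CREDENTIAL_TERMS)):
        for term in terms:
            if re.search(r"\b" + re.escape(term) + r"\b", text):
                findings.append((category, term))

    # Link checks: visible host differing from the real target, and links
    # that leave the domain the sender claims to write from.
    sender_domain = _registered_domain(sender.rsplit("@", 1)[-1].lower())
    parser = _LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        target = _registered_domain(_hostname(href))
        if not target:
            continue
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}\S*", shown, re.I):
            if _registered_domain(_hostname(shown)) != target:
                findings.append(("link_text_mismatch", f"{shown} -> {href}"))
        if "@" in sender and target != sender_domain:
            findings.append(("offdomain_link", href))
    return {"score": len(findings), "findings": findings}


# Constructed samples. PHISH is modelled on the MasterCard lure reproduced on
# the slide; sender, link and exact wording are made up.
PHISH = dict(
    sender="customer.care@mastercard.example",
    subject="Urgent: reactivate your card",
    body=(
        "<p>Dear Valued Customer,</p>"
        "<p>Our new security system will help you to avoid fraud transactions "
        "and keep your credit/debit card details safe. Please click on the "
        "link below to proceed, or your card will be blocked.</p>"
        '<p><a href="http://mastercard.example.card-verify.example/update">'
        "www.mastercard.example/update</a></p>"
    ),
)
SMISH = dict(  # modelled on the XIM Bank text message described on the page
    sender="XIM-BANK",
    subject="",
    body=("URGENT: suspicious activity on your account. Call 555-0100 "
          "immediately to verify your card number."),
)
BENIGN = dict(  # constructed legitimate message for comparison
    sender="statements@mastercard.example",
    subject="Your monthly statement is ready",
    body=('<p>Your statement is available at '
          '<a href="https://www.mastercard.example/statements">our portal'
          '</a>.</p>'),
)

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("SMISH", SMISH), ("BENIGN", BENIGN)):
        result = analyze_message(**msg)
        print(name, result["score"], result["findings"])
```

Keyword scoring on its own is only a triage signal (the slide's own warning about "professional-sounding terms" cuts both ways: legitimate mail uses them too); the link checks are the higher-confidence part, because a displayed host that differs from the real href, or a "bank" mail whose links leave the bank's domain, has no honest explanation. A production filter would replace `_registered_domain` with a public-suffix list and add header checks (SPF/DKIM alignment) that this offline example leaves out.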


Mobile-based Social Engineering: Publishing Malicious Apps

Attackers create … with attractive features and … to that of popular apps, and publish them on major app stores.

1. Attacker creates a malicious mobile application (for example, a malicious gaming application)
2. Attacker publishes the malicious mobile apps on an app store
3. User … the malicious mobile application
4. … sends … to the attacker


Mobile-based Social Engineering: Repackaging Legitimate Apps

1. A malicious developer downloads a legitimate game and repackages it with malware
2. The developer uploads the game to a third-party app store
3. … user credentials are sent to the malicious …

Mobile-based Social Engineering: Fake Security Applications

1. Attacker infects the victim's PC
2. The victim logs onto their bank account
3. Malware in the PC pops up a message telling the victim to download an application onto his/her phone in order to receive security messages
4. Victim downloads the malicious application onto his phone from the attacker's app store

Mobile-based Social Engineering: Using SMS

Tracy received an SMS text message, ostensibly from the security department at XIM Bank. It claimed to be urgent and that Tracy should call the included phone number immediately. Worried, she called to check on her account.

She called thinking it was a XIM Bank customer service number, and it was a … asking her to provide her credit card or debit card number.

Unsurprisingly, Jonny … due to the fraudulent texts.

Posted: 14/12/2021, 18:39
