IN5290 Ethical Hacking (2018), Lecture 11: Social Engineering. Universitetet i Oslo, Laszlo Erdödi



Lecture Overview

• What is social engineering and how it works
• What are the main techniques that are used
• Analysis of specific computer based social engineering attacks


What is Social Engineering?

Social engineering is the manipulation of people into performing actions that lead to a compromise, such as revealing confidential information. Typical goals:
• information gathering
• fraud
• system access
• physical access


Basis of Social Engineering

• Human nature of trust
People are usually positive towards each other. If there is no negative indication (suspicious signs, bad previous experience), people prefer to assume the best.

– Can you open that door for me? I left my card at home.
– Please log in here using the link below.

• Trust based on the information provided
Trust can be gained through the information that is provided. If the attacker «accidentally» mentions something that is only known to privileged persons, this can be the basis of trust.

– Hi Jane, this is John from the admins. Your boss George (known from the website) asked me to update your profile while you're on holiday (known from Facebook). It's kinda urgent, because …


• Moral obligation
Serving a moral obligation can override security policies. Personal interest (not being rude to someone) can be more important than the company's interest, especially when combined with the human nature of trust.

– Open the door for someone carrying heavy boxes

• Something promising
Offering something promising can make people less cautious.

– Win a new iPhone X, just click the link below
– Cheaper prices in a web shop

• Confusing situation
Providing misleading information. People feel stupid and think it is their fault; they try to resolve the situation and regain their balance, which makes them less cautious.


• Hurry
Hurry makes people prone to overlook details or be less cautious.

• Ignorance
Ignorant users easily overlook details or do not care about security at all.

• Fear
Fear also has a negative effect on security. It makes reliable decisions harder, which helps attackers.

• Combination of multiple tricks
E.g. trust based on the provided info + hurry + fear: "The CIO (name from info gathering) is furious about the … (private story revealed from info gathering). You should immediately provide your credentials so we can check that your account is not affected. If we can't check it, the CIO will …"


Social Engineering techniques

• Impersonating someone
– Posing as a legitimate user
– Posing as a privileged user
– Posing as technical support
– Posing as a repairman, cleaning service, pizza delivery, etc.

• Eavesdropping
Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent.

• Shoulder surfing
Used to obtain personal information (e.g. passwords) and other confidential data by looking over the victim's shoulder. The attack can be performed either at close range (by directly looking over the victim's shoulder) or from a longer range, for example using a telescope.


• Dumpster diving
Looking for treasures in someone's trash (calendar entries, passwords on post-it notes, phone numbers, emails, operation manuals).

• Piggybacking/Tailgating
A person passes through a physical access checkpoint together with another person who is authorized.


Example: picture from the White House posted on social media.


Computer based Social Engineering techniques

• Phishing
• Spear phishing
• Fake software
– Tool that has a hidden function
– Modified legitimate tool
– Fake AV


Phishing attacks

Phishing is used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information. An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft. Moreover, phishing is often used to gain a foothold in corporate or governmental networks as part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

https://www.incapsula.com/web-application-security/phishing-attack-scam.html


Phishing attack examples

The link redirects to myuniversity.edurenewal.com, which is an attacker-controlled fake renewal page that looks the same as the original (note that the registered domain is edurenewal.com, not myuniversity.edu). If the real renewal page has an XSS vulnerability, the attacker can instead link the victim to the real renewal page and steal the session variables with an XSS script, so the link itself points at the legitimate site.

https://www.incapsula.com/web-application-security/phishing-attack-scam.html


Spear phishing attack examples

Spear phishing targets a specific person or enterprise, as opposed to random application users. It is a more in-depth version of phishing that requires special knowledge about an organization, including its power structure. The attacker can use personal information obtained from information gathering (e.g. social media) to customize the story.

https://www.incapsula.com/web-application-security/phishing-attack-scam.html
https://www.globaldots.com/recursive-dns-security-gaps-address/phishing-and-spear-phishing/


End of lecture
