Social Engineering: A Human Hacking Framework AUTHOR SHUDARSHON CHAKI

Page 1: Social engineering: A Human Hacking Framework

Social Engineering: A Human Hacking Framework

AUTHOR: SHUDARSHON CHAKI

Page 2: Social engineering: A Human Hacking Framework

Summary

Social engineering is the art of persuading people to reveal confidential information. It involves an outsider gaining sensitive data or improper access privileges. Intruders attempt social engineering attacks on office workers to extract valuable information. Human-based social engineering refers to person-to-person interaction used to retrieve the desired information. Computer-based social engineering refers to using computer software that attempts to retrieve the desired information. Identity theft happens when somebody steals your name and other personal information for fraudulent purposes. An effective defense depends on having good policies and implementing them diligently.

Page 3: Social engineering: A Human Hacking Framework

Statistics

- 88% of link clicks in email are reported as phishing
- 77% of phishing attacks are socially based
- 90% of all emails are spam & viruses
- 13.3 million users reported phishing attacks in 2013
- 88% of the stolen data was personal information
- 2.4 M customers were targeted for phone fraud in all of 2012
- 2.3 M customers were targeted for phone fraud in the first half of 2013
- Among them, 26% lure the user into calling a number, 14% into replying to a text & 60% into clicking on a link
- Average victims lost $4,187 a year
- The top venue for this attack was the work area, both personal and corporate

Page 4: Social engineering: A Human Hacking Framework

Introduction

Passive penetration using social engineering depends on the fact that users are unaware of the value of their information and are not diligent enough to protect it against fraud.

Victims include help desk personnel, technical support executives, system admins, VIPs, business people, corporate staff, bankers, etc.

Several behaviors are vulnerable to attack: the human nature of trust, ignorance about social engineering, the tendency to promise something for nothing, greed & lack of moral obligation.

Several factors make corporations vulnerable to this attack: insufficient security training, unregulated access to information, many organizational units and a lack of security policies.

Social engineering leads an organization to economic loss, privacy loss, temporary or permanent closure, damage to goodwill, etc.

Page 5: Social engineering: A Human Hacking Framework

Why is this method effective?

- Social engineering attempts are difficult to detect.
- There is no software- or hardware-based approach to prevent human stupidity.
- There is no method to ensure complete security from social engineering.
- As to err is human, security policies are, in a way, only as strong as their weakest link.
- Humans do not continuously safeguard their activity and cannot change their behavioral patterns frequently. This exposes them to social engineering vulnerabilities.
- Diversifying human nature everywhere is not absolutely possible, but the lack of this practice drives people into social engineering attacks.

Page 6: Social engineering: A Human Hacking Framework

Phases in social engineering

- Researching the target company, which includes: websites, whois lookups, pipl.com, employees, dumpster diving, etc.
- Selecting the victim, which includes finding the frustrated employees of the target company.
- Developing a relationship with the targeted employees.
- Exploiting the relationship, which includes collecting sensitive information, financial information and current technologies.
- Getting in touch with the sensitive data and retrieving personal information from the victim.

Page 7: Social engineering: A Human Hacking Framework

Classification of Social Engineering

Social engineering falls into three categories: human based, computer based and mobile based.

Human-based social engineering refers to pretending to be someone legitimate or an authorized person.

Computer-based social engineering refers to using pop-up windows, hoaxes, chain letters and spam emails to lure users into a trap.

Mobile-based social engineering refers to publishing malicious apps on app stores, publishing fake security applications, using SMS, etc.

Page 8: Social engineering: A Human Hacking Framework

Attack Environment

We will discuss several social engineering based attacks here. These attacks fall into the different categories mentioned on the previous slide.

Social engineering is carried out through impersonation, such as attempting to extract sensitive information from the help desk. Help desks are mostly the weakest link since they exist explicitly to help.

Attackers also apply third-party authorization to retrieve valuable information from an organization. First they obtain the name of an authorized employee who has access to the information the attacker wants. Next the attacker calls the target organization, claiming that the particular employee needs the information.

If the target organization gives the attacker access to the information, it has been trapped.

Page 9: Social engineering: A Human Hacking Framework

Another technique attackers use for this kind of attack is posing as tech support or a repairman. The attacker pretends to be technical support staff of the organization's software or hardware vendor, then requests a user ID and password to troubleshoot a problem in the organization. Once these credentials are obtained, the attacker looks for the information and retrieves it.

Again, an attacker may pose as a cable/telephone technician to enter the target organization. After gaining access to the organization they may plant snooping devices to capture employees' hidden passwords.

Attackers also attempt to execute social engineering attacks by posing as a trusted authority figure.

Cont..

Page 10: Social engineering: A Human Hacking Framework

Other popular classes of social engineering attack are eavesdropping and shoulder surfing. Eavesdropping refers to unauthorized listening to conversations or reading of personal content. It also covers interception of audio, video or written communication.

Shoulder surfing means looking over someone's shoulder to retrieve information such as a password, PIN or account number.

This strategy can also be applied with vision-aiding devices such as binoculars.

Another social engineering attack is dumpster diving, which means looking for valuable information in the target user's trash.

Other attack strategies under social engineering include piggybacking, tailgating & reverse social engineering.

Cont..

Page 11: Social engineering: A Human Hacking Framework

Cont..

Besides human-based impersonation, it is also popular to launch computer-based social engineering attacks, which use instant chat messengers, pop-up windows, spam email, chain letters, etc.

One of the most popular social engineering attacks is phishing: an illegitimate email luring users into providing their personal information. These messages falsely claim to come from legitimate web sites.

A derivative of phishing is spear phishing, which is targeted at a specific individual within an organization. It generally yields a higher response rate than conventional phishing.

Specialized messages are crafted for specialized attacks on target individuals.

Page 12: Social engineering: A Human Hacking Framework

Alongside computers, mobiles are also a great medium for attackers to execute social engineering attacks. Since mobiles are highly available compared with other devices, they are one of the key mediums and a top choice for attackers.

Attackers publish apps with lucrative features and names similar to popular apps to attract users. Once users install these apps, the apps send user credentials to the remote attackers. End users remain unaware of all this.

Generally, malicious developers download popular apps and repackage them with malware, then re-upload them to third-party app stores.

End users download these apps and get infected.

Cont..

Page 13: Social engineering: A Human Hacking Framework

Another widespread social engineering technique is to tempt users into installing fake security applications via pop-ups, email, etc.

Users suddenly feel insecure without these applications, and many of them install the software without a second thought. This software exploits all of the user's privileges and activities. It steals valuable information from the user's computer and uploads it to a remote server.

Apart from app-based social engineering techniques, it is also popular to exploit users through text- and phone-call-based approaches.

The attacker sends a fake message to the target user's phone and drives them to call a specific number. When the user dials the number, he/she actually hears a recording asking for their credentials to resolve some security issue.

If users are convinced, they reveal their sensitive information.

Cont..

Page 14: Social engineering: A Human Hacking Framework

Attackers also perform social engineering attacks through social networking websites like Facebook, Twitter, LinkedIn, Google Plus, etc. They create fake accounts in others' names and gather confidential information about target users from the websites.

They build large networks of friends and extract information from them via social engineering.

They try to join the employee groups of large organizations, where the company shares various information.

They also use the collected information to carry out other forms of social engineering attacks.

The information attackers look for includes date of birth, educational qualifications, spouse names, etc.

Cont..

Page 15: Social engineering: A Human Hacking Framework

Another popular application of social engineering is identity theft. It happens when someone steals another person's identity for fraudulent purposes.

Personal information includes name, email, phone numbers, credit card number, social security number or driving license. After obtaining this information, attackers commit several crimes.

They try to impersonate employees of the organization and physically gain access to the corporation.

Sometimes they produce false proof of identity to request new identity documents, which can often be a threat to the person whose information was stolen.

Cont..

Page 16: Social engineering: A Human Hacking Framework

Demonstration of attack

In the previous slides we talked about various social engineering attack scenarios. Now we demonstrate them in the following slides. Each image is unique and was drawn using Microsoft Visio 2016.

These figures cover the following social engineering techniques: impersonation, mobile-based & computer-based social engineering, tampering with frustrated employees, etc.

Page 17: Social engineering: A Human Hacking Framework
Page 18: Social engineering: A Human Hacking Framework
Page 19: Social engineering: A Human Hacking Framework
Page 20: Social engineering: A Human Hacking Framework
Page 21: Social engineering: A Human Hacking Framework

Countermeasure

Social engineering can be countered through good policies and procedures. But these are effective if and only if employees & individuals are well trained and have adapted to them.

Some password policies include: periodic password change, avoiding guessable passwords, blocking accounts after failed attempts, password complexity, password secrecy, high dimensionality in the password-entry techniques, etc.
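The password policies above, as an added example that is not part of these slides: a small account-policy enforcer that rejects guessable and low-complexity passwords, locks an account after repeated failed attempts and reports an overdue periodic change. The thresholds (5 attempts, 15-minute lockout, 90-day rotation) and the common-password list are assumptions made for the example.

```python
from dataclasses import dataclass, field
import hashlib, hmac, re, secrets

MAX_FAILED_ATTEMPTS = 5            # assumed: lock the account on the 5th failure
LOCKOUT_SECONDS = 15 * 60          # assumed: lockout duration
PASSWORD_MAX_AGE = 90 * 24 * 3600  # assumed: periodic change every 90 days
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein"}  # constructed

def check_complexity(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS or username.lower() in password.lower():
        problems.append("guessable (common word or contains username)")
    return problems

@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    changed_at: float = 0.0   # seconds since epoch; the caller supplies the clock
    failed: int = 0
    locked_until: float = 0.0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password, now):
        problems = check_complexity(self.username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.pw_hash, self.changed_at, self.failed = self._hash(password), now, 0

    def login(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'denied'; locks after repeated failures."""
        if now < self.locked_until:
            return "locked"
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until, self.failed = now + LOCKOUT_SECONDS, 0
                return "locked"
            return "denied"
        self.failed = 0
        return "expired" if now - self.changed_at > PASSWORD_MAX_AGE else "ok"  # change overdue
```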

Some physical policies include: identifying employees through uniforms, IDs, badges, etc., using a shredder for unnecessary documents, access restriction, escorting visitors, etc.

Page 22: Social engineering: A Human Hacking Framework

Some countermeasures for social engineering include:

- Training: Employees require a lot of training to become conscious of this kind of attack and of the prevention techniques in the organization. They should be aware of the security policies. Motivation for employees is also needed to keep them away from organizational frustration.
- Access Privileges: Administrator, guest and normal user accounts should be kept apart with proper authorization.
- Operational Guidelines: Make sure that sensitive information is touched only by authorized users.
- Classification of Information: Information should be categorized as top secret, proprietary, internal use only, public, etc.

There should also be good lessons on timely incident-based response from employees in case of social engineering.

Cont..

Page 23: Social engineering: A Human Hacking Framework

Alongside human-oriented approaches, there should also be some software-based approaches to counter social engineering. Multiple layers of antivirus defense and mail gateway levels should be protected with security software to prevent social engineering.

Instead of passwords, biometric or two-step authentication should sometimes be applied.

A document change management process should be applied rather than ad hoc processes.

Several browser toolbars can be used to prevent social engineering, such as Netcraft, PhishTank, etc.

Cont..

Page 24: Social engineering: A Human Hacking Framework

Apart from being safe internally within the organization, it is also necessary to safeguard the organization on the web.

Several techniques can be adopted to do so:

- Protecting personal information from being exposed
- Suspecting and verifying all requests for personal data
- Not displaying account numbers or contact numbers unless necessary
- Refusing to provide personal information over the phone
- Checking mailboxes regularly and creating rules; legitimate contacts need to be flagged
- Never adding unknown contacts on social networking websites
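One way to act on "creating rules" and "flagging the legitimate contacts" above, together with page 11's point that phishing messages falsely claim to come from legitimate senders, as an added example that is not part of these slides: a mailbox rule that flags mail whose display name matches a known contact but whose address does not. The contact list and the sample From: header values are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allow-list of legitimate contacts: display name -> expected address.
KNOWN_CONTACTS = {
    "IT Help Desk": "helpdesk@example.com",
    "Payroll Team": "payroll@example.com",
}

def _domain(addr):
    return addr.split("@", 1)[1] if "@" in addr else ""

def classify_from(header_value):
    """Return (verdict, reason) for one From: header; verdict is ok/suspicious/unknown."""
    name, addr = parseaddr(header_value)
    name, addr = name.strip(), addr.strip().lower()
    expected = KNOWN_CONTACTS.get(name)
    if expected is None:
        if addr in KNOWN_CONTACTS.values():
            return "ok", "address is a known contact"
        return "unknown", "sender not in contact list"
    if addr == expected:
        return "ok", "display name and address match the contact list"
    # Same display name as a trusted contact but a different address: the
    # classic "claims to be from a legitimate sender" pattern.
    if _domain(addr) != _domain(expected):
        return "suspicious", f"'{name}' expected @{_domain(expected)}, got @{_domain(addr) or '?'}"
    return "suspicious", f"'{name}' expected {expected}, got {addr}"

def triage(from_headers):
    """Return the (header, reason) pairs a mailbox rule should flag for review."""
    flagged = []
    for h in from_headers:
        verdict, reason = classify_from(h)
        if verdict == "suspicious":
            flagged.append((h, reason))
    return flagged

# Constructed sample From: header values (not real mail).
SAMPLE_FROM = [
    "IT Help Desk <helpdesk@example.com>",
    "IT Help Desk <helpdesk@examp1e-support.net>",   # lookalike domain
    "Payroll Team <payroll-notices@example.com>",    # right domain, wrong mailbox
    "Some Vendor <sales@vendor.test>",
]

if __name__ == "__main__":
    for header, reason in triage(SAMPLE_FROM):
        print("FLAG:", header, "->", reason)
```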

Cont..

Page 25: Social engineering: A Human Hacking Framework

To prevent social engineering attacks, emails must be handled very carefully. Keeping mailboxes empty as soon as possible makes it harder for the intruder.

Employees should be specially trained about the good interpersonal skills, good communication skills, creativity and the talkative, friendly nature of attackers.

Attackers often apply the mentioned behaviors to convince their targets.

Page 26: Social engineering: A Human Hacking Framework

THANK YOU