CEH-Module9 - Social Engineering
Social engineering is a method used by cyber attackers to manipulate individuals into divulging confidential information, providing access to systems, or performing actions that may compromise the security of an organization or individual. Instead of relying on technical vulnerabilities, social engineering exploits the psychological aspects of human behavior.
Human Based and Computer Based
Social engineering attacks can be broadly categorized into two main types based on the primary method of manipulation: human-based social engineering and computer-based social engineering.
Human-Based Social Engineering:
- Pretexting: Attackers create a fake scenario or story to gain the trust of their target, often to obtain sensitive information or access to systems.
- Phishing: Attackers use email, phone, or text messages to trick victims into revealing sensitive information, such as passwords or credit card numbers.
- Baiting: Attackers leave a malware-infected device or storage media, such as a USB drive, in a public area or mail it to a target, hoping they will plug it in and install the malware.
- Quid Pro Quo: Attackers offer a service or benefit in exchange for sensitive information or access to systems.
- Whaling: Attackers target high-level executives or officials with sophisticated phishing attacks, often to gain access to sensitive information or systems.
- Vishing: Attackers use voice calls to trick victims into revealing sensitive information, such as passwords or credit card numbers.
- Smishing: Attackers use SMS or text messages to trick victims into revealing sensitive information, such as passwords or credit card numbers.
- Piggybacking: Attackers follow an authorized person into a secure area, often by posing as a delivery person or maintenance worker.
- Eavesdropping: Attackers listen in on conversations or monitor communications to gather sensitive information.
- Shoulder Surfing: Attackers watch over a victim's shoulder as they enter sensitive information, such as passwords or credit card numbers, and note what was typed.
- Dumpster Diving: Attackers rummage through trash to find sensitive information, such as documents or passwords.
- Social Engineering by Email: Attackers use email to trick victims into revealing sensitive information, such as passwords or credit card numbers.
- Watering Hole Attack: Attackers compromise a website or network that is frequently visited by individuals in a specific industry or organization, in order to infect their devices with malware.
- CEO Fraud: Attackers impersonate a CEO or high-level executive to trick employees into transferring money or revealing sensitive information.
- Romance Scam: Attackers build a fake online relationship with a victim, often to gain access to sensitive information or money.
These are just a few examples of human-based social engineering attacks. It’s essential to be aware of these tactics to protect yourself and your organization from social engineering threats.
Computer-Based Social Engineering:
Here are some common types of computer-based social engineering attacks:
- Phishing Emails: Attackers send fraudulent emails that appear to come from a legitimate source, such as a bank or online retailer, to trick victims into revealing sensitive information.
- Malware: Attackers use malicious software to gain unauthorized access to a victim’s device or network, often to steal sensitive information or take control of the system.
- Ransomware: Attackers use malware to encrypt a victim’s files and demand payment in exchange for the decryption key.
- Trojan Horse: Attackers disguise malware as a legitimate program or file, which is then downloaded and installed by the victim, giving the attacker access to the system.
- Spyware: Attackers use software to secretly monitor a victim’s online activities, often to gather sensitive information or steal login credentials.
- Adware: Attackers use software to display unwanted advertisements on a victim’s device, often to generate revenue or steal sensitive information.
- Drive-by Downloads: Attackers use compromised websites to automatically download malware onto a victim’s device, often without their knowledge or consent.
- Exploit Kits: Attackers use software to identify vulnerabilities in a victim’s device or browser, and then exploit those vulnerabilities to gain unauthorized access.
- Keyloggers: Attackers use software to record a victim’s keystrokes, often to steal login credentials or sensitive information.
- Screen Scraping: Attackers use software to capture screenshots of a victim’s device, often to steal sensitive information or login credentials.
- Session Hijacking: Attackers use malware or other techniques to take control of a victim’s online session, often to steal sensitive information or login credentials.
- Man-in-the-Middle (MitM) Attacks: Attackers intercept communication between a victim’s device and a legitimate website or server, often to steal sensitive information or inject malware.
- DNS Spoofing: Attackers manipulate a victim’s DNS settings to redirect them to a fake website or server, often to steal sensitive information or inject malware.
- SQL Injection: Attackers use malicious code to manipulate a victim’s database, often to steal sensitive information or inject malware.
- Cross-Site Scripting (XSS): Attackers use malicious code to inject scripts into a victim’s website or application, often to steal sensitive information or inject malware.
These are just a few examples of computer-based social engineering attacks. It’s essential to be aware of these tactics to protect yourself and your organization from social engineering threats.
Here are some common types of social engineering attacks:
- Phishing: Attackers send deceptive emails or messages that appear to be from a trustworthy source, such as a bank or a legitimate service provider. These messages often contain links or attachments that, when clicked, lead to malicious websites or install malware on the victim’s device.
- Pretexting: Attackers create a fabricated scenario or pretext to trick individuals into providing sensitive information or taking specific actions. This could involve pretending to be a co-worker, IT support, or someone else in a position of authority.
- Baiting: This involves offering something enticing, like a free software download or a USB drive labeled as important, to lure individuals into compromising their security. Once the bait is taken, malware may be introduced into the system.
- Quizzes and Surveys: Attackers may use seemingly harmless quizzes or surveys on social media platforms to collect information about individuals, which can later be used for targeted attacks.
- Impersonation: Attackers may impersonate someone the victim knows and trusts, such as a colleague, boss, or family member, to manipulate them into revealing sensitive information or performing actions that could lead to a security breach.
- Tailgating (Piggybacking): In a physical setting, an attacker may follow an authorized person into a secure area by closely tailing them, taking advantage of the natural tendency to hold doors open for others.
- Spear Phishing: Targeted phishing attacks where attackers tailor deceptive messages to a specific individual or group, often using personalized information. Example: Sending an email to an executive, posing as a colleague, to trick them into revealing sensitive information.
- Whaling: A type of phishing that specifically targets high-profile individuals, such as top executives or decision-makers within an organization. Example: Crafting a phishing email designed to deceive a CEO into taking a specific action, like authorizing a fraudulent financial transaction.
- Pharming: Redirecting website traffic to a fraudulent site by manipulating the domain name system (DNS) or using other deceptive techniques. Example: Exploiting a vulnerability to redirect users from a legitimate banking website to a fake site designed to steal login credentials.
- Spimming: Combining spam and phishing, spimming involves sending unsolicited instant messages (usually through social media) with the intention of tricking recipients into revealing personal information. Example: Sending deceptive messages on a social media platform, pretending to be a friend, and asking for sensitive information.
Social engineering attacks are successful because they exploit the natural human tendency to trust others and the desire to be helpful. Organizations often implement security awareness training to educate employees about the risks associated with social engineering and how to recognize and resist such attacks. Additionally, maintaining a strong security posture involves a combination of technical measures, policies, and user education to mitigate the risks posed by social engineering.
Impact Of Social Engineering Attack on Organizations
Social engineering attacks can have a significant impact on an organization, affecting not only its security but also its reputation, finances, and overall well-being. Here are some of the potential consequences:
- Data Breaches: Social engineering attacks can lead to unauthorized access to sensitive data, resulting in breaches of confidential information, intellectual property, or financial data.
- Financial Loss: Attacks can result in financial losses due to fraudulent transactions, stolen funds, or ransomware attacks.
- Reputation Damage: A successful social engineering attack can damage an organization’s reputation, leading to a loss of customer trust and potential business opportunities.
- Compliance Issues: Organizations may face regulatory fines and penalties for failing to comply with data protection regulations, such as GDPR or HIPAA.
- Productivity Loss: Social engineering attacks can disrupt business operations, causing downtime and productivity losses while systems are restored or repaired.
- Legal Liability: Organizations may be held legally liable for failing to protect sensitive information or for not having adequate security measures in place.
- Employee Turnover: Repeated social engineering attacks can lead to employee turnover, as staff may feel that the organization is not taking their security seriously.
- Intellectual Property Theft: Social engineering attacks can result in the theft of intellectual property, such as trade secrets, patents, or copyrights.
- Ransomware Attacks: Social engineering attacks can lead to ransomware attacks, where attackers demand payment in exchange for restoring access to encrypted data.
- Long-term Consequences: The impact of a social engineering attack can be long-lasting, with organizations facing ongoing security threats and potential future attacks.
Behaviors Vulnerable to Social Engineering Attacks
Here are some common behaviors that can make individuals vulnerable to social engineering attacks:
- Curiosity: Clicking on suspicious links or opening attachments from unknown sources out of curiosity can lead to malware infections or phishing attacks.
- Trust: Trusting strangers or unfamiliar individuals with sensitive information or access to systems can lead to social engineering attacks.
- Fear: Reacting impulsively to threats or warnings, such as “Your account will be closed if you don’t respond immediately,” can lead to hasty decisions that compromise security.
- Urgency: Feeling pressured to respond quickly to a request or message can lead to mistakes, such as divulging sensitive information or clicking on malicious links.
- Lack of Verification: Failing to verify the identity of individuals or the authenticity of requests can lead to social engineering attacks.
- Over-Sharing: Sharing too much personal or sensitive information on social media or with strangers can make it easier for attackers to craft targeted attacks.
- Lack of Skepticism: Not questioning unusual or suspicious requests or messages can lead to social engineering attacks.
- Complacency: Feeling too comfortable or familiar with a situation can lead to a false sense of security, making individuals more vulnerable to attacks.
- Lack of Awareness: Not being aware of the latest social engineering tactics and threats can make individuals more susceptible to attacks.
- Emotional Manipulation: Being susceptible to emotional manipulation, such as feeling anxious or worried, can lead to impulsive decisions that compromise security.
- Lack of Password Hygiene: Using weak passwords, reusing passwords, or sharing passwords can make it easier for attackers to gain unauthorized access.
- Ignoring Red Flags: Ignoring suspicious signs, such as misspelled URLs or unfamiliar sender addresses, can lead to social engineering attacks.
- Not Keeping Software Up-to-Date: Failing to keep software and systems up-to-date can leave individuals vulnerable to known exploits and attacks.
- Using Public Wi-Fi: Using public Wi-Fi or unsecured networks to access sensitive information can make it easier for attackers to intercept data.
- Not Reporting Suspicious Activity: Failing to report suspicious activity or potential security incidents can allow attacks to go undetected and spread.
By being aware of these behaviors, individuals can take steps to mitigate their risk of falling victim to social engineering attacks.
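The "misspelled URLs or unfamiliar sender addresses" red flag above can be checked mechanically. The following is an added example, not part of the CEH notes: it compares a sender's e-mail domain with a constructed allow-list (the domain names, confusable-character table and typo threshold are all assumptions) and reports whether the sender is trusted, a lookalike worth reporting, unknown, or malformed.

```python
# Added example (not from the CEH notes) for the "misspelled URLs or
# unfamiliar sender addresses" red flag: a sender's domain is compared with
# a constructed allow-list and reported as trusted, lookalike or unknown.
from typing import Optional

# Constructed sample allow-list; an organization would use its own domains.
TRUSTED_DOMAINS = {"example.com", "mail.example.com", "examplebank.com"}
# Registrable brand labels, e.g. "example" from "mail.example.com".
BRAND_LABELS = {d.split(".")[-2] for d in TRUSTED_DOMAINS}
# Characters commonly swapped in lookalike domains (small constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_confusables(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> Optional[str]:
    """Domain part of an e-mail address, or None if it is malformed."""
    parts = address.strip().lower().split("@")
    return parts[1] if len(parts) == 2 and parts[1] else None


def classify_sender(address: str, max_typos: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed' for a sender."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = fold_confusables(domain)
    for trusted in TRUSTED_DOMAINS:
        # Homoglyph swap (examp1e.com) or a few-character typo (exmaple.com)
        if folded == trusted or edit_distance(domain, trusted) <= max_typos:
            return "lookalike"
    # A trusted brand name embedded in some other domain (example-support.com)
    if any(label in domain for label in BRAND_LABELS):
        return "lookalike"
    return "unknown"
```

A "lookalike" result is exactly the case the list says people ignore; in a mail gateway or awareness tool it would be surfaced as a warning rather than silently dropped.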
Types of Insider Attacks
Insider threats refer to security risks that originate from individuals within an organization, such as employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Insider threats can be intentional or unintentional, and they pose a significant risk to the confidentiality, integrity, and availability of sensitive information. Here are different types of insider threats:
Malicious Insiders:
- Disgruntled Employees: Individuals who harbor resentment or dissatisfaction with the organization and intentionally engage in harmful activities, such as stealing sensitive data, sabotaging systems, or spreading malware.
- Espionage: Insiders who may work on behalf of external entities or competitors, seeking to gather and exfiltrate sensitive information for personal gain or to benefit a rival organization.
Negligent Insiders:
- Unintentional Actions: Employees or individuals who inadvertently compromise security through careless or negligent behavior, such as falling for phishing attacks, leaving sensitive information unsecured, or misconfiguring systems.
- Lack of Awareness: Insiders who are unaware of security best practices and policies, leading to unintentional security breaches due to ignorance or inadequate training.
Compromised Insiders:
- Employees with Compromised Credentials: Individuals whose login credentials have been compromised, either through phishing attacks, credential stuffing, or other means. Attackers may exploit these credentials to gain unauthorized access to systems and data.
- Insiders Unwittingly Used by External Threat Actors: Insiders who are unknowingly manipulated or coerced by external threat actors into assisting with a cyberattack.
Infiltrators:
- External Individuals Posing as Insiders: Individuals from outside the organization who manage to gain access to internal systems by posing as employees or contractors. This could happen through social engineering or exploiting weak authentication controls.
Careless Insiders:
- Inadvertent Data Exposure: Individuals who unintentionally expose sensitive data through actions like sharing confidential information with unauthorized parties, sending emails to the wrong recipients, or mishandling physical documents.
Saboteurs:
- Intentional Damage: Insiders who purposefully damage or disrupt organizational systems, networks, or data. This could be motivated by revenge, ideological reasons, or a desire to harm the organization.
Whistleblowers:
- Intentional Exposure for Ethical Reasons: Insiders who intentionally disclose sensitive information to external parties, often for ethical reasons such as exposing illegal activities or corporate misconduct.
Preventing and mitigating insider threats requires a combination of technical controls, employee education and awareness programs, regular monitoring of network activities, and clear security policies and procedures. It’s important for organizations to have a comprehensive approach to security that addresses both technical and human aspects of insider threats.
Anti-Phishing Tools
Netcraft has extensions available for different browsers that immediately warn users if a site is a phishing website.
PhishTank has a collection of known phishing sites. You can search for a site to check whether it has been reported as phishing.
OhPhish is a web-based portal for testing employees’ susceptibility to social engineering attacks. It is a phishing simulation tool that provides an organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation.
Social Engineering toolkit
The Social-Engineer Toolkit (SET) is an open-source framework designed for penetration testing and ethical hacking, with a focus on social engineering attacks. Developed by TrustedSec, SET provides a collection of tools and resources to simulate various social engineering attacks and assess the security posture of organizations. It is essential to note that the Social-Engineer Toolkit should only be used for legitimate and legal purposes, such as security testing with proper authorization.
Run the SET toolkit in Parrot OS directly with the command setoolkit in an elevated command prompt. Using the Social-Engineering Attacks / Website Attack Vectors / Credential Harvester Attack Method / Site Cloner options, create a fake website. Send your IP address to the victim over email. Once they enter credentials, setoolkit records them and shows them to you in plain text.
OhPhish is EC-Council’s anti-phishing software.