9.1 Understand social engineering
Exam Focus: Understand social engineering. Objective includes:


Understand social engineering.
Understand human weakness.
Social engineering
Social engineering is an art used to convince people and make them disclose useful information,
such as account names and passwords. Hackers further exploit this information to gain access to
a user's computer or network. In social engineering, the mental ability of people is involved to
trick someone rather than their technical skills. Users should always distrust people who ask
them for their account name, password, computer name, IP address, employee ID, or other
information that can be misused.
Attackers can try social engineering attacks on office workers in order to extract the sensitive
data, such as security policies, sensitive documents, office network infrastructure, and
passwords. An attacker imitates as a valid employee and collects information from the staff of a
company. The victim employee provides information to the attacker, thinking him as a valid
employee.
Social engineering is effective due to the following reasons:




Security policies are as strong as their weakest link. Humans are the most susceptible
factor.
Social engineering attempts are difficult to detect.
No method is available to ensure complete security from social engineering attacks.
No specific software or hardware is available for defending against a social engineering
attack.
Sometimes users are enticed to download an application that will allow them to see SMS
messages online of other people. Alternative filenames, including sms.exe, freetrial.exe, and
smstrap.exe are used by the download file.
Common targets of social engineering
The following are common targets of social engineering:





Receptionists and help desk personnel
Technical support executives
System administrators
Vendors of the target organization
Users and clients
Behaviors that are vulnerable to attacks
Any social engineering attack is based on human nature of trust. Organizations become an easy
target when social engineering and its effect among the workforce are ignored. In case of noncompliance with the request of social engineers, they may threaten severe losses. Social
engineers promise something for nothing to attract the targets to reveal information. Targets
agree with a sense of moral obligation when asked for help.
Phases in a social engineering attack
The following are phases in a social engineering attack:




Researching on a target company
Selecting victims by identifying frustrated employees of the target's company
Developing relationship with the selected employees
Exploiting the relationship and collecting sensitive account information, financial
information, and current technologies
Factors that make companies vulnerable to attacks
The following factors make companies vulnerable to attacks:




Insufficient security training
Easy access of information
Several organizational units
Lack of security policies
Warning signs of an attack
The following are warning signs of an attack:






Showing haste and dropping the name inadvertently
Unusually complaining or praising
Showing discomfort when questioned
Claiming authority and threatening if information is not provided
Making informal requests
Showing inability to give valid callback number
Command injection attacks
The following are command injection attacks:



Online: Internet connectivity facilitates attackers to approach employees from an
anonymous Internet source and convince them to provide information via a trusted user.
Telephone: The telephone system can be accessed and remote access to computer
systems can be gained by requesting information, usually imitating as a legitimate user.
Personal approaches: In personal approaches, attackers directly ask for information.
Impacts of social engineering on an organization
The following are the impacts of social engineering on an organization:





Economic losses
Dangers of terrorism
Lawsuits and arbitrations
Temporary or permanent closure
Damage of goodwill
Social engineering on Facebook
A fake user group is created on Facebook by attackers and is identified as "Employee of" the
company. Attackers then use the false identity to send a friend request or invite employees to the
fake group. Many times users join the group and give their personal information. Attackers can
compromise a secured facility in order to access the building by using details of employees.
9.2 Identify the different types of social engineering
Exam Focus: Identify the different types of social engineering. Objective includes:


Identify the different types of social engineering.
Learn warning signs of an attack.
Types of social engineering
The following are the types of social engineering:


Human-based: In human-based social engineering, sensitive information is gathered by
human interaction. Trust, fear, and helping nature of humans are exploited by attacks of
this category.
Computer-based: Computers are used to perform social engineering.
Computer-based social engineering
Computer-based social engineering can be categorized in the following manner:



Mail/IM attachments: The attacker can send malicious attachments to an innocent
victim via mail/IM.
Pop-up windows: Pop-up windows simulate an urgent condition on a user's computer
and request sensitive information to restore it to the normal state. Pop-ups trick users into
clicking a hyperlink. The hyperlinks redirects users to fake webpages that download
malicious programs, such as keyloggers, Trojans, and spyware, or ask for personal
information.
Spam mail: Spam mail can contain fraudulent billing information, etc. and can make
payment requests or ask for other information.




Web sites: Fake Web sites can be used to request confidential information, such as the
password or social security number of financial institutions.
Chain letters: Chain letters are emails that urge the recipient to forward these emails to
other people. Forwarding chain letters wastes network bandwidth and the user's time
Hoax letters: Hoax letters are emails issuing warning to users on new viruses, Trojans,
or worms, which may harm the system of a user.
Instant chat messenger: Chatting with a selected online user in order to gather personal
information.
Pretexting
Pretexting involves creating and using an invented scenario (the pretext) to engage a targeted
victim in a way that increases the chance the victim will divulge information or perform actions
that would be unlikely in ordinary circumstances. It is more than a simple lie because it most
often involves some prior research or setup and use a priori information for impersonation (e.g.,
date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the
target.
This technique can be used to fool a business into disclosing customer information as well as by
private investigators to obtain telephone records, utility records, banking records, and other
information directly from junior company service representatives. The information can then be
used to establish even greater legitimacy under tougher questioning with a manager, e.g., to
make account changes, get specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance
investigators or any other individual who could have perceived authority or right-to-know in the
mind of the targeted victim. The pretexter must simply prepare answers to questions that might
be asked by the victim. In some cases, all that are needed is a voice that sounds authoritative, an
earnest tone, and an ability to think on one's feet.
Diversion theft
Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in
the East End of London. In summary, diversion theft is a "con" exercised by professional thieves,
normally against a transport or courier company. The objective is to persuade the persons
responsible for a legitimate delivery that the consignment is requested elsewhere hence, "round
the corner". With a load/consignment redirected, the thieves persuade the driver to unload the
consignment near to, or away from, the consignee's address, in the pretense that it is "going
straight out" or "urgently required somewhere else". The "con" or deception has many different
facets, which include social engineering techniques to persuade legitimate administrative or
traffic personnel of a transport or courier company to issue instructions to the driver to redirect
the consignment or load. The social engineering skills of these thieves are well rehearsed, and
are extremely effective. Most companies do not prepare their staff for this type of deception.
Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or
greed of the victim. In this attack, the attacker leaves a malware infected floppy disk, CD ROM,
or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot),
gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use
the device. In either case, as a consequence of merely inserting the disk into a computer to see
the contents, the user would unknowingly install malware on it, likely giving an attacker
unfettered access to the victim's PC and perhaps, the targeted company's internal computer
network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may
be compromised as soon as a rogue disk is inserted.
Person-to-person social engineering
Person-to-person social engineering works on the personal level. It can be classified as follows:





Impersonation: In an impersonation social engineering attack, the attacker pretends to
be someone else, for example, the employee's friend, a repairman, or a delivery person.
Attackers imitate or copy the behavior or actions of others to gather organization details,
professional details, contacts and connection, and personal details. Social engineering
through impersonation on social networking sites can take place in the following ways:
o Confidential information can be gathered from social networking sites and
accounts can be created in other's name.
o Social engineering techniques can be used to create other's profiles by creating
large networks of friends and extracting information.
o Gathered information can also be used to perform other forms of social
engineering attacks.
In person attack: In this attack, the attacker just visits the organization and collects
information, such as current technologies and contact information. To accomplish such
an attack, the attacker can call the victim on the phone, or might simply walk into an
office and pretend to be a client or a new worker.
Tailgating: It involves the following authorized persons in order to gain access to the
environment. In tailgating, an authorized person wears a fake ID badge, enters a secured
area, and closely follows an authorized person for key access.
Important user posing: In this attack, the attacker pretends to be an important member
of the organization. This attack works because there is a common belief that it is not good
to question authority.
Third-party authorization: In this attack, the attacker tries to make the victim believe
that he has the approval of a third party. This works because people believe that most
people are good and they are being truthful about what they are saying.
Risks of social networking to corporate networks
The following are the risks of social networking to corporate networks:



Data theft: Many individuals access a social networking site. This increases the risk of
information exploitation.
Involuntary information leakage: Employees may unknowingly post sensitive data
regarding their company on social networking sites if there is no strong policy.
Targeted attacks: In a targeted attack, information on social networking sites can be
used for preliminary reconnaissance.

Network vulnerability: Vulnerabilities in the company's network may occur as all social
networking sites are subject to flaws and bugs.
Threat statistics 2010
The following is the threat statistic 2010:





There were 75% fraud attacks on existing credit card accounts.
There were 13% victims who knew crimes were committed.
There was 4.8% of population victimized by identity fraud.
There were 11.1 million adults victims of identity theft.
The total amount of fraud was $54 billion.
9.3 Understand dumpster diving, human-based social engineering, and insider attack
Exam Focus: Understand dumpster diving, human-based social engineering, and insider attack.
Objective includes:





Understand dumpster diving.
Understand human-based social engineering.
Understand insider attack and its countermeasures.
Gain insights on social engineering threats and defense.
Comprehend identity theft.
Dumpster diving
Dumpster diving is a term that refers to going through someone's trash in an attempt to find out
useful or confidential information. Dumpster divers check and separate items from commercial
or residential trash to get the information they desire. This information may be used for identity
theft and for breaking physical information security. You may collect contact information,
financial information, operations information, and phone bills by using dumpster diving.
Human-based social engineering
Human-based social engineering refers to person-to-person interaction to retrieve the desired
information. Human based attackers normally impersonate a legitimate role to gain access to
information; for example, by impersonating an IT support technician, an attacker may easily be
able to get past the front desk of an office and even gain access to the server room. The following
are some examples of human-based social engineering:

Technical support example: A man calls a company's help desk and says he has
forgotten his password. He adds that his boss might fire him if he misses the deadline on
a big advertising project. The help desk worker quickly resets the password as he feels
sorry for him and unintentionally gives the attacker clear entrance into the corporate
network.

Authority support example: A man calls and says that he is with an external auditor and
they have been asked to perform a surprise inspection of disaster recovery procedures. He
adds that you have 8 minutes to show him how you will recover from a website crash.
Shoulder surfing
Shoulder surfing is a type of in person attack. In shoulder surfing, the attacker collects
information about the premises of an organization. This attack is often carried out by looking
surreptitiously at the keyboard of an employee's computer while the employee is typing his
password at any access point, such as a terminal/Web site. The attacker can also collect
information by viewing open documents on the employee's desk.
Eavesdropping
Eavesdropping is an intentional interception of data (such as e-mail, username, password, credit
card, or calling card number) as it passes from a user's computer to a server, or vice versa. There
are high-tech methods of eavesdropping. It has been demonstrated that a laser can be bounced off
a window and vibrations caused by the sounds inside the building can be collected and turned
back into those sounds. The cost of high-tech surveillance has made such instruments available
only to the professional information gatherer, however. But as with all high-tech electronics,
falling prices are making these more affordable to a wider audience.
Reverse social engineering attack
A reverse social engineering attack is a person-to-person attack. In this attack, the attacker
convinces the target that he or she has a problem or might have a certain problem in the future
and that he, the attacker, is ready to help solve the problem. Reverse social engineering is
performed through the following steps:



The attacker first damages the target's equipment.
He next advertises himself as a person of authority, ably skilled in solving that problem.
In this step, he gains the trust of the target and obtains access to sensitive information.
If this reverse social engineering is performed well enough to convince the target, he often calls
the attacker and asks for help.
Piggybacking
Piggybacking refers to access of a wireless Internet connection by bringing one's own computer
within the range of another's wireless connection, and using that service without the subscriber's
explicit permission or knowledge. It is a legally and ethically controversial practice, with laws
that vary in jurisdictions around the world. While completely outlawed in some jurisdictions, it is
permitted in others. The process of sending data along with the acknowledgment is called
piggybacking.
Insider attack
An insider attack is an attack originating from inside a protected network. It usually refers to an
attack by a trusted member of the community, such as an employee. Insider attacks are
particularly insidious and difficult to protect because these attackers not only get immediate
access to the network, but they also require such access in order to serve their functions. Even
one disgruntled person can take revenge and compromise your company.
An attacker can steal critical secrets, cause damage to your organization, or put you out of the
business. For this, the attacker just needs to find a job opening, prepare a person to pass the
interview, have that person hired, and the person will be in the organization.
Disgruntled employee
A disgruntled employee is an individual who has lost respect and integrity as an employee in an
organization. Most of the time, he/she has more knowledge than a script kiddie. Such an
individual is ranked a potentially high risk since he/she is an insider and may have more internal
knowledge about the organization than any outside attacker. The risk becomes higher if access
rights and privileges were also provided to such an individual.
Preventing insider threats
Insider threats can be prevented by using the following:






Separation and rotation of duties
Least privilege
Controlled access
Logging and auditing
Legal policies
Archiving critical data
Common intrusion tactics and strategies for prevention
The following are the areas of risks:






Phone (help desk): Attackers often use tactics of impersonation and persuasion to gather
details of employees. Employees/ help desk should be trained to never reveal passwords
or other information by phone.
Building entrance: Unauthorized physical access can be prevented using tight badge
security, employee training, and security officers.
Office: In offices, attackers can use tactics of shoulder surfing. A user should not type
passwords if someone else is present. If you have to type a password in someone else
presence, type it quickly. All guests should be escorted when they wander through halls
searching for open offices.
Mail room: Mail room should be locked and monitored in order to avoid insertion of
forged memos.
Machine room/ phone closet: Phone closets, server rooms, etc. should be kept locked
every time and inventory on equipment should be kept updated since an attacker can try
to gain access, remove equipment, and/or attach a protocol analyzer to obtain the
confidential data.
Phone and PBX: Overseas and long-distance calls should be controlled so that an
attacker cannot steal phone toll access.
Identity theft
Identity theft involves stealing someone's identity in order to access resources or obtain credit
and other benefits in that person's name. The victim of identity theft can suffer adverse
consequences if they are held accountable for the perpetrator's actions. Identity theft takes place
when someone uses another's personally identifying information, such as their name, identifying
number, or credit card number, without their permission, to commit fraud or other crimes. The
following ways can be used to minimize the risk of identity theft:


Secure personal information in the workplace and at home.
Look over credit card reports.
The following are identity thefts:


Theft of personal information: Identity theft takes place when your name and other
information are stolen for fraudulent purposes.
Loss of social security numbers: In this crime, imposter obtains personal information,
such as social security or driver's license numbers.
There are also some easy methods for identifying thefts. Using information for fraudulent
purposes has become easy for an identity thief by using cyberspace.
9.4 Understand phishing attacks, identify online scams, and understand URL obfuscation
Exam Focus: Understand phishing attacks, identify online scams, and understand URL
obfuscation. Objective includes:



Understand phishing attacks.
Identify Online scams.
Understand URL obfuscation.
Phishing
Phishing is a type of scam that entices a user to disclose personal information such as social
security number, bank account details, or credit card number. For example, a fraudulent e-mail
appears to come from a user's bank, asks to change his online banking password. Clicking the
link available on the e-mail directs the user to a phishing site that replicates the original bank
site. The phishing site entices the user to provide his personal information. Netcraft and
PhishTank are anti-phishing tools.
Detecting phishing emails
Phishing emails can be detected on the following basis:


Phishing emails include links that result in spoofed websites. The websites ask to enter
personal information when links included in phishing emails are clicked.
Phishing emails appears as if they have been sent from a bank, financial institution,
company, or social networking sites.



Phishing emails seem to be from a person listed in your email address book.
Phishing emails may direct to call a phone number to give up account number, personal
identification number, password, or confidential number.
Phishing emails include official-looking logos and other information taken directly from
legitimate websites, which convince users to disclose their personnel details.
Online scams
As the use of the Internet is increasing, the number of Internet scams and scammers are also
increasing. Scams are particularly designed to take advantage of the ways of working of the
Internet. Most Internet scams take place without the victim even noticing them. It is only when
their credit card statements or phone bills arrive that the person realizes that they have been
scammed. There are, however, some ways to protect you from the Internet scams. They are
simple but essential precautions that you can take because you are not always sure with whom
you are dealing on the Internet. Auction and shopping scams: Online auctions are used to target
someone for a scam outside of the auction site. They can be ended up with a dud product or
nothing at all for money.
Domain name renewal scams: Scams send a fake renewal notice for an actual domain name or a
misleading invoice for a domain name that is very similar to someone's own.




Spam (junk mail) offers: Spam e-mails, SMS, or MMS usually offer free goods or
'prizes', very cheap products or promises of wealth. Responding to spam messages can
result in problems for the computer and for bank accounts.
Free offers on the Internet: Free offers on the Internet may include 'free' Website
access, downloads, holidays, shares, or product trials that ask to supply credit card or
other personal details.
Modem jacking: Secretly changes the phone number dial-up modems use to access the
Internet to an overseas or premium rate phone number. You can pay hundreds of dollars
extra.
Keylogger: Keylogger is a software tool that traces all or specific activities of a user on a
computer. Once a keylogger is installed on a victim's computer, it can be used for
recording all keystrokes on the victim's computer in a predefined log file. An attacker can
configure a log file in such a manner that it can be automatically sent to a predefined email address.
URL obfuscation
URL obfuscation is a technique through which an attacker changes the format of URLs to bypass
filters or other application defenses that have been put in place to block particular IP addresses.
URL obfuscation can be used to redirect an innocent victim to the phishing Web site where
secret information such as passwords or SSN can be gathered. A number of ways of obscuring
URLs such as representing the URL in Hexadecimal format, expressing the decimal IP address
in different formats, adding irreverent text after http:// and before the @ symbol, etc. are
available.
9.5 Identify social engineering countermeasures
Exam Focus: Identify social engineering countermeasures. Objective includes:



Social engineering countermeasures
Theft countermeasures
Social engineering pen testing
Countermeasures of social engineering
The following are social engineering countermeasures:












Sensitivity of information must be decided.
In an organization, employees must be trained to verify the identity of a person who is
requesting for sensitive information. If the person cannot be verified, then the employee
must be trained to politely refuse the request. An efficient training program should
include all security policies and methods for increasing awareness of social engineering.
Security must be tested periodically, and these tests must be unannounced. It should be
ensured that there is authorized use of resources.
Two-factor authentication should be used instead of fixed passwords for high-risk
network services such as VPNs and modem pools.
Multiple layers of antivirus defenses such as at end-user desktops and at mail gateways
should be used to minimize social engineering attacks.
A documented change-management process is considered more secure than the ad-hoc
process.
Information should be classified as top secret, proprietary, for internal use only, for
public use, etc.
Administrator, user, and guest accounts should be available with proper authorization.
There should be background check of employees and proper termination process. Insiders
with a criminal background and terminated employees are easy targets to obtain
information.
There should be proper incidence response time. Proper guidelines should be followed
for reacting if someone tries social engineering.
It is necessary that policies and procedures are taught and reinforced by the employees,
otherwise good policies and procedures will be ineffective.
Employees should sign a statement that acknowledges that they understand the policies
after they have received the training.
Countermeasures of social engineering using password policies
Password policies are also a part of countermeasures of the social engineering. Some of the
password policies are as follows:




Periodic password change
Avoiding guessable passwords
Account blocking after failed attempts
Length and complexity of passwords



Minimum number of characters, use of special characters, and numbers, etc. e.g.
ar1f23#$g
Secrecy of passwords
Do not reveal if asked, or write on anything to remember them
Countermeasures of social engineering using physical security policy
The following are countermeasures of social engineering using physical security policy:




Identification of employees, such as issuing of ID cards, uniforms, etc.
Escorting the visitors
Accessing area restrictions
Proper shredding of useless documents
Theft countermeasures
The following are theft countermeasures:









All documents including private information should be secured or shredded.
The mailbox should be quickly emptied to keep the mail secure.
Users should ensure that their names are not present in the marketer's hit list.
All the requests for personal data should be suspected and verified.
Users should review credit card reports regularly.
Users should not let credit card out of their sight.
Users should protect personal information from being published.
Users should not give any personal information on the phone.
Users should not display account/contact numbers unless necessary.
Social engineering pen testing
Social engineering pen testing is required to test the strength of human factors in a security chain
within an organization. It is generally used for raising the level of security awareness among
employees. For a social engineering pen test, a tester should demonstrate extreme care and
professionalism as legal issues such as violation of privacy may be involved and lead to an
embarrassing situation for the organization. A pen tester should have the following skills:




Good interpersonal skills
Good communication skills
Creativity
Talkative and friendly nature
Take the following actions during social engineering pen testing:

Obtain management's explicit authorization and details that will support in specifying the
scope of pen test such as list of departments, employees that are required to be testing or
level of physical intrusion permitted.



Use techniques such as dumpster diving, email guessing, USENET and web search, and
email spider tools, such as Email Extractor, to collect email addresses and contact details
of target organization and its human resources.
Use footprinting techniques to extract as much information as possible regarding the
identified targets.
Create a script according the collected information considering both positive and negative
results of an attempt.
Social engineering pen testing using emails
Take the following actions during social engineering pen testing using emails:



Send an email to employees and ask for personal information such as their user names
and passwords by pretending as a network administrator, senior manager, tech support,
etc., from a different department on pretext of an emergency.
Send emails to targets with malicious attachments and use tools such as ReadNotify to
monitor the treatment of targets with attachments.
Send phishing emails to targets as if email is from a bank and asking for sensitive
information.
Social engineering pen testing using a phone
Take the following actions during social engineering pen testing using phone:







Call a target impersonating as a colleague and ask for the sensitive information.
Call a target user impersonating as an important user.
Call a target impersonating as technical support and ask for the sensitive information.
Refer to an important person in the organization and try to collect data.
Call a target and provide rewards in place of personal information.
Threaten the target with the dire consequences in order to obtain information.
Use reverse social engineering to get information from targets.
Chapter Summary
In this chapter, we learned about social engineering, behaviors that are vulnerable to attacks,
different types of social engineering, and social engineering countermeasures. In this chapter, we
discussed dumpster diving, human-based social engineering, and insider attack. This chapter also
focused on phishing attacks, identifying online scams, and understanding URL obfuscation.
Glossary
Dictionary attack
A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of
common words to find out the password of a user.
Dumpster diving
Dumpster diving is a term that refers to going through someone's trash in an attempt to find out
useful or confidential information.
Eavesdropping
Eavesdropping is the intentional interception of data (such as e-mail, username, password, credit
card, or calling card number) as it passes from a user's computer to a server, or vice versa.
Human-based social engineering
Human-based social engineering refers to person-to-person interaction to retrieve the desired
information.
Phishing
Phishing is a type of scam that entices a user to disclose personal information such as social
security number, bank account details, or credit card number.
Piggybacking
Piggybacking refers to access of a wireless Internet connection by bringing one's own computer
within the range of another's wireless connection, and using that service without the subscriber's
explicit permission or knowledge.
Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted
victim in a manner that increases the chance the victim will divulge information or perform
actions that would be unlikely in ordinary circumstances.
Shoulder surfing
Shoulder surfing is a type of in person attack in which the attacker gathers information about the
premises of an organization.
Social engineering
Social engineering is the art of convincing people and making them disclose useful information
such as account names and passwords.