9.1 Understand social engineering

Exam Focus: Understand social engineering.

Objective includes:
- Understand social engineering.
- Understand human weakness.

Social engineering

Social engineering is the art of convincing people to disclose useful information, such as account names and passwords. Hackers then exploit this information to gain access to a user's computer or network. Social engineering relies on the attacker's ability to manipulate people rather than on technical skills. Users should always distrust people who ask them for their account name, password, computer name, IP address, employee ID, or other information that can be misused.

Attackers try social engineering attacks on office workers in order to extract sensitive data, such as security policies, sensitive documents, office network infrastructure, and passwords. An attacker poses as a valid employee and collects information from the staff of a company. The victim employee provides the information, believing the attacker to be a valid employee.

Social engineering is effective for the following reasons:
- Security policies are only as strong as their weakest link.
- Humans are the most susceptible factor.
- Social engineering attempts are difficult to detect.
- No method is available to ensure complete security from social engineering attacks.
- No specific software or hardware is available for defending against a social engineering attack.

Sometimes users are enticed to download an application that supposedly lets them read other people's SMS messages online. The downloaded file uses alternative filenames, including sms.exe, freetrial.exe, and smstrap.exe.
Common targets of social engineering

The following are common targets of social engineering:
- Receptionists and help desk personnel
- Technical support executives
- System administrators
- Vendors of the target organization
- Users and clients

Behaviors that are vulnerable to attacks

Every social engineering attack is based on the human tendency to trust. Organizations become an easy target when social engineering and its effect on the workforce are ignored. Social engineers may threaten severe losses if their requests are not complied with. They promise something for nothing to lure targets into revealing information. Targets comply out of a sense of moral obligation when asked for help.

Phases in a social engineering attack

The following are the phases in a social engineering attack:
- Researching the target company
- Selecting victims by identifying frustrated employees of the target company
- Developing a relationship with the selected employees
- Exploiting the relationship and collecting sensitive account information, financial information, and current technologies

Factors that make companies vulnerable to attacks

The following factors make companies vulnerable to attacks:
- Insufficient security training
- Easy access to information
- Several organizational units
- Lack of security policies

Warning signs of an attack

The following are warning signs of an attack:
- Showing haste and dropping names inadvertently
- Unusually complaining or praising
- Showing discomfort when questioned
- Claiming authority and threatening if information is not provided
- Making informal requests
- Being unable to give a valid callback number

Command injection attacks

The following are command injection attacks:
- Online: Internet connectivity lets attackers approach employees from an anonymous Internet source and convince them to provide information via a trusted user.
- Telephone: Attackers can access the telephone system and gain remote access to computer systems by requesting information, usually while posing as a legitimate user.
- Personal approaches: In personal approaches, attackers directly ask for information.

Impacts of social engineering on an organization

The following are the impacts of social engineering on an organization:
- Economic losses
- Dangers of terrorism
- Lawsuits and arbitrations
- Temporary or permanent closure
- Damage to goodwill

Social engineering on Facebook

Attackers create a fake user group on Facebook and label it "Employee of" the company. They then use the false identity to send friend requests or invite employees to the fake group. Users often join the group and give out their personal information. Attackers can then use the employees' details to compromise a secured facility and gain access to the building.

9.2 Identify the different types of social engineering

Exam Focus: Identify the different types of social engineering.

Objective includes:
- Identify the different types of social engineering.
- Learn warning signs of an attack.

Types of social engineering

The following are the types of social engineering:
- Human-based: In human-based social engineering, sensitive information is gathered through human interaction. Attacks of this category exploit trust, fear, and people's helpful nature.
- Computer-based: Computers are used to perform social engineering.

Computer-based social engineering

Computer-based social engineering can be categorized as follows:
- Mail/IM attachments: The attacker sends malicious attachments to an innocent victim via mail or IM.
- Pop-up windows: Pop-up windows simulate an urgent condition on a user's computer and request sensitive information to restore it to its normal state. Pop-ups trick users into clicking a hyperlink.
  The hyperlinks redirect users to fake webpages that download malicious programs, such as keyloggers, Trojans, and spyware, or ask for personal information.
- Spam mail: Spam mail can contain fraudulent billing information and similar content, and can make payment requests or ask for other information.
- Web sites: Fake Web sites can be used to request confidential information, such as the password or social security number used with financial institutions.
- Chain letters: Chain letters are emails that urge the recipient to forward them to other people. Forwarding chain letters wastes network bandwidth and the user's time.
- Hoax letters: Hoax letters are emails that warn users about new viruses, Trojans, or worms that may harm their systems.
- Instant chat messenger: The attacker chats with a selected online user in order to gather personal information.

Pretexting

Pretexting involves creating and using an invented scenario (the pretext) to engage a targeted victim in a way that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie because it most often involves some prior research or setup and uses a priori information for impersonation (e.g., date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target. This technique can be used to fool a business into disclosing customer information, and is also used by private investigators to obtain telephone records, utility records, banking records, and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes or get specific balances.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, insurance investigators, or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter simply has to prepare answers to the questions the victim might ask. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Diversion theft

Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London. In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence "round the corner". With the load or consignment redirected, the thieves persuade the driver to unload it near to, or away from, the consignee's address, under the pretense that it is "going straight out" or "urgently required somewhere else". The "con" or deception has many different facets, including social engineering techniques that persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load. The social engineering skills of these thieves are well rehearsed and extremely effective. Most companies do not prepare their staff for this type of deception.

Baiting

Baiting is like a real-world Trojan Horse: it uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
In either case, merely inserting the disk into a computer to see its contents would cause the user to unknowingly install malware on it, likely giving the attacker unfettered access to the victim's PC and perhaps to the targeted company's internal network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.

Person-to-person social engineering

Person-to-person social engineering works on the personal level. It can be classified as follows:
- Impersonation: In an impersonation social engineering attack, the attacker pretends to be someone else, for example, the employee's friend, a repairman, or a delivery person. Attackers imitate or copy the behavior or actions of others to gather organization details, professional details, contacts and connections, and personal details. Social engineering through impersonation on social networking sites can take place in the following ways:
  o Confidential information can be gathered from social networking sites, and accounts can be created in another person's name.
  o Social engineering techniques can be used to profile others by creating large networks of friends and extracting information.
  o Gathered information can also be used to perform other forms of social engineering attacks.
- In-person attack: In this attack, the attacker simply visits the organization and collects information, such as current technologies and contact information. To accomplish such an attack, the attacker can call the victim on the phone, or might simply walk into an office and pretend to be a client or a new worker.
- Tailgating: Tailgating involves following authorized persons in order to gain access to the environment. In tailgating, an unauthorized person wears a fake ID badge, enters a secured area, and closely follows an authorized person through key-controlled access.
- Important user posing: In this attack, the attacker pretends to be an important member of the organization.
  This attack works because of the common belief that it is not good to question authority.
- Third-party authorization: In this attack, the attacker tries to make the victim believe that he has the approval of a third party. This works because people believe that most people are good and are being truthful about what they say.

Risks of social networking to corporate networks

The following are the risks of social networking to corporate networks:
- Data theft: Many individuals access a social networking site. This increases the risk of information exploitation.
- Involuntary information leakage: Employees may unknowingly post sensitive data about their company on social networking sites if there is no strong policy.
- Targeted attacks: In a targeted attack, information on social networking sites can be used for preliminary reconnaissance.
- Network vulnerability: Vulnerabilities in the company's network may arise because all social networking sites are subject to flaws and bugs.

Threat statistics 2010

The following are the threat statistics for 2010:
- 75% of fraud attacks were on existing credit card accounts.
- 13% of victims knew crimes were committed.
- 4.8% of the population was victimized by identity fraud.
- 11.1 million adults were victims of identity theft.
- The total amount of fraud was $54 billion.

9.3 Understand dumpster diving, human-based social engineering, and insider attack

Exam Focus: Understand dumpster diving, human-based social engineering, and insider attack.

Objective includes:
- Understand dumpster diving.
- Understand human-based social engineering.
- Understand insider attack and its countermeasures.
- Gain insights on social engineering threats and defense.
- Comprehend identity theft.

Dumpster diving

Dumpster diving is a term that refers to going through someone's trash in an attempt to find useful or confidential information.
Dumpster divers sort through items in commercial or residential trash to get the information they desire. This information may be used for identity theft and for breaking physical information security. Contact information, financial information, operations information, and phone bills can all be collected through dumpster diving.

Human-based social engineering

Human-based social engineering refers to person-to-person interaction to retrieve the desired information. Human-based attackers normally impersonate a legitimate role to gain access to information; for example, by impersonating an IT support technician, an attacker may easily get past the front desk of an office and even gain access to the server room. The following are some examples of human-based social engineering:
- Technical support example: A man calls a company's help desk and says he has forgotten his password. He adds that his boss might fire him if he misses the deadline on a big advertising project. The help desk worker feels sorry for him, quickly resets the password, and unintentionally gives the attacker clear entry into the corporate network.
- Authority support example: A man calls and says that he is with an external auditor and they have been asked to perform a surprise inspection of disaster recovery procedures. He adds that you have 8 minutes to show him how you will recover from a website crash.

Shoulder surfing

Shoulder surfing is a type of in-person attack in which the attacker collects information on the premises of an organization. This attack is often carried out by looking surreptitiously at the keyboard of an employee's computer while the employee types his password at any access point, such as a terminal or Web site. The attacker can also collect information by viewing open documents on the employee's desk.
Eavesdropping

Eavesdropping is the intentional interception of data (such as e-mail, username, password, credit card, or calling card number) as it passes from a user's computer to a server, or vice versa. There are also high-tech methods of eavesdropping. It has been demonstrated that a laser can be bounced off a window and the vibrations caused by sounds inside the building can be collected and turned back into those sounds. The cost of high-tech surveillance has so far made such instruments available only to the professional information gatherer; but as with all high-tech electronics, falling prices are making them affordable to a wider audience.

Reverse social engineering attack

A reverse social engineering attack is a person-to-person attack. In this attack, the attacker convinces the target that he or she has a problem, or might have a certain problem in the future, and that he, the attacker, is ready to help solve it. Reverse social engineering is performed through the following steps:
- The attacker first damages the target's equipment.
- He next advertises himself as a person of authority, ably skilled in solving that problem.
- In this step, he gains the trust of the target and obtains access to sensitive information. If the reverse social engineering is performed well enough to convince the target, the target often calls the attacker and asks for help.

Piggybacking

Piggybacking refers to accessing a wireless Internet connection by bringing one's own computer within range of another's wireless connection and using that service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary across jurisdictions around the world: completely outlawed in some, permitted in others. The term is also used in networking for the process of sending data along with an acknowledgment.

Insider attack

An insider attack is an attack originating from inside a protected network.
It usually refers to an attack by a trusted member of the community, such as an employee. Insider attacks are particularly insidious and difficult to protect against because these attackers not only have immediate access to the network, but also require such access in order to do their jobs. Even one disgruntled person can take revenge and compromise your company. An attacker can steal critical secrets, cause damage to your organization, or put you out of business. To do this, the attacker only needs to find a job opening, prepare a person to pass the interview, and have that person hired; the person is then inside the organization.

Disgruntled employee

A disgruntled employee is an individual who has lost respect and integrity as an employee in an organization. Most of the time, he/she has more knowledge than a script kiddie. Such an individual is ranked as a potentially high risk since he/she is an insider and may have more internal knowledge about the organization than any outside attacker. The risk becomes higher if access rights and privileges have also been granted to such an individual.

Preventing insider threats

Insider threats can be prevented by using the following:
- Separation and rotation of duties
- Least privilege
- Controlled access
- Logging and auditing
- Legal policies
- Archiving critical data

Common intrusion tactics and strategies for prevention

The following are the areas of risk:
- Phone (help desk): Attackers often use impersonation and persuasion to gather details about employees. Employees and help desk staff should be trained never to reveal passwords or other information by phone.
- Building entrance: Unauthorized physical access can be prevented using tight badge security, employee training, and security officers.
- Office: In offices, attackers can use shoulder surfing. A user should not type passwords if someone else is present. If you have to type a password in someone else's presence, type it quickly.
  All guests should be escorted, as they may otherwise wander through halls searching for open offices.
- Mail room: The mail room should be locked and monitored in order to prevent the insertion of forged memos.
- Machine room/phone closet: Phone closets, server rooms, etc. should be kept locked at all times, and the equipment inventory should be kept up to date, since an attacker may try to gain access, remove equipment, and/or attach a protocol analyzer to obtain confidential data.
- Phone and PBX: Overseas and long-distance calls should be controlled so that an attacker cannot steal phone toll access.

Identity theft

Identity theft involves stealing someone's identity in order to access resources or obtain credit and other benefits in that person's name. The victim of identity theft can suffer adverse consequences if held accountable for the perpetrator's actions. Identity theft takes place when someone uses another person's personally identifying information, such as their name, identifying number, or credit card number, without permission, to commit fraud or other crimes. The following ways can be used to minimize the risk of identity theft:
- Secure personal information in the workplace and at home.
- Look over credit card reports.

The following are types of identity theft:
- Theft of personal information: Identity theft takes place when your name and other information are stolen for fraudulent purposes.
- Loss of social security numbers: In this crime, the imposter obtains personal information, such as social security or driver's license numbers.

There are also some easy methods for identifying thefts. Cyberspace has made it easy for an identity thief to use information for fraudulent purposes.

9.4 Understand phishing attacks, identify online scams, and understand URL obfuscation

Exam Focus: Understand phishing attacks, identify online scams, and understand URL obfuscation.

Objective includes:
- Understand phishing attacks.
- Identify online scams.
- Understand URL obfuscation.
Phishing

Phishing is a type of scam that entices a user to disclose personal information such as a social security number, bank account details, or credit card number. For example, a fraudulent e-mail that appears to come from the user's bank asks him to change his online banking password. Clicking the link in the e-mail directs the user to a phishing site that replicates the original bank site. The phishing site entices the user to provide his personal information. Netcraft and PhishTank are anti-phishing tools.

Detecting phishing emails

Phishing emails can be detected on the following basis:
- Phishing emails include links that lead to spoofed websites. The websites ask the user to enter personal information when the links included in the phishing emails are clicked.
- Phishing emails appear as if they have been sent from a bank, financial institution, company, or social networking site.
- Phishing emails seem to be from a person listed in your email address book.
- Phishing emails may direct you to call a phone number and give up an account number, personal identification number, password, or other confidential number.
- Phishing emails include official-looking logos and other information taken directly from legitimate websites, which convinces users to disclose their personal details.

Online scams

As the use of the Internet increases, the number of Internet scams and scammers also increases. Scams are specifically designed to take advantage of the way the Internet works. Most Internet scams take place without the victim even noticing them. It is only when their credit card statements or phone bills arrive that the person realizes they have been scammed. There are, however, some ways to protect yourself from Internet scams. They are simple but essential precautions that you can take because you are never sure with whom you are dealing on the Internet.
- Auction and shopping scams: Online auctions are used to target someone for a scam outside of the auction site.
  Victims can end up with a dud product, or nothing at all, for their money.
- Domain name renewal scams: Scammers send a fake renewal notice for an actual domain name, or a misleading invoice for a domain name that is very similar to someone's own.
- Spam (junk mail) offers: Spam e-mails, SMS, or MMS usually offer free goods or 'prizes', very cheap products, or promises of wealth. Responding to spam messages can result in problems for the computer and for bank accounts.
- Free offers on the Internet: Free offers on the Internet may include 'free' Website access, downloads, holidays, shares, or product trials that ask you to supply credit card or other personal details.
- Modem jacking: Modem jacking secretly changes the phone number that dial-up modems use to access the Internet to an overseas or premium-rate phone number. You can end up paying hundreds of dollars extra.
- Keylogger: A keylogger is a software tool that traces all or specific activities of a user on a computer. Once a keylogger is installed on a victim's computer, it can record all keystrokes on that computer in a predefined log file. An attacker can configure the log file so that it is automatically sent to a predefined email address.

URL obfuscation

URL obfuscation is a technique through which an attacker changes the format of URLs to bypass filters or other application defenses that have been put in place to block particular IP addresses. URL obfuscation can be used to redirect an innocent victim to a phishing Web site where secret information such as passwords or SSNs can be gathered. A number of ways of obscuring URLs are available, such as representing the URL in hexadecimal format, expressing the decimal IP address in different formats, and adding irrelevant text after http:// and before the @ symbol.

9.5 Identify social engineering countermeasures

Exam Focus: Identify social engineering countermeasures.
Objective includes:
- Social engineering countermeasures
- Theft countermeasures
- Social engineering pen testing

Countermeasures of social engineering

The following are social engineering countermeasures:
- The sensitivity of information must be decided.
- In an organization, employees must be trained to verify the identity of a person who is requesting sensitive information. If the person cannot be verified, the employee must be trained to politely refuse the request.
- An effective training program should include all security policies and methods for increasing awareness of social engineering.
- Security must be tested periodically, and these tests must be unannounced.
- It should be ensured that resources are used only by authorized persons.
- Two-factor authentication should be used instead of fixed passwords for high-risk network services such as VPNs and modem pools.
- Multiple layers of antivirus defenses, such as at end-user desktops and at mail gateways, should be used to minimize social engineering attacks.
- A documented change-management process is more secure than an ad-hoc process.
- Information should be classified as top secret, proprietary, for internal use only, for public use, etc.
- Administrator, user, and guest accounts should be available only with proper authorization.
- There should be background checks of employees and a proper termination process. Insiders with a criminal background and terminated employees are easy targets for obtaining information.
- There should be a proper incident response time. Proper guidelines should be followed for reacting if someone attempts social engineering.
- Policies and procedures must be taught to and reinforced by employees, otherwise good policies and procedures will be ineffective. Employees should sign a statement acknowledging that they understand the policies after they have received the training.
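The URL obfuscation tricks and the phishing-email signs described in section 9.4 are the kind of thing a mail gateway or awareness tool can check for mechanically, which makes them a technical countermeasure alongside the policy ones listed above. The following Python script is an added example, not code from the study guide or from Netcraft, PhishTank or any other tool it names; the message body and host names in it are constructed, and the helper names (canonical_host, analyze_url, scan_mail) are this example's own. It decodes hosts written as a hexadecimal or decimal dword, as octal or hex octets, or as percent-encoded names back into the plain dotted form a block list would match, flags text placed before the @ sign (which browsers treat as user information rather than as the host), and reports links whose visible text names a different host than the one the href actually points to.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample phishing body (not from the page): two links use the
# obfuscation tricks the text lists, the third is a genuine link for contrast.
SAMPLE_MAIL = """\
<p>Dear customer, your online banking password must be changed today.</p>
<a href="http://www.bank.example@0xC0A80001/login">www.bank.example</a>
<a href="http://3232235521/reset">http://www.bank.example/reset</a>
<a href="http://www.bank.example/help">Help centre</a>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def parse_ip_token(tok):
    """Decode one dotted-address token the way inet_aton does: 0x.. is hex,
    a leading zero means octal, otherwise decimal. None if it is not numeric."""
    if re.fullmatch(r"0x[0-9a-f]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]+", tok):
        return int(tok, 8)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok, 10)
    return None


def canonical_host(host):
    """Return (canonical_host, was_obfuscated).

    Percent-decodes the hostname and rewrites a numeric host given as a single
    decimal/hex dword, or as 2-4 dotted hex/octal/decimal parts, into the
    plain dotted-quad form that filters and block lists expect to see."""
    decoded = unquote(host).lower().rstrip(".")
    parts = decoded.split(".")
    vals = [parse_ip_token(p) for p in parts]
    if 1 <= len(parts) <= 4 and all(v is not None for v in vals):
        *lead, last = vals
        # inet_aton semantics: the last part fills all remaining bytes.
        if all(v <= 255 for v in lead) and last < 256 ** (5 - len(parts)):
            value = 0
            for v in lead:
                value = (value << 8) | v
            value = (value << (8 * (5 - len(parts)))) | last
            dotted = ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
            return dotted, dotted != host.lower()
    return decoded, decoded != host.lower()


def analyze_url(url):
    """Return (real_host, findings) for one href, flagging the userinfo trick
    (text before @), numerically encoded hosts and percent-encoded hostnames."""
    findings = []
    split = urlsplit(url)
    if "@" in split.netloc:
        decoy, real = split.netloc.rsplit("@", 1)
        findings.append(f"'{decoy}' before @ is userinfo; the browser connects to '{real}'")
    host = split.hostname or ""          # urlsplit already strips userinfo and port
    canonical, obfuscated = canonical_host(host)
    if obfuscated:
        findings.append(f"host '{host}' decodes to '{canonical}'")
    return canonical, findings


def scan_mail(html):
    """Run analyze_url over every link in an HTML mail body and also flag links
    whose visible text names a different host than the href points to."""
    results = []
    for href, text in LINK_RE.findall(html):
        host, findings = analyze_url(href)
        match = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if match:
            shown = match.group(1).lower()
            if host != shown and not host.endswith("." + shown):
                findings.append(f"link text shows '{shown}' but href goes to '{host}'")
        results.append({"href": href, "text": text, "host": host, "findings": findings})
    return results


if __name__ == "__main__":
    for r in scan_mail(SAMPLE_MAIL):
        print("SUSPICIOUS" if r["findings"] else "ok        ", r["href"])
        for f in r["findings"]:
            print("            -", f)
```

Run as a script it prints one SUSPICIOUS/ok line per link with the reasons; in a gateway you would feed the canonical host, not the raw href, to the block list, since that is the form the filters the text mentions are trying to match.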
Countermeasures of social engineering using password policies

Password policies are also a part of the countermeasures against social engineering. Some of the password policies are as follows:
- Periodic password change
- Avoiding guessable passwords
- Account blocking after failed attempts
- Length and complexity of passwords: minimum number of characters, use of special characters and numbers, etc., e.g. ar1f23#$g
- Secrecy of passwords: do not reveal them if asked, and do not write them on anything to remember them

Countermeasures of social engineering using physical security policy

The following are countermeasures of social engineering using a physical security policy:
- Identification of employees, such as issuing ID cards, uniforms, etc.
- Escorting visitors
- Access area restrictions
- Proper shredding of useless documents

Theft countermeasures

The following are theft countermeasures:
- All documents including private information should be secured or shredded.
- The mailbox should be emptied promptly to keep the mail secure.
- Users should ensure that their names are not present on a marketer's hit list.
- All requests for personal data should be treated with suspicion and verified.
- Users should review credit card reports regularly.
- Users should not let their credit card out of their sight.
- Users should protect personal information from being published.
- Users should not give any personal information over the phone.
- Users should not display account/contact numbers unless necessary.

Social engineering pen testing

Social engineering pen testing is required to test the strength of the human factors in an organization's security chain. It is generally used to raise the level of security awareness among employees. For a social engineering pen test, a tester should demonstrate extreme care and professionalism, as legal issues such as violation of privacy may be involved and could lead to an embarrassing situation for the organization.
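Going back to the password-policy countermeasures listed above, the following Python is an added example (not from the study guide) of enforcing them in code: a complexity check that also rejects dictionary words (the guessable passwords a dictionary attack tries first, including the usual "P@ssw0rd" substitutions), a lockout after repeated failed attempts, and a password-age check for periodic change. All thresholds, the word list and the names AccountGuard, check_password_policy and attempt_login are this example's assumptions, not values from the page.

```python
import re
import time

# Policy thresholds are assumptions for this example, not values from the study guide.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_DAYS = 90
# Constructed stand-in for the word list a dictionary attack would try first.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer", "company")
# Map the usual digit/symbol substitutions back to letters so "P@ssw0rd" still matches.
LEET_TABLE = str.maketrans("013$@!", "oiesai")


def check_password_policy(password, username=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses only {classes} character classes (lower, upper, digit, special)")
    lowered = password.lower()
    deleeted = lowered.translate(LEET_TABLE)
    for word in COMMON_WORDS:
        if word in lowered or word in deleeted:
            problems.append(f"contains guessable word '{word}'")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times in a row")
    return problems


class AccountGuard:
    """Per-account failed-attempt counter with temporary lockout and password-age check.

    The clock is injectable so the behaviour can be tested without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failed = {}           # user -> timestamps of recent failures
        self.locked_until = {}     # user -> time at which the lockout ends
        self.password_set_at = {}  # user -> time of the last password change

    def register_password_change(self, user):
        self.password_set_at[user] = self.clock()
        self.failed.pop(user, None)
        self.locked_until.pop(user, None)

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def password_expired(self, user):
        set_at = self.password_set_at.get(user)
        return set_at is None or self.clock() - set_at > MAX_PASSWORD_AGE_DAYS * 86400

    def record_attempt(self, user, success):
        """Record one attempt; returns True if this failure triggered a lockout."""
        now = self.clock()
        if success:
            self.failed.pop(user, None)
            return False
        # Only failures inside the lockout window count, so stale ones age out.
        recent = [t for t in self.failed.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failed[user] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failed.pop(user, None)
            return True
        return False


def attempt_login(guard, user, credentials_valid):
    """Decision flow for one login. The lockout is checked before the credentials,
    so a locked account answers the same way whether or not the guess was right."""
    if guard.is_locked(user):
        return "locked"
    if not credentials_valid:
        return "locked" if guard.record_attempt(user, False) else "denied"
    guard.record_attempt(user, True)
    return "expired" if guard.password_expired(user) else "ok"


if __name__ == "__main__":
    for candidate in ("ar1f23#$g", "Welcome2024!", "P@ssw0rd-Summer-2024", "Tr0ub4dor&3-horse"):
        print(candidate, "->", check_password_policy(candidate) or ["ok"])
```

Note that the page's own sample password, ar1f23#$g, passes the complexity rules but fails the length rule under these assumed thresholds; the two rules are independent, which is why the check returns every violation rather than stopping at the first.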
A pen tester should have the following skills:
- Good interpersonal skills
- Good communication skills
- Creativity
- A talkative and friendly nature

Take the following actions during social engineering pen testing:
- Obtain management's explicit authorization and the details that will help specify the scope of the pen test, such as the list of departments and employees that are to be tested, or the level of physical intrusion permitted.
- Use techniques such as dumpster diving, email guessing, USENET and web search, and email spider tools, such as Email Extractor, to collect email addresses and contact details of the target organization and its human resources.
- Use footprinting techniques to extract as much information as possible about the identified targets.
- Create a script according to the collected information, considering both positive and negative results of an attempt.

Social engineering pen testing using emails

Take the following actions during social engineering pen testing using emails:
- Send an email to employees asking for personal information such as their user names and passwords, pretending to be a network administrator, senior manager, tech support, etc., from a different department, on the pretext of an emergency.
- Send emails to targets with malicious attachments and use tools such as ReadNotify to monitor how the targets treat the attachments.
- Send phishing emails to targets as if the email is from a bank, asking for sensitive information.

Social engineering pen testing using a phone

Take the following actions during social engineering pen testing using a phone:
- Call a target impersonating a colleague and ask for sensitive information.
- Call a target user impersonating an important user.
- Call a target impersonating technical support and ask for sensitive information.
- Refer to an important person in the organization and try to collect data.
- Call a target and offer rewards in exchange for personal information.
- Threaten the target with dire consequences in order to obtain information.
- Use reverse social engineering to get information from targets.

Chapter Summary

In this chapter, we learned about social engineering, behaviors that are vulnerable to attacks, different types of social engineering, and social engineering countermeasures. We discussed dumpster diving, human-based social engineering, and insider attacks. This chapter also focused on phishing attacks, identifying online scams, and understanding URL obfuscation.

Glossary

Dictionary attack: A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user.

Dumpster diving: Dumpster diving is a term that refers to going through someone's trash in an attempt to find useful or confidential information.

Eavesdropping: Eavesdropping is the intentional interception of data (such as e-mail, username, password, credit card, or calling card number) as it passes from a user's computer to a server, or vice versa.

Human-based social engineering: Human-based social engineering refers to person-to-person interaction to retrieve the desired information.

Phishing: Phishing is a type of scam that entices a user to disclose personal information such as a social security number, bank account details, or credit card number.

Piggybacking: Piggybacking refers to accessing a wireless Internet connection by bringing one's own computer within range of another's wireless connection and using that service without the subscriber's explicit permission or knowledge.

Pretexting: Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
Shoulder surfing: Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization.

Social engineering: Social engineering is the art of convincing people to disclose useful information such as account names and passwords.