What is Social Engineering | Attack Techniques & Prevention

Module Objectives

This module provides an overview of social engineering. Although the module focuses on the fallacies attackers exploit and advocates effective countermeasures, the possible methods of extracting information from another human being are limited only by the attacker's ingenuity. The creativity these techniques demand makes them an art, but the predictable psychology that some of them rely on makes them a science. The "bottom line" is that there is no purely technical defense against social engineering; only constant vigilance, backed by verification procedures, can defeat some of the techniques attackers use.

This module provides insight into human-based, computer-based, and mobile-based social engineering techniques. It also discusses insider threats, impersonation on social networking sites, and identity theft, as well as possible countermeasures. The module ends with an overview of the pen-testing steps an ethical hacker should follow to assess the security of the target.

At the end of this module, you will be able to:

■    Describe the social engineering concepts

■    Perform social engineering using various techniques

■    Describe insider threats

■    Perform impersonation on social networking sites

■    Describe identity theft

■   Apply social engineering countermeasures

■   Apply insider threats and identity theft countermeasures

■    Perform social engineering penetration testing


Social Engineering Concepts

There is no single security mechanism that can protect against the social engineering techniques attackers use. Educating employees to recognize and respond to social engineering attacks, and backing that training with verification procedures they are expected to follow, is what minimizes an attacker's chance of success. Before going ahead with this module, let's first discuss various social engineering concepts.

This section describes social engineering, frequent targets of social engineering, behaviors vulnerable to attacks, factors making companies vulnerable to attacks, why social engineering is effective, and phases of a social engineering attack.


What is Social Engineering?

Prior to performing a social engineering attack, an attacker gathers information about the target organization from various sources such as:

■ Official websites of the target organization, where employees' IDs, names, and email addresses are shared.

■ Job advertisements placed by the target organization, for example postings seeking high-tech workers trained in Oracle databases or UNIX servers, which reveal the technologies the organization uses.

■ Blogs, forums, etc., where employees share basic personal and organizational information.

After gathering this information, the attacker executes the social engineering attack using approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and so on.
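The reconnaissance step above in working form, as an added example that is not part of the original module. Given a constructed "Our team" page (TEAM_PAGE, the names in it and the example.com domain are invented for this demonstration), the script harvests the published addresses, works out which naming convention the organization uses, and predicts the address of an employee whose address was never published, which is what an attacker wants before placing a pretext call or sending a targeted email.

```python
"""Infer an organization's e-mail address convention from the names and
addresses published on its website, then predict the address of an employee
whose address is not published.  Added example, not code from the original
module; TEAM_PAGE, the people in it and the PATTERNS table are constructed
for the demonstration."""
import re
from collections import Counter

# Constructed "Our team" page; nothing here refers to a real organization.
TEAM_PAGE = """
<ul>
<li>Alice Morgan, Finance Director &ndash; <a href="mailto:alice.morgan@example.com">alice.morgan@example.com</a></li>
<li>Bob Tran, Help Desk Lead - btran@example.com</li>
<li>Carol Diaz, Systems Administrator - carol.diaz@example.com</li>
<li>Dan O'Neil, Receptionist - dan.oneil@example.com</li>
</ul>
"""

# Candidate conventions for the local part of an address.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}


def normalize(name_part: str) -> str:
    """Lower-case a name part and keep only letters ("O'Neil" -> "oneil")."""
    return re.sub(r"[^a-z]", "", name_part.lower())


def extract_people(html: str):
    """Yield (first, last, local_part, domain) for every line naming a person and an address."""
    text = re.sub(r"<[^>]+>", " ", html)          # strip tags, keep the visible text
    for line in text.splitlines():
        m = re.search(r"([A-Z][\w']+)\s+([A-Z][\w']+),.*?([\w.+-]+)@([\w.-]+\.\w+)", line)
        if m:
            yield normalize(m.group(1)), normalize(m.group(2)), m.group(3).lower(), m.group(4).lower()


def infer_convention(people) -> Counter:
    """Count how many of the published addresses each candidate pattern explains."""
    votes = Counter()
    for first, last, local, _domain in people:
        for name, fmt in PATTERNS.items():
            if fmt(first, last) == local:
                votes[name] += 1
    return votes


def predict(first: str, last: str, domain: str, convention: str) -> str:
    """Build the address an employee would most likely have under the inferred convention."""
    return f"{PATTERNS[convention](normalize(first), normalize(last))}@{domain}"


if __name__ == "__main__":
    people = list(extract_people(TEAM_PAGE))
    convention, hits = infer_convention(people).most_common(1)[0]
    print(f"{len(people)} addresses found; '{convention}' explains {hits} of them")
    # Hypothetical unpublished employee: the attacker now has a plausible address for a pretext.
    print(predict("Eve", "Park", people[0][3], convention))
```

On the sample page three of the four addresses follow first.last and one (btran) follows flast, so the majority convention wins and "Eve Park" is predicted as eve.park@example.com. The one outlier is itself useful to an attacker: it marks an older or differently provisioned account, which is exactly the kind of detail that makes a pretext call to the help desk sound authentic.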

Social engineering is the art of manipulating people into divulging sensitive information or performing some action that benefits the attacker. Despite security policies, attackers can compromise an organization's sensitive information using social engineering because it targets the weaknesses of people rather than of technology. Most often, employees are not even aware of a security lapse on their part and reveal the organization's critical information inadvertently, for instance by answering a stranger's questions or replying to a spam email.

To succeed, attackers take a special interest in developing social engineering skills and can become so proficient that victims do not even notice the fraud. Attackers always look for new ways to access information. They also make sure they know the organization's perimeter and the people on it, for example security guards, receptionists, and help-desk workers, in order to exploit human oversight. People have conditioned themselves not to be overly suspicious and associate certain behavior and appearances with known entities: a man in a uniform carrying a pile of packages will be taken for a delivery person. With the help of such tricks, attackers obtain confidential information, authorization, and access details by deceiving and manipulating people.

Common Targets of Social Engineering

A social engineer uses the weaknesses of human nature as his/her most effective tool. Usually, people believe and trust others and derive fulfillment from helping those in need. Discussed below are the most common targets of social engineering in an organization:

■ Receptionists and Help-Desk Personnel: Social engineers generally target service-desk or help-desk personnel of the target organization by tricking them into divulging confidential information about the organization. To extract information, such as a phone number or a password, the attacker first wins the trust of the individual with the information. On winning their trust, the attacker manipulates them to get valuable information. Receptionists and help-desk staff may readily share information if they feel they are doing so to help a customer.

■ Technical Support Executives: Another target of social engineers is technical support executives. Social engineers may contact technical support executives to obtain sensitive information by pretending to be senior management, a customer, a vendor, and so on.

■ System Administrators: A system administrator in an organization is responsible for maintaining the systems and thus may have critical information such as the type and version of the OS, admin passwords, and so on, that could help an attacker plan an attack.

■ Users and Clients: Attackers could approach users and clients of the target organization, pretending to be a tech support person, to extract sensitive information.

■ Vendors of the Target Organization: Attackers may also target the organization's vendors to gain critical information that could help in executing other attacks.

Impact of Social Engineering Attack on Organization

Social engineering may not seem a serious threat, but it can lead to heavy losses for organizations. The impacts of a social engineering attack on an organization include:

■ Economic Losses: Competitors may use social engineering techniques to steal sensitive information such as development plans and marketing strategies of a target company, which can result in economic loss to the target company.

■ Damage to Goodwill: For an organization, goodwill is important for attracting customers. Social engineering attacks may damage that goodwill by leaking sensitive organizational data.

■ Loss of Privacy: Privacy is a major concern, especially for big organizations. If an organization is unable to maintain the privacy of its stakeholders or customers, then people can lose trust in the company and may discontinue the business association with the organization. Consequently, the organization could face losses.

■ Dangers of Terrorism: Terrorists and other anti-social elements pose a threat to an organization's assets, its people and property. Terrorists may use social engineering techniques to map out their targets before infiltrating them.

■ Lawsuits and Arbitration: Lawsuits and arbitration result in negative publicity for an organization and affect its business performance.

■ Temporary or Permanent Closure: Social engineering attacks can result in loss of goodwill, and the resulting lawsuits and arbitration may force a temporary or permanent closure of an organization and its business activities.

Behaviors Vulnerable to Attacks

■ The natural human tendency to trust others is the basis of any social engineering attack

■ Ignorance about social engineering and its effects on the workforce makes the organization an easy target

■ Fear of severe losses in case of non-compliance with the social engineer's request

■ Social engineers lure targets into divulging information by promising something for nothing (greed)

■ Targets are asked for help and comply out of a sense of moral duty

Factors that Make Companies Vulnerable to Attacks

Many factors make companies vulnerable to social engineering attacks; some of them are as follows:

■    Insufficient Security Training

Employees can be ignorant about social engineering tricks used by an attacker to lure them into divulging sensitive data about the organization. Therefore, the minimum responsibility of any organization is to educate their employees about social engineering techniques and the threats associated with them to prevent social engineering attacks.

■ Unregulated Access to Information

For any company, one of its main assets is its data. Providing unlimited access, or allowing everyone access to sensitive data, invites trouble. Therefore, companies must restrict access to sensitive data to the personnel who need it, and must train and monitor those personnel.

■ Several Organizational Units

Some organizations have units at different geographic locations, which makes it difficult to manage systems and procedures consistently. At the same time, it becomes easier for an attacker to access the organization's sensitive information, because staff cannot personally recognize every colleague from another site.

■ Lack of Security Policies

A security policy forms the foundation of the security infrastructure. It is a high-level document describing the security controls implemented in a company. An organization should address every foreseeable security threat or vulnerability. Measures such as a password change policy, an information sharing policy, access privileges, unique user identification, and centralized security management prove beneficial.

Why is Social Engineering Effective?

Unlike most attack techniques, social engineering does not target weaknesses in network security; instead, it relies on psychological manipulation of human beings to extract the desired information.

The following are the reasons why social engineering continues to be effective:

■ Despite security policies, preventing social engineering is a challenge because human behavior varies from person to person and from day to day and cannot be patched like software.

■ It is difficult to detect social engineering attempts. Social engineering is the art and science of manipulating people into divulging information, and with this trick attackers sneak into an organization's store of information.

■ No method guarantees complete security from social engineering attacks.

■ No specific hardware or software is available to safeguard against social engineering attacks.

■ The approach is relatively easy to implement and costs the attacker almost nothing.

Phases of a Social Engineering Attack

Attackers take the following steps to execute a successful social engineering attack:

■    Research on Target Company

Before attacking the target organization's network, an attacker gathers sufficient information to infiltrate the system. Social engineering is one such technique that helps in extracting information. Initially, the attacker carries out research to collect basic information about the target organization such as the nature of the business, location, number of employees, and so on. While researching, the attacker indulges in dumpster diving, browsing the company's website, finding employee details, and so on.

■   Selecting Target

After research, the attacker selects his target to extract sensitive information about the organization. Usually, attackers try to strike a chord with disgruntled employees because it is easier to manipulate them and extract information.

■    Develop the Relationship

Once the target is identified, the attacker builds a relationship with that employee to accomplish his/her task.

■ Exploit the Relationship

The next step is to exploit the relationship and extract sensitive information about accounts, finances, technologies in use, and upcoming plans.


Social Engineering Techniques

Attackers use various social engineering techniques to gather sensitive information from people or organizations that might help them commit fraud or other criminal activities.

This section deals with various human-based, computer-based, and mobile-based social engineering techniques, illustrated with examples for better understanding.

Types of Social Engineering

In a social engineering attack, the attacker uses social skills to trick the victim into disclosing personal information such as credit card numbers, bank account numbers, phone numbers, or confidential information about their organization or computer system, and use them to either launch an attack or to commit fraud. Social engineering attacks are categorized into three parts: human-based, computer-based, and mobile-based.

■ Human-based Social Engineering

Human-based social engineering involves direct human interaction. Posing as a legitimate person, the attacker interacts with an employee of the target organization to collect sensitive information about the organization, such as business plans or network details, that might help in launching an attack. For example, by impersonating an IT support technician, the attacker can talk his/her way into the server room.

An attacker can perform human-based social engineering using the following techniques:

o Impersonating

o Eavesdropping

o Shoulder Surfing

o Dumpster Diving

o Reverse Social Engineering

o Piggybacking

o Tailgating

o Vishing


Computer-based Social Engineering

Computer-based social engineering relies on computers and Internet systems to carry out the targeted action.

The following techniques can be used for computer-based social engineering:

o Phishing

o Spam mail

o Instant chat messenger

o Pop-up window attacks


Mobile-Based Social Engineering

Attackers use mobile applications to carry out mobile-based social engineering. Attackers trick the users by imitating popular applications and creating malicious mobile applications with attractive features and submitting them with the same name to the major app stores. Users unknowingly download the malicious app, and thus malware infects the device.

Listed below are techniques an attacker uses to perform mobile-based social engineering:

o Publishing malicious apps

o Repackaging legitimate apps

o Using fake security applications

o SMiShing (SMS Phishing)


Human-based Social Engineering

Impersonation

Impersonation is a common human-based social engineering technique in which an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks in person, over the phone, or through another communication medium to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessperson, client, technician, or visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching for important documents on desks, rummaging through bins, and so on. The attacker may even try to overhear confidential conversations and "shoulder surf" to obtain sensitive information.

Types of impersonation used in social engineering:

■    Posing as a legitimate end user

■    Posing as an important user

■ Posing as technical support

■    Internal Employee/Client/Vendor

■    Repairman

■    Over helpfulness of help desk

■   Third-party authorization

■   Tech support

■   Trusted authority

Some impersonation tricks that an attacker performs to gather sensitive information about the target organization by exploiting human nature of trust, fear, moral obligation, and so on are discussed below:

■    Posing as a Legitimate End User

An attacker might impersonate an employee and then resort to deviant methods to gain access to privileged data. He or she may provide a false identity to obtain sensitive information. Another example is when a "friend" of an employee asks him/her to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original "favor" is offered without a request from the recipient; this is known as reciprocation. Corporate environments deal with reciprocation on a daily basis: employees help each other, expecting a favor in return. Social engineers try to take advantage of this social trait via impersonation.

Example:

"Hi! This is John, from the finance department. I have forgotten my password. Can I get it?"

■    Posing as an Important User

Attackers take impersonation to a higher level by assuming the identity of an important employee to add an element of intimidation. The reciprocation factor also plays a role in this scenario: lower-level employees might go out of their way to help a higher authority, hoping the favor earns them positive attention that helps their standing in the corporate environment. Another behavioral factor that aids a social engineer is people's habit of not questioning authority. People often go out of their way for those whom they perceive to have authority. An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee. Attackers may even treat getting away with impersonating an authority figure as a challenge in itself. For example, a help-desk employee is unlikely to turn down a request from a vice president who is hard pressed for time and needs some important information for a meeting. If an employee refuses to divulge information, social engineers may use authority to intimidate the employee or may even threaten to report the employee's misconduct to his/her supervisor.

Example:

"Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system password. Can you help me out?"

■ Posing as Technical Support

Another technique involves an attacker masquerading as technical support, which works particularly well when the victim is not proficient in technical areas. The attacker may pretend to be a hardware vendor, a technician, or a computer supplier while approaching the target. In one demonstration at a hacker meeting, the speaker called a Starbucks store and asked an employee whether their broadband connection was working properly. The perplexed employee replied that it was the modem that was giving them trouble. The speaker, without offering any credentials, then got the employee to read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including a password, to fix a nonexistent problem.

Example:

"Sir, this is Mathew, Technical Support, X Company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"

■    Internal Employee/Client/Vendor

The attacker usually dresses in business clothes or a suitable uniform and enters the organization's building pretending to be a contractor, client, service person, or other authorized visitor. He/she then roams around unnoticed, looking for passwords stuck to terminals, extracting critical data from bins and papers lying on desks, and so on. The attacker may also use other social engineering techniques such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposely overhearing confidential conversations between employees) to gather sensitive information that might help in launching an attack on the organization.

■ Repairman

Computer technicians, electricians, and telephone repairpersons are rarely viewed with suspicion. Attackers might impersonate a technician or repairperson to enter the organization. He/she performs the normal activities associated with that role while looking for written-down passwords, critical information on desks, and unshredded paper in trash bins, or may even plant a snooping device in a hidden location.


Impersonation (Vishing)

Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing critical financial and personal information and then uses that information for his/her financial gain. The attacker uses caller ID spoofing to forge the calling identity. In many cases, vishing includes pre-recorded messages and instructions resembling those of a legitimate financial institution. In this way, the attacker tricks the victim into providing bank account or credit card details for "identity verification" over the phone.

The attacker also sends a fake SMS or email message to the victim asking the victim to call the financial institution for credit card or bank account verification. In some cases, the victim receives a voice call from the attacker. When the victim calls on the number mentioned in the message or receives the call, the victim hears recorded instructions that insist him/her to provide personal and financial information like name, date of birth, social security numbers, bank account numbers, credit card numbers, credentials like usernames, passwords, etc. Once the victim provides the information, the recorded message confirms verification of the victim's account.

Discussed below are some tricks attacker uses for Vishing to gather sensitive information.

■ Over-Helpfulness of Help Desk

Help desks are common targets of social engineering attacks for a reason. Their staff are trained to be helpful to users, and they often give away sensitive information such as passwords and network details without verifying the authenticity of the caller.

To be effective, the attacker should know employees' names and details about the person he/she is trying to impersonate. The attacker may call a company's help desk pretending to be a senior official and try to extract sensitive information from the help-desk staff.

Example:

A man calls a company's help desk saying he has forgotten his password. He sounds distressed and adds that if he misses the deadline of an important advertising project, his boss may fire him. Feeling sorry for the caller, the help-desk worker quickly resets the password, unwittingly giving the attacker access to the corporate network.

■ Third-party Authorization

Another popular technique used by an attacker is to represent himself/herself as an agent authorized by some senior authority in an organization to obtain information on their behalf.

For instance, an attacker learns the name of the employee in the target organization who authorizes access to the required information and watches for a moment when that employee is away. The attacker then approaches the help desk or other personnel claiming that the employee (the authority figure) has asked for the information to be provided.

Even though there might be suspicion about the authenticity of the request, people tend to overlook it in an effort to be helpful in the workplace. People tend to believe that others are being honest when they refer to an important person, and provide the information requested.

This technique is particularly effective when the authority figure is on vacation or travelling and immediate verification is not possible.

Example:

"Hi I am John, I spoke with Mr. XYZ last week before he went on vacation and he said that you would be able to provide me with the information in his absence. Could you help me out?"

■ Tech Support

An attacker can pretend to be a technical support staff of the target organization's software vendor or contractor to obtain sensitive information. The attacker may pretend troubleshooting a network problem and ask for the user ID and password of a particular computer to detect the problem. Believing him/her to be a troubleshooter, a user would provide the required information.

Example:

Attacker: "Hi, this is Mike from tech support. Some folks in your office have reported slowdowns when logging in. Is this true?"

Employee: "Yes, it has seemed slow lately."

Attacker: "Well, we have moved you to a new server, and your service should be much better now. If you want to give me your password, I can check your service. Things will be better from now on."

■ Trusted Authority Figure

The most effective method of social engineering is posing as a trusted authority figure. An attacker might pretend to be a fire marshal, superintendent, auditor, director, and so on over the phone or in person to obtain sensitive information from the target.

Example:

1. Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been requested by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash.

2. Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us.

They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it would be enough to push them over the edge and get them to sign up.

Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their website a while back, which is one of the reasons they're considering our company.

3. Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm, so I need to check your HVAC system. Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to access the targeted secured resource.

Eavesdropping

Eavesdropping refers to an unauthorized person listening to a conversation or reading others' messages. It includes interception of any form of communication, including audio, video, or written, using channels such as telephone lines, email, and instant messaging. An attacker can obtain sensitive information such as passwords, business plans, phone numbers, and addresses.

Shoulder Surfing

Shoulder surfing is the technique of observing or looking over someone's shoulder as he/she keys information into a device. Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. Attackers sometimes even use binoculars or other optical devices, or install small cameras, to record actions performed on the victim's system and obtain login details and other sensitive information.

Dumpster Diving

Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. Attackers can then use this information to perform various malicious activities. Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as posing as a repairperson, technician, cleaner, and so on.

Information that attackers can obtain by searching through trash bins includes:

■ Phone lists: Disclose employees' names and contact numbers.

■ Organizational charts: Disclose details about the structure of the company, physical infrastructure, server rooms, restricted areas, etc.

■ Email printouts, notes, faxes, memos: Reveal personal details of a particular employee, passwords, contacts, inside working operations, certain useful instructions, etc.

■ Policy manuals: Reveal information regarding employment, system use, or operations.

■ Event notes, calendars, or computer use logs: Reveal users' log-on and log-off timings, which helps the attacker decide on the best time to plan an attack.


Reverse Social Engineering

Generally, reverse social engineering is difficult to carry out. This is primarily because it needs a lot of preparation and skills to execute it. In reverse social engineering, a perpetrator assumes the role of a person in authority so that employees ask him/her for the information. The attacker usually manipulates questions to draw out required information.

First, the social engineer causes some incident, creating a problem, and then presents himself/herself as the problem solver through general conversation, encouraging employees to ask questions as well. For example, an employee may ask how the problem has affected particular files, servers, or equipment, which gives the social engineer pertinent information. Many different skills and experiences are required to carry out this tactic successfully. Some of the techniques involved in reverse social engineering are:

■ Sabotage: Once the attacker gets access, he/she corrupts the workstation or makes it appear corrupted. Under such circumstances, users seek help as they face problems.

■ Marketing: To ensure that the user calls the attacker, the attacker must advertise. The attacker can do this either by leaving his or her business card in the target's office or by placing his or her contact number in the error message itself.

■ Support: Although the attacker has already acquired the required information, he or she may continue to assist the users so that they remain ignorant of the attacker's identity.

A good example of reverse social engineering in malware is the "My Party" worm. This worm does not rely on sensational subject lines but uses inoffensive, realistic names for its attachments. By using realistic wording, the attacker gains the user's trust, relies on the user's lack of suspicion, and completes the task of information gathering.


Piggybacking

Piggybacking usually implies entry into the building or security area with the consent of the authorized person. For example, attackers would request an authorized person to unlock a security door, saying that they have forgotten their ID badge. In the interest of common courtesy, the authorized person will allow the attacker to pass through the door.

Tailgating

Tailgating implies access to a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following him. An attacker, wearing a fake badge, attempts to enter the secured area by closely following an authorized person through a door requiring key access. He/she then tries to enter the restricted area by pretending to be an authorized person.


Computer-based Social Engineering

Attackers perform computer-based social engineering using various malicious programs such as viruses, Trojans, and spyware, and software applications such as email and instant messaging. Discussed below are types of computer-based social engineering attacks:

■ Pop-Up Windows

Pop-ups trick users into clicking a hyperlink that redirects them to fake web pages asking for personal information or that downloads malicious programs such as keyloggers, Trojans, or spyware.

The common method of enticing a user to click a button in a pop-up window is to warn of a problem, for example by displaying a realistic operating system or application error message, or to offer additional services. A window appears on the screen asking the user to re-login, or warning that the host connection was interrupted and the network connection needs re-authentication. When the user follows these instructions, the malicious program installs, extracts the target's sensitive information, and sends it to the attacker's email address or to a remote site. This type of attack uses Trojans and viruses.


■    Hoax Letters

A hoax letter is a message warning the recipients of a non-existent computer virus threat. It relies on social engineering to spread. Usually, hoax letters do not cause any physical damage or loss of information, but they cause a loss of productivity and consume an organization's valuable network resources.

■    Chain Letters

A chain letter is a message offering free gifts such as money and software on condition that the user forwards the email to a predetermined number of recipients. Common approaches used in chain letters include emotionally convincing stories, "get-rich-quick" pyramid schemes, spiritual beliefs, and superstitious threats of bad luck to the recipient if he/she "breaks the chain" by not passing on the message or simply refusing to read its content. Chain letters also rely on social engineering to spread.

■    Instant Chat Messenger

An attacker chats via instant chat messengers with selected online users and tries to gather their personal information such as date of birth, maiden names, etc. He/she then uses the acquired information to crack users' accounts.

■    Spam Email

Spam email is irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information. Attackers send spam messages to the target to collect sensitive information such as bank details. Attackers may also send email attachments containing hidden malicious programs such as viruses and Trojans. Social engineers try to hide the file extension by giving the attachment a long filename.



Phishing

Phishing is a technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information. The attacker registers a fake domain name, builds a lookalike website, and then mails the fake website's link to several users. When a user clicks on the email link, it redirects him/her to the fake webpage, where he/she is lured to share sensitive details such as address and credit card information without knowing that it is a phishing site. Some of the reasons behind the success of phishing scams include users' lack of knowledge, being visually deceived, and not paying attention to security indicators.

The images above show an example of an illegitimate email that claims to be from a legitimate sender. The email link redirects users to a fake webpage and asks them to submit their personal or financial details.
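As an added illustration (not part of the original module), the following Python script shows how a mail filter or awareness tool can flag the two signs of a phishing link described above: visible link text that shows the legitimate site while the actual target goes elsewhere, and a lookalike domain that borrows the brand's name. The domain names and the sample email body are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of legitimate domains the organization wants to protect.
# "ximbank.example" is a constructed name (the module's XIM Bank is fictional).
PROTECTED_DOMAINS = {"ximbank.example"}

# Constructed sample HTML body of a phishing email (not from the page): the
# first link shows the real site's address but points at a lookalike host.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://ximbank-secure-login.example.net/verify">https://www.ximbank.example/login</a>
<p>Questions? Visit our <a href="https://www.ximbank.example/help">Help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumes no multi-label public suffixes
    such as co.uk; use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_links(html, protected=PROTECTED_DOMAINS):
    """Return (reason, link host, detail) findings for the links in an email."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registered_domain(href_host)
        # Sign 1: visible text is a URL whose site differs from the real target.
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != href_dom:
                findings.append(("display/target mismatch", href_host, text_host))
        # Sign 2: the target borrows a protected brand's label under another domain.
        brand_hint = href_host.replace("-", "")
        for good in protected:
            label = good.split(".")[0]
            if href_dom != good and label in brand_hint:
                findings.append(("lookalike of " + good, href_host, label))
    return findings
```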


Types of Phishing

■   Spear Phishing

Instead of sending thousands of emails, some attackers opt for "spear phishing" and use specialized social engineering content directed at a specific employee or small group of employees in a particular organization to steal sensitive data such as financial information and trade secrets.

Spear phishing messages seem to be from a trusted source with an official-looking website. The email also appears to be from an individual in the recipient's company, generally someone in a position of authority. But the message is actually sent by an attacker attempting to obtain critical information about a specific recipient and his/her organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate than a normal phishing attack, as it appears to be from a trusted company source.

■   Whaling

A whaling attack is a type of phishing that targets high-profile executives such as CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (such as bank account details, employee details, customer information, and credit card details), generally through email or website spoofing. Whaling differs from an ordinary phishing attack in that the email or website used for the attack is carefully designed, usually to target a particular member of the executive leadership.


Pharming

Pharming is a social engineering technique in which the attacker executes malicious programs on a victim's computer or server so that, when the victim enters any URL or domain name, the victim's traffic is automatically redirected to a website controlled by the attacker. This attack is also known as "phishing without a lure". The attacker steals confidential information such as credentials, banking details, and other information related to web-based services.

Pharming attacks can be performed in two ways: DNS cache poisoning and host file modification.

DNS Cache Poisoning:

o The attacker performs DNS cache poisoning on the targeted DNS server.

o The attacker modifies the IP address of the target website www.targetwebsite.com to that of a fake website www.hackerwebsite.com.

o When the victim enters the target website's URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.

o The DNS server returns the fake IP address already modified by the attacker.

o Finally, the victim is redirected to the fake website controlled by the hacker.

Host File Modification:

o The attacker sends malicious code as an email attachment.

o When the user clicks on the attachment, the code executes and modifies the local host file on the personal computer.

o When the victim enters the target website's URL in the browser's address bar, the compromised host file automatically redirects the user's traffic to the fraudulent website controlled by the hacker.

Pharming attacks can also be performed using malware such as Trojan horses, worms, etc.
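Both pharming variants above end with a name resolving to an address it should not. The following Python script, added here as an example and not part of the original module, audits a workstation hosts file for the host file modification case and compares any observed answer (from a hosts file or a resolver) against a trusted baseline, which also covers a poisoned DNS answer. The hosts file content, the baseline addresses, and the internal name suffixes are constructed assumptions; the domain www.targetwebsite.com is the page's own example.

```python
import ipaddress

# Constructed sample hosts file (not from the page). The last entry mimics a
# pharming edit that pins the page's example domain to an attacker's address;
# 203.0.113.45 is a documentation-range address used as a stand-in.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Alias added by IT for an internal build server
10.0.4.20   build.corp.internal
# Suspicious override of a public domain
203.0.113.45  www.targetwebsite.com targetwebsite.com
"""

# Assumed trusted baseline: where these names should resolve, e.g. taken from
# the authoritative name server. 198.51.100.10 is a constructed address.
BASELINE = {"www.targetwebsite.com": {"198.51.100.10"},
            "targetwebsite.com": {"198.51.100.10"}}

# Name suffixes that legitimately belong in a workstation's hosts file
# (assumed policy; adjust to the organization's naming conventions).
INTERNAL_SUFFIXES = (".internal", ".local", "localhost")


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each non-comment hosts-file line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, ignore the line
        yield ip, [name.lower() for name in fields[1:]]


def check_resolution(observed, baseline):
    """Return {name: ip} for names whose observed answer is outside the baseline.
    'observed' may come from a hosts file or from a resolver's answers, so the
    same check covers both pharming variants."""
    return {name: ip for name, ip in observed.items()
            if name in baseline and ip not in baseline[name]}


def audit_hosts_file(text, baseline=BASELINE):
    """Return (reason, ip, name) findings for a hosts file."""
    findings, observed = [], {}
    for ip, names in parse_hosts(text):
        for name in names:
            observed[name] = str(ip)
            # Rule 1: a public-looking name pinned in a hosts file is suspicious.
            if not ip.is_loopback and not name.endswith(INTERNAL_SUFFIXES):
                findings.append(("public domain pinned", str(ip), name))
    # Rule 2: any pinned answer that diverges from the trusted baseline.
    for name, ip in check_resolution(observed, baseline).items():
        findings.append(("answer differs from baseline", ip, name))
    return findings
```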

Spimming

SPIM (Spam over Instant Messaging) exploits instant messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called a spimmer. Spimmers generally make use of bots (applications that execute automated tasks over the network) to harvest instant message IDs and then forward the spam message to the harvested IDs. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. When the user clicks the attachment, he/she is redirected to a malicious website that collects financial and personal information such as credentials, bank account details, and credit card details.


Mobile-based Social Engineering

Publishing Malicious Apps

In mobile-based social engineering, the attacker performs a social engineering attack using malicious mobile apps. The attacker first creates a malicious application, such as a gaming app with attractive features, and publishes it on major application stores under popular names. Unaware that the application is malicious, users download it onto their mobile devices believing it to be genuine. Once the application is installed, the user's device is infected by the malware, which sends the user's credentials (usernames, passwords), contact details, and so on to the attacker.

Repackaging Legitimate Apps

A legitimate developer creates legitimate gaming applications. Platform vendors create centralized marketplaces to allow mobile users to conveniently browse and install these games and apps. Usually, developers submit gaming applications to these marketplaces, making them available to thousands of mobile users. A malicious developer downloads a legitimate game, repackages it with malware, and uploads the game to a third-party application store. Once a user downloads the malicious application, the malicious program installed on the user's mobile device collects the user's information and sends it to the attacker.


Fake Security Applications

Sending fake security applications is a technique used by attackers for performing mobile-based social engineering. For this attack, the attacker first infects the victim's computer by sending something malicious. He/she then uploads a malicious application to an app store. When the victim logs on to his or her bank account, malware on the system displays a pop-up message telling the victim that he or she needs to download an application onto his/her phone to receive security messages. The victim downloads the application onto his/her device from the attacker's app store, believing it to be a genuine app. Once the user has installed the application, the attacker obtains confidential information such as bank account login credentials (username and password), and the second authentication factor the bank sends to the victim via SMS is also captured. Using that information, the attacker accesses the victim's bank account.


SMiShing (SMS Phishing)

Sending SMS is another technique used by attackers for performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details.

Let us consider Tracy, a software engineer working in a reputed company. She receives an SMS ostensibly from the security department of XIM Bank. It claims to be urgent, and the message says that Tracy should call the phone number mentioned in the SMS immediately. Worried, she calls to check on her account, believing it to be an XIM Bank customer service number. A recorded message asks her to provide her credit card or debit card number, as well as her password. Tracy believes it is a genuine message and shares the sensitive information.

Sometimes a message claims that the user has won money or has been randomly selected as a lucky winner, and that he/she merely needs to pay a nominal amount of money and share his/her email ID, contact number, or other information.


Insider Threats

An insider is any employee (trusted person) having access to critical assets of an organization. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. It is difficult to detect an insider attack. Insider attacks may also cause great loss to the company. About 60% of attacks occur from behind the firewall. It is easier to launch an insider attack, and preventing such attacks is difficult.


■ Privileged Users: Attacks may come from the most trusted employees of the company, such as managers and system administrators, who have access to the company's confidential data and therefore a higher probability of misusing the data, either intentionally or unintentionally.

■ Disgruntled Employees: Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on their company, first acquire information, and then wait for the right time to compromise the organization's resources.

■ Terminated Employees: Some employees take valuable information about the company with them when terminated. These employees access the company's data even after termination using backdoors, malware, or their old credentials, because those credentials were never disabled.

■ Accident-Prone Employees: If an employee accidentally loses a device, sends an email to the wrong recipients, or leaves a system loaded with confidential data logged in, the result is unintentional data disclosure.

■ Third Parties: Third parties such as remote employees, partners, dealers, vendors, etc. have access to the company's information. The security of the systems they use, and of the persons accessing the company's information, is unpredictable.

■ Undertrained Staff: A trusted employee becomes an unintentional insider due to lack of cyber security training. He/she fails to adhere to cyber security policies, procedures, guidelines, and best practices.
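The terminated-employee case above is one that can be checked mechanically: reconcile the HR separation list against the directory's account export and flag accounts that are still enabled or have signed in after the separation date. The following Python script is an added example, not part of the original module; the account records, the separation dates, and the "owner" field for service accounts are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): the HR separation list and an
# export of directory accounts with their last successful sign-in. Service
# accounts carry an "owner" field naming the employee responsible for them.
TERMINATED = {"j.doe": date(2024, 3, 1), "a.smith": date(2024, 2, 15)}
ACCOUNTS = [
    {"user": "j.doe", "enabled": True, "last_login": date(2024, 3, 9)},
    {"user": "a.smith", "enabled": False, "last_login": date(2024, 2, 14)},
    {"user": "m.lee", "enabled": True, "last_login": date(2024, 3, 10)},
    {"user": "svc-backup", "enabled": True, "last_login": date(2024, 3, 8),
     "owner": "j.doe"},
]


def find_stale_access(accounts, terminated, grace=timedelta(days=0)):
    """Return (reason, account, former employee) findings.

    A finding is raised when an account belonging to, or owned by, a separated
    employee is still enabled, or has signed in after the separation date plus
    an optional grace period (assumed policy knob)."""
    findings = []
    for acct in accounts:
        owner = acct.get("owner", acct["user"])  # service accounts map to a person
        end = terminated.get(owner)
        if end is None:
            continue  # current employee, nothing to check
        if acct["enabled"]:
            findings.append(("still enabled", acct["user"], owner))
        if acct["last_login"] > end + grace:
            findings.append(("sign-in after separation", acct["user"], owner))
    return findings
```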

Companies where insider attacks are common include credit card companies, health-care companies, network service providers, as well as financial and exchange service providers.

Reasons for Insider Attacks

■    Financial Gain

An insider attack is performed mainly for financial gain. The insider sells sensitive information of the company to its competitor, steals a colleague's financial details for personal use, or manipulates the company's or personnel's financial records.

■   Steal Confidential Data

A competitor may inflict damage on the target organization, steal critical information, or put it out of business just by finding a job opening, preparing someone to get through the interview, and having that person hired there.

■    Revenge

It takes only one disgruntled person to take revenge and your company is compromised. Attacks may come from unhappy employees or contract workers with negative opinions about the company.

■        Become Future Competitor

Current employees may plan to start their own competing business using the company's confidential data. These employees may access and alter the company's client list.

■    Perform Competitors Bidding

In cases of corporate espionage, even the most honest and trustworthy employees may be forced to reveal the company's critical information through bribery or blackmail.

■    Public Announcement

A disgruntled employee may want to make a political or social statement and leak or damage the company's confidential data.


Type of Insider Threats

There are four types of insider threats. They are:

■ Malicious Insider

Malicious insider threats come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network.

■    Negligent Insider

Insiders who are uneducated on potential security threats, or who simply bypass general security procedures to meet workplace efficiency targets, are more vulnerable to social engineering attacks. A large number of insider attacks result from employees' laxity towards security measures, policies, and practices.

■    Professional Insider

Professional insiders are the most harmful insiders, because they use their technical knowledge to identify weaknesses and vulnerabilities in the company's network and sell the confidential information to competitors or black market bidders.

■    Compromised Insider

An outsider compromises insiders having access to critical assets or computing devices of an organization. This type of threat is more difficult to detect since the outsider masquerades as a genuine insider.


Why is Insider Attack Effective?

An insider attack is effective because of the following reasons:

■    Insider attacks can go undetected for years, and remediation is expensive.

■    An insider attack is easy to launch.

■    Preventing an insider attack is difficult.

■    The inside attacker can easily succeed.

■    It is very difficult to differentiate harmful actions from employee's regular work. It is hard to identify whether employees are performing malicious activities or not.

■    Even after detection of malicious activities of the employee, he/she may refuse to accept by claiming it is a mistake done unintentionally.

■    It is easy for employees to cover their actions by editing or deleting logs to hide their malicious activities.

Example of Insider Attack: Disgruntled Employee

Most cases of insider abuse can be traced to individuals who are introverted, incapable of managing stress, experiencing conflict with management, frustrated with their job or office politics, lacking respect or promotion, transferred, demoted, or issued an employment termination notice, among other reasons. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain, thus harming the organization.

Disgruntled employees can use steganography programs to hide company secrets and later send the information as an innocuous-looking message such as a picture, image, or sound file to competitors, using a work email account. Thus, no one suspects him/her because the attacker hides the sensitive information in the picture or image.


Impersonation on Social Networking Sites

Today, social networking sites are widely used, allowing people to build online profiles and share information, pictures, blog entries, music clips, and so on. Thus, it is relatively easy for an attacker to impersonate someone. The victim is likely to trust the impersonator and eventually reveal information that would help the attacker gain access to a system.

This section describes how to perform social engineering through impersonation using various social networking sites such as Facebook, LinkedIn, and Twitter, and highlights the risks these sites pose to corporate networks.


Social Engineering through Impersonation on Social Networking Sites

As social networking sites such as Facebook, Twitter, and LinkedIn are widely used, attackers use them as a vehicle for impersonation. There are two ways an attacker can use an impersonation strategy on social networking sites:

■    By creating a fictitious profile of the victim on the social media site

■    By stealing the victim's password or indirectly gaining access to the victim's social media account

Social networking sites are a treasure trove for attackers because people share their personal and professional information on these sites, such as name, address, mobile number, date of birth, project details, job designation, company name, location, etc. The more information people share on a social networking site, the more likely it is that an attacker can impersonate them to launch attacks against them, their associates, or their organization. Attackers may also try to join the target organization's employee groups to extract corporate data.

In general, the information attackers gather from social networking sites includes organization details, professional details, contacts and connections, and personal details, and they use this information to execute other forms of social engineering attacks.