Social Engineering Attack
• It is the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system, or to steal personal and financial information.
• It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social Engineering Attack Life Cycle

Types of Social Engineering Attacks
1. Technology Based Attack
2. Human Based Attack

Technology Based Attack

• Baiting:
  • It uses a false promise to tempt a victim's greed or curiosity.
  • Attackers lure users into a trap that steals their personal information or infects their systems with malware.
  • The most reviled form of baiting uses physical media to disperse malware.
  • For example, attackers leave the bait, typically malware-infected flash drives, in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company).
  • The bait has an authentic look to it, such as a label presenting it as the company's payroll list.
  • Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.
  • Baiting scams don't necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.
• Watering hole:
  • Websites of governments, regulatory bodies and financial authorities are preferred targets for "watering hole" attacks on finance, investment and compliance professionals.
  • These online resources make it easy for attackers to target their victims.
  • So-called watering hole (a.k.a. "water holing") attacks are probably the most economical of online exploits.
  • Instead of identifying and tracking down individual targets one by one, the threat actors first research and identify a vulnerable website frequently sought out by key professionals in the targeted industry or organization.
  • In the second step, they install an exploit kit that may allow the attackers to target that site's users even more selectively, for instance based on their IP address. Like lions hidden in the savannah grass, they then lie and lurk.
  • Once their prey shows up at the "water hole", the victim's locally installed browser takes care of the rest. Because the browser is designed to indiscriminately fetch and execute code from the web on the local machine, it will silently download the malware from the infected site.
  • This then allows the attackers to steal the visitor's corporate network credentials and stage a lateral attack within the victim's organization, for instance by following up with pinpointed phishing emails to employees reporting to the victim.
• Phishing:
  • The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone.
  • Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message.
  • Categories of phishing:
    • Email phishing
    • Spear phishing
    • Whaling
    • Vishing
    • Smishing

Email Phishing

Spear Phishing
• Spear phishing is a malicious email spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information.
• Spear phishing attempts are not typically initiated by random hackers but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
• Like emails sent in regular phishing attacks, spear phishing messages also appear to come from a trusted source.
• Phishing messages usually appear to come from a large and well-known company or website with a broad user base, such as Google or PayPal.
• In the case of spear phishing, however, the source of the email is likely to be an individual within the recipient's own company, generally someone in a position of authority or someone the target knows personally.

Whaling
• Whale phishing is a cyberattack that specifically targets high-level executives (CEOs and CTOs) within an organization, aiming to steal sensitive information or authorize fraudulent financial transactions by impersonating trust
• Whaling is a specific type of spear phishing attack. While spear phishing can target any individual, whaling targets high-value individuals who are more likely to have access to data or funds.
• Like spear phishing attacks, whaling attacks use tactical emails that are personalized to convince individuals to act. Whaling attackers will not send mass emails and may even use follow-up calls to appear more legitimate.

Vishing Attack

Smishing Attack
• Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information or sending money to cybercriminals. The term "smishing" is a combination of "SMS" (or "short message service", the technology behind text messages) and "phishing".

2. Human Based Attack
• Shoulder surfing
• Dumpster diving
• Reverse social engineering

Shoulder surfing
• It is a social engineering attack where unauthorized individuals, or shoulder surfers, secretly attempt to access your private information by observing your activities or screens over your shoulder.
• Their primary purpose is to steal sensitive data, including PINs, passwords, bank details, and other personal information.
• They use various methods, like direct observation or the use of devices like cameras or binoculars, to capture this data for malicious purposes, including identity theft, unauthorized transactions, or other fraudulent activities.
• This malicious tactic is prevalent in public places, like offices, cafes, during travel, or at ATMs.

How to prevent Shoulder Surfing?
• Be Aware of Your Surroundings
  • Always be careful of your surroundings, especially in public areas.
  • Choose secure spots to prevent easy observation of your screen.
• Password Security
  • Use complex and strong passwords.
  • Avoid common or predictable passwords.
  • Consider implementing a password manager for secure password management.
• Multi-factor Authentication
  • Implement Multi-factor Authentication (MFA) for an extra layer of security. It makes unauthorized access difficult even if the password is observed.
• Avoid Public Wi-Fi
  • Avoid public Wi-Fi for sensitive transactions.
  • Use secure connections like mobile data or a VPN, which encrypts your data, providing an additional layer of security.
• Biometric Authentication
  • Utilize biometrics like fingerprint or facial recognition for device and application logins.
• Privacy Screens or Filters
  • Use privacy screen protectors or filters to limit screen visibility. This reduces the chance of shoulder surfers viewing your information.
• Physical Barriers
  • Position your body strategically to block the view of your ATM screen or keypad from onlookers.
  • Use your body as a shield when entering passwords on your phone.
• Secure Your Device
  • Lock screens or log out when devices are not in use.
  • Report lost or stolen devices promptly.
• Disable SMS Preview on the Lock Screen
  • Disable SMS preview on the lock screen to protect MFA messages.
• Be Cautious of Strangers
  • Be vigilant for potential distractions or individuals showing undue interest in your activities.
• Awareness and Discretion in Conversation
  • Avoid discussing sensitive information in public areas.
  • Be discreet during phone calls to prevent overhearing.

Dumpster Diving

Reverse Social Engineering Example

Social Engineering Countermeasures
• Don't open email attachments from suspicious sources. Even if you do know the sender and the message seems suspicious, it's best to contact that person directly to confirm the authenticity of the message.
• Use Multi-Factor Authentication (MFA). One of the most valuable pieces of information attackers seek is user credentials. Using MFA helps to ensure your account's protection in the event of an account compromise. Follow Computing Services instructions for downloading DUO two-factor authentication to add another layer of protection for your Andrew account.
• Be wary of tempting offers. If an offer seems too good to be true, it's probably because it is. Use a search engine to look up the topic, which can help you quickly determine whether you're dealing with a legitimate offer or a trap.
• Clean up your social media. Social engineers comb the Internet searching for any kind of information they can find on a person. The more information you have posted about yourself, the more likely it is that a criminal can send you a targeted spear phishing attack.
• Install and update antivirus and other software. Make sure automatic updates are turned on. Periodically check to make sure that the updates have been applied and scan your system daily for possible infections. Visit Secure Your Computer on the Computing Services website for more instructions on using and updating antivirus software.
• Back up your data regularly.
  If you were to fall victim to a social engineering attack in which your entire hard drive was corrupted, it is essential that you have a backup on an external hard drive or saved in the cloud.
• Avoid plugging an unknown USB into your computer. When a USB drive is found unattended, please give it to a cluster consultant, the Computer Services Help Center, a residence assistant (RA), or to Carnegie Mellon campus police.
• You should also disable Autorun on your machine. Autorun is a feature that allows Windows to automatically run the startup program when a CD, DVD, or USB device is inserted into a drive.

Social Engineering Toolkit

THE SOCIAL-ENGINEER TOOLKIT (SET)
• The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec.
• It is an open-source Python-driven tool aimed at penetration testing around social engineering.
• It has been presented at large-scale conferences including Black Hat, DerbyCon, DEF CON, and ShmooCon. With over two million downloads, it is the standard for social-engineering penetration tests and is supported heavily within the security community.
• Next, create a simple HTML file with the anchor tag.
• Href: can be an IP address or the URL address.
• The victim may receive this link through mail.
• When the link is clicked, he/she will be directed to a page similar to the Google page.
• Mostly the victim doesn't look at the URL.
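The phishing slides say that these messages create urgency and masquerade as a trusted sender, and the SET slides end on the observation that the victim rarely looks at the URL behind a link. The script below is an added, defender-side example that is not part of the original slides and not SET code: it runs three checks over one raw email message, (1) whether the From display name claims a watched brand that the real sender domain does not carry, (2) whether an HTML anchor shows one domain as its visible text while its href points to another domain or to a raw IP address, and (3) whether the subject or body uses urgency wording. The brand list, the urgency phrases and the sample message are constructed for this example, and the two-label "registrable domain" helper is a simplification that a real mail filter would replace with a public-suffix-list lookup.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brands this organisation expects to see impersonated (assumption).
WATCHED_BRANDS = ("paypal", "google", "microsoft")
# Constructed phrases that create the urgency, curiosity or fear the slides describe.
URGENCY_TERMS = ("urgent", "immediately", "act now", "suspended",
                 "verify your account", "within 24 hours")

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare hostname; '' when none can be parsed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def registrable(host: str) -> str:
    """Last two DNS labels: a crude stand-in for a public-suffix-list lookup (assumption)."""
    return ".".join(host.split(".")[-2:])

def is_ip(host: str) -> bool:
    """True when the link's host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_anchors(html: str) -> list:
    """Links whose visible text names another domain than the href, or whose href is a raw IP."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host, reasons = host_of(href), []
        if is_ip(href_host):
            reasons.append("href is a raw IP address")
        # Only compare domains when the visible text itself looks like a URL or hostname.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and \
                registrable(host_of(text)) != registrable(href_host):
            reasons.append("visible text domain differs from href domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

def score_message(raw: str) -> dict:
    """Run the sender, link and wording checks over one raw RFC 5322 message."""
    msg = message_from_string(raw)
    indicators = []
    # 1. Display name claims a watched brand that the real sender domain does not carry.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for brand in WATCHED_BRANDS:
        if brand in display_name.lower() and brand not in sender_domain:
            indicators.append(f"display name claims '{brand}' but sender domain is '{sender_domain}'")
    # 2. Link text and link target disagree (the "victim doesn't look at the URL" case).
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    for finding in suspicious_anchors(body):
        for reason in finding["reasons"]:
            indicators.append(f"{reason}: '{finding['text']}' -> {finding['href']}")
    # 3. Urgency or fear wording in the subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        indicators.append("urgency wording: " + ", ".join(hits))
    return {"score": len(indicators), "indicators": indicators}

# Constructed sample message; 203.0.113.0/24 is a documentation-only address range.
PHISHING_SAMPLE = """\
From: "PayPal Support" <alerts@paypa1-secure.example>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your account has been suspended. Act now:</p>
<a href="http://203.0.113.10/login">https://www.paypal.com/signin</a></body></html>
"""
```

Calling `score_message(PHISHING_SAMPLE)` returns a score of 4: the display name claims PayPal while the sender domain does not, the link text names paypal.com while the href points to a raw IP (two separate reasons), and the subject and body carry five urgency phrases. A message whose display name, sender domain and link text all agree and that uses neutral wording scores 0. Each indicator is a heuristic, so a mail gateway would log the indicator list for an analyst rather than block on the score alone; the anchor check in particular is the automated form of the "look at the URL" advice the slides give.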