Module 4: Social Engineering Attacks

Social Engineering Attacks

  1. Email Phishing — An administrative assistant at Protego reported receiving an email that contained a link to a site that resembled a valid, trusted resource. When they clicked the link, they were prompted to supply a username and password to log in.
  2. Spear Phishing — The Protego Chief Technology Officer reported that the company spam filter blocked several emails that used Protego logos and came from a spoofed Protego email account.
  3. Whaling — The Vice President of Finance and the Director of Accounting at Protego both received emails that contained links to an online survey regarding financial management. One of them clicked the link, and their anti-malware app blocked a malicious file download.
  4. Vishing — An employee reported receiving a phone call from someone who claimed to represent a vendor. The caller claimed that Protego was due a refund and that a business account number was required to transfer the money.
  5. Short Message Service (SMS) Phishing — Several Protego employees received text messages that instructed them to click on a link to confirm an account and claim a bitcoin reward. The site required registration with personal and work-related information.
  6. Universal Serial Bus (USB) Drop Key — An employee who was visiting an electronic gaming tradeshow found a USB drive and inserted it into their laptop. Malware infected the computer, requiring it to be replaced.
  7. Watering Hole Attacks — Protego received an alert from a legitimate game developer's news website that the site had been experiencing unusual traffic, including what appeared to be automated vulnerability scans.

Physical Attacks

  1. Tailgating — An unauthorized person tags along with an authorized person to gain entry to a restricted area without the consent of the authorized person.
  2. Piggybacking — An unauthorized person tags along with an authorized person to gain entry to a restricted area with the consent of the authorized person.
  3. Dumpster Diving — A person scavenges for private information in garbage and recycling containers.
  4. Shoulder Surfing — A person obtains information such as personally identifiable information (PII), passwords, and other confidential data by looking over the victim's shoulder.
  5. Badge Cloning — A person clones a card used to access a building.

Social-Engineer Tools

  1. Social-Engineer Toolkit (SET) — The Social-Engineer Toolkit (SET) is a tool developed by David Kennedy. It can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET is installed by default in Kali Linux and Parrot Security. The following steps walk through a spear-phishing attack that delivers a PDF payload by email:
     Step 1. Launch SET by using the setoolkit command.
     Step 2. Select 1) Social-Engineering Attacks from the menu to start the social engineering attack.
     Step 3. Select 1) Spear-Phishing Attack Vectors from the menu to start the spear-phishing attack.
     Step 4. To create a file format payload automatically, select 2) Create a File Format Payload.
     Step 5. Select 13) Adobe PDF Embedded EXE Social Engineering as the file format exploit to use. (The default is the PDF embedded EXE.)
     Step 6. To have SET generate a normal PDF with an embedded EXE, using a built-in blank PDF file for the attack, select 2) Use built-in BLANK PDF for attack.
     Step 7. To use the Windows reverse TCP shell, select 1) Windows Reverse TCP Shell.
     Step 8. When SET asks for the IP address or URL of the payload listener, select the IP address of your attacking system (192.168.88.225 in this example); this is the default option because SET automatically detects your IP address. The default port is 443, but you can change it to another port that is not in use on your attacking system. In this example, TCP port 1337 is used. After the payload is generated, the screen shown in Figure 4–9 appears.
     Step 9. When SET asks if you want to rename the payload, select 2. Rename the file, I want to be cool. and enter chapter2.pdf as the new name for the PDF file.
     Step 10. Select 1. E-Mail Attack Single Email Address.
     Step 11. When SET asks whether to use a predefined email template or create a one-time email template, select 2. One-Time Use Email Template.
     Step 12. Follow along as SET guides you through creating the one-time email message, and enter the subject of the email.
     Step 13. When SET asks whether to send the message as an HTML message or in plaintext, select the default, plaintext.
     Step 14. Enter the body of the message by typing or pasting in the text.
     Step 15. Enter the recipient email address and specify whether to use a Gmail account, your own email server, or an open mail relay.
     Step 16. Enter the "from" email address (the spoofed sender's email address) and the "from name" the recipient will see.
     Step 17. If you chose your own email server or an open relay, enter the open-relay username and password (if applicable) when asked to do so.
     Step 18. Enter the SMTP email server address and the port number. (The default port is 25.) When asked whether to flag this email as a high-priority message, make a selection. The email is then sent to the victim.
     Step 19. When asked whether to set up a listener for the reverse TCP connection from the compromised system, make a selection.
  2. Browser Exploitation Framework (BeEF) — In Module 6, "Exploiting Application-Based Vulnerabilities," you will learn about web application vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF). XSS vulnerabilities leverage input validation weaknesses in a web application and are often used to redirect users to malicious websites in order to steal cookies and other sensitive information. The Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities. You can download BeEF from https://beefproject.com or https://github.com/beefproject/beef.
  3. Call Spoofing Tools — You can very easily change the caller ID information that is displayed on a phone. There are several call spoofing tools that can be used in social engineering attacks. The following are a few examples of call spoofing tools:
     → SpoofApp: This is an Apple iOS and Android A
     → SpoofCard: This is an Apple iOS and Android app that can spoof a number and change your voice, record calls, generate different background noises, and send calls straight to voicemail.
     → Asterisk: Asterisk is a legitimate voice over IP (VoIP) management tool that can also be used to impersonate caller ID.
  4. Social Engineering Motivation Techniques/Methods
     → Authority — A social engineer shows confidence and perhaps authority, whether legal, organizational, or social authority.
     → Scarcity and Urgency — Scarcity can be used to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients; social engineers use similar techniques.
     → Social Proof — Social proof is a psychological phenomenon in which an individual who is unable to determine the appropriate mode of behavior takes cues from what others are seen to do.
     → Likeness — Individuals can be influenced by things or people they like. Social engineers strive for others to like the way they behave, look, and talk. Most individuals like what is aesthetically pleasing. People also like to be appreciated and to talk about themselves. Social engineers take advantage of these human vulnerabilities to manipulate their victims.
     → Fear — It is possible to manipulate a person with fear to prompt him or her to act promptly. Fear is an unpleasant emotion based on the belief that something bad or dangerous may take place. Using fear, social engineers push their victims to act quickly to avoid or rectify a dangerous or painful situation.
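The message produced by the SET walkthrough above has two traits a mail gateway or SOC analyst can check for: a "from" address that claims the target organisation's own domain while failing sender authentication (the spoofed Protego sender in the spear-phishing scenario), and a PDF attachment that carries an embedded file or launch action. The following Python triage routine is an added example written for this page, not course or SET code; the domain protego.example, the Authentication-Results header and the sample PDF bytes are constructed for illustration.

```python
"""Added example (not course material): triage an inbound message for the two traits
of the SET-built spear-phishing email, a From address claiming the organisation's own
domain that fails SPF/DKIM/DMARC, and a PDF attachment with an embedded file or launch action."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ORG_DOMAIN = "protego.example"  # assumed domain for the fictional company in the text
# PDF object keys that indicate an embedded payload or auto-run behaviour
PDF_RISKY = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/OpenAction")
# Constructed sample PDF: a minimal object tree with an embedded file and a
# /Launch open action, the structure a "PDF embedded EXE" payload relies on.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >>"
              b" /OpenAction << /S /Launch /F (payload.exe) >> >>\nendobj\n"
              b"2 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n%%EOF\n")


def build_sample(auth_results: str, attach_pdf: bool = True) -> bytes:
    """Build a constructed message from an internal-looking sender, for testing."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@protego.example>"
    msg["To"] = "assistant@protego.example"
    msg["Subject"] = "Updated expense policy"
    msg["Authentication-Results"] = auth_results  # as the receiving MX would stamp it
    msg.set_content("Please review the attached policy.")
    if attach_pdf:
        msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                           filename="policy.pdf")
    return msg.as_bytes()


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and sender.domain.lower() == ORG_DOMAIN:
        # Internal-looking sender: every authentication method must report pass.
        auth = msg.get("Authentication-Results", "")
        verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
        failed = [m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
        if failed:
            findings.append(f"spoofed internal sender {sender.addr_spec}: {'/'.join(failed)} did not pass")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            hits = [k.decode() for k in PDF_RISKY if k in part.get_payload(decode=True)]
            if hits:
                findings.append(f"{part.get_filename()}: {' '.join(hits)}")
    return findings
```

Feeding `triage()` a message whose Authentication-Results reads `spf=fail ... dkim=none; dmarc=fail` yields one finding for the spoofed sender and one listing the risky PDF keys, while a fully passing message with no attachment yields none.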