Chapter 04 - Social Engineering and Password Attacks.pdf

Full Transcript

Chapter 4
Social Engineering and Password Attacks

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 2.0: Threats, Vulnerabilities, and Mitigations
2.2. Explain common threat vectors and attack surfaces.
Human vectors/social engineering (Phishing, Vishing, Smishing,
Misinformation/disinformation, Impersonation, Business email
compromise, Pretexting, Watering hole, Brand impersonation,
Typosquatting).
2.4. Given a scenario, analyze indicators of malicious activity.
Password attacks (Spraying, Brute force)

Social engineering techniques focus on the human side of information security. Using
social engineering techniques, security professionals and attackers can accomplish a
variety of tasks ranging from acquiring information to gaining access to buildings,
systems, and networks.
This chapter explores social engineering techniques and related practices, from phishing
to typosquatting. We discuss the principles that underlie social engineering attacks, as
well as how modern influence campaigns use social engineering concepts and social
media to sway opinions and reactions. Social engineering and phishing attacks often
precede password attacks, and later in this chapter you will review password attack
methods like brute-force attacks and password spraying.

Social Engineering and Human Vectors
Social engineering is the practice of manipulating people through a variety of strategies
to accomplish desired actions. Social engineers work to influence their targets to take
actions that they might not otherwise have taken.
A number of key principles are leveraged to successfully social engineer an individual.
Although the list of principles and their names vary depending on the source you read, a
few of the most common are:
Authority, which relies on the fact that most people will obey someone who appears
to be in charge or knowledgeable, regardless of whether or not they actually are. A
social engineer using the principle of authority may claim to be a manager, a
government official, or some other person who would have authority in the situation
they are operating in.
Intimidation relies on scaring or bullying an individual into taking a desired action.
 The individual who is targeted will feel threatened and respond by doing what the
social engineer wants them to do.
Consensus-based social engineering uses the fact that people tend to want to do what
others are doing to persuade them to take an action. A consensus-based social
engineering attack might point out that everyone else in a department had already
clicked on a link, or might provide fake testimonials about a product making it look
safe. Consensus is called “social proof” in some categorization schemes.
Scarcity is used for social engineering in scenarios that make something look more
desirable because it may be the last one available.
Familiarity-based attacks rely on you liking the individual or even the organization
the individual is claiming to represent.
Trust, much like familiarity, relies on a connection with the individual they are
targeting. Unlike with familiarity, which relies on targets thinking that something is
normal and thus familiar, social engineers who use this technique work to build a
connection with their targets so that they will take the actions that they want them to
take.
Urgency relies on creating a feeling that the action must be taken quickly due to
some reason or reasons.

You may have noticed that each of these social engineering principles works because it
causes the target to react to a situation and that many make the target nervous or
worried about a result or scenario. Social engineering relies on human reactions, and we
are most vulnerable when we are responding instead of thinking clearly.
Many, if not most, social engineering efforts in the real world combine multiple
principles into a single attack. If a penetration tester calls, claiming to be a senior
leader's assistant in another part of your company (thus leading authority and possibly
familiarity responses), and then insists that that senior leader has an urgent need
(urgency) and informs their target that they could lose their job if they don't do
something immediately (intimidation), they are more likely to be successful in many
cases than if they only used one principle. A key part of social engineering is
understanding the target, how humans react, and how stress reactions can be leveraged
to meet a goal.

Exam Note

The Security+ exam doesn't expect you to be able to categorize attacks based on the
principles they rely on, but those principles are extremely helpful as a tool to think
about why an attack might succeed and how it can be prevented or limited.

Social Engineering Techniques
Social engineering involves more than the principles you just read. There are both
technical and nontechnical attacks that leverage those principles to get results that are
desired by both attackers and penetration testers. As a security professional, you need to
be aware of these techniques, what they involve, and what makes each of them different
from the others.

Phishing
Phishing is a broad term used to describe the fraudulent acquisition of information,
often focused on credentials like usernames and passwords, as well as sensitive personal
information like credit card numbers and related data. Phishing is most often done via
email, but a wide range of phishing techniques exist, including things like smishing,
which is phishing via SMS (text) messages, and vishing, or phishing via telephone.
Specific terms are also used for specific targeting of phishing attempts. Spear phishing
targets specific individuals or groups in an organization in an attempt to gather desired
information or access. Whaling, much like spear phishing, targets specific people, but
whaling is aimed at senior employees like CEOs and CFOs—“big fish” in the company,
thus the term whaling.
Like most social engineering techniques, one of the most common defenses against
phishing of all types is awareness. Teaching staff members about phishing and how to
recognize and respond to phishing attacks, and even staging periodic exercises, are all
common means of decreasing the risk of successful phishing attacks. Technical means
also exist, including filtering that helps prevent phishing using reputation tools,
keyword and text pattern matching, and other technical methods of detecting likely
phishing emails, calls, or texts.

Vishing
Vishing is phishing accomplished via voice or voicemail messages. Vishing attacks rely
on phone calls to social-engineer targets into disclosing personal, financial, or other
useful information, or to send funds. Common vishing scams include requests to help a
relative or friend in another country, leading to wire fraud; various tax scams,
particularly during tax season in the United States; threats of law enforcement action;
and requests for a staff member to perform a task for a senior executive.
Like many social engineering efforts, vishing often relies on a sense of urgency, with an
imminent threat or issue that needs to be resolved. Vishers may attempt to acquire
personal information, and frequently present themselves as authorities.

Smishing
Smishing relies on text messages as part of the phishing scam. Whereas other scams
often rely on targets disclosing information via social engineering, smishing scams
frequently attempt to get users to click on a link in a text message. The link may take
them to a fake site to capture credentials, may attempt to infect the recipient's phone
with malware, may request multifactor authentication (MFA) information like an SMS
code, or could target some other information or action.
Smishing attacks rely on similar pretexts to many other phishing attacks with attempts
to build trust or urgency, or to establish authority often included as part of the
messages.

Misinformation and Disinformation
As cyberwarfare and traditional warfare have continued to cross over in deeper and
more meaningful ways, online influence campaigns—which have traditionally focused
on social media, email, and other online-centric mediums—have become common and
have increasingly been used by governments and other groups as part of
misinformation and disinformation campaigns. A very visible example was the
influence campaigns targeting political campaigns that were a major topic in the U.S.
2016 and 2020 elections, resulting in a growing public awareness of the issue.
It can be a bit confusing distinguishing between misinformation and disinformation.
Remember that misinformation is incorrect information, often resulting from getting
facts wrong. Disinformation is incorrect, inaccurate, or outright false information that is
intentionally provided to serve an individual or organization's goals.
Individuals and organizations conduct influence campaigns to turn public opinion in
directions of their choosing. Even advertising campaigns can be considered a form of
influence campaign, but in general, most influence campaigns in the context of the
Security+ exam are associated with disinformation and misinformation campaigns.

Another term you may encounter in this context is “malinformation.”
These three types of information are sometimes abbreviated as “MDM” or
misinformation, disinformation, and malinformation. CISA provides a guide on
them at www.cisa.gov/sites/default/files/publications/mdm-incident-response-
guide_508.pdf.

The CISA recommends a five-step “TRUST” process to counter misinformation and
disinformation campaigns:
1. Tell your story.
2. Ready your team.
3. Understand and assess MDM.
4. Strategize response.
5. Track outcomes.

Misinformation campaigns can appear quickly, and their source can be hard to identify.
That means that organizations must monitor for misinformation and be ready to
counter them using actions like those described in the TRUST model. The CISA's
recommendations for preparedness include assessing the information environment,
identifying vulnerabilities, fortifying communication channels, engaging in proactive
communications, and developing an incident response plan.
Impersonation
Pretending to be someone else, or impersonation, is a key tool in a social engineer's
toolkit, and like all of the other social engineering techniques we have discussed, it can
be used for malicious purposes. Each of these techniques combines the willingness of
the target or targets to believe the impersonator with the principles of social engineering
to create a scenario where the social engineer will get the access, data, or other results
they desire.
Identity fraud, or identity theft, is the use of someone else's identity. Although identity
fraud is typically used for financial gain by malicious actors, identity fraud may be used
as part of penetration tests or other security efforts as well. In fact, in some cases
impersonation, where you act as if you are someone else, can be a limited form of
identity fraud. In other cases, impersonation is less specific, and the social engineer or
attacker who uses it may simply pretend to be a delivery driver or an employee of a
service provider rather than claiming a specific identity.

Business Email Compromises
Business email compromise, often called BEC, relies on using apparently legitimate
email addresses to conduct scams and other attacks. Common examples of this include
invoice scams, gift card scams, data theft, and account compromise/account access
attacks. As with other types of email-focused scams and attacks, there are multiple
methods that may be used to create legitimate appearing email, including:
Using compromised accounts
Sending spoofed emails
Using common fake but similar domain techniques
Using malware or other tools

Microsoft provides a detailed writeup on BEC as part of their Security 101 at
www.microsoft.com/en-us/security/business/security-101/what-is-business-email-
compromise-bec.

You may sometimes find BEC called EAC, or email account
compromise, a less specific term than business email compromise.

Mitigation methods for business email compromise commonly involve multifactor
authentication, awareness training, and policies that help to support appropriate use
and behaviors.

Pretexting
Pretexting is the process of using a made-up scenario to justify why you are approaching
an individual. Pretexting is often used as part of impersonation efforts to make the
impersonator more believable. An aware target can ask questions or require verification
that can help defeat pretexting and impersonation attacks. In many cases, simply
making a verification call can defeat such attempts.

Watering Hole Attacks
Watering hole attacks use websites that targets frequent to attack them. These
frequently visited sites act like a watering hole for animals and allow the attackers to
stage an attack, knowing that the victims will visit the site. Once they know what site
their targets will use, attackers can focus on compromising it, either by targeting the site
or deploying malware through other means such as an advertising network.

Brand Impersonation
Another type of phishing attack is brand impersonation or brand spoofing. This
common form of attack uses emails that are intended to appear to be from a legitimate
brand, relying on name recognition and even using email templates used by the brand
itself.
Brand impersonation is often used in attempts to get users to log into their existing
accounts, particularly for stores and banks. They may also request payment, gather
passwords or other sensitive information, or may simply have malware attached with
instructions to access a file or run an executable.
As with scam email of all sorts the quality of brand impersonation email varies from
email that is indistinguishable from legitimate messages to poorly constructed scams
like the PayPal scam shown in Figure 4.1.
 FIGURE 4.1 Brand impersonation email

Typosquatting
Typosquatters use misspelled and slightly off but similar to the legitimate site URLs to
conduct typosquatting attacks. Typosquatters rely on the fact that people will mistype
URLs and end up on their sites, thus driving ad traffic or even sometimes using the
typo-based website to drive sales of similar but not legitimate products.

Typosquatting is hard to prevent, but organizations often register the
most common typos for their domains if they're concerned about it. You can see an
example of this by visiting amason.com, which redirects to Amazon.com!

A related form of attack is known as pharming. Unlike typosquatting, pharming relies
either on changing a system's hosts file (which is the first reference a system checks
when looking up DNS entries), or on active malware on the system that changes the
system's DNS servers. A successful pharming attack using a hosts-file-based technique
will modify a host’s file and redirect unsuspecting victims to a lookalike site.

Password Attacks
Although social engineering is often used to acquire passwords or access, there are other
ways to attack passwords as well. Everything from trying password after password in a
brute-force attack, to technical attacks that leverage precomputed password hashes in
lookup systems to check acquired password hashes against a known database, can help
attackers and penetration testers attack passwords.
The Security+ exam focuses on two password-related attacks:
Brute-force attacks, which iterate through passwords until they find one that works.
Actual brute-force methods can be more complex than just using a list of passwords
and often involve word lists that use common passwords, words specifically picked
as likely to be used by the target, and modification rules to help account for
complexity rules. Regardless of how elegant or well thought out their input is, in the
end, brute force is simply a process that involves trying different variations until it
succeeds.
Password spraying attacks are a form of brute-force attack that attempts to use a
single password or small set of passwords against many accounts. This approach can
be particularly effective if you know that a target uses a specific default password or
a set of passwords. For example, if you were going to attack a sports team's fan
website, common chants for the fans, names of well-known players, and other
common terms related to the team might be good candidates for a password
spraying attack.
Dictionary attacks are yet another form of brute-force attack that uses a list of
words for their attempts. Commonly available brute-force dictionaries exist, and
tools like John the Ripper, a popular open source password cracking tool, have word
lists (dictionaries) built in. Many penetration testers build their own custom
dictionaries as part of their intelligence gathering and reconnaissance processes.

Exam Note

The SY0-701 Exam Outline focuses on just two types of password attacks: spraying
and brute force. Dictionary attacks and the use of rainbow tables remain common
as well, and help provide context for password attacks in general. We've included
them here so you'll have the full picture—they just shouldn't show up on the exam.

Regardless of the password attack mechanism, an important differentiator between
attack methods is whether they occur online, and thus against a live system that may
have defenses in place, or if they are offline against a compromised or captured
password store. If you can capture hashed passwords from a password store, tools like
rainbow tables can be very useful and will typically be far faster than brute-force
attacks. Rainbow tables are an easily searchable database of precomputed hashes using
the same hashing methodology as the captured password file. Thus, if you captured a set
of passwords that were hashed using MD5 you could use a pre-computed hash rainbow
table to allow you to simply look up the hashed passwords.
 If you're not familiar with the concept of hashing, now is a good time
to review it. A hash is a one-way cryptographic function that takes an input and
generates a unique and repeatable output from that input. No two inputs should
ever generate the same hash, and a hash should not be reversible so that the
original input can be derived from the hash. Of course hash collisions do occur,
which leads to new hashing algorithms being designed and used. Rainbow tables
don't allow you to break hashes, but they brute-force the solution by using
computational power to create a database where hashes and the value that created
them can be looked up. You still aren't reversing the hash, but you are able to figure
out what plain text leads to that hash being created!

If you have captured a password file, you can also use a password cracker against it.
Password crackers like John the Ripper, shown in Figure 4.2, attempt to crack
passwords by trying brute-force and dictionary attacks against a variety of common
password storage formats.

FIGURE 4.2 John the Ripper

Learning how to use tools like John the Ripper can help you understand
both password cracking and how passwords are stored. You can find a variety of
exercises at https://openwall.info/wiki/john/tutorials that will get you started.

Password cracking tools like John the Ripper can also be used as password assessment
tools. Some organizations continue to periodically test for weak and easily cracked
passwords by using a password cracker on their password stores. In many cases, use of
MFA paired with password complexity requirements have largely replaced this
assessment process, and that trend is likely to continue.
Of course, not every system is well maintained, and a penetration tester or attacker's
favorite opportunity is finding plain-text or unencrypted passwords to acquire. Without
some form of protection, passwords that are just maintained in a list can be easily
acquired and reused by even the most casual of attackers. As noted earlier, using a
strong password hashing mechanism, as well as techniques like using a salt and a
pepper (additional data added to passwords before they are hashed, making it harder to
use tools like rainbow tables) can help protect passwords. In fact, best practices for
password storage don't rely on encryption; they rely on passwords never being stored
and instead using a well-constructed password hash to verify passwords at login.

If you want to learn more about secure password storage, OWASP
maintains a great cheat sheet at
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Summary
Social engineering techniques focus on human reactions and psychology to gather
information and to perform attacks against individuals and organizations. A broad
range of human vectors are used to accomplish attackers' goals.
Security professionals need to be aware of how social engineering is leveraged in attacks
like phishing, impersonation, misinformation and disinformation, and other efforts.
Each technique has its own distinctive set of social engineering techniques and impacts
that help make it unique. Test takers need to be familiar with phishing, vishing, business
email compromise, pretexting, watering hole, brand impersonation, and typosquatting
attacks as well as the broad categories of phishing and impersonation, and
misinformation.
Test takers need to be aware of brute-force password attacks that try repeatedly using a
variety of usernames and passwords until they succeed. You'll also need to know about
spraying, a type of brute-force attack that uses a list of usernames and common
passwords to try to gain access to accounts.

Exam Essentials
Many techniques are used for social engineering. Many adversarial and security
techniques rely on social engineering. Phishing and its related techniques of smishing
and vishing seek to gain information using social engineering techniques.
Misinformation and disinformation campaigns are used to change opinions and to shift
narratives. Malicious actors will impersonate whomever they need to acquire
information, to gain access or credentials, or to persuade individuals to take action.
Pretexting is often used with impersonation to provide a believable reason for the action
or request. Business email compromise and brand impersonation are both used to make
malicious emails and other communications appear legitimate and thus more likely to
fool targets into taking desired action. Watering hole attacks focus on sites that target
frequently visit, while typosquatters rely on users who make typos while entering URLs.