Chapter 2 - 05 - Understand Social Engineering Attacks - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Information Security Attacks

Exam 212-82

Behaviors Vulnerable to Attacks

Authority

n

Intimidation

@

Consensus
or Social Proof

Q//

Scarcity

n

Urgency

Familiarity or Liking

/5\

Trust.

Greed

Copyright © by

EC-{

cil Al Rights Reserved. Reproduction
is Strictly Prohibited

Behaviors Vulnerable to Attacks

Authority
Authority implies the right to exercise power in an organization. Attackers take
advantage of this by presenting themselves as a person of authority, such as a
technician or an executive, in a target organization to steal important data.

For example, an attacker can call a user on the phone and can claim to be working as a
network administrator in the target organization. The attacker then informs the victim
about a security incident in the network and asks them to provide their account
credentials to protect their data against theft. After obtaining the victim’s credentials,
the attacker steals sensitive information from the victim’s account.
Intimidation

Intimidation refers to an attempt to intimidate a victim into taking several actions by
using bullying tactics. It is usually performed by impersonating some other person and
manipulating users into disclosing sensitive information.
For example, an attacker might call the executive’s receptionist with this request:

“Mr. Tibiyani is about to give a big presentation to the customers, but he is unable to
open his files; it seems they are corrupt. He told me to call you and ask you to send the
files to me immediately so that he can start his talk.”
Consensus or Social Proof

Consensus or social proof refers to the fact that people are usually willing to like things
or do things that other people like or do.

Module 02 Page 292

Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Certified Cybersecurity Technician
Information Security Attacks

Exam 212-82

Attackers take advantage of this by doing things like creating websites and posting fake
testimonials from users about the benefits of certain products such as anti-malware
(rogueware). Therefore, if users search the Internet to download

the rogueware, they

encounter these websites and believe the forged testimonials. Further,
download the malicious product, attackers may install a trojan along with it.
=

if users

Scarcity

Scarcity implies the state of being scarce. In the context of social engineering, scarcity
often implies creating a feeling of urgency in a decision-making process. Due to this
urgency, attackers can control the information provided to victims and manipulate the
decision-making process.
For example, when Apple releases a new iPhone product that sells out and goes out of
stock, attackers can take advantage of this situation by sending a phishing email to the
target users, encouraging them to click on a link provided in the email to buy the
product. If the users click on this link, they get redirected to some malicious website
controlled by the attacker. As a result, the user might end up revealing their account
details or downloading some malicious programs such as trojans.
=

Urgency

Urgency implies encouraging people to take immediate action. Attackers
advantage of this by tricking victims into performing unintended tasks.

can

take

For example, ransomware often uses the urgency principle, which makes the victim take
urgent action under a time-limit. The victims see the countdown timer running on their
infected systems and know that failure to make the required decision within the given
time can result in the loss of important data.
Similarly, attackers can send phishing
at a low price and that to buy it, the
tricked, and they click on the link
redirected to a malicious website
downloading a virus file.
*

emails indicating that a certain product is available
user should click on the “Buy Now” link. The user is
to take immediate action. As a result, they are
and end up revealing their account details or

Familiarity or Liking
Familiarity or liking implies that people are more likely to be persuaded to do something
when they are asked by someone whom they like. This indicates that people are more
likely to buy products if they are advertised by an admired celebrity.
For example, people are more likely to allow someone to look over their shoulder if they

like that person or they are familiar with them. If people do not like the person, they
immediately recognize the shoulder surfing attack and prevent it. Similarly, people often
allow someone to tailgate them if they like that person or are familiar with them. In
some cases, social engineers use a charming smile and sweet-talk to deceive the other
person into liking them.

Module 02 Page 293

Certified Cybersecurity Technician Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Certified Cybersecurity Technician
Information Security Attacks

=

Exam 212-82

Trust

Attackers often attempt to build a trusting relationship with victims.
For example, an attacker can call a victim and introduce themself as a security expert.
Then, they may claim that they were working with XYZ company, and they noticed some
unusual

errors sent from

the victim’s system. The

attacker

builds trust by using the

company name and their experience in the security field. After establishing trust, the
attacker guides the victim to follow a series of steps to “view and disable the system

errors.” They later send an email containing a malicious file and persuade the victim to
click on and download it. Through this process, the attacker successfully installs
malware on the victim’s system, infecting it and allowing the attacker to steal important
information.
*

Greed

Some people are possessive by nature and seek to acquire vast amounts of wealth
through illegal activities. Social engineers lure their targets to divulge information by
promising something for nothing (appealing to their greed).
For example, an attacker may pretend to be a competitor and lure the employees of the
target into revealing critical information by offering a considerable reward.

Module 02 Page 294

Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Certified Cybersecurity Technician
Information Security Attacks

Exam 212-82

Impersonation
o

0O

The attacker pretends to be someone legitimate or an authorized person

Q Attackers may impersonate a legitimate or authorized person either personally or
QO
using a communication medium such as phone, email, etc.
to reveal sensitive information

Impersonation
Examples

Posing as a Legitimate End User

Posing as an Important User

The attacker gives this identity and asks
for the sensitive information

The attacker poses as a VIP of a target company,
valuable customer, etc.

“Hi! This is John from the Finance
Department. | have forgotten my
password. Can | get it?”

“Hi! This is Kevin, CFO Secretary. I'm working on an
urgent project and lost my system’s password. Can
you help me out?”
Copyright © by EC

L L All Rights Reserved. Reproduction
is Strictly Prohibited

Impersonation
Impersonation is a common human-based social engineering technique where an attacker
pretends to be a legitimate or authorized person. Attackers perform impersonation attacks
personally or use a phone or another communication medium to mislead their target and trick
them into revealing information. The attacker might impersonate a courier or delivery person,
janitor, businessman, client, technician, or they may pretend to be a visitor. Using this
technique, the attacker gathers sensitive information by scanning terminals for passwords,
searching for important documents on employees’ desks, rummaging through bins, and
through other tactics. The attacker may even try to overhear confidential conversations and
“shoulder surf” to obtain sensitive information.
Types of impersonation used in social engineering:
=

Posing as a legitimate end-user

=

Posing as an important user

=

Posing as a technical support agent

=

Posing as an internal employee, client, or vendor

=

Posing as a repairman

=

Abusing the over-helpfulness of the help desk

=®

Posing as someone with third-party authorization

=®

Posing as a tech support agent through vishing

*®

Posing as a trusted authority

Module 02 Page 295

EG-Council
Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Certified Cybersecurity Technician
Information Security Attacks

Exam 212-82

Some impersonation tricks that an attacker performs to gather sensitive information about the
target organization exploit the human nature of trust, fear, and moral obligation.
Posing as a Legitimate End User

An attacker might impersonate an employee and then resort to deviant methods to gain
access to privileged data. They may provide a false identity to obtain sensitive
information.

Another example is when a “friend” of an employee asks them to retrieve information
that a bedridden employee supposedly needs. There is a well-recognized rule in social
interaction that a favor begets a favor, even if the original “favor” is offered without a
request from the recipient. This is known as reciprocation. Corporate environments deal
with reciprocation daily. Social engineers try to take advantage of this social trait via
impersonation.
Example:
“Hi! This is John from the finance department. | have forgotten my password. Can | get

it?”

Posing as an Important User
Another behavioral factor that aids a social engineer is people’s habit of not questioning
authority. People often go out of their way for those whom they perceive to have
authority. An attacker posing as an important individual — such as a vice president or
director — can often manipulate an unprepared employee. Attackers who take
impersonation to a higher level by assuming the identity of an important employee add
an element of intimidation. The reciprocation factor also plays a role in this scenario
where lower-level employees might go out of their way to help a higher-authority. For
example, it is less likely that a help-desk employee will turn down a request from a vice
president who is hard-pressed for time and needs some vital information for a meeting.
In case an employee refuses to divulge information, social engineers may use authority

to intimidate employees and may even threaten to report the employee’s misconduct to
their supervisors. This technique assumes greater significance when the attacker
considers it a challenge to get away with impersonating an authority figure.
Example:

“Hil This is Kevin, the CFQ’s Secretary. I’'m working on an urgent project, and | forgot my
system password. Can you help me out?”
Posing as a Technical Support Agent
Another

technique

involves

an attacker

masquerading

as a technical

support

agent,

particularly when the victim is not proficient in technical areas. The attacker may
pretend to be a hardware vendor, a technician, or a computer supplier. One
demonstration at a hacker meeting had the speaker calling Starbucks and asking its
employees whether their broadband connection was properly working. The perplexed
employee replied that it was the modem that was giving them trouble. The hacker,

Module 02 Page 296

Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Certified Cybersecurity Technician
Information Security Attacks

Exam 212-82

without giving any credentials, went on to make him read out the credit card number of
the last transaction. In a corporate scenario, the attacker may ask employees to reveal
their login information, including their password, to fix a nonexistent problem.
Example:

“Sir, this is Mathew, technical support at X Company. Last night we had a system crash
here, and we are checking for lost data. Can you give me your ID and password?”
=

Posing as an Internal Employee, Client, or Vendor
The attacker usually dresses up in business clothes or another suitable uniform. They
enter an organization’s building while pretending to be a contractor, client, service
personnel, or another authorized

person. Then they roam

around

unnoticed

and look

for passwords stuck on terminals, extract critical data from wastepaper bins, papers
lying on desks, and perform other information gathering. The attacker may also
implement other social engineering techniques such as shoulder surfing (observing
users typing login credentials or other sensitive information) and eavesdropping
(purposely overhearing confidential conversations between employees) to gather
sensitive information that might help launch an attack on the organization.
*

Repairman

Computer technicians, electricians, and telephone repairpersons are generally
unsuspected people. Attackers might impersonate a technician or repair person and
enter the organization. They perform normal activities associated with their assumed
duty while looking for hidden passwords, critical information on desks, information in
trash bins, and other useful information; they sometimes even plant snooping devices in
hidden locations.

Module 02 Page 297

Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.