Chapter 2 - 05 - Understand Social Engineering Attacks PDF
This document discusses various social engineering attacks, such as authority, intimidation, consensus, scarcity, urgency, and familiarity, used to gain sensitive information from victims. The document explains how attackers leverage psychological principles to manipulate individuals into performing unintended tasks.
Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Behaviors Vulnerable to Attacks

- Authority
- Intimidation
- Consensus or Social Proof
- Scarcity
- Urgency
- Familiarity or Liking
- Trust
- Greed

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Behaviors Vulnerable to Attacks

Authority

Authority implies the right to exercise power in an organization. Attackers take advantage of this by presenting themselves as a person of authority, such as a technician or an executive, in a target organization to steal important data. For example, an attacker can call a user on the phone and claim to be working as a network administrator in the target organization. The attacker then informs the victim about a security incident in the network and asks them to provide their account credentials to protect their data against theft. After obtaining the victim’s credentials, the attacker steals sensitive information from the victim’s account.

Intimidation

Intimidation refers to an attempt to intimidate a victim into taking several actions by using bullying tactics. It is usually performed by impersonating some other person and manipulating users into disclosing sensitive information. For example, an attacker might call the executive’s receptionist with this request: “Mr. Tibiyani is about to give a big presentation to the customers, but he is unable to open his files; it seems they are corrupt. He told me to call you and ask you to send the files to me immediately so that he can start his talk.”

Consensus or Social Proof

Consensus or social proof refers to the fact that people are usually willing to like things or do things that other people like or do.

Module 02 Page 292 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Attackers take advantage of this by doing things like creating websites and posting fake testimonials from users about the benefits of certain products such as anti-malware (rogueware). Therefore, if users search the Internet to download the rogueware, they encounter these websites and believe the forged testimonials. Further, if users download the malicious product, attackers may install a trojan along with it.

Scarcity

Scarcity implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process. Due to this urgency, attackers can control the information provided to victims and manipulate the decision-making process. For example, when Apple releases a new iPhone product that sells out and goes out of stock, attackers can take advantage of this situation by sending a phishing email to the target users, encouraging them to click on a link provided in the email to buy the product. If the users click on this link, they get redirected to a malicious website controlled by the attacker. As a result, the user might end up revealing their account details or downloading malicious programs such as trojans.

Urgency

Urgency implies encouraging people to take immediate action. Attackers can take advantage of this by tricking victims into performing unintended tasks. For example, ransomware often uses the urgency principle, which makes the victim take urgent action under a time limit. The victims see the countdown timer running on their infected systems and know that failure to make the required decision within the given time can result in the loss of important data. Similarly, attackers can send phishing emails indicating that a certain product is available at a low price and that to buy it, the user should click on the “Buy Now” link. The user is tricked into taking immediate action, and they click on the link. As a result, they are redirected to a malicious website and end up revealing their account details or downloading a virus file.

Familiarity or Liking

Familiarity or liking implies that people are more likely to be persuaded to do something when they are asked by someone whom they like. This indicates that people are more likely to buy products if they are advertised by an admired celebrity. For example, people are more likely to allow someone to look over their shoulder if they like that person or are familiar with them. If people do not like the person, they immediately recognize the shoulder surfing attack and prevent it. Similarly, people often allow someone to tailgate them if they like that person or are familiar with them. In some cases, social engineers use a charming smile and sweet talk to deceive the other person into liking them.

Trust

Attackers often attempt to build a trusting relationship with victims. For example, an attacker can call a victim and introduce themself as a security expert. Then, they may claim that they were working with XYZ company and that they noticed some unusual errors sent from the victim’s system. The attacker builds trust by using the company name and their experience in the security field. After establishing trust, the attacker guides the victim to follow a series of steps to “view and disable the system errors.” They later send an email containing a malicious file and persuade the victim to click on and download it. Through this process, the attacker successfully installs malware on the victim’s system, infecting it and allowing the attacker to steal important information.
Greed

Some people are possessive by nature and seek to acquire vast amounts of wealth through illegal activities. Social engineers lure their targets to divulge information by promising something for nothing (appealing to their greed). For example, an attacker may pretend to be a competitor and lure the employees of the target into revealing critical information by offering a considerable reward.

Impersonation

- The attacker pretends to be someone legitimate or an authorized person
- Attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone, email, etc. to reveal sensitive information

Impersonation Examples

Posing as a Legitimate End User: The attacker gives this identity and asks for the sensitive information. “Hi! This is John from the Finance Department. I have forgotten my password. Can I get it?”

Posing as an Important User: The attacker poses as a VIP of a target company, valuable customer, etc. “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system’s password. Can you help me out?”

Impersonation

Impersonation is a common human-based social engineering technique where an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use a phone or another communication medium to mislead their target and trick them into revealing information. The attacker might impersonate a courier or delivery person, janitor, businessman, client, technician, or they may pretend to be a visitor.
Using this technique, the attacker gathers sensitive information by scanning terminals for passwords, searching for important documents on employees’ desks, rummaging through bins, and through other tactics. The attacker may even try to overhear confidential conversations and “shoulder surf” to obtain sensitive information.

Types of impersonation used in social engineering:

- Posing as a legitimate end-user
- Posing as an important user
- Posing as a technical support agent
- Posing as an internal employee, client, or vendor
- Posing as a repairman
- Abusing the over-helpfulness of the help desk
- Posing as someone with third-party authorization
- Posing as a tech support agent through vishing
- Posing as a trusted authority

Some impersonation tricks that an attacker performs to gather sensitive information about the target organization exploit the human nature of trust, fear, and moral obligation.

Posing as a Legitimate End User

An attacker might impersonate an employee and then resort to deviant methods to gain access to privileged data. They may provide a false identity to obtain sensitive information. Another example is when a “friend” of an employee asks them to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original “favor” is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation daily. Social engineers try to take advantage of this social trait via impersonation.

Example: “Hi! This is John from the finance department. I have forgotten my password. Can I get it?”

Posing as an Important User

Another behavioral factor that aids a social engineer is people’s habit of not questioning authority. People often go out of their way for those whom they perceive to have authority. An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee. Attackers who take impersonation to a higher level by assuming the identity of an important employee add an element of intimidation. The reciprocation factor also plays a role in this scenario, where lower-level employees might go out of their way to help a higher authority. For example, it is less likely that a help-desk employee will turn down a request from a vice president who is hard-pressed for time and needs some vital information for a meeting. In case an employee refuses to divulge information, social engineers may use authority to intimidate employees and may even threaten to report the employee’s misconduct to their supervisors. This technique assumes greater significance when the attacker considers it a challenge to get away with impersonating an authority figure.

Example: “Hi! This is Kevin, the CFO’s Secretary. I’m working on an urgent project, and I forgot my system password. Can you help me out?”

Posing as a Technical Support Agent

Another technique involves an attacker masquerading as a technical support agent, particularly when the victim is not proficient in technical areas. The attacker may pretend to be a hardware vendor, a technician, or a computer supplier. One demonstration at a hacker meeting had the speaker calling Starbucks and asking its employees whether their broadband connection was properly working. The perplexed employee replied that it was the modem that was giving them trouble. The hacker, without giving any credentials, went on to make him read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including their password, to fix a nonexistent problem.

Example: “Sir, this is Mathew, technical support at X Company. Last night we had a system crash here, and we are checking for lost data. Can you give me your ID and password?”

Posing as an Internal Employee, Client, or Vendor

The attacker usually dresses up in business clothes or another suitable uniform. They enter an organization’s building while pretending to be a contractor, client, service personnel, or another authorized person. Then they roam around unnoticed and look for passwords stuck on terminals, extract critical data from wastepaper bins and papers lying on desks, and perform other information gathering. The attacker may also implement other social engineering techniques such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposely overhearing confidential conversations between employees) to gather sensitive information that might help launch an attack on the organization.

Repairman

Computer technicians, electricians, and telephone repairpersons are generally unsuspected people. Attackers might impersonate a technician or repair person and enter the organization. They perform normal activities associated with their assumed duty while looking for hidden passwords, critical information on desks, information in trash bins, and other useful information; they sometimes even plant snooping devices in hidden locations.