Chapter 2 - 05 - Understand Social Engineering Attacks - 03_ocred.pdf

Certified Cybersecurity Technician
Information Security Attacks
Exam 212-82

Impersonation (Vishing)

An impersonation technique in which the attacker tricks individuals into revealing personal and financial information using voice technology such as the telephone system, VoIP, etc.

Vishing Example: Abusing the Over-Helpfulness of Help Desks

The attacker calls a company's help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk.

"A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker a clear entrance into the corporate network."

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Impersonation (Vishing)

Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing their critical financial and personal information, and then uses that information for financial gain. The attacker uses caller ID spoofing to forge identification. In many cases, vishing includes pre-recorded messages and instructions resembling those of a legitimate financial institution. Through vishing, the attacker tricks the victim into providing bank account or credit card details for identity verification over the phone. The attacker may send a fake SMS or email message to the victim, asking the victim to call the financial institution for credit card or bank account verification. In some cases, the victim receives a voice call from the attacker.

When the victim calls the number listed in the message or receives the attacker's call, they hear recorded instructions that insist they provide personal and financial information such as name, date of birth, social security number, bank account numbers, credit card numbers, or credentials such as usernames and passwords. Once the victim provides the information, the recorded message confirms verification of the victim's account.

Discussed below are some tricks attackers use when vishing to gather sensitive information.

* Abusing the Over-Helpfulness of Help Desks

Help desks are frequently targeted for social engineering attacks for a reason. The staff members are trained to be helpful, and they often give away sensitive information such as passwords and network information without verifying the authenticity of the caller. To be effective, the attacker should know employees' names and have details about the person they are trying to impersonate. The attacker may call a company's help desk pretending to be a senior official to try to extract sensitive information from the help desk.

Module 02 Page 298

Example: A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker entrance into the corporate network.

* Third-party Authorization

Another popular technique used by an attacker is to represent themself as an agent authorized by some senior authority in an organization to obtain information on their behalf.

For instance, when an attacker knows the name of the employee in the target organization authorized to access the required information, they keep watch on that employee so that they can access the required data in the employee's absence. In this case, the attacker can approach the help desk or other personnel in the company claiming that the employee (authority figure) has requested the information. Even though there might be suspicion attached to the authenticity of the request, people tend to overlook this in favor of being helpful in the workplace. People tend to believe that others are being honest when they reference an important person, and provide the required information. This technique is particularly effective when the authority figure is on vacation or traveling, making instant verification impossible.

Example: "Hi, I am John, I spoke with Mr. XYZ last week before he went on vacation and he said that you would be able to provide me with the information in his absence. Could you help me out?"

* Tech Support

Like the impersonation of a tech support agent above, an attacker can use vishing to pretend to be a technical support staff member of the target organization's software vendor or contractor to obtain sensitive information. The attacker may pretend to troubleshoot a network problem and ask for the user ID and password of a computer to detect the problem. Believing them to be a troubleshooter, the user would provide the required information.

Example:
Attacker: "Hi, this is Mike from tech support. Some folks in your office have reported a slowdown in logging. Is this true?"
Employee: "Yes, it has seemed slow lately."
Attacker: "Well, we have moved you to a new server, and your service should be much better now. If you want to give me your password, I can check your service. Things will be better from now on."

* Trusted Authority Figure

The most effective method of social engineering is posing as a trusted authority figure. An attacker might pretend to be a fire marshal, superintendent, auditor, director, or other important figure over the phone or in person to obtain sensitive information from the target.

Example:
1. "Hi, I am John Brown. I'm with the external auditor, Arthur Sanderson. We've been requested by the corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
2. "Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car, and I've been trying to get them to outsource their security training needs to us for months. They're located just a few miles away, and I think that if I can give them a quick tour of our facilities, it would be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. It seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
3. "Hi, I'm with Aircon Express Services. We received a call that the computer room is getting too warm, so I need to check your HVAC system."

Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow them to access the targeted secured resource.
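The help desk, third-party authorization, tech support and trusted-authority tricks above all succeed for the same reason: the request is acted on before the caller's identity has been verified, and pressure (a deadline, a boss on vacation, a vendor "fixing" a slowdown) is accepted in place of verification. The following Python example is added here as an illustration and is not part of the EC-Council material. It sketches a help desk triage routine that enforces the check the text says is missing: caller ID is treated as untrusted, a reset is granted only after an outbound callback to the number of record, a request that cites an authorizer who cannot be reached is deferred rather than approved, and passwords or network details are never disclosed by phone at all. The directory entries, names and phone numbers are constructed sample data; the policy rules, field names and the `triage` function are assumptions made for this example.

```python
# Added example (not EC-Council material): help desk triage that refuses to act
# on an unverified caller. Directory entries, names and numbers are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    GRANT = "grant"    # identity verified out of band; proceed
    DEFER = "defer"    # cannot verify right now; open a ticket, take no action
    REFUSE = "refuse"  # never fulfilled by phone, whoever is asking


# Constructed directory: number of record, manager, and whether the person is
# reachable today (carol is on vacation, the case the text calls out).
DIRECTORY = {
    "alice": {"phone": "+1-555-0100", "manager": "carol", "available": True},
    "bob":   {"phone": "+1-555-0101", "manager": "carol", "available": True},
    "carol": {"phone": "+1-555-0102", "manager": None,    "available": False},
}

# Assumed policy: these are never handed out over the phone, to anyone,
# including a caller claiming to be "tech support" or the software vendor.
NEVER_BY_PHONE = {"disclose_password", "network_info"}


@dataclass
class Request:
    claimed_user: str                  # who the caller says they are
    action: str                        # e.g. "reset_password"
    caller_id: str                     # displayed number; spoofable, never evidence
    urgency_claimed: bool = False      # "my boss will fire me" style pressure
    cites_authorizer: Optional[str] = None  # "Mr. XYZ said you'd help me"
    callback_confirmed: bool = False   # desk dialed the number of record and reached the user
    authorizer_confirmed: bool = False  # authorizer reached via the directory, not via a number the caller supplied


def triage(req: Request) -> tuple[Decision, str]:
    """Decide whether a phoned-in request may be acted on, and record why."""
    # Urgency is noted for the audit trail but never changes the outcome.
    note = " (urgency claimed; ignored)" if req.urgency_claimed else ""

    if req.action in NEVER_BY_PHONE:
        return Decision.REFUSE, "policy: never disclosed by phone" + note

    if req.claimed_user not in DIRECTORY:
        return Decision.REFUSE, "unknown user" + note

    # Only an outbound callback to the number of record verifies identity;
    # a matching caller ID does not, because caller ID can be forged.
    if req.callback_confirmed:
        return Decision.GRANT, "identity confirmed via callback to number of record" + note

    if req.cites_authorizer:
        authorizer = DIRECTORY.get(req.cites_authorizer)
        if authorizer is None:
            return Decision.REFUSE, "cited authorizer not in directory" + note
        if req.authorizer_confirmed:
            return Decision.GRANT, f"authorized by {req.cites_authorizer} via directory callback" + note
        if not authorizer["available"]:
            # The unreachable boss is exactly what makes the trick work,
            # so unavailability defers the request instead of approving it.
            return Decision.DEFER, f"{req.cites_authorizer} unavailable; ticket opened, no action" + note
        return Decision.DEFER, "authorizer not yet confirmed" + note

    return Decision.DEFER, "callback to number of record required" + note


def run_scenarios() -> list[Decision]:
    """Replay the tricks from the text as constructed requests."""
    scenarios = [
        # Forgotten password, deadline pressure, caller ID shows alice's own number.
        Request("alice", "reset_password", "+1-555-0100", urgency_claimed=True),
        # Same request after the desk called alice back on her number of record.
        Request("alice", "reset_password", "+1-555-0100", callback_confirmed=True),
        # "John" says carol (on vacation) told him bob's reset could be done in her absence.
        Request("bob", "reset_password", "+1-555-0199", cites_authorizer="carol"),
        # "Mike from tech support" asks for the password to "check the service".
        Request("alice", "disclose_password", "+1-555-0300", callback_confirmed=True),
    ]
    results = []
    for req in scenarios:
        decision, reason = triage(req)
        print(f"{req.claimed_user:6} {req.action:18} -> {decision.value:6} {reason}")
        results.append(decision)
    return results


if __name__ == "__main__":
    run_scenarios()
```

The important design choice is that nothing the caller supplies (displayed caller ID, a name-drop, a deadline, a phone number to "call me back on") ever counts as evidence; only contact initiated by the help desk through its own directory does. Running the block prints the four outcomes: the urgent reset is deferred, the callback-confirmed reset is granted, the request citing the vacationing manager is deferred, and the "tech support" password request is refused even though the user's identity was confirmed.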
Eavesdropping, Shoulder Surfing, and Dumpster Diving

* Eavesdropping: Unauthorized listening to conversations, or reading of messages; interception of audio, video, or written communication.
* Shoulder Surfing: Direct observation techniques, such as looking over someone's shoulder to get information such as passwords, PINs, account numbers, etc.
* Dumpster Diving: Looking for treasure in someone else's trash.

Eavesdropping

Eavesdropping refers to an unauthorized person listening to a conversation or reading others' messages. It includes the interception of any form of communication, including audio, video, or written, using channels such as telephone lines, email, and instant messaging. An attacker can obtain sensitive information such as passwords, business plans, phone numbers, and addresses.

Shoulder Surfing

Shoulder surfing is the technique of looking over someone's shoulder as they key information into a device. Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. They sometimes even use binoculars and other optical devices or install small cameras to record the actions performed on the victim's system to obtain login details and other sensitive information.

Dumpster Diving

Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. Attackers can then use this information to perform various malicious activities.

Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as impersonating a repair person, technician, cleaner, or other legitimate worker.

Information that attackers can obtain by searching through trash bins includes:

* Phone lists: Disclose employees' names and contact numbers.
* Organizational charts: Disclose details about the structure of the company, physical infrastructure, server rooms, restricted areas, and other organizational data.
* Email printouts, notes, faxes, and memos: Reveal personal details of an employee, passwords, contacts, inside working operations, certain useful instructions, and other data.
* Policy manuals: Reveal information regarding employment, system use, and operations.
* Event notes, calendars, or computer use logs: Reveal information regarding the user's log-on and log-off timings, which helps the attacker decide on the best time to plan their attack.
