
Chapter 2 - 05 - Understand Social Engineering Attacks - 05_ocred.pdf


Certified Cybersecurity Technician, Information Security Attacks, Exam 212-82

Types of Phishing

Slide summary:
- Spear Phishing: a targeted phishing attack aimed at specific individuals within an organization.
- Whaling: an attacker targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information.
- Pharming: the attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server.
- Spimming: a variant of spam that exploits Instant Messaging platforms to flood spam across the networks.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Spear Phishing

Instead of sending out thousands of emails, some attackers opt for “spear phishing” and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Spear phishing messages seem to come from a trusted source with an official-looking website. The email also appears to be from an individual from the recipient's company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate than a normal phishing attack, as it appears to come from a trusted company source.

Whaling

A whaling attack is a type of phishing that targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.

Module 02 Page 307

Pharming

Pharming is a social engineering technique in which the attacker executes malicious programs on a victim's computer or server, and when the victim enters any URL or domain name, it automatically redirects the victim's traffic to an attacker-controlled website. This attack is also known as “Phishing without a Lure.” The attacker steals confidential information like credentials, banking details, and other information related to web-based services. A pharming attack can be performed in two ways: DNS Cache Poisoning and Host File Modification.

DNS Cache Poisoning:
- The attacker performs DNS cache poisoning on the targeted DNS server.
- The attacker modifies the IP address of the target website “www.targetwebsite.com” to that of a fake website “www.hackerwebsite.com.”
- When the victim enters the target website's URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.
- The DNS server returns a fake IP address that was already modified by the attacker.
- Finally, the victim is redirected to the fake website.

Host File Modification:
- An attacker sends malicious code as an email attachment.
- When the user clicks on the attachment, the code executes and modifies the local hosts file on the user's computer.
- When the victim enters the target website's URL in the browser's address bar, the compromised hosts file automatically redirects the user's traffic to the fraudulent website controlled by the hacker.

Pharming attacks can also be performed using malware like Trojan horses or worms.

Spimming

SPIM (Spam over Instant Messaging) exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called a spimmer. Spimmers generally make use of bots (applications that execute automated tasks over the network) to harvest Instant Message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.

Credential Harvesting and Typosquatting

Slide summary:
- Credential Harvesting: attackers employ TTPs such as phishing campaigns, password dumping tools, and MITM attacks to perform credential stuffing. Using this technique, attackers not only steal the victim's credentials but also sell the victim's personal and financial information on the dark web.
- Typosquatting: attackers register domain names with intentionally misspelled versions of well-known websites to send unsuspecting visitors to malicious websites. When a victim enters a misspelled URL on the web browser, the web browser automatically loads a malicious website controlled by the attacker, and the victim is lured into entering their sensitive details.

Credential Harvesting

Attackers perform credential harvesting to steal the login credentials and other critical information of the target users. Attackers employ advanced tactics, techniques, and procedures (TTPs) such as phishing campaigns, password dumping tools, and man-in-the-middle (MITM) attacks to perform credential harvesting. Using these techniques, attackers not only steal the victim's credentials but also sell the victim's personal and financial information on the dark web.

To perform credential harvesting, an attacker generally creates phishing campaigns that include urgent notifications demanding immediate action. For example, an attacker can send a phishing email to the victim stating, “Your official account has been blocked temporarily. Kindly click on the link below to re-activate,” along with a malicious link below the message. When the victim clicks on the malicious link, it redirects them to a phishing website that resembles a legitimate website, thereby luring the victim into entering their personal and financial details.

Typosquatting

Typosquatting is a type of cybersquatting in which the attackers target Internet users who make typographical errors while entering a URL into their web browser. Attackers register domain names with intentionally misspelled versions of well-known websites to send unsuspecting visitors to malicious websites. When a victim enters a misspelled URL on the web browser, the web browser automatically loads a malicious website controlled by the attacker. Subsequently, the victim is lured into entering their sensitive details such as login credentials and credit-card information.

Generally, the victims visit the malicious websites in one of two different ways:
- Unintentionally mistyping a legitimate URL in their web browsers; for example, “gooogle.com” instead of “google.com”
- Being tricked as part of a larger phishing attack

Attackers may use typosquatting as part of phishing and pharming attacks. In some cases, attackers also hijack sub-domains of a legitimate domain to create trust in the victim.

Elicitation

Slide summary: a technique of extracting information from the victim by drawing them into normal and disarming conversations. The attacker needs to create complex cover stories, plan, and may even need to involve co-conspirators.

Technique               | Example
------------------------+-----------------------------------------------------------------------------------
Use of Flattery         | “You are the top-notch guy handling the project” and “I'll bet you are the clever brains behind the success of the company.”
Bracketing              | “I'd guess the security of your company is pretty tight. I would assume you have ten surveillance cameras in the premises.”
Use of False Statements | “I heard that your company has fifty systems, two servers, and a printer placed in a single room. People say that room is like Fort Knox! Nobody can get in.”
Artificial Ignorance    | “I don't know anything about project development, but I'll bet you know everything about the project development process.”
The Sounding Board      | The attacker listens to the target's feelings and provides positive or negative judgment about their feelings. This creates trust between the attacker and the victim, and the victim starts sharing additional information.

Elicitation is a technique of extracting information from the victim by drawing them into normal and disarming conversations. To use this technique, the attacker must possess good social skills to take advantage of professional or social opportunities and communicate with persons having access to sensitive information. To perform elicitation, the attacker needs to initiate a casual conversation with the target user to extract information without making them feel that they are being socially engineered. Further, to use this technique, the attacker needs to create complex cover stories, plan, and may even need to involve co-conspirators.

- Use of flattery: The attacker can use flattery to sweet-talk the target user into offering sensitive information. For example, the attacker can use statements such as “You are the top-notch guy handling the project,” or “I'll bet you are the clever brains behind the success of the company.” Such statements facilitate the elicitation process and have proven very effective in many scenarios.
- Bracketing: The attacker can use bracketing for elicitation to retrieve more precise information about the target organization. The attacker can mention highly or slightly inaccurate information to tempt the user into responding with more specific information. For example, if the attacker wants to know the number of surveillance cameras connected in the company, they might say to the target user, “I'd guess the security of your company is pretty tight. I would assume you have ten surveillance cameras in the premises.”
- Use of false statements: The attacker can use false statements while communicating with the target user so that the target user will correct the statement and volunteer correct information. For example, the attacker can use statements such as the following: “I heard that your company has fifty systems, two servers, and a printer placed in a single room. People say that room is like Fort Knox! Nobody can get in.”
- Artificial ignorance: The attacker can use artificial ignorance as an elicitation technique so that the victim will teach and educate the attacker about the relevant information. For example, the attacker can use statements such as the following: “I don't know anything about project development, but I'll bet you know everything about the project development process.”
- The sounding board: The attacker can use the sounding board technique to take advantage of the behavior of the target user. When a person reveals their feelings to another person, an immediate kinship is formed. As a result, they will be ready to share more information, even with a stranger. To use this technique, the attacker needs to be patient while communicating with the target user, listen to their feelings, and provide positive or negative judgment about their feelings. This creates trust between the attacker and the victim, and the victim starts sharing additional information with the attacker.
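The host file modification steps in the pharming section above leave a concrete footprint: an entry in the local hosts file that sends a well-known site to an address it should never resolve to. The following defensive check is an added example, not course code; it parses hosts-file text and reports monitored domains (a constructed list that includes the page's www.targetwebsite.com) redirected to a real address, while leaving ad-blocker sinkhole entries alone.

```python
"""Added example (not course code): parse hosts-file content and report any
monitored domain that the file redirects to a real address, the footprint of
the host file modification step described in the pharming section above.
"""
import ipaddress

# Constructed list of sites whose resolution the local hosts file should
# never override (the page's www.targetwebsite.com plus one more).
MONITORED = {"www.targetwebsite.com", "bank.example.com"}

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((name.lower(), ip) for name in names)
    return pairs

def suspicious_overrides(text: str, monitored: set[str] = MONITORED) -> list[tuple[str, str]]:
    """Entries that send a monitored domain somewhere real. Loopback and
    unspecified targets (127.0.0.1, 0.0.0.0, ::1) are ad-blocker sinkholes,
    not redirects, so they are not reported."""
    hits = []
    for name, ip in parse_hosts(text):
        if name not in monitored:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))                  # malformed entry: still worth a look
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, ip))
    return hits

# Constructed hosts-file content: a normal entry, two sinkholes, and one
# pharming-style redirect of a monitored site to a TEST-NET address.
SAMPLE_HOSTS_FILE = """\
127.0.0.1   localhost
0.0.0.0     ads.example.net
127.0.0.1   bank.example.com        # sinkhole, not a redirect
203.0.113.7 www.targetwebsite.com   # redirected to an attacker-style address
"""

if __name__ == "__main__":
    for name, ip in suspicious_overrides(SAMPLE_HOSTS_FILE):
        print(f"{name} is overridden to {ip}")
```

On a live system, feed the contents of /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts to suspicious_overrides; on an unmodified machine the result should be empty.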
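The typosquatting section above gives “gooogle.com” for “google.com” as the canonical mistyped URL. The detector below is an added example, not course code: it generates the common typo classes (omission, repetition, transposition, adjacent key) for a protected domain and flags observed hostnames, e.g. from a proxy or DNS log, that match one, so they can be blocked or alerted on; the QWERTY map and sample hostnames are constructed for the example.

```python
"""Added example (not course code): generate common typo variants of a
protected domain (omission, repetition, transposition, adjacent key) and
flag observed hostnames, e.g. from a proxy log, that match one of them.
"""

# Rough QWERTY neighbour map, used only for adjacent-key substitutions.
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

def typo_variants(domain: str) -> set[str]:
    """Return typo variants of a domain; the part before the last dot is
    treated as the label (a simplification that ignores suffixes like co.uk)."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omission: gogle
        out.add(label[:i] + ch + label[i:])                      # repetition: gooogle
        if i + 1 < len(label):                                   # transposition: gogole
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in QWERTY.get(ch, ""):                          # adjacent key: goofle
            out.add(label[:i] + near + label[i + 1:])
    out.discard(label)
    return {v + "." + tld for v in out if v}

def find_lookalikes(observed: list[str], protected: list[str]) -> dict[str, str]:
    """Map each observed hostname that is a typo variant of a protected domain
    to the domain it imitates; exact matches are legitimate and skipped."""
    hits = {}
    for good in protected:
        variants = typo_variants(good)
        for seen in observed:
            seen = seen.lower().rstrip(".")
            if seen != good and seen in variants:
                hits[seen] = good
    return hits

# Constructed sample hostnames, as they might appear in a web proxy log.
SAMPLE_HOSTS = ["google.com", "gooogle.com", "example.org", "gogle.com", "paypa1.com"]

if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_HOSTS, ["google.com", "paypal.com"]).items():
        print(f"{bad} looks like {good}")
```

Note that digit and homoglyph substitutions such as paypa1.com are outside the adjacent-key map, so this check catches mistyping-style squats and needs a separate homoglyph table for the deliberate lookalikes a phishing campaign may use.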
