
Chapter 2 - 05 - Understand Social Engineering Attacks_fax_ocred.pdf



Certified Cybersecurity Technician
Information Security Attacks
Exam 212-82

Module Flow

* Understand Information Security Attacks
* Understand Social Engineering Attacks
* Describe Hacking Methodologies and Frameworks
* Understand Network-level Attacks
* Understand Wireless Network-specific Attacks
* Understand Application-level and OS-level Attacks
* Understand IoT, OT, and Cloud Attacks
* Understand Cryptographic Attacks

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Understand Social Engineering Attacks

Attackers implement various social engineering techniques to gather sensitive information from people or organizations that might help them to commit fraud or participate in other criminal activities. This section discusses various social engineering techniques used by attackers and includes examples for a better understanding.

Module 02 Page 287

What is Social Engineering?

* Social engineering is the art of convincing people to reveal confidential information.
* Social engineers depend on the fact that people are unaware of the valuable information to which they have access and are careless about protecting it.

Before performing a social engineering attack, the attacker gathers information about the target organization from various sources such as:

* The organization's official websites, where employees' IDs, names, and email addresses are shared.
* Advertisements of the target organization cast through media, which reveal information such as products and offers.
* Blogs, forums, and other online spaces where employees share basic personal and organizational information.
After gathering information, an attacker executes social engineering attacks using various approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and other methods.

Social engineering is the art of manipulating people to divulge sensitive information in order to use it for some malicious action. Despite security policies, attackers can compromise an organization's sensitive information by using social engineering, which targets the weakness of people. Most often, employees are not even aware of a security lapse on their part and inadvertently reveal the organization's critical information, for instance by unwittingly answering strangers' questions or replying to spam email.

To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that the victims might not even notice the fraud. Attackers always look for new ways to access information. They also ensure that they know the organization's perimeter and the people on its perimeter, such as security guards, receptionists, and help-desk workers, to exploit human oversight. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities. For instance, a man in a uniform carrying a pile of packages for delivery will be perceived as a delivery person. With the help of social engineering tricks, attackers succeed in obtaining confidential information, authorization, and access details from people by deceiving and manipulating human vulnerability.
Common Targets of Social Engineering

* Receptionists and Help-Desk Personnel
* Technical Support Executives
* System Administrators
* Users and Clients
* Vendors of the Target Organization
* Senior Executives

A social engineer uses the vulnerability of human nature as their most effective tool. Usually, people believe and trust others and derive fulfillment from helping the needy. Discussed below are the most common targets of social engineering in an organization:

* Receptionists and Help-Desk Personnel: Social engineers generally target service-desk or help-desk personnel by tricking them into divulging confidential information about the organization. To extract information, such as a phone number or password, the attacker first wins the trust of the individual with the information. On winning their trust, the attacker manipulates them to get valuable information. Receptionists and help-desk staff may readily share information if they feel they are doing so to help a customer.
* Technical Support Executives: Another target of social engineers is technical support executives. The social engineers may take the approach of contacting technical support executives to obtain sensitive information by pretending to be senior management, customers, vendors, or other figures.
* System Administrators: A system administrator in an organization is responsible for maintaining the systems. Thus, they may have critical information, such as the type and version of the OS and admin passwords, that could be helpful for an attacker in planning an attack.
* Users and Clients: Attackers could approach users and clients of the target organization, pretending to be a tech support person, to extract sensitive information.
* Vendors of the Target Organization: Attackers may also target the vendors of the target organization to gain critical information that could help in executing attacks.
* Senior Executives: Attackers could also approach senior executives from various departments such as Finance, HR, and CxOs to obtain critical information about the organization.

Behaviors Vulnerable to Attacks

* Authority
* Intimidation
* Consensus or Social Proof
* Scarcity
* Urgency
* Familiarity or Liking
* Trust
* Greed

Authority

Authority implies the right to exercise power in an organization. Attackers take advantage of this by presenting themselves as a person of authority, such as a technician or an executive, in a target organization to steal important data. For example, an attacker can call a user on the phone and claim to be working as a network administrator in the target organization. The attacker then informs the victim about a security incident in the network and asks them to provide their account credentials to protect their data against theft. After obtaining the victim's credentials, the attacker steals sensitive information from the victim's account.

Intimidation

Intimidation refers to an attempt to intimidate a victim into taking several actions by using bullying tactics. It is usually performed by impersonating some other person and manipulating users into disclosing sensitive information.
For example, an attacker might call the executive's receptionist with this request: "Mr. Tibiyani is about to give a big presentation to the customers, but he is unable to open his files; it seems they are corrupt. He told me to call you and ask you to send the files to me immediately so that he can start his talk."

Consensus or Social Proof

Consensus or social proof refers to the fact that people are usually willing to like things or do things that other people like or do. Attackers take advantage of this by doing things like creating websites and posting fake testimonials from users about the benefits of certain products such as anti-malware (rogueware). Therefore, if users search the Internet to download the rogueware, they encounter these websites and believe the forged testimonials. Further, if users download the malicious product, attackers may install a trojan along with it.

Scarcity

Scarcity implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process. Due to this urgency, attackers can control the information provided to victims and manipulate the decision-making process. For example, when Apple releases a new iPhone product that sells out and goes out of stock, attackers can take advantage of this situation by sending a phishing email to the target users, encouraging them to click on a link provided in the email to buy the product. If the users click on this link, they get redirected to some malicious website controlled by the attacker. As a result, the user might end up revealing their account details or downloading some malicious programs such as trojans.

Urgency

Urgency implies encouraging people to take immediate action.
Attackers can take advantage of this by tricking victims into performing unintended tasks. For example, ransomware often uses the urgency principle, which makes the victim take urgent action under a time limit. The victims see the countdown timer running on their infected systems and know that failure to make the required decision within the given time can result in the loss of important data. Similarly, attackers can send phishing emails indicating that a certain product is available at a low price and that to buy it, the user should click on the "Buy Now" link. The user is tricked into taking immediate action and clicks on the link. As a result, they are redirected to a malicious website and end up revealing their account details or downloading a virus file.

Familiarity or Liking

Familiarity or liking implies that people are more likely to be persuaded to do something when they are asked by someone whom they like. This indicates that people are more likely to buy products if they are advertised by an admired celebrity. For example, people are more likely to allow someone to look over their shoulder if they like that person or they are familiar with them. If people do not like the person, they immediately recognize the shoulder surfing attack and prevent it. Similarly, people often allow someone to tailgate them if they like that person or are familiar with them. In some cases, social engineers use a charming smile and sweet-talk to deceive the other person into liking them.

Trust

Attackers often attempt to build a trusting relationship with victims. For example, an attacker can call a victim and introduce themself as a security expert.
Then, they may claim that they were working with XYZ company, and they noticed some unusual errors sent from the victim's system. The attacker builds trust by using the company name and their experience in the security field. After establishing trust, the attacker guides the victim to follow a series of steps to "view and disable the system errors." They later send an email containing a malicious file and persuade the victim to click on and download it. Through this process, the attacker successfully installs malware on the victim's system, infecting it and allowing the attacker to steal important information.

Greed

Some people are possessive by nature and seek to acquire vast amounts of wealth through illegal activities. Social engineers lure their targets to divulge information by promising something for nothing (appealing to their greed). For example, an attacker may pretend to be a competitor and lure the employees of the target into revealing critical information by offering a considerable reward.

Impersonation

* The attacker pretends to be someone legitimate or an authorized person.
* Attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone, email, etc. to get the target to reveal sensitive information.

Impersonation Examples

* Posing as a Legitimate End User: The attacker gives this identity and asks for the sensitive information. "Hi! This is John from the Finance Department. I have forgotten my password. Can I get it?"
* Posing as an Important User: The attacker poses as a VIP of a target company, valuable customer, etc. "Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system's password. Can you help me out?"
Impersonation is a common human-based social engineering technique where an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use a phone or another communication medium to mislead their target and trick them into revealing information. The attacker might impersonate a courier or delivery person, janitor, businessman, client, technician, or they may pretend to be a visitor. Using this technique, the attacker gathers sensitive information by scanning terminals for passwords, searching for important documents on employees' desks, rummaging through bins, and through other tactics. The attacker may even try to overhear confidential conversations and "shoulder surf" to obtain sensitive information.

Types of impersonation used in social engineering:

* Posing as a legitimate end-user
* Posing as an important user
* Posing as a technical support agent
* Posing as an internal employee, client, or vendor
* Posing as a repairman
* Abusing the over-helpfulness of the help desk
* Posing as someone with third-party authorization
* Posing as a tech support agent through vishing
* Posing as a trusted authority

Some impersonation tricks that an attacker performs to gather sensitive information about the target organization exploit the human nature of trust, fear, and moral obligation.

Posing as a Legitimate End User

An attacker might impersonate an employee and then resort to deviant methods to gain access to privileged data. They may provide a false identity to obtain sensitive information. Another example is when a "friend" of an employee asks them to retrieve information that a bedridden employee supposedly needs.
There is a well-recognized rule in social interaction that a favor begets a favor, even if the original "favor" is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation daily. Social engineers try to take advantage of this social trait via impersonation.

Example: "Hi! This is John from the finance department. I have forgotten my password. Can I get it?"

Posing as an Important User

Another behavioral factor that aids a social engineer is people's habit of not questioning authority. People often go out of their way for those whom they perceive to have authority. An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee. Attackers who take impersonation to a higher level by assuming the identity of an important employee add an element of intimidation. The reciprocation factor also plays a role in this scenario, where lower-level employees might go out of their way to help a higher authority. For example, it is less likely that a help-desk employee will turn down a request from a vice president who is hard-pressed for time and needs some vital information for a meeting. In case an employee refuses to divulge information, social engineers may use authority to intimidate employees and may even threaten to report the employee's misconduct to their supervisors. This technique assumes greater significance when the attacker considers it a challenge to get away with impersonating an authority figure.

Example: "Hi! This is Kevin, the CFO's Secretary. I'm working on an urgent project, and I forgot my system password. Can you help me out?"

Posing as a Technical Support Agent

Another technique involves an attacker masquerading as a technical support agent, particularly when the victim is not proficient in technical areas. The attacker may pretend to be a hardware vendor, a technician, or a computer supplier.
One demonstration at a hacker meeting had the speaker calling Starbucks and asking its employees whether their broadband connection was properly working. The perplexed employee replied that it was the modem that was giving them trouble. The hacker, without giving any credentials, went on to make him read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including their password, to fix a nonexistent problem.

Example: "Sir, this is Mathew, technical support at X Company. Last night we had a system crash here, and we are checking for lost data. Can you give me your ID and password?"

Posing as an Internal Employee, Client, or Vendor

The attacker usually dresses up in business clothes or another suitable uniform. They enter an organization's building while pretending to be a contractor, client, service personnel, or another authorized person. Then they roam around unnoticed and look for passwords stuck on terminals, extract critical data from wastepaper bins and papers lying on desks, and perform other information gathering. The attacker may also implement other social engineering techniques such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposely overhearing confidential conversations between employees) to gather sensitive information that might help launch an attack on the organization.

Posing as a Repairman

Computer technicians, electricians, and telephone repairpersons are generally unsuspected people. Attackers might impersonate a technician or repair person and enter the organization.
They perform normal activities associated with their assumed duty while looking for hidden passwords, critical information on desks, information in trash bins, and other useful information; they sometimes even plant snooping devices in hidden locations.

Impersonation (Vishing)

* An impersonation technique in which the attacker tricks individuals into revealing personal and financial information using voice technology such as the telephone system, VoIP, etc.
* Abusing the Over-Helpfulness of Help Desks: The attacker calls a company's help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk.
* Vishing Example: "A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker a clear entrance into the corporate network."

Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing their critical financial and personal information and uses the information for financial gain. The attacker uses caller ID spoofing to forge identification. In many cases, vishing includes pre-recorded messages and instructions resembling a legitimate financial institution. Through vishing, the attacker tricks the victim into providing bank account or credit card details for identity verification over the phone.
The attacker may send a fake SMS or email message to the victim, asking the victim to call the financial institution for credit card or bank account verification. In some cases, the victim receives a voice call from the attacker. When the victim calls the number listed in the message or receives the attacker's call, they hear recorded instructions that insist they provide personal and financial information like name, date of birth, social security number, bank account numbers, credit card numbers, or credentials like usernames and passwords. Once the victim provides the information, the recorded message confirms verification of the victim's account.

Discussed below are some tricks attackers use when vishing to gather sensitive information.

Abusing the Over-Helpfulness of the Help Desk

Help desks are frequently targeted for social engineering attacks for a reason. The staff members are trained to be helpful, and they often give away sensitive information such as passwords and network information without verifying the authenticity of the caller. To be effective, the attacker should know employees' names and have details about the person they are trying to impersonate. The attacker may call a company's help desk pretending to be a senior official to try to extract sensitive information out of the help desk.

Example: A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker entrance into the corporate network.
Third-party Authorization

Another popular technique used by an attacker is to represent themself as an agent authorized by some senior authority in an organization to obtain information on their behalf. For instance, when an attacker knows the name of the employee in the target organization authorized to access the required information, they keep a vigil on them so that they can access the required data in the absence of the concerned employee. In this case, the attacker can approach the help desk or other personnel in the company claiming that the employee (authority figure) has requested the information. Even though there might be suspicion attached to the authenticity of the request, people tend to overlook this in favor of being helpful in the workplace. People tend to believe that others are being honest when they reference an important person, and they provide the required information. This technique is effective, particularly when the authority figure is on vacation or traveling, making instant verification impossible.

Example: "Hi, I am John. I spoke with Mr. XYZ last week before he went on vacation, and he said that you would be able to provide me with the information in his absence. Could you help me out?"

Tech Support

Like the impersonation of a tech support agent above, an attacker can use vishing to pretend to be a technical support staff member of the target organization's software vendor or contractor to obtain sensitive information. The attacker may pretend to troubleshoot a network problem and ask for the user ID and password of a computer to detect the problem. Believing them to be a troubleshooter, the user would provide the required information.

Example:

Attacker: "Hi, this is Mike from tech support. Some folks in your office have reported a slowdown in logging. Is this true?"
Employee: "Yes, it has seemed slow lately."
Attacker: "Well, we have moved you to a new server, and your service should be much better now.
If you want to give me your password, I can check your service. Things will be better from now on."

Trusted Authority Figure

The most effective method of social engineering is posing as a trusted authority figure. An attacker might pretend to be a fire marshal, superintendent, auditor, director, or other important figure over the phone or in person to obtain sensitive information from the target.

Examples:

1. "Hi, I am John Brown. I'm with the external auditor, Arthur Sanderson. We've been requested by the corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
2. "Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car, and I've been trying to get them to outsource their security training needs to us for months. They're located just a few miles away, and I think that if I can give them a quick tour of our facilities, it would be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. It seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
3. "Hi, I'm with Aircon Express Services. We received a call that the computer room is getting too warm, so I need to check your HVAC system."

Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow them to access the targeted secured resource.
Eavesdropping, Shoulder Surfing, and Dumpster Diving

* Eavesdropping: Unauthorized listening of conversations or reading of messages; interception of audio, video, or written communication.
* Shoulder Surfing: Direct observation techniques such as looking over someone's shoulder to get information such as passwords, PINs, account numbers, etc.
* Dumpster Diving: Looking for treasure in someone else's trash.

Eavesdropping

Eavesdropping refers to an unauthorized person listening to a conversation or reading others' messages. It includes the interception of any form of communication, including audio, video, or written, using channels such as telephone lines, email, and instant messaging. An attacker can obtain sensitive information such as passwords, business plans, phone numbers, and addresses.

Shoulder Surfing

Shoulder surfing is the technique of looking over someone's shoulder as they key information into a device. Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. They sometimes even use binoculars and other optical devices or install small cameras to record the actions performed on the victim's system to obtain login details and other sensitive information.

Dumpster Diving

Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. Attackers can then use this information to perform various malicious activities.
Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as impersonating a repair person, technician, cleaner, or other legitimate worker.

Information that attackers can obtain by searching through trash bins includes:

* Phone lists: Disclose employees' names and contact numbers.
* Organizational charts: Disclose details about the structure of the company, physical infrastructure, server rooms, restricted areas, and other organizational data.
* Email printouts, notes, faxes, and memos: Reveal personal details of an employee, passwords, contacts, inside working operations, certain useful instructions, and other data.
* Policy manuals: Reveal information regarding employment, system use, and operations.
* Event notes, calendars, or computer use logs: Reveal information regarding the user's log on and off timings, which helps the attacker to decide on the best time to plan their attack.

Reverse Social Engineering, Piggybacking, and Tailgating

* Reverse Social Engineering: The attacker presents him/herself as an authority, and the target seeks his or her advice before or after offering the information that the attacker needs.
* Piggybacking: An authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, e.g., "I forgot my ID badge at home. Please help me."
* Tailgating: The attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access.
Reverse Social Engineering

Generally, reverse social engineering is difficult to carry out. This is primarily because its execution needs a lot of preparation and skill. In reverse social engineering, a perpetrator assumes the role of a knowledgeable professional so that the organization's employees ask them for information. The attacker usually manipulates questions to draw out the required information. First, the social engineer will cause an incident, creating a problem, and then present themself as the problem solver through general conversation, encouraging employees to ask questions. For example, an employee may ask how this problem has affected files, servers, or equipment. This provides pertinent information to the social engineer. Many different skills and experiences are required to carry out this tactic successfully.

Provided below are some of the techniques involved in reverse social engineering:

* Sabotage: Once the attacker gains access, they will corrupt the workstation or make it appear corrupted. Under such circumstances, users seek help as they face problems.
* Marketing: To ensure that the user calls the attacker, the attacker must advertise. The attacker can do this either by leaving their business card in the target's office or by placing their contact number on the error message itself.
* Support: Even if the attacker has already acquired the desired information, they may continue to assist the users so that they remain ignorant of the hacker's identity.

A good example of a reverse social engineering virus is the "My Party" worm. This virus does not rely on sensational subject lines but rather makes use of inoffensive and realistic names for its attachments. By using realistic words, the attacker gains the user's trust, confirms the user's ignorance, and completes the task of information gathering.
Piggybacking

Piggybacking usually implies entry into a building or security area with the consent of the authorized person. For example, an attacker might request an authorized person to unlock a security door, saying that they have forgotten their ID badge. In the interest of common courtesy, the authorized person will allow the attacker to pass through the door.

Tailgating

Tailgating implies accessing a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following them. An attacker, wearing a fake badge, might attempt to enter the secured area by closely following an authorized person through a door that requires key access. They then try to enter the restricted area while pretending to be an authorized person.

Hoax Letters, Instant Chat Messenger, and Spam Email

* Hoax Letters: Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user’s system.
* Instant Chat Messenger: Gathering personal information by chatting with a selected user online to get information such as birth dates and maiden names.
* Spam Email: Irrelevant, unwanted, and unsolicited emails that attempt to collect financial information, social security numbers, and network information.

Hoax Letters

A hoax is a message warning its recipients of a non-existent computer virus threat. It relies on social engineering to spread its reach. Usually, hoaxes do not cause any physical damage or loss of information, but they cause a loss of productivity and use an organization’s valuable network resources.
Instant Chat Messenger

An attacker chats with selected online users via instant chat messengers and tries to gather their personal information such as date of birth or maiden name. They then use the acquired information to crack users’ accounts.

Spam Email

Spam is irrelevant, unwanted, and unsolicited email designed to collect financial information such as social security numbers, and network information. Attackers send spam messages to the target to collect sensitive information, such as bank details. Attackers may also send email attachments with hidden malicious programs such as viruses and trojans. Social engineers try to hide the file extension by giving the attachment a long filename.

Phishing

* Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information.
* Phishing emails or pop-ups redirect users to fake webpages that mimic trustworthy sites, which ask them to submit their personal information.

[Slide screenshot: a “Tax Refund Notice” email purporting to come from HM Revenue & Customs, announcing an $800 refund and a “Get Started” link; clicking the link directs the user to a fraudulent page that looks similar to a genuine HMRC page and asks for name, address, date of birth, mother’s maiden name, and credit or debit card details.]

Phishing is a technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user’s personal or account information. The attacker registers a fake domain name, builds a lookalike website, and then mails the fake website’s link to users. When a user clicks on the email link, it redirects them to the fake webpage, where they are lured into sharing sensitive details such as their address and credit card information. Some of the reasons behind the success of phishing scams include users’ lack of knowledge, being visually deceived, and not paying attention to security indicators.

The screenshot below is an example of an illegitimate email that claims to be from a legitimate sender. The email link redirects users to a fake webpage and asks them to submit their personal or financial details.

[Figure 2.53: Screenshot showing the phishing technique (the HMRC “Tax Refund Notice” email and the fraudulent “Tax Refund Confirmation” form it links to).]

Types of Phishing

* Spear Phishing: A targeted phishing attack aimed at specific individuals within an organization.
* Whaling: An attacker targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information.
* Pharming: The attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server.
* Spimming: A variant of spam that exploits Instant Messaging platforms to flood spam across the networks.

Types of Phishing

Spear Phishing

Instead of sending out thousands of emails, some attackers opt for “spear phishing” and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Spear phishing messages seem to come from a trusted source with an official-looking website.
The email also appears to be from an individual from the recipient’s company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate compared to a normal phishing attack, as it appears to be from a trusted company source.

Whaling

A whaling attack is a type of phishing that targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.

Pharming

Pharming is a social engineering technique in which the attacker executes malicious programs on a victim’s computer or server, and when the victim enters any URL or domain name, it automatically redirects the victim’s traffic to an attacker-controlled website. This attack is also known as “Phishing without a Lure.” The attacker steals confidential information like credentials, banking details, and other information related to web-based services.
Pharming attacks can be performed in two ways: DNS Cache Poisoning and Host File Modification.

DNS Cache Poisoning:

o The attacker performs DNS cache poisoning on the targeted DNS server.
o The attacker modifies the IP address of the target website “www.targetwebsite.com” to that of a fake website “www.hackerwebsite.com.”
o When the victim enters the target website’s URL in the browser’s address bar, a request is sent to the DNS server to obtain the IP address of the target website.
o The DNS server returns the fake IP address that was planted by the attacker.
o Finally, the victim is redirected to the fake website.

Host File Modification:

o An attacker sends malicious code as an email attachment.
o When the user clicks on the attachment, the code executes and modifies the local hosts file on the user’s computer.
o When the victim enters the target website’s URL in the browser’s address bar, the compromised hosts file automatically redirects the user’s traffic to the fraudulent website controlled by the hacker.

Pharming attacks can also be performed using malware like Trojan horses or worms.

Spimming

SPIM (Spam over Instant Messaging) exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called a Spimmer. Spimmers generally make use of bots (applications that execute automated tasks over the network) to harvest Instant Message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.
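The host-file-modification variant of pharming described above leaves a concrete artifact on the endpoint: a public hostname pinned to an address that is not loopback. The following audit is an added example written for this page, not part of the course material; the protected domains, the sample hosts file, and the addresses in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Registrable domains whose resolution must never be pinned locally (constructed
# list; in production this would be the organisation's banking, SSO and mail domains).
PROTECTED_DOMAINS = {"targetwebsite.com", "example-bank.com"}

# Constructed sample hosts file. Lines 6 and 7 are the kind of override that
# host-file-modification pharming plants: a public name pinned to a third-party IP.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example                      # ad-block style entry, benign
192.168.0.10    intranet.corp.example                    # internal pin, not a protected name
203.0.113.45    www.targetwebsite.com targetwebsite.com  # redirect to attacker host
198.51.100.7    login.example-bank.com                   # redirect to attacker host
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (address, [hostnames], line_no) for every effective entry.
    Comments and blank lines are dropped, as the system resolver drops them."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment-only, or address with no name
            continue
        entries.append((fields[0], [h.lower().rstrip(".") for h in fields[1:]], line_no))
    return entries


def is_protected(hostname: str, protected=PROTECTED_DOMAINS) -> bool:
    """True if hostname is a protected domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in protected)


def redirects_elsewhere(address: str) -> bool:
    """Loopback and unspecified (0.0.0.0 / ::) targets blackhole a name rather than
    redirecting it; anything else, including an unparsable address, is a redirection
    candidate and is reported."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_unspecified)


def find_pharming_entries(text: str, protected=PROTECTED_DOMAINS) -> List[Dict]:
    """Report every hosts entry that pins a protected name to an external address.
    Such an entry overrides DNS for that name exactly as the pharming steps above
    describe, so each finding is a candidate for incident response."""
    findings = []
    for address, hostnames, line_no in parse_hosts(text):
        hits = [h for h in hostnames if is_protected(h, protected)]
        if hits and redirects_elsewhere(address):
            findings.append({"line": line_no, "address": address, "hosts": hits})
    return findings


if __name__ == "__main__":
    for f in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {', '.join(f['hosts'])} -> {f['address']}")
```

On a real system the same function is run over the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and any finding is compared with the address the organisation's resolver returns for that name.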
Credential Harvesting and Typosquatting

* Credential Harvesting: Attackers employ TTPs such as phishing campaigns, password dumping tools, and MITM attacks to perform credential stuffing. Using this technique, attackers not only steal the victim’s credentials but also sell the victim’s personal and financial information on the dark web.
* Typosquatting: Attackers register domain names with intentionally misspelled versions of well-known websites to send unsuspecting visitors to malicious websites. When a victim enters a misspelled URL in the web browser, the web browser automatically loads a malicious website controlled by the attacker, and the victim is lured into entering their sensitive details.

Credential Harvesting

Attackers perform credential harvesting to steal the login credentials and other critical information of the target users. Attackers employ advanced tactics, techniques, and procedures (TTPs) such as phishing campaigns, password dumping tools, and man-in-the-middle (MITM) attacks to perform credential harvesting. Using these techniques, attackers not only steal the victim’s credentials but also sell the victim’s personal and financial information on the dark web.

To perform credential harvesting, an attacker generally creates phishing campaigns that include urgent notifications demanding immediate action. For example, an attacker can send a phishing email to the victim stating, “Your official account has been blocked temporarily. Kindly click on the link below to re-activate,” along with a malicious link below the message. When the victim clicks on the malicious link, it redirects them to a phishing website that resembles a legitimate website, thereby luring the victim into entering their personal and financial details.

Typosquatting

Typosquatting is a type of cybersquatting in which the attackers target Internet users who make typographical errors while entering a URL into their web browser. Attackers register domain names with intentionally misspelled versions of well-known websites to send unsuspecting visitors to malicious websites. When a victim enters a misspelled URL in the web browser, the web browser automatically loads a malicious website controlled by the attacker. Subsequently, the victim is lured into entering their sensitive details such as login credentials and credit-card information.

Generally, the victims visit the malicious websites in one of two different ways:

* Unintentionally mistyping a legitimate URL in their web browsers; for example, “gooogle.com” instead of “google.com”
* Being tricked as part of a larger phishing attack

Attackers may use typosquatting as part of phishing and pharming attacks. In some cases, attackers also hijack sub-domains of a legitimate domain to create trust in the victim.
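Both routes above (the mistyped “gooogle.com” and the lookalike domain mailed out in a phishing campaign) can be watched for in DNS or proxy logs by generating the one-keystroke variants of a brand domain and matching queried names against them; the check also covers wrong-TLD and brand-embedded names, which goes beyond the page’s single example. This is an added example written for this page, not course material; the brand, client addresses, and log lines are constructed, and the hostname split assumes a single-label public suffix such as .com.

```python
import string
from typing import List, Optional, Set, Tuple

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed DNS query log in a simple key=value format (not a real resolver's log).
SAMPLE_DNS_LOG = """\
2024-05-02T09:12:01Z client=10.0.0.15 query=www.google.com
2024-05-02T09:12:07Z client=10.0.0.22 query=gooogle.com
2024-05-02T09:13:30Z client=10.0.0.22 query=mail.google.co
2024-05-02T09:14:02Z client=10.0.0.31 query=secure-google-login.com
2024-05-02T09:14:40Z client=10.0.0.31 query=intranet.corp.example
"""


def typo_variants(label: str) -> Set[str]:
    """Every label one keystroke away from `label`: omission (gogle), repetition
    (gooogle), adjacent transposition (googel), substitution (goggle) and
    insertion (googlle). This is the list a typosquatter registers from, and
    therefore the watch list a defender monitors."""
    variants: Set[str] = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                               # omission
        variants.add(label[:i] + label[i] + label[i:])                        # repetition
        if i + 1 < n:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i + 1:])                       # substitution
    for i in range(n + 1):
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i:])                           # insertion
    variants.discard(label)
    return variants


def registrable_parts(hostname: str) -> Optional[Tuple[str, str]]:
    """Split into (second-level label, TLD). Assumption: single-label public
    suffixes only; co.uk-style suffixes would need the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None


def classify(hostname: str, brand: str = "google", tld: str = "com") -> Optional[str]:
    """Return why `hostname` looks like a squat on brand.tld, or None if it does not."""
    parts = registrable_parts(hostname)
    if parts is None:
        return None
    sld, seen_tld = parts
    if sld == brand and seen_tld == tld:
        return None                                  # genuine domain or its subdomain
    if sld == brand:
        return f"wrong TLD .{seen_tld}"              # google.co
    if sld in typo_variants(brand):
        return "single-character typo"               # gooogle.com
    if brand in sld.replace("-", ""):
        return "brand embedded in label"             # secure-google-login.com
    return None


def scan_log(text: str, brand: str = "google", tld: str = "com") -> List[Tuple[str, str, str]]:
    """Return (client, queried name, reason) for every suspicious query in the log."""
    hits = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        reason = classify(fields["query"], brand, tld)
        if reason:
            hits.append((fields["client"], fields["query"], reason))
    return hits


if __name__ == "__main__":
    for client, name, reason in scan_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {name}: {reason}")
```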
Elicitation

Elicitation is a technique of extracting information from the victim by drawing them into normal and disarming conversations. To use this technique, the attacker must possess good social skills to take advantage of professional or social opportunities and communicate with persons having access to sensitive information. To perform elicitation, the attacker needs to initiate a casual conversation with the target user to extract information without making them feel that they are being socially engineered. Further, to use this technique, the attacker needs to create complex cover stories, plan, and may even need to involve co-conspirators.

* Use of flattery

The attacker can use flattery to sweet-talk the target user into offering sensitive information. For example, the attacker can use statements such as “You are the top-notch guy handling the project,” or “I’ll bet you are the clever brains behind the success of the company.” Such statements will facilitate the elicitation process and have been proven to be very effective in many scenarios.

* Bracketing

The attacker can use bracketing for elicitation to retrieve more precise information about the target organization. The attacker can mention highly or slightly inaccurate information to tempt the user into responding with more specific information.
For example, if the attacker wants to know the number of surveillance cameras connected in the company, they might say to the target user, “I’d guess the security of your company is pretty tight. I would assume you have ten surveillance cameras in the premises.”

* Use of false statements

The attacker can use false statements while communicating with the target user so that the target user will correct the statement and volunteer correct information. For example, the attacker can use statements such as the following: “I heard that your company has fifty systems, two servers, and a printer placed in a single room. People say that room is like Fort Knox! Nobody can get in.”

* Artificial ignorance

The attacker can use artificial ignorance as an elicitation technique so that the victim will teach and educate the attacker about the relevant information. For example, the attacker can use statements such as the following: “I don’t know anything about project development, but I’ll bet you know everything about the project development process.”

* The sounding board

The attacker can use the sounding board technique to take advantage of the behavior of the target user. When a person reveals their feelings to another person, an immediate kinship is formed. As a result, they will be ready to share more information, even with a stranger. To use this technique, the attacker needs to be patient while communicating with the target user, listen to their feelings, and provide positive or negative judgment about their feelings. This creates trust between the attacker and the victim, and the victim starts sharing additional information with the attacker.
Identity Theft

* Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver’s license numbers, etc. to commit fraud or other crimes.
* Attackers can use identity theft to impersonate employees of a target organization and physically access the facilities.

[Figure 2.54: Screenshot of SET showing menu and attack options. The Social-Engineer Toolkit (SET) is a product of TrustedSec (https://www.trustedsec.com).]

Some social engineering tools are listed below:

* SpeedPhish Framework (SPF) (https://github.com)
* Gophish (https://getgophish.com)
* King Phisher (https://github.com)
* LUCY (https://www.lucysecurity.com)
* MSI Simple Phish (https://microsolved.com)
