Difference between revisions of "Social Engineering"

From Embedded Lab Vienna for IoT & Security
== Summary ==

This documentation describes what social engineering is, how it is used, and how to prevent or mitigate some of these attacks.


== Requirements ==

To carry out a social engineering attack you first need to understand the basics of social engineering described below. There are also tools for understanding and executing these attacks at a practical level, including many pre-defined attacks that show how easy it is to perform them. You can read more about that in [[Social Engineering Toolkit]].


== Description ==

Social engineering is a technique that uses human interaction to gather information or to influence a person to act in a certain way. It can involve spying on someone's personal life in order to achieve a specific goal, such as manipulating elections, obtaining information, or stealing money. The goal of social engineering is to guide a person towards a particular outcome, often by manipulating their thoughts or actions.


=== Phases ===

In social engineering there are a few necessary steps to complete an attack and obtain the information you are after. Kevin Mitnick has divided the process into 4 steps, which are: '''Information Gathering''', '''Hook Relationship''', '''Exploitation and Execution''' and '''End without leaving a trace'''.


==== Information Gathering ====
Information gathering involves collecting as much information as possible about a potential victim in order to identify possible attack vectors. This may include identifying personal details, interests, or vulnerabilities that can be exploited. This information can be gathered through various means, such as social media, public records, or by directly interacting with the victim.


==== Hook Relationship ====
In order to build a "hook relationship" with the victim, the attacker will often try to present themselves as trustworthy in order to gain the victim's confidence and cooperation. This may involve pretending to be someone the victim knows, such as a colleague or friend, or posing as an authority figure in order to gain the victim's trust.


==== Exploitation and Execution ====
The exploitation and execution phase involves manipulating the victim in order to persuade them to take certain actions or disclose information that the attacker is seeking. This may involve using psychological manipulation or other tactics to influence the victim's behavior. The attacker may use a variety of tactics, such as flattery, fear, or pressure, in order to persuade the victim to comply with their requests.


==== End without leaving a trace ====
Once the attacker has achieved their goal, they will often try to cover their tracks and end the attack without leaving any evidence behind. This may involve deleting any records of the attack or disguising their involvement in order to avoid detection. In order to avoid being caught, the attacker may also take steps to destroy any evidence of the attack, such as wiping clean any devices or servers that were used in the attack.


== Attacks ==

This part covers the most common and basic attacks in use today. Nearly everyone has seen such an attack in practice, for example by receiving a phishing email or a warning that phishing emails are circulating, together with an example. If you have not, just check the Spam or Junk folder of your mailbox; you will probably find one there.


=== Phishing ===
Phishing attacks are among the most common attacks. They are fairly simple: for example, a real e-mail is copied and reused to harvest user data, with links redirecting to a fake website. This website looks very similar to the original, and if you do not look closely enough you sometimes do not even realize that it is fake. The goal of this attack is generally to steal account passwords and then to steal money in any way possible. There are different types of phishing:
* Spear phishing: attacks on specific people or groups; for this you need to know about the person or company beforehand. Since it is very personal, it is also often very successful compared with other social engineering approaches.
* Whaling: similar to spear phishing, except that high-profile individuals are targeted.
* Vishing: phishing attacks carried out over the phone.
* Smishing: attacks carried out over text messages.
* Interactive voice-response phishing: an interactive voice response system is used.
* Business email compromise phishing: similar to whaling; the attacker wants access to business mailboxes and then sends legitimate-looking business mails to get "normal" employees to click a link or perform some action.
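As an added example (not part of the original wiki page), the Python script below shows how a mail filter could flag the link tricks described above from the defender's side: link text that names the real bank while the href points elsewhere, a hostname that merely looks like a trusted domain (typosquat or digit-for-letter swap), the trusted name reused as a subdomain of an unrelated one, and raw IP addresses as targets. The trusted-domain list, the homoglyph table and the HTML message are constructed samples.

```python
"""Phishing link analysis: flag links whose visible text and real target
disagree, and hostnames that merely look like a trusted domain.
Added example for this wiki section; all sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation actually uses (constructed sample list).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Substitutions commonly used to make a hostname look familiar.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}

# Link text only counts as "showing a URL" if it looks like one.
URL_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def normalise(host: str) -> str:
    """Map common look-alike characters back to the letters they imitate."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels (good enough for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats like 'exampel-bank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if it is
    trusted itself or simply unrelated."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(reg) == trusted or edit_distance(reg, trusted) <= 2:
            return trusted
        # trusted name reused as a subdomain: example-bank.com.login-check.net
        if host.startswith(trusted + "."):
            return trusted
    return None


def analyse_links(html: str) -> list:
    """Return human-readable findings, one per suspicious property of a link."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            findings.append(f"raw IP address as target: {href}")
        shown = None
        if URL_TEXT.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but points to {host}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"{host} looks like trusted domain {imitated}")
    return findings


# Constructed sample: a message imitating a bank, mixing real and fake links.
SAMPLE_HTML = """<p>Your account is locked. Verify now:</p>
<a href="http://examp1e-bank.com/verify">https://example-bank.com/verify</a>
<a href="http://example-bank.com.login-check.net/">Open secure portal</a>
<a href="http://203.0.113.7/update">Update details</a>
<a href="https://example-bank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for line in analyse_links(SAMPLE_HTML):
        print("[!]", line)
```

Running the script reports the first three links and stays silent on the genuine help link; the `registrable` helper is deliberately naive (two labels), so for real deployments a public-suffix list should replace it.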


=== Pretexting ===
This attack is similar to phishing, but its goal is to make you believe that you are being contacted by someone close to you or by an authority. Such messages could lead you to send personal information to the attacker. If it is done well, earlier conversations were captured beforehand and the phone number or e-mail address is spoofed, you sometimes would not even realize that it is fake.
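The spoofed sender mentioned above is exactly what e-mail authentication is meant to expose. As an added example, not from the original page, the Python script below reads the Authentication-Results header that a receiving mail server adds (RFC 8601 format) and checks whether the domain shown in From: is the one SPF or DKIM actually authenticated (DMARC alignment), whether the server recorded a DMARC failure, whether Reply-To quietly points somewhere else, and whether the display name smuggles in a different address. The message is a constructed sample; the `.invalid` domains are placeholders.

```python
"""Spoofed-sender check for a pretexting e-mail: does the From: domain line
up with what SPF/DKIM authenticated, and does the reply go elsewhere?
Added example for this wiki section; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: display name claims the CEO, Reply-To goes elsewhere,
# and the receiving server's Authentication-Results show SPF passing for a
# different domain than the one shown in From:.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mailer.bulk-send.invalid;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.invalid
To: finance@example.com
Subject: Urgent wire transfer before 5pm

Please process the attached invoice today, I am in a meeting and cannot talk.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header: str) -> dict:
    """Pull the fields we need out of an Authentication-Results header."""
    flat = " ".join(header.split())  # unfold the possibly multi-line header

    def grab(pattern):
        m = re.search(pattern, flat)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"spf=(\w+)"),
        "spf_domain": grab(r"smtp\.mailfrom=([\w.-]+)"),
        "dkim": grab(r"dkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([\w.-]+)"),
        "dmarc": grab(r"dmarc=(\w+)"),
    }


def aligned(auth_domain, from_domain) -> bool:
    """Relaxed DMARC alignment: same domain as From:, or a subdomain of it."""
    return bool(auth_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def check_sender(raw: str) -> list:
    """Return findings suggesting the visible sender is not who it claims."""
    msg = message_from_string(raw)
    findings = []
    from_hdr = msg.get("From", "")
    name, real_addr = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_ok = auth["spf"] == "pass" and aligned(auth["spf_domain"], from_domain)
    dkim_ok = auth["dkim"] == "pass" and aligned(auth["dkim_domain"], from_domain)
    if not (spf_ok or dkim_ok):
        findings.append(f"From domain {from_domain} not authenticated "
                        f"(spf={auth['spf']} for {auth['spf_domain']}, dkim={auth['dkim']})")
    if auth["dmarc"] == "fail":
        findings.append("receiving server recorded dmarc=fail")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_domain}")

    # Display-name smuggling: an address inside the name that differs from the real one
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != real_addr.lower():
        findings.append(f"display name contains a different address: {embedded.group(0)}")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_EMAIL):
        print("[!]", finding)
```

The check trusts only the Authentication-Results header written by your own receiving server, so in practice the header's authserv-id (here `mx.example.com`) should be compared against that server's name before the verdicts are believed.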


=== Tailgating ===
Tailgating is an attack that requires physical access to a secure building. This is achieved by following people through doors, or by getting someone to open the door for you by claiming you lost your access card. When done well, the attacker gains access to an area where they could install malware on other people's PCs. Another approach would be to ask someone for their phone to make a call and then install malware while they are not watching.


=== Ransomware ===
[[Ransomware]] is a type of malicious software that encrypts a victim's personal data and demands a ransom from the victim to restore access to the data. These attacks have been increasing in popularity and are becoming more and more difficult to stop. Some well-known examples of [[Ransomware]] include WannaCry and Locky. One of the dangers of ransomware is that even if the victim pays the ransom, there is no guarantee that they will actually get their data back.


=== Dumpster Diving ===
As the name suggests, this technique is used to get information out of other people's trash. A letter with sensitive information (e.g. bank or credit card details) or a hard drive can contain a lot of data that can be used against you if it is not disposed of properly. A good tip is to throw away pieces of information in different trash cans, for example on the way to work.


=== Pop-Up Window ===
Pop-up windows are often used to scare uninformed people into being tricked by a simple window, mostly in a browser. The scam either wants you to redeem the jackpot you have just won, or tells you that your computer is infected and that you should call the attacker, who then infects you with malware. Most of the time these windows are hard to close and are quite loud in order to intimidate the victim.


=== Pharming ===
This approach has a similar goal to phishing but is carried out quite differently. The aim is to lure the victim onto a similar-looking website (e.g. bank, insurance, ...), but instead of sending you fake links the attacker compromises the DNS server and redirects you instantly without you even noticing. If the website is done very well, your data is captured and afterwards you are redirected to your real bank account without ever knowing.


=== Baiting/USB Drop ===
Another bait attack involves the use of dropped USB drives. The attacker will leave a USB drive in a public place, such as a parking lot or lobby, with a label or message that suggests it contains something interesting or valuable. When someone picks up the drive and plugs it into their computer, they may be exposing their system to malware or ransomware.


=== Eavesdropping ===
Eavesdropping is the act of secretly listening to the private conversations of others without their knowledge. It can be done in a variety of ways, such as through the use of hidden microphones, wiretapping, or simply by listening in on a conversation that is happening nearby. Eavesdropping can be a serious invasion of privacy and is often illegal, particularly if it is done for malicious purposes such as to gather personal or sensitive information. In the digital age, eavesdropping can also be done remotely through the use of malware or other cyber threats that allow an attacker to access and monitor the conversations of their victims.


=== Reverse Social Engineering ===
One common technique used in reverse social engineering attacks is for the attacker to pretend to be a good guy or authority figure in order to gain the victim's trust. For example, the attacker might pretend to be a technical support representative and ask the victim for their login credentials in order to "fix" a problem with their computer. Or, the attacker might pose as a law enforcement officer and request that the victim provide sensitive information in order to "assist with an investigation." In these cases, the victim may feel pressure to comply with the request, believing that they are helping to solve a problem or protect against a threat.


=== Impersonating ===
Impersonating is the act of pretending to be someone else, either in person or online, in order to deceive others. This can be done for a variety of reasons, such as to gain access to sensitive information or resources, to evade detection or consequences, or to commit a crime. In the digital world, impersonation is often done through the use of fake profiles or websites that mimic legitimate ones in order to trick people into divulging personal information or money. In person, impersonation can be more complex and may involve the use of props, costumes, and other means of disguising one's true identity.


== Prevention ==

As attacks increase and improve, it is very hard to defend against them if you do not know how they work and what they do. To prevent or mitigate such attacks you need 3 important pieces of information.


=== Clarify Attacks ===
The first part helps you understand what these attacks are trying to do and how. If you know what a pop-up window scam is, and you know that these messages are spam trying to lure you into a trap, you will not fall for them anymore. The best way is to know examples of the most common attacks in order to build awareness of social engineering attacks. Since these attacks improve over time you should stay up to date, and you should ask people you trust for help if you do not know how to proceed.


=== Education and Training ===
To ensure the safety and security of your employees, it is important to provide regular training sessions to keep them informed on best practices and current threats. They should be cautious when receiving phone calls or emails from unknown sources, and verify the identity of the sender before disclosing any confidential information. They should also be wary of suspicious links or attachments, and avoid downloading unknown files. To further protect against potential threats, it is advisable to implement multifactor authentication and regularly update antivirus and antimalware programs. Additionally, it is important to carefully examine the references of any offers or requests for sensitive data.


=== Set Security Standards ===
You should start setting yourself a certain security standard. This ranges from checking programs or files you do not know to checking links before you click them. If you have a new contact in your mailbox you should double-check the sender to be sure you are not dealing with a scam artist. You should also never share your PC with others or plug in strange devices you do not know. Increased awareness of phishing emails that imitate providers would also help, so that bills are checked for malware before they are opened.


=== Implement Security Tools ===
Since detecting malware is getting more difficult all the time, you should start using certain tools to help you secure your environment. To protect against more advanced attacks, it is recommended that companies use Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), which can detect and respond to attacks in real time. In addition to a firewall, companies can also use Virtual Private Networks (VPNs) to secure their internet connection. Anti-phishing tools can help to block and blacklist phishing websites, and companies can also consider using honeypot email addresses as a way to lure and track attackers. It is also important to implement physical security measures, such as properly securing hardware and following guidelines for physical access to facilities. The following tools help you detect unwanted programs and keep your data safe externally.
* Anti-virus software: [https://www.malwarebytes.com/ Malwarebytes]
* Browser ad/spam blocking plugin: [https://ublockorigin.com/ uBlock Origin]
* Check e-mail periodically: [https://haveibeenpwned.com/ HaveIBeenPwned]
* Save files externally: [https://nextcloud.com/ Nextcloud]
* Check programs: [https://www.virustotal.com/ VirusTotal]
* Password manager: [https://keepassxc.org/ KeepassXC]


== Social Media Intelligence ==
Social media intelligence (SOCMINT) is a process that involves gathering and analyzing data from social media platforms in order to inform business decisions. This type of intelligence can be used to track brand mentions and sentiment, monitor competitors, and identify emerging trends or opportunities for engagement.
By collecting and analyzing social media data, companies can gain valuable insights into the perceptions and behaviors of their customers and target audience. This can inform marketing strategies, customer service efforts, and product development. For example, a company might use social media intelligence to identify common customer pain points and develop solutions to address them, or to identify influencers to partner with in order to promote their brand.
There are a number of tools and platforms available to help companies automate the process of gathering and analyzing social media data. These tools often include features such as keyword tracking, sentiment analysis, and competitor analysis.
Overall, social media intelligence can be an important part of a company's market research and customer insights efforts, helping them to better understand and connect with their audience on social media. It can also be a useful way for companies to stay up-to-date on industry developments and emerging trends, and to identify opportunities for growth and innovation.


== References ==

Revision as of 15:32, 8 January 2023
