CEH Certified Ethical Hacker: Ethical Hacking and Countermeasures, Exam 312-50, Module 09: Social Engineering

Module Objectives

* Understanding Social Engineering Concepts
* Understanding Various Social Engineering Techniques
* Understanding Insider Threats
* Understanding Impersonation on Social Networking Sites
* Understanding Identity Theft
* Understanding Different Social Engineering Countermeasures
* Understanding Different Insider Threat and Identity Theft Countermeasures

Module Objectives

This module provides an overview of social engineering. Although it focuses on fallacies and advocates effective countermeasures, the possible methods of extracting information from another human being rely on attackers' ingenuity. The features of these techniques make them an art, but the psychological nature of some of these techniques makes them a science. The "bottom line" is that there is no ready defense against social engineering; only constant vigilance can circumvent some social engineering techniques used by attackers.

This module provides insight into human-based, computer-based, and mobile-based social engineering techniques. It also discusses various insider threats, impersonation on social networking sites, identity theft, and possible countermeasures.

At the end of this module, you will be able to:

* Describe social engineering concepts
* Perform social engineering using various techniques
* Describe insider threats
* Perform impersonation on social networking sites
* Describe identity theft
* Apply social engineering countermeasures
* Apply knowledge of insider threats and identity theft countermeasures

Module 09 Page 1198 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module Flow

1. Social Engineering Concepts
2. Social Engineering Techniques
3. Insider Threats
4. Impersonation on Social Networking Sites
5. Identity Theft
6. Countermeasures

Social Engineering Concepts

There is no single security mechanism that can protect from the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize attackers' chances of success. Before going ahead with this module, it is first necessary to discuss various social engineering concepts.

This section describes social engineering, frequent targets of social engineering, behaviors vulnerable to attack, factors making companies vulnerable to attack, why social engineering is effective, the principles of social engineering, and the phases of a social engineering attack.

What is Social Engineering?

* Social engineering is the art of convincing people to reveal confidential information.
* Common targets of social engineering include help-desk personnel, technical support executives, system administrators, etc.
* Social engineers depend on the fact that people are unaware of the valuable information to which they have access and are careless about protecting it.

(Slide panels: Impact of Attack on an Organization; Behaviors Vulnerable to Attack)

What is Social Engineering? (Cont'd)
Factors that Make Companies Vulnerable to Attacks

* Insufficient security training
* Unregulated access to information
* Several organizational units
* Lack of security policies

Why is Social Engineering Effective?

* Security policies are as strong as their weakest link, and human behavior is the most susceptible factor
* It is difficult to detect social engineering attempts
* There is no method that can be applied to ensure complete security from social engineering attacks
* There is no specific software or hardware to defend against social engineering attacks

What is Social Engineering?

Before performing a social engineering attack, the attacker gathers information about the target organization from various sources such as:

* The organization's official websites, where employees' IDs, names, and email addresses are shared
* Advertisements of the target organization cast through media, which reveal information such as products and offers
* Blogs, forums, and other online spaces where employees share basic personal and organizational information

After gathering information, an attacker executes social engineering attacks using various approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and other methods.

Social engineering is the art of manipulating people to divulge sensitive information in order to perform some malicious action. Despite security policies, attackers can compromise an organization's sensitive information by using social engineering, which targets the weakness of people. Most often, employees are not even aware of a security lapse on their part and inadvertently reveal the organization's critical information, for instance by unwittingly answering strangers' questions or replying to spam email.
To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that the victims might not even notice the fraud. Attackers always look for new ways to access information. They also ensure that they know the organization's perimeter and the people on its perimeter, such as security guards, receptionists, and help-desk workers, to exploit human oversight. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities. For instance, a man in a uniform carrying a pile of packages for delivery will be perceived as a delivery person. With the help of social engineering tricks, attackers succeed in obtaining confidential information, authorization, and access details from people by deceiving and manipulating human vulnerability.

Common Targets of Social Engineering

A social engineer uses the vulnerability of human nature as their most effective tool. Usually, people believe and trust others and derive fulfillment from helping the needy. Discussed below are the most common targets of social engineering in an organization:

* Receptionists and Help-Desk Personnel: Social engineers generally target service-desk or help-desk personnel by tricking them into divulging confidential information about the organization. To extract information, such as a phone number or password, the attacker first wins the trust of the individual with the information. On winning their trust, the attacker manipulates them to get valuable information. Receptionists and help-desk staff may readily share information if they feel they are doing so to help a customer.

* Technical Support Executives: Another target of social engineers is technical support executives. The social engineers may take the approach of contacting technical support executives to obtain sensitive information by pretending to be senior management, customers, vendors, or other figures.
* System Administrators: A system administrator in an organization is responsible for maintaining the systems. Thus, they may have critical information such as the type and version of the OS and admin passwords, which could be helpful for an attacker in planning an attack.

* Users and Clients: Attackers could approach users and clients of the target organization, pretending to be a tech support person, to extract sensitive information.

* Vendors of the Target Organization: Attackers may also target the vendors of the organization to gain critical information that could help in executing attacks.

* Senior Executives: Attackers could also approach senior executives from various departments such as Finance, HR, and CxOs to obtain critical information about the organization.

Impact of Social Engineering Attack on an Organization

Social engineering does not seem like a serious threat, but it can lead to substantial losses for organizations. The impacts of social engineering attacks on organizations include:

* Economic Losses: Competitors may use social engineering techniques to steal sensitive information such as the development plans and marketing strategies of the target company, which can result in an economic loss.

* Damage to Goodwill: For an organization, goodwill is important for attracting customers. Social engineering attacks may damage that goodwill by leaking sensitive organizational data.

* Loss of Privacy: Privacy is a major concern, especially for big organizations. If an organization is unable to maintain the privacy of its stakeholders or customers, then people can lose trust in the company and may discontinue their business association with the organization. Consequently, the organization could face losses.
* Dangers of Terrorism: Terrorism and anti-social elements pose a threat to an organization's assets, its people and property. Terrorists may use social engineering techniques to make blueprints of their targets in order to infiltrate them.

* Lawsuits and Arbitration: Lawsuits and arbitration result in negative publicity for an organization and affect the business's performance.

* Temporary or Permanent Closure: Social engineering attacks can result in a loss of goodwill. Lawsuits and arbitration may force the temporary or permanent closure of an organization and its business activities.

Behaviors Vulnerable to Attacks

* Authority

Authority implies the right to exercise power in an organization. Attackers take advantage of this by presenting themselves as a person of authority, such as a technician or an executive, in a target organization to steal important data.

For example, an attacker can call a user on the phone and claim to be working as a network administrator in the target organization. The attacker then informs the victim about a security incident in the network and asks them to provide their account credentials to protect their data against theft. After obtaining the victim's credentials, the attacker steals sensitive information from the victim's account.

* Intimidation

Intimidation refers to an attempt to intimidate a victim into taking several actions by using bullying tactics. It is usually performed by impersonating some other person and manipulating users into disclosing sensitive information.

For example, an attacker might call the executive's receptionist with this request: "Mr. Tibiyani is about to give a big presentation to the customers, but he is unable to open his files; it seems they are corrupt.
He told me to call you and ask you to send the files to me immediately so that he can start his talk."

* Consensus or Social Proof

Consensus or social proof refers to the fact that people are usually willing to like things or do things that other people like or do. Attackers take advantage of this by doing things like creating websites and posting fake testimonials from users about the benefits of certain products such as anti-malware (rogueware). Therefore, if users search the Internet to download the rogueware, they encounter these websites and believe the forged testimonials. Further, if users download the malicious product, attackers may install a trojan along with it.

* Scarcity

Scarcity implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process. Due to this urgency, attackers can control the information provided to victims and manipulate the decision-making process. For example, when Apple releases a new iPhone product that sells out and goes out of stock, attackers can take advantage of this situation by sending a phishing email to the target users, encouraging them to click on a link provided in the email to buy the product. If the users click on this link, they get redirected to some malicious website controlled by the attacker. As a result, the user might end up revealing their account details or downloading some malicious programs such as trojans.

* Urgency

Urgency implies encouraging people to take immediate action. Attackers can take advantage of this by tricking victims into performing unintended tasks. For example, ransomware often uses the urgency principle, which makes the victim take urgent action under a time limit. The victims see the countdown timer running on their infected systems and know that failure to make the required decision within the given time can result in the loss of important data.
Similarly, attackers can send phishing emails indicating that a certain product is available at a low price and that to buy it, the user should click on the "Buy Now" link. The user is tricked, and they click on the link to take immediate action. As a result, they are redirected to a malicious website and end up revealing their account details or downloading a virus file.

* Familiarity or Liking

Familiarity or liking implies that people are more likely to be persuaded to do something when they are asked by someone whom they like. This indicates that people are more likely to buy products if they are advertised by an admired celebrity. For example, people are more likely to allow someone to look over their shoulder if they like that person or they are familiar with them. If people do not like the person, they immediately recognize the shoulder surfing attack and prevent it. Similarly, people often allow someone to tailgate them if they like that person or are familiar with them. In some cases, social engineers use a charming smile and sweet-talk to deceive the other person into liking them.

* Trust

Attackers often attempt to build a trusting relationship with victims. For example, an attacker can call a victim and introduce themself as a security expert. Then, they may claim that they were working with XYZ company, and they noticed some unusual errors sent from the victim's system. The attacker builds trust by using the company name and their experience in the security field. After establishing trust, the attacker guides the victim to follow a series of steps to "view and disable the system errors." They later send an email containing a malicious file and persuade the victim to click on and download it.
Through this process, the attacker successfully installs malware on the victim's system, infecting it and allowing the attacker to steal important information.

* Greed

Some people are possessive by nature and seek to acquire vast amounts of wealth through illegal activities. Social engineers lure their targets to divulge information by promising something for nothing (appealing to their greed). For example, an attacker may pretend to be a competitor and lure the employees of the target into revealing critical information by offering a considerable reward.

Factors that Make Companies Vulnerable to Attacks

Many factors make companies vulnerable to social engineering attacks; some of them are as follows:

* Insufficient Security Training

Employees can be ignorant about the social engineering tricks used by attackers to lure them into divulging sensitive data about the organization. Therefore, the minimum responsibility of any organization is to educate their employees about social engineering techniques and the threats associated with them to prevent social engineering attacks.

* Unregulated Access to Information

For any company, one of its main assets is its database. Providing unlimited access or allowing everyone access to such sensitive data might cause trouble. Therefore, companies must ensure proper training for and surveillance of key personnel accessing sensitive data.

* Several Organizational Units

Some organizations have their units at different geographic locations, making it difficult to manage the system. Further, this sort of setup makes it easier for an attacker to access the organization's sensitive information.

* Lack of Security Policies

Security policy is the foundation of security infrastructure.
It is a high-level document describing the security controls implemented in a company. An organization should take extreme measures related to every possible security threat or vulnerability. Implementation of certain security measures such as a password change policy, an information sharing policy, access privileges, unique user identification, and centralized security proves to be beneficial.

Why is Social Engineering Effective?

Like other techniques, social engineering does not deal with network security issues; instead, it deals with the psychological manipulation of a human being to extract desired information. The following are reasons why social engineering continues to be effective:

* Despite various security policies, preventing social engineering is a challenge because human beings are most susceptible to variation.
* It is challenging to detect social engineering attempts.
* Social engineering is the art and science of manipulating people into divulging information.
* No method guarantees complete security from social engineering attacks.
* No specific hardware or software is available to safeguard against social engineering attacks.
* This approach is relatively cheap (or free) and easy to implement.

Phases of a Social Engineering Attack

(Slide: Research the target company; Select a target; Develop a relationship with the selected employees; Exploit the relationship)

Attackers take the following steps to execute a successful social engineering attack:

* Research the Target Company

Before attacking the target organization's network, an attacker gathers enough information to infiltrate the system. Social engineering is one technique that helps in extracting information.
Initially, the attacker researches basic information about the target organization, such as the nature of the business, its location, number of employees, and other facts. While researching, the attacker indulges in activities such as dumpster diving, browsing the company's website, and finding employee details.

* Select a Target

After finishing their research, the attacker selects a target for extracting sensitive information about the organization. Usually, attackers try to reach out to disgruntled employees because they are easier to manipulate.

* Develop a Relationship

Once the target is set, the attacker builds a relationship with that employee to accomplish their task.

* Exploit the Relationship

The attacker exploits the relationship and extracts sensitive information about the organization's accounts, finance information, technologies in use, and upcoming plans.
