EHEv1 Module 05 Social Engineering Techniques and Countermeasures


Module 05

Social Engineering Techniques and Countermeasures

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Module Objectives
1 Understanding Social Engineering Concepts
2 Understanding Various Social Engineering Techniques
3 Understanding Insider Threats
4 Understanding Identity Theft
5 Understanding Different Social Engineering Countermeasures
6 Understanding Different Insider Threats and Identity Theft Countermeasures
Module Flow
01 Discuss Social Engineering Concepts and its Phases
02 Discuss Social Engineering Techniques
03 Discuss Insider Threats and Identity Theft
04 Discuss Social Engineering Countermeasures


What is Social Engineering?
❑ Social engineering is the art of convincing people to reveal confidential information
❑ Social engineers depend on the fact that people are unaware of the valuable information to which they have access and are careless about protecting it


Common Targets of Social Engineering

1 Receptionists and Help-Desk Personnel

2 Technical Support Executives

3 System Administrators

4 Users and Clients

5 Vendors of the Target Organization

6 Senior Executives



Impact of Social Engineering Attack on an Organization
1 Economic losses
2 Damage of goodwill
3 Loss of privacy
4 Dangers of terrorism
5 Lawsuits and arbitration
6 Temporary or permanent closure
Behaviors Vulnerable to Attacks
❑ Authority
❑ Intimidation
❑ Consensus or Social Proof
❑ Scarcity
❑ Urgency
❑ Familiarity or Liking
❑ Trust
❑ Greed


Factors that Make Companies Vulnerable to Attacks
1 Insufficient security training
2 Unregulated access to information
3 Several organizational units
4 Lack of security policies


Why is Social Engineering Effective?
❑ Social engineering does not deal with network security issues; instead, it deals with the psychological manipulation of a human being to extract desired information
01 Security policies are as strong as their weakest link, and human behavior is the most susceptible factor
02 It is difficult to detect social engineering attempts
03 There is no method that can be applied to ensure complete security from social engineering attacks
04 There is no specific software or hardware to defend against a social engineering attack
Phases of a Social Engineering Attack
Research the Target Company: Dumpster diving, websites, employees, tour of the company, etc.
Select a Target: Identify frustrated employees of the target company
Develop a Relationship: Develop a relationship with the selected employees
Exploit the Relationship: Collect sensitive account and financial information, as well as current technologies




Types of Social Engineering

Human-based Social Engineering
❑ “Sensitive information is gathered by interaction”.
❑ Techniques:
▪ Impersonation
▪ Vishing
▪ Eavesdropping
▪ Shoulder Surfing
▪ Dumpster Diving
▪ Reverse Social Engineering
▪ Piggybacking
▪ Tailgating

Computer-based Social Engineering
❑ “Sensitive information is gathered with the help of computers”.
❑ Techniques:
▪ Phishing
▪ Pop-up Window Attacks
▪ Spam Mail
▪ Instant Chat Messenger
▪ Scareware

Mobile-based Social Engineering
❑ “Sensitive information is gathered with the help of mobile apps”.
❑ Techniques:
▪ Publishing Malicious Apps
▪ Using Fake Security Apps
▪ Repackaging Legitimate Apps
▪ SMiShing (SMS Phishing)


Human-based Social Engineering

Impersonation
❑ The attacker pretends to be someone legitimate or an authorized person
❑ Attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone, email, etc. to reveal sensitive information

Impersonation Examples
Posing as a Legitimate End User: The attacker gives this identity and asks for the sensitive information.
“Hi! This is John from the Finance Department. I have forgotten my password. Can I get it?”
Posing as an Important User: The attacker poses as a VIP of a target company, valuable customer, etc.
“Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system’s password. Can you help me out?”


Human-based Social Engineering (Cont’d)

Impersonation (Vishing)
❑ An impersonation technique in which the attacker tricks individuals to reveal personal and financial information using voice technology such as the telephone system, VoIP, etc.

Vishing Example: Abusing the Over-Helpfulness of Help Desks
❑ The attacker calls a company’s help desk, pretends to be someone in a position of authority or relevance and tries to extract sensitive information from the help desk
“A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker a clear entrance into the corporate network.”
Human-based Social Engineering (Cont’d)

Eavesdropping
• Unauthorized listening of conversations, or reading of messages
• Interception of audio, video, or written communication

Shoulder Surfing
• Direct observation techniques such as looking over someone's shoulder to get information such as passwords, PINs, account numbers, etc.

Dumpster Diving
• Looking for treasure in someone else’s trash


Human-based Social Engineering (Cont’d)

Reverse Social Engineering
❑ The attacker presents him/herself as an authority and the target seeks his or her advice before or after offering the information that the attacker needs

Piggybacking
❑ An authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door, e.g., “I forgot my ID badge at home. Please help me”

Tailgating
❑ The attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door that requires key access


Computer-based Social Engineering

Pop-Up Windows
Windows that suddenly pop up while surfing the Internet and ask for user information to login or sign-in

Hoax Letters
Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user’s system

Chain Letters
Emails that offer free gifts such as money and software on condition that the user forwards the mail to a specified number of people


Computer-based Social Engineering (Cont’d)

Instant Chat Messenger
Gathering personal information by chatting with a selected user online to get information such as birth dates and maiden names

Spam Email
Irrelevant, unwanted, and unsolicited emails that attempt to collect financial information, social security numbers, and network information

Scareware
Malware that tricks computer users into visiting malware infested websites, or downloading/buying potentially malicious software


Computer-based Social Engineering: Phishing
Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information
Phishing emails or pop-ups redirect users to fake webpages that mimic trustworthy sites, which ask them to submit their personal information

Sample phishing email shown on the slide (clicking the link directs you to a fraudulent web page that looks similar to a genuine HMRC page):

From: [email protected]
To: [email protected]
CC:
Subject: Tax Refund Notice !
Hi,
After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of $800. Please submit the tax refund request and click here by having your tax refund sent to your bank account in due time.
Please Click "Get Started" to have your tax refund sent to your bank account, your tax refund will be sent to your bank account in due time take your time to go through the bank we have on our list
[Get Started]
Note: A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.
Best Regards
HM Revenue & Customs

http://www.hmrc.gov.uk
Computer-based Social Engineering: Phishing (Cont’d)
Examples of Phishing Emails (slide shows screenshots of phishing emails; source: https://its.tntech.edu)


Computer-based Social Engineering: Phishing (Cont’d)
Types of Phishing
1 Spear Phishing: A targeted phishing attack aimed at specific individuals within an organization
2 Whaling: An attacker targets high profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information
3 Pharming: The attacker redirects web traffic to a fraudulent website by installing a malicious program on a personal computer or server
4 Spimming: A variant of spam that exploits Instant Messaging platforms to flood spam across the networks


Phishing Tools

ShellPhish
A phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter, LinkedIn, etc.
https://github.com

BLACKEYE
https://github.com

PhishX
https://github.com

Modlishka
https://github.com

Trape
https://github.com

Evilginx
https://github.com


Mobile-based Social Engineering: Publishing Malicious Apps
❑ Attackers create malicious apps with attractive features and similar names to popular apps, and publish them in major app stores
❑ Users download these apps unknowingly and are infected by malware that sends credentials to attackers

Flow shown on the slide:
1 Attacker creates a malicious mobile application (e.g., a malicious gaming application)
2 Attacker publishes the malicious mobile app on an app store
3 User downloads and installs the malicious mobile application
4 App sends user credentials to the attacker
Mobile-based Social Engineering: Repackaging Legitimate Apps

Flow shown on the slide:
1 Legitimate developer creates a gaming app and uploads it to the mobile app store
2 Malicious developer downloads the legitimate game and repackages it with malware
3 Malicious developer uploads the game to a third-party app store
4 End user downloads the malicious gaming app from the third-party app store
5 App sends user credentials to the malicious developer


Mobile-based Social Engineering: Fake Security Applications

Flow shown on the slide:
1 Attacker infects the user’s PC with malware
2 User logs on to their bank account; a message appears telling the user to download an application to their phone
3 Attacker uploads the malicious application on the attacker’s app store
4 User downloads the application from the attacker’s app store
5 User credentials are sent to the attacker
Mobile-based Social Engineering: SMiShing (SMS Phishing)
❑ SMiShing (SMS phishing) is the act of using the SMS text messaging system of cellular phones or other mobile devices to lure users into instant action, such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number
❑ SMiShing messages are generally crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details

SMiShing Example
1 Attacker sends an SMS that appears in Tracy’s inbox as: “XIM BANK: Emergency! Please call 08-7999-433”
2 Tracy thinks it is a real message from XIM bank
3 Tracy calls 08-7999-433
4 A recording asks her to provide her credit or debit card number; Tracy reveals sensitive information




Insider Threats/Insider Attacks
❑ An insider is any employee (trusted person or people) who have access to critical assets of an organization
❑ An insider attack involves using privileged access to intentionally violate rules or cause threat to the organization’s information or information systems in any form
❑ Such attacks are generally performed by a privileged user, disgruntled employee, terminated employee, accident-prone employee, third party, undertrained staff, etc.

Example of Insider Attack: Disgruntled Employee
A disgruntled employee sends the company’s secret data to competitors over the Internet using steganography
Reasons for Insider Attacks
❑ Financial gain
❑ Steal confidential data
❑ Revenge
❑ Become future competitor
❑ Perform competitor’s bidding
❑ Public announcement


Types of Insider Threats

Malicious Insider
A disgruntled or terminated employee who steals data or destroys the company’s networks intentionally by introducing malware into the corporate network

Negligent Insider
Insiders who are uneducated on potential security threats or who simply bypass general security procedures to meet workplace efficiency

Professional Insider
Harmful insiders who use their technical knowledge to identify weaknesses and vulnerabilities in the company’s network and sell confidential information to competitors or black-market bidders

Compromised Insider
An insider with access to critical assets of an organization who is compromised by an outside threat actor
Why are Insider Attacks Effective?
❑ Insider attacks are easy to launch
❑ Preventing insider attacks is difficult; an inside attacker can easily succeed
❑ Differentiating harmful actions from the employee’s regular work is very difficult
❑ If malicious activity is detected, the employee may refuse to accept responsibility and claim it was a mistake
❑ Employees can easily cover their tracks
❑ Can go undetected for years and remediation is very expensive


Identity Theft
❑ Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver’s license numbers, etc. to commit fraud or other crimes
❑ Attackers can use identity theft to impersonate employees of a target organization and physically access facilities


Identity Theft (Cont’d)
The attacker steals people’s identity for fraudulent purposes such as:
❑ To open new credit card accounts in the name of the user without paying the bills
❑ To open a new phone or wireless account in the user’s name
❑ To use the victims’ information to obtain utility services such as electricity, heating, or cable TV
❑ To open bank accounts with the intention of writing bogus checks using the victim’s information
❑ To clone an ATM or debit card to make electronic withdrawals from the victim’s accounts


Types of Identity Theft
01 Child identity theft
02 Criminal identity theft
03 Financial identity theft
04 Driver’s license identity theft
05 Insurance identity theft
06 Medical identity theft
07 Tax identity theft
08 Identity cloning and concealment
09 Synthetic identity theft
10 Social security identity theft




Social Engineering Countermeasures

Password Policies
✔ Periodic password changes
✔ Avoiding guessable passwords
✔ Account blocking after failed attempts
✔ Increasing length and complexity of passwords
✔ Improving secrecy of passwords

Physical Security Policies
✔ Identification of employees by issuing ID cards, uniforms, etc.
✔ Escorting visitors
✔ Restricting access to work areas
✔ Proper shredding of useless documents
✔ Employing security personnel

Defense Strategy
✔ Social engineering campaign
✔ Gap analysis
✔ Remediation strategies
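The password-policy items above are usually enforced in code at the login service. The following is an added example, not EC-Council's material or a real product's code, showing two of them: rejecting short, guessable or low-complexity passwords at enrolment, and blocking an account after repeated failed attempts. The thresholds (12 characters, 5 attempts, 15-minute lockout) and the small list of common passwords are assumptions chosen for illustration; the stored credential is a salted PBKDF2 hash so a leaked record does not reveal the password.

```python
"""Password policy enforcement: guessable-password rejection and
account lockout after failed attempts. Added example; thresholds and
word list are illustrative assumptions, not an EC-Council standard."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12            # assumed policy minimum
MAX_FAILURES = 5           # failed attempts allowed before lockout
LOCKOUT_SECONDS = 900      # 15-minute block
PBKDF2_ROUNDS = 100_000
# Tiny stand-in for a real breached-password list (constructed for the example).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome", "letmein"}


def password_problems(pw, username=""):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, password):
        problems = password_problems(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password, now=None):
        """Return 'ok', 'rejected' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            # While locked, do not even check the password: no oracle for guessing.
            return "locked"
        _, digest = hash_password(password, self.salt)
        if hmac.compare_digest(digest, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"


if __name__ == "__main__":
    print(password_problems("password1", "bob"))        # several violations
    acct = Account("bob", "Correct-Horse-Battery-9")
    print([acct.login("wrong", now=0) for _ in range(5)])  # four rejections, then locked
    print(acct.login("Correct-Horse-Battery-9", now=10))   # still locked
    print(acct.login("Correct-Horse-Battery-9", now=1000)) # ok after the lockout expires
```

Keeping the lockout check before the hash comparison means a locked account answers identically to a right and a wrong password, and the lock is time-based rather than permanent so a help-desk reset is not required for an honest user.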


Insider Threats Countermeasures
01 Separation and rotation of duties
02 Least privileges
03 Controlled access
04 Periodic risk assessment
05 Employee monitoring
06 Logging and auditing
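Three of these countermeasures (separation of duties, least privilege, logging and auditing) can be enforced together in an authorization layer. The following is an added example, not EC-Council's material, using a hypothetical payment-approval workflow with constructed users and roles: each user holds only the roles their job needs, the requester of a payment can never approve or release it even if they hold the approver role, and every decision, allowed or denied, lands in an append-only audit log that can be queried for repeated denied attempts.

```python
"""Separation of duties, least privilege and audit logging in a hypothetical
payment-approval workflow. Added example; users, roles and amounts are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Payment:
    payment_id: int
    requested_by: str
    amount: int
    approved_by: Optional[str] = None
    released: bool = False


class PaymentWorkflow:
    def __init__(self, roles):
        # roles: {username: set of role names}; grant only what the job needs.
        self.roles = roles
        self.payments = {}
        self.audit_log = []   # append-only record of every decision
        self._next_id = 1

    def _record(self, user, action, payment_id, outcome, reason=""):
        self.audit_log.append({"user": user, "action": action, "payment": payment_id,
                               "outcome": outcome, "reason": reason})
        return outcome == "allowed"

    def _has_role(self, user, role):
        return role in self.roles.get(user, set())

    def request(self, user, amount):
        """Create a payment request; returns its id, or None if denied."""
        pid = self._next_id
        if not self._has_role(user, "requester"):
            self._record(user, "request", pid, "denied", "missing role requester")
            return None
        self._next_id += 1
        self.payments[pid] = Payment(pid, user, amount)
        self._record(user, "request", pid, "allowed")
        return pid

    def approve(self, user, pid):
        p = self.payments.get(pid)
        if p is None:
            return self._record(user, "approve", pid, "denied", "no such payment")
        if not self._has_role(user, "approver"):
            return self._record(user, "approve", pid, "denied", "missing role approver")
        if user == p.requested_by:
            # Separation of duties: holding the approver role is not enough
            # when the same person raised the request.
            return self._record(user, "approve", pid, "denied", "requester cannot approve own payment")
        p.approved_by = user
        return self._record(user, "approve", pid, "allowed")

    def release(self, user, pid):
        p = self.payments.get(pid)
        if p is None or p.approved_by is None:
            return self._record(user, "release", pid, "denied", "not approved")
        if not self._has_role(user, "treasury"):
            return self._record(user, "release", pid, "denied", "missing role treasury")
        if user in (p.requested_by, p.approved_by):
            return self._record(user, "release", pid, "denied", "same person in two steps")
        p.released = True
        return self._record(user, "release", pid, "allowed")

    def denied_actions(self, user):
        """Audit query: a run of denials by one user is worth a reviewer's attention."""
        return [e for e in self.audit_log if e["user"] == user and e["outcome"] == "denied"]


if __name__ == "__main__":
    wf = PaymentWorkflow({"mallory": {"requester", "approver"},
                          "alice": {"approver"}, "trent": {"treasury"}})
    pid = wf.request("mallory", 5000)
    print(wf.approve("mallory", pid))   # False: cannot approve own request
    print(wf.approve("alice", pid))     # True
    print(wf.release("trent", pid))     # True
    print(wf.denied_actions("mallory"))
```

The audit log records denials as well as successes on purpose: a user who repeatedly tries to approve their own requests is exactly the pattern "employee monitoring" and "logging and auditing" are meant to surface.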


Identity Theft Countermeasures
❑ Secure or shred all documents containing your private information
❑ Ensure your name is not present in marketers’ hit lists
❑ Review your credit card statement regularly and store it securely, out of reach of others
❑ Never give any personal information over the phone
❑ Keep your mail secure by emptying the mailbox quickly


How to Detect Phishing Emails?
1 Appears to be from a bank, company, or social networking site, and has a generic greeting
2 Appears to be from a person listed in your email address book
3 Gives a sense of urgency or a veiled threat
4 May contain grammatical/spelling mistakes
5 Includes links to spoofed websites
6 May contain offers that seem to be too good to be true
7 Includes official-looking logos and other information taken from legitimate websites
8 May contain a malicious attachment
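Several of the indicators above can be checked mechanically from the message headers and body. The following is an added example, not EC-Council's material or any real mail filter, that scores a message against indicators 1, 2, 3, 5, 6 and 8 (logos and spelling mistakes are not judged from text here). The sample messages, the address book, the keyword lists and the weights are all constructed for the example; the phishing sample is modelled on the HMRC "tax refund" lure shown earlier in the module, with a link whose host merely begins with hmrc.gov.uk.

```python
"""Heuristic phishing-email scorer for the indicators listed in
"How to Detect Phishing Emails?". Added example; keyword lists, sample
messages and the address book are constructed for illustration."""
import re
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "account will be closed", "act now", "final notice")
TOO_GOOD_WORDS = ("refund", "prize", "you have won", "free gift", "lottery")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "hi,", "hello,")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude reduction of a host to its registrable domain (example.com, hmrc.gov.uk)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "gov", "ac", "org") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def parse_address(header):
    """Split 'Display Name <user@host>' (or a bare address) into (name, address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def score_email(msg, address_book):
    """msg: dict with 'from', 'subject', 'body' (may hold HTML anchors) and
    'attachments'. address_book: {display name: address}. Returns (score, findings)."""
    findings = []
    name, addr = parse_address(msg["from"])
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1])
    text = (msg["subject"] + "\n" + msg["body"]).lower()

    # Indicator 1: a generic greeting where a real bank or colleague would use your name
    opening = msg["body"].strip().lower().splitlines()[:2]
    if any(line.startswith(g) for line in opening for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # Indicator 2: display name matches a known contact but the address does not
    known = address_book.get(name)
    if known and known.lower() != addr:
        findings.append(f"display name '{name}' is known but address {addr} differs from {known}")
    # Indicator 3: urgency or veiled threat
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency or threat language")
    # Indicator 6: offer that seems too good to be true
    if any(w in text for w in TOO_GOOD_WORDS):
        findings.append("offer that seems too good to be true")
    # Indicator 5: link destinations that do not belong to the sender's domain,
    # or visible link text naming a different host than the real href
    for href, anchor_text in ANCHOR_RE.findall(msg["body"]):
        target = urlparse(href).hostname or ""
        if target and registered_domain(target) != sender_domain:
            findings.append(f"link to {target} does not match sender domain {sender_domain}")
        shown = urlparse(anchor_text.strip()).hostname if "://" in anchor_text else None
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
    # Indicator 8: attachment types commonly used to carry malware
    for fname in msg.get("attachments", []):
        if fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
    return len(findings), findings


def is_suspicious(msg, address_book, threshold=2):
    """Two or more independent indicators is the (assumed) bar for flagging a message."""
    return score_email(msg, address_book)[0] >= threshold


# Constructed samples: a lure modelled on the HMRC refund email, and a normal message.
SAMPLE_PHISH = {
    "from": "HM Revenue & Customs <refund@hmrc-refund.example.com>",
    "subject": "Tax Refund Notice !",
    "body": ("Hi,\n"
             "After the last annual calculations of your fiscal activity, we have\n"
             "determined that you are eligible to receive a tax refund of $800.\n"
             'Please click <a href="http://hmrc.gov.uk.refund-portal.example.net/start">Get Started</a>\n'
             "within 24 hours or the refund will be cancelled.\n"),
    "attachments": [],
}
SAMPLE_LEGIT = {
    "from": "Alice Example <alice@corp.example.com>",
    "subject": "Minutes from Tuesday",
    "body": 'Hi Bob,\nMinutes attached, see <a href="https://wiki.corp.example.com/minutes">the wiki</a>.\n',
    "attachments": ["minutes.pdf"],
}
ADDRESS_BOOK = {"Alice Example": "alice@corp.example.com"}

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        score, findings = score_email(sample, ADDRESS_BOOK)
        print(sample["subject"], score, findings)
```

The domain comparison is deliberately done on the registrable domain rather than the full host, which is what catches the constructed lure: its link host starts with hmrc.gov.uk but registers under example.net, and that is the kind of visual mismatch a user scanning the status bar will miss.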


Anti-Phishing Tools

Netcraft Toolbar
❑ The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks
https://www.netcraft.com

PhishTank
❑ PhishTank is a collaborative clearing house for data and information about phishing on the Internet
❑ It provides an open API for developers and researchers to integrate anti-phishing data into their apps
https://www.phishtank.com


Social Engineering Tools: Social Engineering Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering
https://www.trustedsec.com

Other social engineering tools:
SpeedPhish Framework (SPF)
https://github.com

Gophish
https://getgophish.com

King Phisher
https://github.com

LUCY
https://www.lucysecurity.com

MSI Simple Phish
https://microsolved.com


Audit Organization's Security for Phishing Attacks using OhPhish
❑ OhPhish is a web-based portal to test employees’ susceptibility to social engineering attacks
❑ OhPhish is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees
https://ohphish.eccouncil.org


Module Summary
❑ This module discussed social engineering concepts along with various phases of a social engineering attack
❑ It also discussed various human-based, computer-based, and mobile-based social engineering techniques
❑ The module discussed insider threats, including the various types of insider threats
❑ It also discussed identity theft and the types of identity theft
❑ The module ended with a detailed discussion of countermeasures to employ in order to defend against social engineering attacks, insider threats, and identity theft
❑ In the next module, we will discuss in detail various network-level attacks and countermeasures