CSCD 303 Essential Computer Security, Fall 2018
Lecture 8 - Social Engineering
General Social Engineering Techniques, Scams, Tools
Reading: Chapter 6, some links at end
Overview
• Social Engineering Revisited
• How is Social Engineering Accomplished
• Different methods of Social Engineering
• Prevention of Social Engineering
• Scams
  • Different ones
  • How to guard against them
Kevin Mitnick, Famous Social Engineer Hacker
• Went to prison for hacking
• Became ethical hacker
"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."
Kevin Mitnick - Art of Deception
Kevin's First Book: http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X
• "People inherently want to be helpful and therefore are easily duped"
• "They assume a level of trust in order to avoid conflict"
• "It's all about gaining access to information that people think is innocuous when it isn't"
• Social engineering cannot be blocked by technology alone (Do you agree with that statement?)
Other Books on Social Engineering
• Kevin Mitnick's newest book, Art of Invisibility: https://www.amazon.com/Art-Invisibility-Worlds-Teaches-Brother-ebook/dp/B01GZY28CW
• Christopher Hadnagy, Social Engineering, the Art of Human Hacking: https://www.amazon.com/
• Website: https://www.social-engineer.com/
• He has a free newsletter on Social Engineering
Target And Attack
• Basic goals of social engineering are the same as hacking in general:
• To gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt a system or network
• Targets include telephone companies and answering services, big-name corporations and financial institutions, military / government agencies, and hospitals
An Example
• One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network
• How did they do it?
• By obtaining small amounts of access, bit by bit, from a number of different employees
• First, they researched the company for two days before attempting to set foot on the premises
And so on…
• Series of Steps
• They learned key employees' names by calling HR
• Next, they pretended to lose their key to the front door, and a man let them in
• Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them
And so on…
• They knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer
• They dug through the corporate trash, finding all kinds of useful documents
• They asked the janitor for a garbage pail in which to place their contents and carried all of this data out of the building
• They studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password
• From there, they used regular technical hacking tools to gain super-user access into the system
Social Engineering Techniques
Social engineers are known to use non-technical tactics to gather information
• Dumpster Diving
• Baiting
• Pretexting
• Diversion Theft
Social Engineering Techniques: Dumpster Diving
What are they looking for? Anything that might be valuable to cyber criminals, or could be used for blackmail or sale:
• Research secrets
• Project schedules
• Collaborator lists
• Financial, legal, and licensing information
• Personal employee and system information
Dumpster Diving
https://www.social-engineer.org/framework/information-gathering/dumpster-diving/
• Many original dumpster divers were individuals who were into phone phreaking
• They were interested in information about telephone companies such as AT&T and in learning the structure and operation of their phone systems
• Many people simply throw away billing or banking statements that often reveal confidential information such as account and social security identification numbers
Dumpster Diving: Preventing Dumpster Diving
• Best way to prevent anyone from seeing your 'private trash' is to shred it
• Paper shredders are inexpensive devices that help eliminate or destroy those important documents that have found their way into the trashcan
• Corporate policy needs to set guidelines for proper handling and disposal of sensitive documents
• Physical security – Lock up the trash area!!!
http://social-engineer.org/wiki/archives/DumpsterDiving/CrimeandClues_dumpster_diving.htm
Baiting
• Real world Trojan horse
• Uses physical media
• Relies on greed/curiosity of victim
• Attacker leaves a malware-infected CD or USB drive in a location sure to be found
• Attacker puts a legitimate-looking or curious label on it to gain interest
• Ex: "Company Earnings 2009" left at the company elevator
• Curious employee / Good Samaritan
• User inserts media and unknowingly installs malware
Social Engineering Example Two
• Monday morning, 6am
• Alarm is telling you it's time to start a new work week
• On the way to work you're thinking of all you need to accomplish this week
• Then, on top of that, there's the recent merger between your company and a competitor
• One of your associates told you, "you better be on your toes because rumors of layoffs are floating around"
Social Engineering
• You arrive at the office and stop by the restroom to make sure you look your best
• You begin to head to your cube when you notice, sitting on the back of the sink, a CD-ROM
• Someone must have left this behind by accident
• You pick it up and notice there is a label on it
• Label reads "2005 Financials & Layoff's"
• You get a sinking feeling in your stomach and hurry to your desk
• It looks like your associate has good reason for concern, and you're about to find out for yourself
And so
• The Game Is In Play: People Are the Easiest Target
• You insert the CD-ROM
• You find several files on the CD, including a spreadsheet which you open
• Spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain"
• You search for your name but can't find it. In fact, many of the names don't seem familiar. You think, "Why would they? This is a pretty large company; you don't know everyone." Since your name is not listed you feel a bit of relief
• It's time to turn this over to your boss. Your boss thanks you and you head back to your desk
Bingo - Gotcha
• The spreadsheet you opened was not the only thing executing on your computer
• The moment you opened that file you caused a script to execute which installed a few files on your computer
• Those files were designed to call home and make a connection to servers over the Internet
• Once the connection was made, software on the server responded by pushing (or downloading) several software tools to your computer
• Tools designed to give the hacker complete control of your computer
• Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there
Pretexting
• Act of creating and using an invented situation in order to convince a target to release information or grant access to sensitive materials
• This type of attack is usually implemented over the phone and can be used to obtain customer information, phone records, and banking records; it is also used by private investigators
Pretexting continued
• Hacker will disguise their identity in order to ask a series of questions intended to get the information he/she wants from their target
• By answering these questions the victim will unknowingly provide the attacker with the information the hacker needs to carry out their attack
Pretexting via Phone
• A hacker will call someone up, imitate a person of authority, and slowly retrieve information from them
• Help Desks are highly vulnerable to this type of attack
Help Desks are Gold Mines
• Their main purpose is to help, putting them at a disadvantage against an attacker
• People employed at the help desk usually are being paid next to nothing, giving them little incentive to do anything but answer questions and move on to the next phone call
• So how do you protect yourself?
Protecting Against These Attacks
• Attacks can take two different approaches: Physical and Psychological
• Physical aspect: Workplace, over the phone, dumpster diving, and on-line
• Psychological aspect: Persuasion, impersonation, ingratiation, conformity, and friendliness
How To Defend Against the Physical
• Check and verify all personnel entering the establishment
• More important files should be locked up
• Shred all important papers before disposing of them
• Erase all magnetic media (hard drives, disks)
• All machines on the network should be well protected by passwords
• Lock and store dumpsters in secure areas
Security Policies and Training!!!
• Corporations make the mistake of only protecting themselves from the physical aspect, leaving them helpless against the psychological attacks hackers commonly use
• Policy relieves the worker of the responsibility to make a judgment call on a hacker's request
• Policy should address aspects of access control and password changes and protection
• Locks, IDs, and shredders are important and should be required for all employees
Security Policies and Training!!!
• Training – Not Just Once !!!
• All employees should attend an annual refresher course including Social Engineering
• Also send email reminders:
  • How to spot an attacker
  • Methods to prevent them from falling victim
What to do Personally
• DO NOT DISCLOSE ANY PERSONAL INFORMATION UNLESS THE PERSON AND/OR SITE IS TRUSTED
• Don't fall prey to get-rich-quick schemes
• Update your security software regularly
• Have a strong password and change it regularly
• Try not to use the same password for all your accounts
• Shred your important papers before throwing them out
Social Engineering Clips
Live Action: http://www.youtube.com/watch?v=8TJ4XOvY7II&feature=related
Lottery Sweepstakes Scams
• These may come through mail notification, or you could possibly receive an e-mail advising that you've won a lottery sweepstakes
• If you don't participate in any type of lottery, you need to question why you would receive any type of notification
• This scam will try a variety of ways to get your money; they tend to charge an application or processing fee
• The following is a recent example …
Lottery Sweepstakes Scams
This looks official; however, it asks the receiver to send them $5, along with a claim form, to obtain their winnings
Lottery Sweepstakes Scams
• Another example of a sweepstakes scam advising you've won $215,000 and they've sent a portion of your winnings to help pay taxes
• Check amount was for $4875 and they want you to wire $3795 back to them
Online Auction Scams
The following are some of the more common online auction scams to be aware of:
• Overpayment Fraud (targets the seller)
• A seller advertises a high-value item, like a car or a computer, on the Internet
• A scammer contacts the seller to purchase the item, then sends the seller a counterfeit check or money order for an amount greater than the price of the item
• The purchaser asks the seller to deposit the payment, deduct the actual sale price, and then return the difference to the purchaser
Online Auction Scams
• Wire transfer schemes start with fraudulent and misleading ads for the sale of high-value items posted on well-known online auction sites. When buyers take the bait, they are directed to wire money to the crooks using a money transfer company. Once the money changes hands, the buyer never hears from them again
• Second-chance schemes involve scammers who offer losing bidders of legitimate auctions the opportunity to buy the item(s) they wanted at reduced prices. They usually require that victims send payment through money transfer companies, but then don't follow through on delivery
Source: FBI and IC3 online data, http://www.fbi.gov/page2/june09/auctionfraud_063009.html
Nigerian Scams
• Alive and Well: typed "Nigerian Scams" into Google, 39,000,000 hits (2018)
• Scammer may contact you by email, letter, text message or social networking message
• They will offer you a large sum of money to help them transfer their personal fortune out of their country
• Scammers may ask for your bank account details to 'help them transfer the money' and use this information to later steal your funds
• Current website with example: https://www.scamwatch.gov.au/types-of-scams/unexpected-money/nigerian-scams
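The lottery, overpayment and Nigerian scams on the preceding slides share a handful of written tells: an unsolicited "you have won", a fee to be paid before the "winnings" arrive, a request to wire money or to return the "difference" on a check, or a plea for help moving a fortune. The Python script below is an added example, not part of the lecture or of any vendor's product: it encodes those tells as heuristic rules and scores a message, the kind of check an awareness tool or mail filter would run. The rule patterns and the sample messages are constructed for illustration.

```python
import re

# Constructed heuristic rules: id -> (regex, explanation). They encode the
# red flags the lecture lists; they are not a vendor rule set.
RULES = {
    "unsolicited_win": (
        r"\b(?:you(?:'ve| have) won|winner|sweepstakes|lottery)\b",
        "claims you won a lottery/sweepstakes you never entered",
    ),
    "fee_requested": (
        r"\b(?:processing|application|handling|claim) fee\b",
        "asks for a fee before releasing 'winnings' (advance fee)",
    ),
    "wire_transfer": (
        r"\b(?:wire|western union|moneygram|money transfer)\b",
        "wants payment by wire/money transfer, which cannot be reversed",
    ),
    "fortune_transfer": (
        r"\b(?:transfer|move)\b.{0,40}\b(?:fortune|inheritance|funds)\b",
        "asks for help moving a fortune out of a country (419 scam)",
    ),
    "bank_details": (
        r"\bbank (?:account )?details\b|\baccount number\b",
        "asks for your bank account details",
    ),
    "overpayment": (
        r"\b(?:return|refund|send|wire) (?:the )?(?:difference|balance|excess|rest)\b",
        "asks you to return part of a payment (overpayment fraud)",
    ),
}

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")


def extract_amounts(text):
    """Return the distinct dollar amounts mentioned in the text, ascending."""
    return sorted({float(m.replace(",", "")) for m in AMOUNT_RE.findall(text)})


def assess(text):
    """Score one message: which rules fire, amounts seen, and a verdict."""
    hits = [rid for rid, (pat, _) in RULES.items()
            if re.search(pat, text, re.I | re.S)]
    amounts = extract_amounts(text)
    notes = [RULES[rid][1] for rid in hits]
    # Classic overpayment shape: several amounts plus a request to send part back.
    if "overpayment" in hits and len(amounts) > 1:
        notes.append(f"payment of ${amounts[-1]:,.0f} exceeds the "
                     f"${amounts[0]:,.0f} mentioned as the price")
    if len(hits) >= 2:
        verdict = "likely scam"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"hits": hits, "amounts": amounts, "verdict": verdict, "notes": notes}


# Constructed sample messages modelled on the slides (not real mail).
LOTTERY = ("Congratulations! You have won $215,000 in the International Email "
           "Sweepstakes. To claim your prize, return the attached claim form "
           "with a $5 processing fee.")
NIGERIAN = ("Dear friend, I am the widow of a late minister. I need a trustworthy "
            "partner to help me transfer my late husband's fortune of $18.5 million "
            "out of the country. Kindly send your bank account details so the funds "
            "can be moved.")
OVERPAY = ("I will buy your laptop for the $600 asking price. My shipper will send "
           "a cashier's check for $2,100; please deposit it, keep $600, and wire the "
           "difference back to the shipper via Western Union.")
BENIGN = ("Hi, following up on the invoice for last month's consulting work. The "
          "$600 balance is due on the 30th; let me know if you need the PDF resent.")

if __name__ == "__main__":
    for name, msg in [("lottery", LOTTERY), ("419", NIGERIAN),
                      ("overpayment", OVERPAY), ("benign", BENIGN)]:
        report = assess(msg)
        print(f"{name:12s} {report['verdict']:14s} {report['hits']}")
        for note in report["notes"]:
            print(f"{'':12s} - {note}")
```

Each rule fires at most once per message, so the verdict counts distinct tells rather than repeated words; a mail that mentions "wire" in a legitimate invoice scores as merely suspicious, while the overpayment sample trips both the wire rule and the return-the-difference rule. The amount check is deliberately crude: it only notes that the largest figure exceeds the smallest when an overpayment pattern is already present.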
Romance Scams
• Online Romance Scams: https://www.huffingtonpost.com/entry/romance-scams-online-fbi-facebook_us_59414c67e4b0d318548666f9
• Steal from lonely, vulnerable people
• In the US, romance scams account for the highest financial losses of Internet crimes, according to the FBI
• Losses exceeded $230,000, likely an underestimate
• Example: Woman scammed by a Nigerian man who noted she was Christian on Facebook. She ended up sending money for various purposes to a man she never met, totaling $2 million
Romance Scams
• Online Romance Scams
• Statistics say – 82% are women
• Global victims – Germany, USA, Australia, China, New Zealand
• Fake profiles – online dating sites, social media sites
• What to do? One site shows fake profiles of scammers: Scam Haters United, http://scamhatersutd.blogspot.com/
• Also 419 Eater, Scam Baiters: http://www.419eater.com/
(Slide image: three fake profiles, all using the picture of a singer in England)
Some of the top Craigslist frauds/scams:
• Craigslist Car Scams
• Craigslist Apartment Rental Scams
• Craigslist Ticket Scams
• Craigslist Job Scams
• Craigslist Escrow Service Scams
References:
http://www.fraudguides.com/craigslist-car-scams.asp
http://www.fraudguides.com/craigslist-apartment-rental-scams.asp
http://www.fraudguides.com/craigslist-ticket-scams.asp
http://www.fraudguides.com/craigslist-escrow-service-scams.asp
http://wegolook.com
Craigslist Car Scams
• Buying and selling cars on Craigslist can be a huge money-saver for both buyer and seller
• Because of this, the Auto category in Craigslist's For Sale section is very active, especially in urban areas
• Fraudulent postings are common nowadays on Craigslist
• Stolen checks, counterfeit checks and bounced checks are costing people their money, their cars or both
Craigslist Apartment Rental Scams
• Apartment rental scams on Craigslist are targeted at people looking for a deal and a new home
• Typically, the scam/fraud starts when a fraudster pretending to be the owner of the property posts a great deal on an apartment and a person responds
• They ask you to make a deposit and to send some personal information via email, and then disappear
Craigslist Ticket Scams
• Craigslist is a great place to sell tickets to sought-after concerts, sports events, shows, festivals, fairs or even airline tickets
• You need to be very careful when purchasing tickets through Craigslist, as these tickets could be stolen or counterfeit, or they could be priced far beyond their actual value
• The tickets may even have been used at a previous, similar event
WeGoLook™ Services for Craigslist Buyers
WeGoLook™ helps you buy with confidence.
• WeGoLook™ will send a WeGoLooker™ to look at the item for you.
• Your WeGoLooker™ will confirm the existence and location of the item.
• Takes a few digital pictures and gathers some basic information about the item (brand, model number, serial number, manufacturer, VIN number, etc.)
• With our Preferred WeGoLook™ report, your WeGoLooker™ can even ask the seller to demonstrate that the item is in basic working order
• With the Custom WeGoLook™ report, we can guarantee that the item you purchase is delivered to the shipper.
http://wegolook.com
Where To Go For Help
If you are a victim of an online scam, you can file a formal complaint with the Internet Crime Complaint Center (IC3), run by the FBI. Their contact information is as follows:
http://www.ic3.gov/complaint/default.aspx
Check out Hoax-Slayer
• Check out this great website of all the hoaxes on the Internet
• Fun hoaxes
• Virus Hoaxes
• Giveaway Hoaxes
• Charity Hoaxes
• Bogus Warnings
• Email Petitions
• Chain Letters and many others ...
http://www.hoax-slayer.com/
Summary
• Social Engineering can be as devastating as, or more devastating than, a technical cyber attack
• No good way to "patch" humans
• Best defenses:
  • Training
  • Good security policies for handling information
  • Ongoing incentives for employees to stay vigilant
• Scams are everywhere on the Internet
• No good way to get rich quick
• Be suspicious and do your homework when buying over the Internet
• Try not to give personal information unless absolutely necessary
The End
Next Time: Malware
Next Assignment is on Social Engineering