SOCIAL ENGINEERING
PATCH BUGS != PATCH HUMANS
Abdelhamid Limami
IT Security Consultant @ ITDefence
OVERVIEW
• WHAT’S SOCIAL ENGINEERING ?
• WHY YOU SHOULD BE CONCERNED ?
• IMPACT OF SOCIAL ENGINEERING
• INFORMATION GATHERING
• SOCIAL ENGINEERING ATTACKS
• DEMO
• HOW TO PREVENT IT
WHAT IS SOCIAL ENGINEERING ?
• IN THE CONTEXT OF INFORMATION SECURITY, SOCIAL ENGINEERING REFERS TO THE PSYCHOLOGICAL
MANIPULATION OF PEOPLE INTO PERFORMING ACTIONS OR DIVULGING CONFIDENTIAL INFORMATION.
IT IS A TYPE OF CONFIDENCE TRICK FOR THE PURPOSE OF INFORMATION GATHERING, FRAUD, OR
SYSTEM ACCESS; IT DIFFERS FROM A TRADITIONAL "CON" IN THAT IT IS OFTEN ONE OF MANY
STEPS IN A MORE COMPLEX FRAUD SCHEME.
• SOCIAL ENGINEERING IS THE EXPLOITATION OF HUMAN BEHAVIOR AND TRUST.
SIMPLY… HACKING THE MIND
WHY YOU SHOULD BE CONCERNED ?
• CURRENTLY, THE MARKET HAS A WIDE RANGE OF SYSTEMS, PRODUCTS AND SERVICES
FOCUSED ON COMPUTER SECURITY: ANTIVIRUS, ANTISPYWARE, FIREWALLS, IPS, WAF,
SIEM SYSTEMS, ETC.
• BUT WHAT ABOUT HUMANS?
• PEOPLE ARE VULNERABLE
• PEOPLE ARE NORMALLY "THE WEAK LINK IN THE CHAIN".
• WITH MANY COMPANIES INVESTING HEAVILY IN SECURITY TECHNOLOGIES, IT IS OFTEN
EASIER FOR AN ATTACKER TO EXPLOIT PEOPLE THAN TO HACK INTO COMPUTER NETWORKS
AND SYSTEMS → THIS MAKES YOU A TARGET
• "BECAUSE THERE'S NO PATCH FOR HUMAN STUPIDITY"
IMPACT OF SOCIAL ENGINEERING
• FINANCIAL LOSS
• DATA LEAK
• REPUTATION IMAGE (COMPANY AND/OR PERSON)
• MANAGEMENT TIME
• LOSS OF PUBLIC TRUST
• LOSS OF NEW OR EXISTING CUSTOMERS
• LOSS OF COMPANY MORALE
• INCREASED AUDIT COSTS
INFORMATION GATHERING
COMPANY WEBSITE:
• COMPANY BACKGROUND
• EXECUTIVE NAMES AND BIOGRAPHIES
• EMAIL ENUMERATION
• COMPANY ADDRESSES & PHONE NUMBERS
• OPEN JOB REQUISITIONS
JOB POSTING WEBSITES:
• RESUMES CONTAIN MOST OF THE INFORMATION NEEDED FOR THE ATTACK.
SOCIAL NETWORKS:
• FACEBOOK / MYSPACE MAY ALSO PROVIDE PERSONAL INFORMATION THAT LEADS TO PROBABLE PASSWORDS OR ANSWERS
TO SECURITY QUESTIONS.
• LINKEDIN.COM IS A POPULAR PROFESSIONAL SOCIAL NETWORKING SITE
• USEFUL FOR OBTAINING A LIST OF CURRENT EMPLOYEES
• USEFUL FOR IDENTIFYING WHICH EMPLOYEES LIKELY KNOW EACH OTHER
• USEFUL FOR IDENTIFYING THE ORGANIZATIONAL HIERARCHY
SOCIAL ENGINEERING ATTACKS
SE ATTACKS - PHISHING
• BY FAR THE MOST COMMON MEANS OF SOCIAL ENGINEERING ATTACK. IT IS
RELATIVELY EASY TO SEND A FORGED EMAIL TO A LARGE NUMBER OF RECIPIENTS,
AND THE ATTACKER DOESN'T HAVE TO COME INTO DIRECT CONTACT WITH THEIR
TARGETS.
• EXAMPLE :
SE ATTACKS - VISHING
• IT IS EASY FOR AN ATTACKER TO PRETEND THEY ARE CALLING OR SENDING TEXT
MESSAGES FROM AN OFFICIAL SOURCE. THERE ARE SMARTPHONE APPLICATIONS THAT
ALLOW AN ATTACKER TO ENTER ANY CALLER ID, WHICH IN TURN APPEARS ON THE
DISPLAY OF THE RECIPIENT'S DEVICE.
• EXAMPLE : SPOOFCARD
• ADVANTAGES :
• MORE TIME CONSUMING THAN EMAIL.
• REAL-TIME COMMUNICATION WITH THE TARGET
• DISADVANTAGES:
• THE ATTACKER MUST REACT QUICKLY TO THE TARGET'S DIFFERENT ANSWERS.
• SOCIAL ENGINEERS CAN EMPLOY INTERACTIVE VOICE RESPONSE SYSTEMS AND SEND
EMAILS ASKING YOU TO CALL THE LISTED NUMBER. IN DOING SO, ATTACKERS CAN
PRETEND TO BE YOUR BANK AND ASK YOU TO ENTER YOUR PERSONAL AND BANK
ACCOUNT DETAILS FOR "VERIFICATION PURPOSES".
SE ATTACKS – USB STICKS
• ATTACKERS CAREFULLY PLANT CHEAP USB STICKS WHERE TARGETED USERS CAN FIND
THEM, E.G., KITCHEN, REST ROOMS, MEETING ROOMS, PARKING, BATHROOM, ENTRANCE
DOOR, FRONT DESK, ETC.
• THESE USB STICKS ARE LOADED WITH MALICIOUS SOFTWARE (E.G., VIRUSES,
KEYLOGGERS, TROJANS, RANSOMWARE)
• DLL INJECTION INTO THE BROWSER IS ONE WAY TO EXFILTRATE DATA.
• ONCE THE BAIT IS TAKEN, THE ATTACKER CAN GAIN CONTROL OF YOUR COMPUTER, INFECT IT,
OR ENCRYPT IT AND HOLD YOUR DATA HOSTAGE FOR RANSOM, AND OF COURSE, IF THE
COMPUTER IS CONNECTED TO A NETWORK, DO THE SAME WITH OTHER COMPUTERS AND
ALSO SERVERS (RANSOMWARE / CRYPTOLOCKER)
• ATTACKERS CAN ALSO USE HACKING HARDWARE SUCH AS USB KEYLOGGERS / RUBBER
DUCKY.
SE ATTACKS - FREEBIES
• THIS ALSO USES GREED AND CURIOSITY AS THE DRIVER AND IS OFTEN FOUND ON
PEER-TO-PEER (P2P) SITES AND WEBSITES OFFERING ILLEGAL CONTENT, E.G., MOVIES, MUSIC,
SOFTWARE. THE ATTACKER OFFERS SOMETHING THE USER WANTS, INCLUDES MALICIOUS
CODE IN THE OFFER, AND THEN WAITS FOR THE USERS TO DOWNLOAD AND RUN THIS
CODE.
• EXAMPLE :
• TARGET TAKES ADVANTAGE OF THE COMPANY'S HIGH-SPEED INTERNET TO DOWNLOAD THE LATEST MOVIES
• ATTACKER INJECTS MALICIOUS WINDOWS POP-UP CODE INTO A FILE AND UPLOADS IT TO A
P2P WEBSITE
• TARGET DOWNLOADS THE FILE AND GETS INFECTED
• A WINDOWS POP-UP APPEARS AND ASKS THE USER FOR CREDENTIALS
• CREDENTIALS ARE SENT TO THE ATTACKER
SE ATTACKS – PHYSICAL IMPERSONATION
• IMPERSONATORS ARE CRAFTY AND CREATIVE AND CAN CLAIM THEY'RE COMING TO DO MAINTENANCE,
CHECK ALARMS OR SMOKE DETECTORS, OR DOCUMENT FIRE HAZARDS; THEY CAN CARRY A BOX PRETENDING
THEY ARE DELIVERING SOMETHING (RATHER THAN STEALING), OR DELIVER FOOD.
• A COMMON TRICK IS TO MAKE YOU BELIEVE THEY HAVE A MEETING WITH SOMEONE WORKING FOR THE
SAME COMPANY AND, AS THEY ARE LATE, HAVE CALLED AHEAD TO LET THEM KNOW THEY HAVE ARRIVED,
TO FOOL YOU INTO THINKING THERE IS NO NEED TO CHECK THE IDENTITY OF THIS PERSON. THE
POSSIBILITIES ARE LIMITED ONLY BY THE ATTACKER'S CREATIVITY.
• E.G.:
• PEOPLE ARE LESS SURPRISED THAT THEY DO NOT KNOW WHO YOU ARE
• ANNOUNCING YOU HAVE ARRIVED EARLY ALLOWS YOU TO WATCH THE PROCESSES FOR BADGING IN,
FORGOTTEN BADGES, AND PINS
• MAY ALLOW YOU ACCESS TO OTHER AREAS OF THE BUILDING IF YOU ASK FOR THE BATHROOM OR BREAK
ROOM
DUMPSTER DIVING / TRASH
• PEOPLE HAVE A TENDENCY TO THROW THINGS INTO THEIR OFFICE TRASH BIN RATHER THAN
THE SECURED BINS WHERE THEY WILL BE SHREDDED.
• INFORMATION FOUND CAN INCLUDE:
IT ACCOUNT INFORMATION:
• USERNAMES, PASSWORDS
PERSONALLY IDENTIFIABLE INFORMATION (PII):
• NAMES, ID CARDS, ACCOUNT NUMBERS
SENSITIVE COMPANY INFORMATION:
• INTELLECTUAL PROPERTY, EARNINGS STATEMENTS, INTERNAL COMPANY EMAILS,
CUSTOMER INFORMATION
DEMO / REAL EXAMPLES
LET ME TELL YOU A STORY
DEMO : VISHING ATTACK
• WATCH
DEMO 2 : VISHING & BROWSER/JAVA EXPLOIT
• WATCH
HOW TO PREVENT SE ATTACKS ?
• YOU CAN ONLY PREVENT ATTACKS AGAINST YOU!
• NEVER GIVE OUT ANY CONFIDENTIAL INFORMATION.
• ALWAYS VERIFY THE SENDER OR THE CALLER BEFORE GIVING OUT ANY SENSITIVE
INFORMATION.
• IF SOMEONE SPOOFS YOU, SAYING THEY'RE YOUR BANK OR SUPPORT TEAM, YOU HAD BETTER CALL BACK.
• SOME POOR SYSTEMS CAN BE BYPASSED WITH THE INFO FOUND ON A PACKAGE DELIVERY RECEIPT
• USE DIFFERENT PASSWORDS & MAKE USE OF 2-STEP AUTHENTICATION
• DON'T PUT PUBLIC INFO IN SECURITY QUESTIONS
• IF SOMEONE PRETENDS TO BE YOU, JUST PRAY (THAT'S NOT ON YOU)
• THIS WILL ONLY MINIMIZE THE DAMAGE AND KEEP YOU AT PEACE, BUT TRULY THERE'S NO OBVIOUS
PATCH FOR SE. EVEN HACKERS GOT PWNED!
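The "verify the sender" advice above can be partly automated on the mail-gateway side. The following is an added example, not code from the slides or from the presenter; it parses a raw message, reads the Authentication-Results header (SPF/DKIM/DMARC verdicts), and flags the common forgery tells the deck describes: a display name that carries a different address than the real From, a Reply-To or Return-Path on another domain, and a From domain that is a one-character lookalike of a trusted domain. Both sample messages and the trusted-domain set are constructed for this example.

```python
"""Header-based phishing checks for an incoming email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a forged "bank" message using a lookalike domain (examp1e.com).
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@mail-examp1e.com>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: "Example Bank <security@example.com>" <alerts@examp1e.com>
Reply-To: verify@mail-examp1e.com
To: victim@example.org
Subject: Urgent: verify your account

Please call the number below and enter your account details for verification purposes.
"""

# Constructed sample: a legitimate message from the trusted domain.
LEGIT_EMAIL = """\
Return-Path: <noreply@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Bank" <noreply@example.com>
To: customer@example.org
Subject: Your monthly statement is available

Log in through your usual bookmark to view the statement.
"""

# Assumed set of domains the organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example.com"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw: str, trusted_domains: set) -> list:
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. SPF / DKIM / DMARC verdicts recorded by the receiving MTA.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is '{m.group(1)}'")

    # 2. Display name smuggles an address whose domain differs from the real From.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name shows {m.group(1)} but From is {from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From")

    # 4. Bounce address (envelope sender) on a different domain than From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From")

    # 5. From domain is not trusted but is within two edits of a trusted one.
    if from_domain and from_domain not in trusted_domains:
        for trusted in trusted_domains:
            if _edit_distance(from_domain, trusted) <= 2:
                findings.append(f"{from_domain} is a lookalike of trusted domain {trusted}")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_headers(sample, TRUSTED_DOMAINS))
```

On the constructed forged message every check fires (seven findings); the legitimate one produces none. The lookalike test is deliberately crude: in production the comparison is normally run against the registrable domain only, and a finding here is a reason to quarantine and let a human verify the sender out of band, exactly as the slide recommends.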
THANK YOU !
