
The art of deceiving humans a.k.a social engineering


The most used attack vector by hackers: Social engineering

Published in: Technology

The art of deceiving humans a.k.a social engineering

  1. The art of deceiving humans a.k.a Social Engineering
     Suraj Khetani, Regional Associate Security Consultant, Gulf Business Machines
  2. #uname -a
     • Security Consultant – 3.5 years experience
     • Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA
     • 3rd place at the Social Engineering CTF at Nullcon 2017
     • Discovered 12 0-days in Oracle E-Business Suite
     • Article: “How I used google dorks to find 0 days”
     Hobbies
     • Learner/Researcher
     • Current research interests: deserialization vulnerabilities, IoT, electronic security
     • Former hip-hop dance instructor
     • Fitness enthusiast and cricket lover; played for UAE under-14
  3. Topics
     • Social engineering and its different types
     • Open Source Intelligence gathering (OSINT) and how it can be used in social engineering
     • Live demo - OSINT
     • Case study - Phishing assessment
     • Live demo - Creating a phishing page
     • Live demo - Creating a malicious Microsoft Office document
     • Defenses
  4. What is Social Engineering
     “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access” – Source: Wikipedia
  5. Requirements for Social Engineering
     • Information about the person or the organization being targeted, used to build what is called a pretext
     • OSINT
     • Pretext
  6. What is OSINT
     • Open Source Intelligence (OSINT) – data that can be collected from publicly available sources.
     • Media: newspapers, magazines, radio, television, and computer-based information.
     • Web-based communities and user-generated content: social-networking sites, video sharing sites, wikis, blogs, and folksonomies.
     • Public data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards.
  7. Pretext
     • An invented or fabricated scenario that uses the gathered information to target users in the various forms of social engineering attacks.
  8. Different types
     • Phishing
     • Baiting - uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations where people will find them (bathrooms, elevators, sidewalks, parking lots, etc.)
     • Vishing - the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft.
     • Tailgating - An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card,
  9. OSINT tools
     • Google Hacking Database (GHDB) – used to find exploitable targets and potentially sensitive data using the Google search engine
     • PassiveRecon – Firefox add-on to automate Google hacking and perform DNS recon
     • Dnsdumpster – enumerating/mapping subdomains and gathering IPs
     • FOCA – metadata analyzer
     • Datasploit – uses various search engine APIs to gather information
     • Shodan – search engine for Internet-connected devices
  10. Live Demo - OSINT
  11. Case Study – Phishing Assessment
  12. Requirements
     • Pretext
     • Users' email addresses
     • Portal to be phished
     • Phishing domain and hosting website
     • Email signatures
     • Font and color of the email
     • Non-assertive, non-compelling email with no grammatical mistakes
  13. Phishing page
  14. Phishing mail
  15. Creating a phishing page which logs user credentials – Live Demo
  16. Creating a malicious Office document to compromise an end user – Live Demo
  17. Defenses
     • Run security awareness campaigns on a regular basis
     • Always check the source if you find anything fishy about a phone call or email. The weakest point of a social engineer is that the claimed source does not exist
     • Always update software and apply missing patches
     • Always hover over links to check the exact URL