Blue Team responses to people who “hack like a girl”
Kate Brew
@securitybrew
AlienVault
Co Founder C1ph3r_Qu33ns
Charisse Castagnoli
Websense
Co Founder C1ph3r_Qu33ns
First: What Does “Hack Like A Girl” Mean?
Social Engineering (SE) is a huge attack vector & very effective
SE doesn’t require detailed system knowledge or programming skills
Women are traditionally not viewed as a “threat” – IT is more likely to be sympathetic & nice
That makes women potentially quite effective at SE
Note: “Hack Like A Girl” is not an insult
What is Social Engineering
Social engineering is the art of manipulating people so they give up confidential information.
Criminals use social engineering tactics because it is usually easier to exploit your natural
inclination to trust than it is to discover ways to hack your software.
Source: Webroot.
Why does Social Engineering work?
Research has shown that most people respond to specific social cues:
Authority
You must do this because I am an authority over you
Boss to subordinate
Teacher to student
Commander to infantry
Obligation
You should help me because I did this for you
Remember when I finished your assignment for you
Responsibility
People trained/conditioned to assist
Customer service, Nursing, Cultural
Cultural Responsibility
Keiretsu, Cartels, Cultural norms
Gamification of Social Engineering Scenarios
RED TEAM - US
• We present a scenario (many of these are real-world scenarios)
• Thanks to the SPICEHEADS who contributed the scenarios!!
BLUE TEAM - AUDIENCE
• Respond with ways to defeat this scenario
• 1 point for remediation
• 1 point for defense
• Extra point for identifying the social pressure point
How we are going to play the game
We present an SE scenario
Audience responds with ways to defeat this SE
Best Answer gets a prize
At the end we award MVP Awards (2 $50 Amazon Gift Cards)
Spearphishing
This is Ralph Simmons, your daughter’s school principal. You need to come pick your child up ASAP, as
there has been an incident with her and another student. To see a copy of the incident report we put on
file, Click Here!
Respectfully,
Mr. Simmons
Fake School Principal
Jack their Software (Jacking public information)
Contact a finance software vendor. Get a list of references from them. Contact people on that list
claiming to be part of a support team doing updates on the software via a remote connection.
If they grant you that connection, you have their finance system.
But I *really* need that app!
I know I’m not supposed to have it, but if I don’t get that app I’m going to
Miss a deadline
Be reprimanded
Get fired
I promise I’ll delete it as soon as this assignment is done
Have your kid stick a flash drive in target
Nobody suspects cute little kids. So you take your kid into a bank or other place with something to steal.
While you are conducting business, you have them stick the flash drive into the target.
Impersonating IT
This one works great if you are an evil insider with remote sites where people don’t know you’re not
from IT. You badge in, then find a likely target. You go over to them and indicate that your network
security monitoring system has indicated their system has malware. You ask them to leave you logged
in and go get a coffee.
FedEx / Coffee / Water refill dude/dudette
Even without a badge, these delivery folks are allowed in without a second thought. They can bring in a
device to break into the corporate wireless network.
Poor Grandma!
Hello Mr./ Mrs. Suchandsuch.
This is {insert fake name here} calling from XYZ Advanced Care facility. Your mother/father has taken a
spill & needs to go to the hospital. We just need to confirm your insurance & billing info so that we can
facilitate his/her transport & treatment there.
Trickery to Steal Laptops
Look on the internet for an oil and gas company directory and get a person's name.
For example: http://www.kanataenergy.com/team.html 
Put on suit and show up at lunch and mumble to reception like you own the place, "I'm just heading
in to my meeting with Randy Hughes"...
Steal laptops from open offices,
Walk out.
This one requires programming, but sooo fun!
Emails claiming to be voicemail
Damn emails that claim to be a voicemail, even though the company has never, never, never, ever
gotten their voicemails via email, and someone opened it.
“Helpful” Evil Co-workers
The human firewall is the most important part of a security equation, because attacks happen
anywhere. Even from that nice guy Bob who helped Mary in Accounting speed up her PC.
Scary Phishing
Your transaction for your MasterCard for the total of $3,576.43 has been approved. Please see
attachment for your receipt.
Attachment - invoice.pdf.exe
Just mean!
We had a semester-long project where we were to secure a machine (Linux) and try to hack another
team in the sandbox, and couldn't physically touch their machine.
Group leaders received an email from the "teacher" saying that over the semester break servers were
going to be switched out and she needed all the teams’ passwords. Unfortunately my group leader
fell for it, and it was another team spoofing the instructor's email.
Password Reuse
Create a web site offering something incredible (new social media site, free software, whatever.)
Require the user to submit a username and password for login. Use that information on larger sites
(Facebook, twitter, gmail, etc) and see if they use the same login credentials across all services, as
so many people do.
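The blue-team counter to the password-reuse scenario above, as an added example that is not part of the original slides: when a third-party site leaks its user list, screen the leaked email/password pairs against the organisation's own directory. The plaintext from the dump is hashed with each matching user's salt and compared to the stored hash, so nothing in the directory has to be reversible. The user store, the "leaked" list and the PBKDF2-HMAC-SHA256 scheme are all constructed assumptions standing in for whatever the real directory uses.

```python
"""Added example (not the presenters' code): screen leaked third-party
credentials against an organisation's salted password hashes.
Everything here is constructed: the user store, the 'leaked' dump and
the PBKDF2-HMAC-SHA256 scheme are assumptions for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the scheme this example assumes the directory uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(plaintexts: dict) -> dict:
    """Stand-in for the directory: username -> (salt, hash). Constructed."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def find_reused(store: dict, leaked: list) -> list:
    """Usernames whose current password equals the password leaked for the
    same person elsewhere (the 'same login on Facebook, Twitter and Gmail'
    case on the slide). The leaked record's e-mail local part is taken as
    the username; adapt that mapping to the real directory."""
    hits = set()
    for leaked_email, leaked_pw in leaked:
        user = leaked_email.split("@", 1)[0].lower()
        if user not in store:
            continue
        salt, stored = store[user]
        # Constant-time comparison so the check itself leaks no timing signal.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(user)
    return sorted(hits)


# Constructed data: two staff passwords and a pretend third-party dump.
STAFF = {"mary": "Summer2015!", "bob": "correct horse battery staple"}
DUMP = [("mary@freesocialsite.example", "Summer2015!"),
        ("bob@freesocialsite.example", "hunter2"),
        ("zoe@freesocialsite.example", "letmein")]


def demo() -> list:
    """Run the screen over the constructed data; returns the users to force-reset."""
    return find_reused(make_user_store(STAFF), DUMP)


if __name__ == "__main__":
    print("force a password reset for:", demo())   # ['mary']
```

The same loop scales to a real breach corpus: only users present in both the dump and the directory cost a PBKDF2 computation, and a hit is a signal to force a reset and to watch that account for credential-stuffing attempts against the VPN or webmail.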
Microsoft Tech Support phone scam
You all know this one, but check out this response:
I had those guys call me. I have this POS 4G ethernet box I use when I travel, and a VM of
windows 10 running on one of the old junkers we restored and upgraded with spare parts, so I
decided to let them on. The VM was part of test lab, where we were testing lock down policies and
software compatibility.
They had a heck of a time, I was cracking up laughing. I eventually just said, "sorry, but I've been
effing with you, but I'm getting hungry so I'm going to go." Then he proceeded to call back, "sorry,
but we seemed to get disconnected, if you could go back to the lady page and start over..."
Thumb drive giveaway!
Post a couple of young women in scantily clad dresses at a conference, offering 4GB USB
thumb drives (quite a lot back then!). People were plugging those USB thumb drives into their enterprise
computers, without knowing that they had a crafted app that was sending every file they opened to the
outside; worse, it also permitted remote access, so even the IT administrators' computers were
compromised (the CTO's laptop was one of them).
The young women placed outside of the enterprise strategy worked because the majority of workers
were men and they didn't even notice the strangeness of strangers offering them thumb drives for no
reason.
Demarc closet
Hi, I’m from the phone or cable company and need access to your demarc closet.
Receptionists usually let them in.
What makes it totally believable is for that utility company worker to scowl and act like they would
rather be anywhere but your office.
And, if the receptionist calls the IT staff, tell them that you are HERE because another customer
over THERE has issues with their T-1 line, and they believe there may be cross-talk between one
of your T-1 lines and this other customer's lines. If you know that you now use fiber only, they can
still claim that this is a T-1 that was supposed to be de-commissioned but they failed to do it
properly, and that is why you have had ongoing problems on your phone bill...
Anti-Virus – Over-trusting
I used to work for a well-known anti-virus company. I did the business technical support for all
customers around the globe.
To remove viruses we had to remotely log into the computers at the company. The IT people would
quite often log you in and then tell you they were going on lunch, or going home, and ask you to
shut down when you were finished.
Never thought about it at the time, but it was basically a wide open door to the company’s data. It’s
not like we were just logged on; we were logged on with the IT person's credentials and authorised
to auto log on after reboot!!!
Spear-phishing Execs
During a pen test at a trading company, the client was tighter than Kim Kardashian's latex Catwoman outfit.
Hammering the routers, DNS, firewalls, and all other tech yields nothing of value.
The social engineering group (SEG) digs in. They easily find the name of the CFO. They find her
Facebook, LinkedIn, and Twitter pages. They see what her likes and dislikes are, and more
importantly, the causes she supports. They dig more and come up with a list containing a
substantial number of the employees.
They craft a web site. They craft a nice email in the CFO's name asking for them, if they want, to
click on this link to donate money to one of her pet causes. They send it to all the employees. Two
of them click the link, one a low-level employee and the other one of the people who deals with
trades.
The link silently installs a keylogger. All data - password, accounts, etc.- from the trader is now
compromised.
Fake IM from Co-Worker
Send an IM from an account that looks like a coworker’s saying "This link does not work for me.
Could you try it before I call and bother IT?" malicious link here
The Server Room
Bring a Pepsi into the server room. Spill it all over. Or, take a huge magnet in your purse and lean
on some of the servers.
PopUps complaining of malware
Popups that tell the user their computer is infected and needs to be fixed... simply download this
software to fix it.
Well, looks like that didn't quite work.... and it is a much bigger problem than we originally
thought.... but if you pay us it will work! So pay us now and it will all be fixed!
So many relatives that have fallen for this one... and a few friends. *Le Sigh*
Wirefraud Phishing
From:
Date: February 26, 2015 at 11:07:36 AM CST
To:
Subject: Cancelled Wire Money Transfer. Dispute Number 932453
The Wire transfer (ID: J217485011), recently
sent from your online bank account, was aborted by the Electronic Payments
Association.
Canceled transfer
Transfer Case ID 113548
Total Amount 3798.61 USD
Sender contact name@domain.com
Reason for rejection See attached file
The email contained several links to the VBA/TrojanDownloader.Agent.IY trojan, not only in the
attachment, but linked in the sender's address.
Obamacare Phishing
The best social engineering is one that uses the government and people's inherent greed and
ignorance of the law. This is what makes financial scams so effective. Use snail mail and a fake PO
Box.
"I'm from the IRS. You didn't claim your $5,000 Obamacare bonus refund. Since you didn't use all
of your free healthcare money for 2014, you have a choice of rolling it over or having it added to
your tax refund. If you don't reply in two weeks, this claim will expire."
Then generate a fake tax form and have them fill out whatever information you need from them.
90% of people will want a check. Have them submit the form using a faked website.
Using Obamacare in the scam is good because people don't know squat about the law. There was
a recent report on the enrollment date being pushed back because people didn't know about the
fine. So ignorance is high on this complicated law.
D’Oh LinkedIn
Go to LinkedIn and connect with someone. Offer them a fake, high paying job. Require they fill out
a form before on-site interview. Collect all info, including SSN.
Citrix
For a company using Citrix with a web portal at:
https://www.somecompany.com/Citrix/Metaframe/default.aspx
You register a dynamic DNS domain like com.ntdll.net. Add a host www.somecompany to that domain and clone their Citrix web
portal. Have your fake site save the credentials and pass them on to the real Citrix portal so the victims can actually log in. So the
phishing site you set up is:
https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx
Then craft an email with a link whose text shows the real domain but which actually goes to your phishing page:
Hello,
As many of you have probably noticed there have been some performance issues with using citrix remotely. We've been working
hard to resolve the issue and are pleased to say we've finally upgraded our Citrix servers. Everything should be running much
smoother now. The new Citrix portal just needs you to log in to help migrate your profile over to the new server. Please log in within
the next 24 hours so we can get everyone migrated over and running on the new system. For your convenience I've included the
link below.
https://www.somecompany.com/Citrix/Metaframe/default.aspx
Thanks,
IT Department
Some Company
Chances are, if they do click your link and see the URL, they won't be too suspicious, because at first glance it looks very much like the real link.
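The three tells that recur in the Citrix scenario, the "Scary Phishing" receipt with invoice.pdf.exe, and the wire-fraud email can be caught mechanically at the mail gateway or in triage. The following is an added example, not code from the presenters or their contributors: it parses a constructed message modelled on the Citrix email, flags an anchor whose visible text names one host while the href goes to another, recognises a look-alike host that embeds the real hostname under an attacker-controlled registrable domain (www.somecompany.com.ntdll.net resolves under ntdll.net, not somecompany.com), and flags attachments whose final extension is executable. OUR_DOMAINS, the sample message and the file names are assumptions for illustration; the registrable-domain logic is the naive last-two-labels rule and would need a public-suffix list in production.

```python
"""Added example (not the presenters' code): triage checks for the
phishing tells on these slides. The sample message, OUR_DOMAINS and the
attachment name are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Domains the organisation legitimately links to (assumption).
OUR_DOMAINS = {"somecompany.com"}

# Final extensions that should never arrive as an attachment, least of all
# hidden behind ".pdf" or ".doc" as in invoice.pdf.exe.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}

# Deliberately simple anchor extractor for the HTML part; enough for this
# check, not a general HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive: no public-suffix list, so
    co.uk-style suffixes need a proper PSL lookup in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(host: str) -> bool:
    """True when one of our hostnames appears as a dot-delimited label run
    inside `host` but the registrable domain belongs to someone else.
    That is the www.somecompany.com.ntdll.net trick: the part the eye
    reads is ours, the part DNS resolves is the attacker's."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in OUR_DOMAINS:
        return False
    padded = "." + host + "."
    return any(("." + d + ".") in padded for d in OUR_DOMAINS)


def analyze(raw: bytes) -> dict:
    """Return the findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"mismatched_links": [], "lookalike_hosts": [], "bad_attachments": []}

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            href_host = (urlparse(href).hostname or "").lower()
            if lookalike(href_host):
                findings["lookalike_hosts"].append(href_host)
            shown = URL_RE.search(text)          # anchor text that is itself a URL
            if shown:
                shown_host = (urlparse(shown.group(0)).hostname or "").lower()
                if shown_host and shown_host != href_host:
                    findings["mismatched_links"].append((shown_host, href_host))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.rsplit(".", 1)[-1] in EXEC_EXT:
            findings["bad_attachments"].append(name)
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the Citrix and 'Scary Phishing' slides."""
    m = EmailMessage()
    m["From"] = "IT Department <it@somecompany.com>"
    m["To"] = "staff@somecompany.com"
    m["Subject"] = "New Citrix portal: please log in within 24 hours"
    m.set_content("The new Citrix portal just needs you to log in to migrate your profile.")
    m.add_alternative(
        "<p>For your convenience I've included the link below.<br>"
        '<a href="https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx">'
        "https://www.somecompany.com/Citrix/Metaframe/default.aspx</a></p>",
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for key, hits in analyze(build_sample()).items():
        print(f"{key}: {hits}")
```

A hit on any of the three findings is grounds to quarantine the message; the look-alike check in particular is what defeats the "link text shows the real domain" trick, because it judges the host that DNS will resolve rather than the string the user reads.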
Common Denominator: “Expect the Unexpected”
National Security Agency - NSA mobile device best practices
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 

Blue team responses to people who "hack like a girl"

  • 1. Blue Team responses to people who “hack like a girl” Kate Brew @securitybrew AlienVault Co Founder C1ph3r_Qu33ns Charisse Castagnoli Websense Co Founder C1ph3r_Qu33ns
  • 2. Blue Team responses to people who “hack like a girl” First: What Does “Hack Like A Girl” Mean? Social Engineering (SE) is a huge attack vector & very effective SE doesn’t require detailed system knowledge or programming skills Women are traditionally not viewed as a “threat” – IT more likely to be sympathetic & nice Making women potentially quite effective at SE Note: “Hack Like A Girl” is not an insult
  • 3. What is Social Engineering Social engineering is the art of manipulating people so they give up confidential information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. Source: Webroot.
  • 4. Why does Social Engineering work? Research has shown that most people respond to specific social cues: Authority You must do this because I am an authority over you Boss to subordinate Teacher to student Commander to infantry Obligation You should help me because I did this for you Remember when I finished your assignment for you Responsibility People trained/conditioned to assist Customer service, Nursing, Cultural Cultural Responsibility Keiretsu, Cartels, Cultural norms Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it
  • 5. RED TEAM - US • We present a scenario (many of these are real world scenarios) • Thanks to the SPICEHEADS who contributed the scenarios!! Gamification of Social Engineering Scenarios BLUE TEAM - AUDIENCE Respond with ways to defeat this scenario 1 point for remediation 1 point for defense extra point for identifying the social pressure point
  • 6. How we are going to play the game We present an SE scenario Audience responds with ways to defeat this SE Best Answer gets a prize At the end we award MVP Awards (2 $50 Amazon Gift Cards)
  • 7. Spearphishing This is Ralph Simmons, your daughter’s school principal. You need to come pick your child up ASAP, as there has been an incident with her and another student. To see a copy of the incident report we put on file, Click Here! Respectfully, Mr. Simmons Fake School Principal
  • 8. Jack their Software (Jacking public information) Contact a finance software vendor. Get a list of references from them. Contact people on that list claiming to be part of a support team doing updates on the software via a remote connection. If they grant you that connection, you have their finance system.
  • 9. But I *really* need that app! I know I’m not supposed to have it, but if I don’t get that app I’m going to Miss a deadline Be reprimanded Get fired I promise I’ll delete it as soon as this assignment is done
  • 10. Have your kid stick a flash drive in target Nobody suspects cute little kids. So you take your kid into a bank or other place with something to steal. While you are conducting business, you have them stick the flash drive into the target.
  • 11. Impersonating IT This one works great if you are an evil insider with remote sites where people don’t know you’re not from IT. You badge in, then find a likely target. You go over to them and indicate that your network security monitoring system has indicated their system has malware. You ask them to leave you logged in and go get a coffee.
  • 12. FedEx / Coffee / Water refill dude/dudette Even without a badge, these delivery folks are allowed in without a second thought. They can bring in a device to break into the corporate wireless network.
  • 13. Poor Grandma! Hello Mr./ Mrs. Suchandsuch. This is {insert fake name here} calling from XYZ Advanced Care facility. Your mother/father has taken a spill & needs to go to the hospital. We just need to confirm your insurance & billing info so that we can facilitate his/her transport & treatment there.
  • 14. Trickery to Steal Laptops Look on the internet for an Oil and Gas company directory and get a person’s name. For example: http://www.kanataenergy.com/team.html  Put on a suit and show up at lunch and mumble to reception like you own the place, "I'm just heading in to my meeting with Randy Hughes"... Steal laptops from open offices, Walk out.
  • 15. This one requires programming, but sooo fun!
  • 16. Emails claiming to be voicemail Damn emails that claim to be a voicemail, even though the company has never never never ever, gotten their voicemails via email and someone opened it.
  • 17. “Helpful” Evil Co-workers The human firewall is the most important part of a security equation, because attacks happen anywhere. Even from that nice guy Bob who helped Mary in Accounting speed up her PC.
  • 18. Scary Phishing Your transaction for your MasterCard for the total of $3,576.43 has been approved. Please see attachment for your receipt. Attachment - invoice.pdf.exe
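The invoice.pdf.exe trick above relies on a mail client or Explorer hiding the final extension, so the blue-team response is to judge the attachment by its real extension chain rather than the one the victim sees. The following is an added example, not code from the talk or from any of the contributors; it is a stand-alone filename classifier with constructed sample names, and the extension lists are an assumed starting set that a real gateway would tune to its own environment.

```python
"""Mail-gateway style checks for attachment names such as invoice.pdf.exe.

Added illustration for the "Scary Phishing" scenario; the sample names at the
bottom are constructed, not taken from a real incident.
"""

# Extensions that run code when double-clicked on a typical Windows desktop
# (assumed starting set; extend for your environment).
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk", "cpl", "jar",
}

# Extensions a victim expects to be harmless documents or images.
DOCUMENT_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "gif", "zip",
}

# Unicode bidirectional controls. U+202E (right-to-left override) makes
# "report\u202efdp.exe" render as "reportexe.pdf" in many clients.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def real_extensions(name):
    """Return the lower-cased extension chain of a filename, ignoring bidi
    controls and the trailing dots/spaces that Windows silently drops."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    cleaned = cleaned.rstrip(" .").lower()
    parts = cleaned.split(".")
    # Strip whitespace inside each part so "pdf        " compares as "pdf".
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(name):
    """Return the list of reasons an attachment name is suspicious.

    An empty list means the name itself raised no flag; the content still
    needs scanning, this only catches the disguise.
    """
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in filename")
    if "   " in name:
        reasons.append("whitespace padding hides the true extension")
    exts = real_extensions(name)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension disguised as .{exts[-2]}")
    return reasons


def scan_attachments(names):
    """Map each filename to its reasons, keeping only the flagged ones."""
    return {n: r for n in names if (r := classify_attachment(n))}


# Constructed sample attachment names for demonstration.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",                 # the slide's example
    "invoice.pdf",                     # genuine document, no flag
    "report\u202efdp.exe",             # RLO trick, displays as reportexe.pdf
    "statement.pdf            .scr",   # padding pushes .scr out of view
    "holiday.JPG",                     # case-insensitive, still fine
]

if __name__ == "__main__":
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check is deliberately about the name alone: it catches what the victim cannot see, which is the social-engineering half of the attack. Content inspection (magic bytes, sandboxing) is a separate layer.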
  • 19. Just mean! We had a semester long project where we were to secure a machine (linux) and try to hack another team in the sandbox and couldn't physically touch their machine. Group leaders received an email from the "teacher" saying over the semester break servers were going to be switched out and she needed all the team’s passwords. Unfortunately my group leader fell for it, and it was another team spoofing the instructors email.
  • 20. Password Reuse Create a web site offering something incredible (new social media site, free software, whatever.) Require the user to submit a username and password for login. Use that information on larger sites (Facebook, twitter, gmail, etc) and see if they use the same login credentials across all services, as so many people do.
  • 21. Microsoft Tech Support phone scam You all know this one, but check out this response: I had those guys call me. I have this POS 4G ethernet box I use when I travel, and a VM of windows 10 running on one of the old junkers we restored and upgraded with spare parts, so I decided to let them on. The VM was part of test lab, where we were testing lock down policies and software compatibility. They had a heck of a time, I was cracking up laughing. I eventually just said, "sorry, but I've been effing with you, but I'm getting hungry so I'm going to go." Then he proceeded to call back, "sorry, but we seemed to get disconnected, if you could go back to the lady page and start over..."
  • 22. Thumb drive giveaway! Post a couple of young women in scantily clad dresses at a conference, offering 4GB USB thumbdrives (quite a lot back then!). People were jacking those USB thumbdrives into their enterprise computers, without knowing that they had a crafted app that was sending every file they opened to the outside; worse, it also permitted remote access, so even the IT administrators’ computers were compromised (the CTO’s laptop was one of them). The young women placed outside the enterprise worked because the majority of workers were men and they didn't even notice the strangeness of strangers offering them thumbdrives for no reason.
  • 23. Demarc closet Hi, I’m from the phone or cable company and need access to your demarc closet. Receptionists usually let them in. What makes it totally believable is for that utility company worker to scowl and act like they would rather be anywhere but your office. And, if the receptionist calls the IT staff, tell them that you are HERE because another customer over THERE has issues with their T-1 line, and they believe there may be cross-talk between one of your T-1 lines and this other customer's lines. If you know that you now use fiber only, they can still claim that this is a T-1 that was supposed to be de-commissioned but they failed to do it properly, and that is why you have had ongoing problems on your phone bill...
  • 24. Anti-Virus – Over-trusting I used to work for a well-known anti-virus company. I did the business technical support for all customers around the globe. To remove viruses we had to remotely log into the computers at the company. The IT people would quite often log you in and then tell you they were going on lunch, or going home, and ask you to shut down when you are finished. Never thought about it at the time but it was basically a wide open door to the company’s data. It’s not like we were just logged on, we were logged on with the IT person’s credentials and authorised to auto log on after reboot!!!
  • 25. Spear-phishing Execs During a pen test at a trading company, the client was tighter than Kim Kardashian's latex Catwoman outfit. Hammering the routers, DNS, firewalls, and all other tech yields nothing of value. The social engineering group (SEG) digs in. They easily find the name of the CFO. They find her Facebook, LinkedIn, and Twitter pages. They see what her likes and dislikes are, and more importantly, the causes she supports. They dig more and come up with a list containing a substantial number of the employees. They craft a web site. They craft a nice email in the CFO's name asking them, if they want, to click on this link to donate money to one of her pet causes. They send it to all the employees. Two of them click the link, one a low-level employee and the other one of the people who deals with trades. The link silently installs a keylogger. All data - passwords, accounts, etc. - from the trader is now compromised.
  • 26. Fake IM from Co-Worker Send an IM from an account that looks like a coworker’s saying "This link does not work for me. Could you try it before I call and bother IT?" malicious link here
  • 27. The Server Room Bring a Pepsi into the server room. Spill it all over. Or, take a huge magnet in your purse and lean on some of the servers.
  • 28. PopUps complaining of malware Popups that tell the user their computer is infected and needs to be fixed... simply download this software to fix it. Well, looks like that didn't quite work.... and it is a much bigger problem than we originally thought.... but if you pay us it will work! So pay us now and it will all be fixed! So many relatives that have fallen for this one... and a few friends. *Le Sigh*
  • 29. Wirefraud Phishing From: Date: February 26, 2015 at 11:07:36 AM CST To: Subject: Cancelled Wire Money Transfer. Dispute Number 932453 The Wire transfer (ID: J217485011), recently sent from your online bank account, was aborted by the Electronic Payments Association. Canceled transfer Transfer Case ID 113548 Total Amount 3798.61 USD Sender contact name@domain.com Reason for rejection See attached file The Email contained several links to the virus VBA/TrojanDownloader.Agent.IY trojan, not only in the attachment, but linked in the sender's address.
  • 30. Obamacare Phishing The best social engineering is one that uses the government and people's inherent greed and ignorance of the law. This is what makes financial scams so effective. Use snail mail and a fake PO Box. "I'm from the IRS. You didn't claim your $5,000 Obamacare bonus refund. Since you didn't use all of your free healthcare money for 2014, you have a choice of rolling it over or having it added to your tax refund. If you don't reply in two weeks, this claim will expire." Then generate a fake tax form and have them fill out what ever information you need from them. 90% of people will want a check. Have them submit the form using a faked website. Using Obamacare in the scam is good because people don't know squat about the law. There was a recent report on the enrollment date being pushed back because people didn't know about the fine. So ignorance is high on this complicated law.
  • 31. D’Oh LinkedIn Go to LinkedIn and connect with someone. Offer them a fake, high paying job. Require they fill out a form before on-site interview. Collect all info, including SSN.
  • 32. Citrix For a company using Citrix with a web portal at: https://www.somecompany.com/Citrix/Metaframe/default.aspx You register a dynamic DNS domain like com.ntdll.net. Add a host www.somecompany to that domain and clone their Citrix web portal. Have your fake site save the credentials and pass them on to the real Citrix portal so they can actually log in. So the phishing site you set up is: https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx Then craft an email with a link showing the real domain but actually going to your phishing page: Hello, As many of you have probably noticed there have been some performance issues with using Citrix remotely. We've been working hard to resolve the issue and are pleased to say we've finally upgraded our Citrix servers. Everything should be running much smoother now. The new Citrix portal just needs you to log in to help migrate your profile over to the new server. Please log in within the next 24 hours so we can get everyone migrated over and running on the new system. For your convenience I've included the link below. https://www.somecompany.com/Citrix/Metaframe/default.aspx Thanks, IT Department Some Company Chances are if they do click your link and see the URL they won't be too suspicious because at first glance it looks very much like the real link.
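Two things make the Citrix lure above work: the hostname www.somecompany.com.ntdll.net begins with the real hostname, and the visible link text is the real URL while the href is the phishing one. Both are mechanical and can be checked before the mail reaches an inbox. The following is an added example, not code from the talk or from any contributor: a stand-alone link analyser that extracts anchors from an HTML body, compares the registrable domain of each target against an assumed allowlist (TRUSTED_HOSTS is invented for this example), and flags anchors whose displayed URL does not match their destination. The email body is reconstructed from the slide's text with an assumed anchor tag around the link.

```python
"""Detect lookalike-host and text/href mismatch links in an HTML email body.

Added illustration for the Citrix phishing scenario. TRUSTED_HOSTS and the
sample email are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames the organisation actually owns (assumed for this example).
TRUSTED_HOSTS = {"www.somecompany.com"}


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com/.net; a production
    gateway should use the Public Suffix List so that co.uk-style suffixes
    are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return the reasons a single anchor is suspicious (empty list = ok)."""
    reasons = []
    real_host = (urlsplit(href).hostname or "").lower()
    for trusted in TRUSTED_HOSTS:
        # www.somecompany.com.ntdll.net starts with the trusted name but its
        # registrable domain is ntdll.net, i.e. somebody else's zone.
        if (real_host.startswith(trusted + ".")
                and registrable_domain(real_host) != registrable_domain(trusted)):
            reasons.append(
                f"trusted hostname used as subdomain prefix of "
                f"{registrable_domain(real_host)}")
    # When the visible text is itself a URL, its host must match the target.
    shown = text.strip()
    shown_host = urlsplit(shown).hostname if "://" in shown else None
    if shown_host and shown_host.lower() != real_host:
        reasons.append(f"link text shows {shown_host} but target is {real_host}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_html(html):
    """Map each href in the body to its list of reasons (all links included,
    so callers can also see which ones passed)."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


# Constructed HTML version of the slide's lure: real URL as text, fake as href.
PHISHING_EMAIL = """<p>Hello,</p>
<p>The new Citrix portal just needs you to log in to help migrate your
profile over to the new server. For your convenience I've included the
link below.</p>
<p><a href="https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx">
https://www.somecompany.com/Citrix/Metaframe/default.aspx</a></p>
<p>Thanks,<br>IT Department</p>"""

if __name__ == "__main__":
    for href, reasons in scan_html(PHISHING_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "ok")
```

The prefix check is anchored on a label boundary (trusted + ".") so that it fires on the attacker's subdomain construction and not on unrelated hosts; the registrable-domain comparison is what actually decides ownership, which is why the example warns that a real deployment needs the Public Suffix List.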
  • 33. Common Denominator: “Expect the Unexpected”

Editor's Notes

  1. FBI research communicated at SEI insider threat symposium 2014