AL
Uploaded byAbdelhamid Limami
PPTX, PDF3,526 views

Social engineering

This document discusses social engineering and its threats. Social engineering refers to manipulating people into performing actions or divulging confidential information. It is a significant threat because existing computer security technologies do not protect against human vulnerabilities. Common social engineering attacks include phishing emails, vishing phone calls, leaving infected USB drives in parking lots, and impersonating maintenance workers. The document demonstrates real examples of vishing attacks and provides tips for preventing social engineering, such as verifying identities of people requesting information. However, it notes that fully preventing social engineering attacks can be difficult due to human factors.

Embed presentation

Downloaded 159 times
SOCIAL ENGINEERING PATCH BUGS != PATCH HUMANS Abdelhamid Limami IT Security Consultant @ ITDefence
OVERVIEW • WHAT’S SOCIAL ENGINEERING ? • WHY YOU SHOULD BE CONCERNED ? • IMPACT OF SOCIAL ENGINEERING • INFORMATION GATHERING • SOCIAL ENGINEERING ATTACKS • DEMO • HOW TO PREVENT IT
WHAT IS SOCIAL ENGINEERING ? • IN THE CONTEXT OF INFORMATION SECURITY, REFERS TO PSYCHOLOGICAL MANIPULATION OF PEOPLE INTO PERFORMING ACTIONS OR DIVULGING CONFIDENTIAL INFORMATION. A TYPE OF CONFIDENCE TRICK FOR THE PURPOSE OF INFORMATION GATHERING, FRAUD, OR SYSTEM ACCESS, IT DIFFERS FROM A TRADITIONAL "CON" IN THAT IT IS OFTEN ONE OF MANY STEPS IN A MORE COMPLEX FRAUD SCHEME. • SOCIAL ENGINEERING IS THE EXPLOITATION OF HUMAN BEHAVIOR AND TRUST SIMPLY…HACKING THE MIND
WHY YOU SHOULD BE CONCERNED ? • CURRENTLY, MARKET HAS A WIDE RANGE OF SYSTEMS, PRODUCTS AND SERVICES FOCUSED ON COMPUTER SECURITY SERVICES: ANTIVIRUS, ANTISPYWARE, FIREWALLS, IPS, WAF, SIEM SYSTEM, ETC. • BUT WHAT ABOUT HUMAN ? : • PEOPLE ARE VULNERABLE • PEOPLE IS NORMALLY “THE WEAK LINK IN THE CHAIN”. • WITH MANY COMPANIES INVESTING HEAVILY INTO SECURITY TECHNOLOGIES IT IS OFTEN EASIER FOR AN ATTACKER TO EXPLOIT PEOPLE, RATHER THAN TO HACK INTO COMPUTER NETWORKS AND SYSTEMS  THIS MAKES YOU A TARGET • “BECAUSE THERE'S NO PATCH FOR HUMAN STUPIDITY”
IMPACT OF SOCIAL ENGINEERING • FINANCIAL LOSS • DATA LEAK • REPUTATION IMAGE (COMPANY AND/OR PERSON) • MANAGEMENT TIME • LOSS OF PUBLIC TRUST • LOSS OF NEW OR EXISTING CUSTOMERS • LOSS OF COMPANY MORALE • INCREASED AUDIT COSTS
INFORMATION GATHERING  COMPANY WEBSITE • COMPANY BACKGROUND • EXECUTIVE NAMES AND BIOGRAPHIES • EMAIL ENUMERATION • COMPANY ADDRESSES & PHONE NUMBERS • OPEN JOB REQUISITIONS  JOB POSTING WEBSITES • RESUME CONTAIN MOST INFORMATION NEEDED FOR THE ATTACK.  SOCIAL NETWORKS • FACEBOOK/ MYSPACE, MAY ALSO PROVIDE PERSONAL INFORMATION THAT LEAD INTO PROBABLE PASSWORDS OR ANSWERS TO SECURITY QUESTIONS. • LINKEDIN.COM IS A POPULAR PROFESSIONAL SOCIAL NETWORKING SITE • USEFUL FOR OBTAINING A LIST OF CURRENT EMPLOYEES • USEFUL IN IDENTIFYING WHICH EMPLOYEES LIKELY KNOW EACH OTHER • USEFUL IN IDENTIFYING ORGANIZATIONAL HIERARCHY
SOCIAL ENGINEERING ATTACKS
SE ATTACKS - PHISHING • BY FAR THE MOST COMMON MEAN OF SOCIAL ENGINEERING ATTACKS. IT IS RELATIVELY EASY TO SEND A FORGED EMAIL TO A LARGE NUMBER OF RECIPIENTS AND AN ATTACKER DOESN’T HAVE TO COME INTO DIRECT CONTACT WITH THEIR TARGETS. • EXAMPLE :
SE ATTACKS - VISHING • IT IS EASY FOR AN ATTACKER TO PRETEND THEY ARE CALLING OR SENDING TEXT MESSAGES FROM AN OFFICIAL SOURCE. THERE ARE SMARTPHONE APPLICATIONS THAT ALLOW AN ATTACKER TO ENTER ANY CALLER ID WHICH IN TURN APPEARS ON THE DISPLAY OF THE RECIPIENT’S DEVICE. • EXAMPLE : SPOOFCARD • ADVANTAGES : • MORE TIME CONSUMING THAN EMAIL. • REAL-TIME COMMUNICATION WITH THE TARGET • DISADVANTAGES: • ATTACKER WHO MUST REACT QUICKLY TO DIFFERENT ANSWERS OF THE TARGET. • SOCIAL ENGINEERS CAN EMPLOY INTERACTIVE VOICE RESPONSE SYSTEMS AND SEND EMAILS ASKING YOU TO CALL THE LISTED NUMBER. IN DOING SO ATTACKERS CAN PRETEND TO BE YOUR BANK AND ASK YOU TO ENTER YOUR PERSONAL AND BANK ACCOUNT DETAILS FOR “VERIFICATION PURPOSES”.
SE ATTACKS – USB STICKS • ATTACKERS CAREFULLY PLANT CHEAP USB STICKS WHERE TARGETED USERS CAN FIND THEM E.G., KITCHEN, REST ROOMS, MEETING ROOMS, PARKING, BATHROOM, ENTRANCE DOOR, FRONT DESK ETC. • THESE USB STICKS ARE LOADED WITH MALICIOUS SOFTWARE (E.G., VIRUS, KEYLOGGERS, TROJANS, RANSOMWARE) • DLL INJECTION INTO THE BROWSER IS ONE WAY TO DATA EXFILTRATION. • ONCE THE BAIT IS TAKEN THE ATTACKER CAN GAIN CONTROL OF YOUR COMPUTER, INFECT IT OR ENCRYPT IT AND HOLD YOUR DATA HOSTAGE FOR RANSOM AND OF COURSE IN CASE THE COMPUTER IS CONNECTED ON NETWORK TO DO THE SAME WITH OTHER COMPUTERS AND ALSO SERVERS (RANSOMWARE / CRYPTOLOCKER) • ATTACKERS CAN USE HACKING HARDWARE STUFFS SUCH AS USB KEYLOGGERS / RUBBER DUCKY.
SE ATTACKS - FREEBIES • THIS ALSO USES GREED AND CURIOSITY AS THE DRIVER AND IS OFTEN FOUND ON PEER-TO- PEER (P2P) SITES AND WEBSITES OFFERING ILLEGAL CONTENT E.G., MOVIES, MUSIC, SOFTWARE. THE ATTACKER OFFERS SOMETHING THE USER WANTS AND INCLUDES MALICIOUS CODE INTO THE OFFER AND THEN WAITS FOR THE USERS TO DOWNLOAD AND RUN THIS CODE. • EXAMPLE : • TARGET PROFITING FROM THE COMPANY HIGH INTERNET TO DOWNLOAD LATEST MOVIES • ATTACKER INJECT WINDOW POP-UP MALICIOUS CODE INTO A FILE AND UPLOAD IT TO P2P WEBSITE • TARGET DOWNLOADED THE FILE AND GOT INFECTED • WINDOWS POP-UP SHOW AND ASK USER FOR CREDENTIALS • CREDENTIALS SENT TO THE ATTACKER
SE ATTACKS – PHYSICAL IMPERSONATION • IMPERSONATORS ARE CRAFTY AND CREATIVE AND CAN CLAIM THEY’RE COMING TO DO MAINTENANCE, CHECK ALARMS OR SMOKE DETECTORS, DOCUMENT FIRE HAZARDS, THEY CAN CARRY A BOX PRETENDING THEY ARE DELIVERING SOMETHING (RATHER THAN STEALING), DELIVERING FOOD. • A COMMON TRICK IS TO MAKE YOU BELIEVE THEY HAVE A MEETING WITH SOMEONE WORKING FOR THE SAME COMPANY AND AS THEY ARE LATE HAVE CALLED AHEAD TO LET THEM KNOW THEY HAVE ARRIVED TO FOOL YOU INTO THINKING THERE IS NO NEED TO CHECK THE IDENTIFY OF THIS PERSON. THE POSSIBILITIES ARE ONLY LIMITED TO THE ATTACKER’S CREATIVITY. • E.G: • PEOPLE ARE LESS SURPRISED THEY DO NOT KNOW WHO YOU ARE • ANNOUNCING YOU HAVE ARRIVED EARLY ALLOWS YOU TO WATCH PROCESSES FOR BADGE IN, FORGOTTEN BADGES, AND PINS • MAY ALLOW YOU ACCESS TO OTHER AREAS OF THE BUILDING IF YOU REQUEST BATHROOM OR BREAK ROOM
DUMPSTER GIVING / TRASH • PEOPLE HAVE A TENDENCY TO THROW THINGS INTO THEIR OFFICE TRASH BIN RATHER THAN THE SECURED BINS WHERE THEY WILL BE SHREDDED. • INFORMATION FOUND CAN INCLUDE::  IT ACCOUNT INFORMATION • USERNAMES , PASSWORDS  PERSONALLY IDENTIFIABLE INFORMATION (PII) • NAMES ,ID CARD, ACCOUNT NUMBERS  SENSITIVE COMPANY INFORMATION • INTELLECTUAL PROPERTY, EARNINGS STATEMENTS, INTERNAL COMPANY EMAILS , CUSTOMER INFORMATION
DEMO / REAL EXAMPLES LET ME TELL YOU A STORY
DEMO : VISHING ATTACK • WATCH
DEMO 2 : VISHING & BROWSER/JAVA EXPLOIT • WATCH
HOW TO PREVENT SE ATTACKS ? • YOU CAN ONLY PREVENT ATTACKS AGAINST YOU! • NEVER GIVE OUT ANY CONFIDENTIAL INFORMATION. • ALWAYS MAKE VERIFICATION OF THE SENDER OR THE CALLER BEFORE GIVING OUT ANY SENSITIVE INFORMATION. • IF SOMEONE SPOOF YOU SAYING THEY'RE YOUR BANK OR SUPPORT TEAM YOU BETTER CALL BACK. • SOME POOR SYSTEMS CAN BE BYPASSED WITH THE INFO FOUND ON A PACKAGE DELIVERY RECEIPT • USE DIFFERENT PASSWORDS & MAKE USE OF 2-STEP AUTHENTICATION • DON'T PUT PUBLIC INFO ON SECURITY QUESTIONS • IF SOMEONE PRETENDED TO BE YOU JUST PRAY (THAT’S NOT ON YOU) • THIS WILL JUST MINIMIZE THE DAMAGE AND KEEP YOU IN PEACE BUT TRULY THERE’S NO OBVIOUS PATCH FOR SE EVEN HACKERS GOT PWND!
THANK YOU !

More Related Content

PPTX
Social engineering presentation
bypooja_doshi
 
PPSX
Social Engineering - Are You Protecting Your Data Enough?
byJamRivera1
 
PPTX
Social Engineering,social engeineering techniques,social engineering protecti...
byABHAY PATHAK
 
PPTX
Social engineering
byAlexander Zhuravlev
 
PDF
Social engineering
byankushmohanty
 
PPTX
Social engineering hacking attack
byPankaj Dubey
 
PDF
What is Social Engineering? An illustrated presentation.
byPratum
 
PDF
Social engineering attacks
byRamiro Cid
 
Social engineering presentation
bypooja_doshi
 
Social Engineering - Are You Protecting Your Data Enough?
byJamRivera1
 
Social Engineering,social engeineering techniques,social engineering protecti...
byABHAY PATHAK
 
Social engineering
byAlexander Zhuravlev
 
Social engineering
byankushmohanty
 
Social engineering hacking attack
byPankaj Dubey
 
What is Social Engineering? An illustrated presentation.
byPratum
 
Social engineering attacks
byRamiro Cid
 

What's hot

PDF
Social engineering
byRobert Hood
 
PDF
Social Engineering Basics
byLuke Rusten
 
PPTX
Social engineering-Attack of the Human Behavior
byJames Krusic
 
PPTX
Social engineering
byVîñàý Pãtêl
 
PPTX
Social Engineering
byCyber Agency
 
PPTX
Social engineering
byVishal Kumar
 
PPTX
Social engineering
byVishal Kumar
 
PPTX
Social engineering
byMaulik Kotak
 
PPT
Social Engineering | #ARMSec2015
byHovhannes Aghajanyan
 
PPTX
Social Engineering
byManish Chauhan
 
PDF
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
byControlScan, Inc.
 
PPTX
Social Engineering new.pptx
bySanthosh Prabhu
 
PPTX
Social engineering: A Human Hacking Framework
byJahangirnagar University
 
PPTX
Hyphenet Security Awareness Training
byJen Ruhman
 
PPTX
Phishing Attack Awareness and Prevention
bysonalikharade3
 
PPTX
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
PPT
Phishing
byanjalika sinha
 
PPTX
Social Engineering - Human aspects of industrial and economic espionage
byMarin Ivezic
 
PPTX
Introduction to Social engineering | Techniques of Social engineering
byPrem Lamsal
 
PPTX
Vulnerability assessment & Penetration testing Basics
byMohammed Adam
 
Social engineering
byRobert Hood
 
Social Engineering Basics
byLuke Rusten
 
Social engineering-Attack of the Human Behavior
byJames Krusic
 
Social engineering
byVîñàý Pãtêl
 
Social Engineering
byCyber Agency
 
Social engineering
byVishal Kumar
 
Social engineering
byVishal Kumar
 
Social engineering
byMaulik Kotak
 
Social Engineering | #ARMSec2015
byHovhannes Aghajanyan
 
Social Engineering
byManish Chauhan
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
byControlScan, Inc.
 
Social Engineering new.pptx
bySanthosh Prabhu
 
Social engineering: A Human Hacking Framework
byJahangirnagar University
 
Hyphenet Security Awareness Training
byJen Ruhman
 
Phishing Attack Awareness and Prevention
bysonalikharade3
 
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
Phishing
byanjalika sinha
 
Social Engineering - Human aspects of industrial and economic espionage
byMarin Ivezic
 
Introduction to Social engineering | Techniques of Social engineering
byPrem Lamsal
 
Vulnerability assessment & Penetration testing Basics
byMohammed Adam
 

Similar to Social engineering

PPTX
ethical hacking in motion MODULE - II.ppt
byShivaniSingha1
 
PPTX
Data security concepts chapter 2
byNickkisha Farrell
 
PPT
DNR-Security-Awareness-Training expert.ppt
bypdffree25
 
PPTX
Basic practices for information & computer security
byPrajktaGN
 
PPT
Ia 124 1621324160 ia_124_lecture_02
byITNet
 
PPTX
The Art of Human Hacking : Social Engineering
byOWASP Foundation
 
PDF
- Social Engineering Unit- II Part- I.pdf
byRamya Nellutla
 
PDF
socialengineering-100519023327-phpapp02.pdf
byPradmohanSinghTomar1
 
PDF
Case Study On Social Engineering Techniques for Persuasion Full Text
bygraphhoc
 
PDF
Social Engineering, or hacking people
byTudor Damian
 
PDF
Insiders Guide to Social Engineering - End-Users are the Weakest Link
byRichard Common
 
PPTX
Social Engineering and Identity Theft.pptx
byRoshni814224
 
PDF
Social Engineering.pdf
byMeshalALshammari12
 
PPTX
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
byPace IT at Edmonds Community College
 
PDF
What is social engineering.pdf
byuzair
 
DOCX
scoety law ethics part 2.docxabhdjdjdjrjrjr
byMeetkadhiwala
 
PPTX
SIT Summer School (Cyber Security)
byApurv Singh Gautam
 
PPTX
Psychological aspect of social engineering
byYuvaraj Naresh
 
PPTX
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
PPTX
Computer hacking
byArjun Tomar
 
ethical hacking in motion MODULE - II.ppt
byShivaniSingha1
 
Data security concepts chapter 2
byNickkisha Farrell
 
DNR-Security-Awareness-Training expert.ppt
bypdffree25
 
Basic practices for information & computer security
byPrajktaGN
 
Ia 124 1621324160 ia_124_lecture_02
byITNet
 
The Art of Human Hacking : Social Engineering
byOWASP Foundation
 
- Social Engineering Unit- II Part- I.pdf
byRamya Nellutla
 
socialengineering-100519023327-phpapp02.pdf
byPradmohanSinghTomar1
 
Case Study On Social Engineering Techniques for Persuasion Full Text
bygraphhoc
 
Social Engineering, or hacking people
byTudor Damian
 
Insiders Guide to Social Engineering - End-Users are the Weakest Link
byRichard Common
 
Social Engineering and Identity Theft.pptx
byRoshni814224
 
Social Engineering.pdf
byMeshalALshammari12
 
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
byPace IT at Edmonds Community College
 
What is social engineering.pdf
byuzair
 
scoety law ethics part 2.docxabhdjdjdjrjrjr
byMeetkadhiwala
 
SIT Summer School (Cyber Security)
byApurv Singh Gautam
 
Psychological aspect of social engineering
byYuvaraj Naresh
 
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
Computer hacking
byArjun Tomar
 

Recently uploaded

PDF
Modernize everything Microsoft session.pdf
byjeyfox1
 
PDF
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
PDF
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
PDF
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
PDF
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 
PDF
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
DOCX
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
PDF
5 Best FREE Anti-Detect Browsers in 2026
byRakeshChauhan821593
 
PPTX
Victoria University Transcripts
byvgki5qphpa
 
PDF
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
PDF
Parallel and Distributed Databases NOTES.pdf
bywrushabsirsat
 
PDF
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
PDF
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
PDF
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
Modernize everything Microsoft session.pdf
byjeyfox1
 
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
5 Best FREE Anti-Detect Browsers in 2026
byRakeshChauhan821593
 
Victoria University Transcripts
byvgki5qphpa
 
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
Parallel and Distributed Databases NOTES.pdf
bywrushabsirsat
 
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 

Social engineering

  • 1.
    SOCIAL ENGINEERING PATCH BUGS!= PATCH HUMANS Abdelhamid Limami IT Security Consultant @ ITDefence
  • 2.
    OVERVIEW • WHAT’S SOCIALENGINEERING ? • WHY YOU SHOULD BE CONCERNED ? • IMPACT OF SOCIAL ENGINEERING • INFORMATION GATHERING • SOCIAL ENGINEERING ATTACKS • DEMO • HOW TO PREVENT IT
  • 3.
    WHAT IS SOCIALENGINEERING ? • IN THE CONTEXT OF INFORMATION SECURITY, REFERS TO PSYCHOLOGICAL MANIPULATION OF PEOPLE INTO PERFORMING ACTIONS OR DIVULGING CONFIDENTIAL INFORMATION. A TYPE OF CONFIDENCE TRICK FOR THE PURPOSE OF INFORMATION GATHERING, FRAUD, OR SYSTEM ACCESS, IT DIFFERS FROM A TRADITIONAL "CON" IN THAT IT IS OFTEN ONE OF MANY STEPS IN A MORE COMPLEX FRAUD SCHEME. • SOCIAL ENGINEERING IS THE EXPLOITATION OF HUMAN BEHAVIOR AND TRUST SIMPLY…HACKING THE MIND
  • 4.
    WHY YOU SHOULDBE CONCERNED ? • CURRENTLY, MARKET HAS A WIDE RANGE OF SYSTEMS, PRODUCTS AND SERVICES FOCUSED ON COMPUTER SECURITY SERVICES: ANTIVIRUS, ANTISPYWARE, FIREWALLS, IPS, WAF, SIEM SYSTEM, ETC. • BUT WHAT ABOUT HUMAN ? : • PEOPLE ARE VULNERABLE • PEOPLE IS NORMALLY “THE WEAK LINK IN THE CHAIN”. • WITH MANY COMPANIES INVESTING HEAVILY INTO SECURITY TECHNOLOGIES IT IS OFTEN EASIER FOR AN ATTACKER TO EXPLOIT PEOPLE, RATHER THAN TO HACK INTO COMPUTER NETWORKS AND SYSTEMS  THIS MAKES YOU A TARGET • “BECAUSE THERE'S NO PATCH FOR HUMAN STUPIDITY”
  • 5.
    IMPACT OF SOCIALENGINEERING • FINANCIAL LOSS • DATA LEAK • REPUTATION IMAGE (COMPANY AND/OR PERSON) • MANAGEMENT TIME • LOSS OF PUBLIC TRUST • LOSS OF NEW OR EXISTING CUSTOMERS • LOSS OF COMPANY MORALE • INCREASED AUDIT COSTS
  • 6.
    INFORMATION GATHERING  COMPANYWEBSITE • COMPANY BACKGROUND • EXECUTIVE NAMES AND BIOGRAPHIES • EMAIL ENUMERATION • COMPANY ADDRESSES & PHONE NUMBERS • OPEN JOB REQUISITIONS  JOB POSTING WEBSITES • RESUME CONTAIN MOST INFORMATION NEEDED FOR THE ATTACK.  SOCIAL NETWORKS • FACEBOOK/ MYSPACE, MAY ALSO PROVIDE PERSONAL INFORMATION THAT LEAD INTO PROBABLE PASSWORDS OR ANSWERS TO SECURITY QUESTIONS. • LINKEDIN.COM IS A POPULAR PROFESSIONAL SOCIAL NETWORKING SITE • USEFUL FOR OBTAINING A LIST OF CURRENT EMPLOYEES • USEFUL IN IDENTIFYING WHICH EMPLOYEES LIKELY KNOW EACH OTHER • USEFUL IN IDENTIFYING ORGANIZATIONAL HIERARCHY
  • 7.
  • 8.
    SE ATTACKS -PHISHING • BY FAR THE MOST COMMON MEAN OF SOCIAL ENGINEERING ATTACKS. IT IS RELATIVELY EASY TO SEND A FORGED EMAIL TO A LARGE NUMBER OF RECIPIENTS AND AN ATTACKER DOESN’T HAVE TO COME INTO DIRECT CONTACT WITH THEIR TARGETS. • EXAMPLE :
  • 9.
    SE ATTACKS -VISHING • IT IS EASY FOR AN ATTACKER TO PRETEND THEY ARE CALLING OR SENDING TEXT MESSAGES FROM AN OFFICIAL SOURCE. THERE ARE SMARTPHONE APPLICATIONS THAT ALLOW AN ATTACKER TO ENTER ANY CALLER ID WHICH IN TURN APPEARS ON THE DISPLAY OF THE RECIPIENT’S DEVICE. • EXAMPLE : SPOOFCARD • ADVANTAGES : • MORE TIME CONSUMING THAN EMAIL. • REAL-TIME COMMUNICATION WITH THE TARGET • DISADVANTAGES: • ATTACKER WHO MUST REACT QUICKLY TO DIFFERENT ANSWERS OF THE TARGET. • SOCIAL ENGINEERS CAN EMPLOY INTERACTIVE VOICE RESPONSE SYSTEMS AND SEND EMAILS ASKING YOU TO CALL THE LISTED NUMBER. IN DOING SO ATTACKERS CAN PRETEND TO BE YOUR BANK AND ASK YOU TO ENTER YOUR PERSONAL AND BANK ACCOUNT DETAILS FOR “VERIFICATION PURPOSES”.
  • 10.
    SE ATTACKS –USB STICKS • ATTACKERS CAREFULLY PLANT CHEAP USB STICKS WHERE TARGETED USERS CAN FIND THEM E.G., KITCHEN, REST ROOMS, MEETING ROOMS, PARKING, BATHROOM, ENTRANCE DOOR, FRONT DESK ETC. • THESE USB STICKS ARE LOADED WITH MALICIOUS SOFTWARE (E.G., VIRUS, KEYLOGGERS, TROJANS, RANSOMWARE) • DLL INJECTION INTO THE BROWSER IS ONE WAY TO DATA EXFILTRATION. • ONCE THE BAIT IS TAKEN THE ATTACKER CAN GAIN CONTROL OF YOUR COMPUTER, INFECT IT OR ENCRYPT IT AND HOLD YOUR DATA HOSTAGE FOR RANSOM AND OF COURSE IN CASE THE COMPUTER IS CONNECTED ON NETWORK TO DO THE SAME WITH OTHER COMPUTERS AND ALSO SERVERS (RANSOMWARE / CRYPTOLOCKER) • ATTACKERS CAN USE HACKING HARDWARE STUFFS SUCH AS USB KEYLOGGERS / RUBBER DUCKY.
  • 11.
    SE ATTACKS -FREEBIES • THIS ALSO USES GREED AND CURIOSITY AS THE DRIVER AND IS OFTEN FOUND ON PEER-TO- PEER (P2P) SITES AND WEBSITES OFFERING ILLEGAL CONTENT E.G., MOVIES, MUSIC, SOFTWARE. THE ATTACKER OFFERS SOMETHING THE USER WANTS AND INCLUDES MALICIOUS CODE INTO THE OFFER AND THEN WAITS FOR THE USERS TO DOWNLOAD AND RUN THIS CODE. • EXAMPLE : • TARGET PROFITING FROM THE COMPANY HIGH INTERNET TO DOWNLOAD LATEST MOVIES • ATTACKER INJECT WINDOW POP-UP MALICIOUS CODE INTO A FILE AND UPLOAD IT TO P2P WEBSITE • TARGET DOWNLOADED THE FILE AND GOT INFECTED • WINDOWS POP-UP SHOW AND ASK USER FOR CREDENTIALS • CREDENTIALS SENT TO THE ATTACKER
  • 12.
    SE ATTACKS –PHYSICAL IMPERSONATION • IMPERSONATORS ARE CRAFTY AND CREATIVE AND CAN CLAIM THEY’RE COMING TO DO MAINTENANCE, CHECK ALARMS OR SMOKE DETECTORS, DOCUMENT FIRE HAZARDS, THEY CAN CARRY A BOX PRETENDING THEY ARE DELIVERING SOMETHING (RATHER THAN STEALING), DELIVERING FOOD. • A COMMON TRICK IS TO MAKE YOU BELIEVE THEY HAVE A MEETING WITH SOMEONE WORKING FOR THE SAME COMPANY AND AS THEY ARE LATE HAVE CALLED AHEAD TO LET THEM KNOW THEY HAVE ARRIVED TO FOOL YOU INTO THINKING THERE IS NO NEED TO CHECK THE IDENTIFY OF THIS PERSON. THE POSSIBILITIES ARE ONLY LIMITED TO THE ATTACKER’S CREATIVITY. • E.G: • PEOPLE ARE LESS SURPRISED THEY DO NOT KNOW WHO YOU ARE • ANNOUNCING YOU HAVE ARRIVED EARLY ALLOWS YOU TO WATCH PROCESSES FOR BADGE IN, FORGOTTEN BADGES, AND PINS • MAY ALLOW YOU ACCESS TO OTHER AREAS OF THE BUILDING IF YOU REQUEST BATHROOM OR BREAK ROOM
  • 13.
    DUMPSTER GIVING /TRASH • PEOPLE HAVE A TENDENCY TO THROW THINGS INTO THEIR OFFICE TRASH BIN RATHER THAN THE SECURED BINS WHERE THEY WILL BE SHREDDED. • INFORMATION FOUND CAN INCLUDE::  IT ACCOUNT INFORMATION • USERNAMES , PASSWORDS  PERSONALLY IDENTIFIABLE INFORMATION (PII) • NAMES ,ID CARD, ACCOUNT NUMBERS  SENSITIVE COMPANY INFORMATION • INTELLECTUAL PROPERTY, EARNINGS STATEMENTS, INTERNAL COMPANY EMAILS , CUSTOMER INFORMATION
  • 14.
    DEMO / REALEXAMPLES LET ME TELL YOU A STORY
  • 15.
    DEMO : VISHINGATTACK • WATCH
  • 16.
    DEMO 2 :VISHING & BROWSER/JAVA EXPLOIT • WATCH
  • 17.
    HOW TO PREVENTSE ATTACKS ? • YOU CAN ONLY PREVENT ATTACKS AGAINST YOU! • NEVER GIVE OUT ANY CONFIDENTIAL INFORMATION. • ALWAYS MAKE VERIFICATION OF THE SENDER OR THE CALLER BEFORE GIVING OUT ANY SENSITIVE INFORMATION. • IF SOMEONE SPOOF YOU SAYING THEY'RE YOUR BANK OR SUPPORT TEAM YOU BETTER CALL BACK. • SOME POOR SYSTEMS CAN BE BYPASSED WITH THE INFO FOUND ON A PACKAGE DELIVERY RECEIPT • USE DIFFERENT PASSWORDS & MAKE USE OF 2-STEP AUTHENTICATION • DON'T PUT PUBLIC INFO ON SECURITY QUESTIONS • IF SOMEONE PRETENDED TO BE YOU JUST PRAY (THAT’S NOT ON YOU) • THIS WILL JUST MINIMIZE THE DAMAGE AND KEEP YOU IN PEACE BUT TRULY THERE’S NO OBVIOUS PATCH FOR SE EVEN HACKERS GOT PWND!
  • 18.