SOCIAL ENGINEERING
PATCH BUGS != PATCH HUMANS
Abdelhamid Limami
IT Security Consultant @ ITDefence
OVERVIEW
• WHAT’S SOCIAL ENGINEERING ?
• WHY YOU SHOULD BE CONCERNED ?
• IMPACT OF SOCIAL ENGINEERING
• INFORMATION GATHERING
• SOCIAL ENGINEERING ATTACKS
• DEMO
• HOW TO PREVENT IT
WHAT IS SOCIAL ENGINEERING ?
• IN THE CONTEXT OF INFORMATION SECURITY, REFERS TO PSYCHOLOGICAL
MANIPULATION OF PEOPLE INTO PERFORMING ACTIONS OR DIVULGING
CONFIDENTIAL INFORMATION. A TYPE OF CONFIDENCE TRICK FOR THE PURPOSE
OF INFORMATION GATHERING, FRAUD, OR SYSTEM ACCESS, IT DIFFERS FROM A
TRADITIONAL "CON" IN THAT IT IS OFTEN ONE OF MANY STEPS IN A MORE
COMPLEX FRAUD SCHEME.
• SOCIAL ENGINEERING IS THE EXPLOITATION OF HUMAN BEHAVIOR AND TRUST
SIMPLY…HACKING THE MIND
WHY YOU SHOULD BE CONCERNED ?
• THE MARKET CURRENTLY OFFERS A WIDE RANGE OF SYSTEMS, PRODUCTS AND SERVICES
FOCUSED ON COMPUTER SECURITY: ANTIVIRUS, ANTISPYWARE, FIREWALLS, IPS, WAF,
SIEM SYSTEMS, ETC.
• BUT WHAT ABOUT HUMANS?
• PEOPLE ARE VULNERABLE
• PEOPLE ARE NORMALLY “THE WEAK LINK IN THE CHAIN”.
• WITH MANY COMPANIES INVESTING HEAVILY IN SECURITY TECHNOLOGIES, IT IS OFTEN
EASIER FOR AN ATTACKER TO EXPLOIT PEOPLE THAN TO BREAK INTO COMPUTER NETWORKS
AND SYSTEMS → THIS MAKES YOU A TARGET
• “BECAUSE THERE'S NO PATCH FOR HUMAN STUPIDITY”
IMPACT OF SOCIAL ENGINEERING
• FINANCIAL LOSS
• DATA LEAK
• REPUTATION IMAGE (COMPANY AND/OR PERSON)
• MANAGEMENT TIME
• LOSS OF PUBLIC TRUST
• LOSS OF NEW OR EXISTING CUSTOMERS
• LOSS OF COMPANY MORALE
• INCREASED AUDIT COSTS
INFORMATION GATHERING
• COMPANY WEBSITE
  • COMPANY BACKGROUND
  • EXECUTIVE NAMES AND BIOGRAPHIES
  • EMAIL ENUMERATION (THE ADDRESS FORMAT, E.G. FIRST.LAST@COMPANY, IS USUALLY
    VISIBLE ON CONTACT PAGES AND IN PRESS RELEASES)
  • COMPANY ADDRESSES & PHONE NUMBERS
  • OPEN JOB REQUISITIONS
• JOB POSTING WEBSITES
  • A RESUME CONTAINS MOST OF THE INFORMATION NEEDED FOR THE ATTACK.
• SOCIAL NETWORKS
  • FACEBOOK / MYSPACE MAY ALSO PROVIDE PERSONAL INFORMATION THAT LEADS TO
    PROBABLE PASSWORDS OR ANSWERS TO SECURITY QUESTIONS.
  • LINKEDIN.COM IS A POPULAR PROFESSIONAL SOCIAL NETWORKING SITE
    • USEFUL FOR OBTAINING A LIST OF CURRENT EMPLOYEES
    • USEFUL IN IDENTIFYING WHICH EMPLOYEES LIKELY KNOW EACH OTHER
    • USEFUL IN IDENTIFYING THE ORGANIZATIONAL HIERARCHY
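To make the "email enumeration" bullet concrete, here is an added example (written for this page, not taken from the slides) of how an attacker turns a handful of addresses found in a press release plus the names harvested from the company website into a full target list: infer the company's address convention by voting, then apply it to everyone else. The names, addresses and the domain example.com are invented sample data.

```python
import re
from collections import Counter

# Constructed sample data (invented names and domain): names harvested from an
# "about us" page, and two addresses seen in a press release.
KNOWN_PEOPLE = [("Jane", "Doe"), ("Alex", "Roe"), ("Sam", "Poe"), ("Maria", "O'Neil")]
KNOWN_ADDRESSES = ["jane.doe@example.com", "alex.roe@example.com"]

# Candidate naming conventions; f = first name, l = last name, both already
# lower-cased and stripped of non-letters.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
}


def _norm(name: str) -> str:
    """Lower-case and drop anything that is not a-z ("O'Neil" -> "oneil")."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_pattern(people, addresses):
    """Return the convention that explains the most known addresses, or None.

    Each (first, last) pair votes for every pattern that reproduces one of the
    known local parts; on a tie the pattern matched first wins.
    """
    local_parts = {addr.split("@")[0].lower() for addr in addresses}
    votes = Counter()
    for first, last in people:
        f, l = _norm(first), _norm(last)
        for label, build in PATTERNS.items():
            if build(f, l) in local_parts:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def generate(people, domain, pattern):
    """Apply an inferred convention to a list of names to get candidate addresses."""
    build = PATTERNS[pattern]
    return [f"{build(_norm(f), _norm(l))}@{domain}" for f, l in people]


if __name__ == "__main__":
    convention = infer_pattern(KNOWN_PEOPLE, KNOWN_ADDRESSES)
    print("inferred convention:", convention)
    for candidate in generate(KNOWN_PEOPLE, "example.com", convention):
        print(candidate)
```

The same script is useful on the defensive side: run it against your own public pages to see how complete a target list an outsider can build before anyone has sent a single email.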
SOCIAL ENGINEERING ATTACKS
SE ATTACKS - PHISHING
• BY FAR THE MOST COMMON MEANS OF SOCIAL ENGINEERING ATTACK. IT IS RELATIVELY
EASY TO SEND A FORGED EMAIL TO A LARGE NUMBER OF RECIPIENTS, AND THE ATTACKER
DOESN’T HAVE TO COME INTO DIRECT CONTACT WITH THEIR TARGETS.
• EXAMPLE :
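The slide's example image did not survive extraction, so here is an added example (written for this page, not from the original deck) of what a "forged email" looks like at the header level and how a mail filter or analyst can flag it. It checks the four things that most often give a phish away: a Reply-To steering replies to another domain, an envelope sender (Return-Path) that does not match the visible From, a failed SPF/DKIM/DMARC result recorded by the receiving mail server, and a link whose visible text is a URL on one domain while the href points somewhere else. Both messages, and every domain and address in them, are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (invented domains and addresses, not real mail).
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-0x7.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-0x7.example.net; dkim=none
From: "Example Bank Support" <support@example-bank.com>
Reply-To: verify@example-bank-secure.net
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://login.example-bank-secure.net/verify">https://www.example-bank.com/login</a>
to verify your account within 24 hours.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
Return-Path: <support@example-bank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
To: customer@example.com
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.I)


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _base_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels of a hostname
    (fine for .com/.net; a production filter would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw: str) -> list[str]:
    """Return red-flag labels for one RFC 5322 message (empty list = nothing found)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])

    # 1. Replies are steered to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(str(reply_to))[1]) != from_domain:
        findings.append("reply-to-mismatch")

    # 2. The envelope sender (where bounces go) is not the visible sender's domain.
    return_path = msg.get("Return-Path")
    if return_path and _domain(parseaddr(str(return_path))[1]) != from_domain:
        findings.append("return-path-mismatch")

    # 3. The receiving MX recorded a failed SPF/DKIM/DMARC check.
    for mech, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech.lower()}-fail")

    # 4. Link text shows a URL on one domain while the href points to another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        shown = urlparse(text.strip())
        if shown.scheme and shown.hostname:
            target_host = urlparse(href).hostname or ""
            if _base_domain(shown.hostname) != _base_domain(target_host):
                findings.append("link-text-mismatch")
    return findings


if __name__ == "__main__":
    print("phish :", analyze(SAMPLE_PHISH))
    print("legit :", analyze(SAMPLE_LEGIT))
```

None of these checks is proof on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is why the function returns all findings rather than a single verdict; a message that trips several at once is the one to quarantine.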
SE ATTACKS - VISHING
• IT IS EASY FOR AN ATTACKER TO PRETEND THEY ARE CALLING OR SENDING TEXT
MESSAGES FROM AN OFFICIAL SOURCE. THERE ARE SMARTPHONE APPLICATIONS THAT
ALLOW AN ATTACKER TO ENTER ANY CALLER ID WHICH IN TURN APPEARS ON THE
DISPLAY OF THE RECIPIENT’S DEVICE.
• EXAMPLE : SPOOFCARD
• ADVANTAGES :
• REAL-TIME COMMUNICATION WITH THE TARGET
• DISADVANTAGES:
• MORE TIME CONSUMING THAN EMAIL.
• THE ATTACKER MUST REACT QUICKLY TO THE TARGET'S DIFFERENT ANSWERS.
• SOCIAL ENGINEERS CAN EMPLOY INTERACTIVE VOICE RESPONSE SYSTEMS AND SEND
EMAILS ASKING YOU TO CALL THE LISTED NUMBER. IN DOING SO ATTACKERS CAN
PRETEND TO BE YOUR BANK AND ASK YOU TO ENTER YOUR PERSONAL AND BANK
ACCOUNT DETAILS FOR “VERIFICATION PURPOSES”.
SE ATTACKS – USB STICKS
• ATTACKERS CAREFULLY PLANT CHEAP USB STICKS WHERE TARGETED USERS CAN FIND
THEM E.G., KITCHEN, REST ROOMS, MEETING ROOMS, PARKING, BATHROOM, ENTRANCE
DOOR, FRONT DESK ETC.
• THESE USB STICKS ARE LOADED WITH MALICIOUS SOFTWARE (E.G., VIRUS,
KEYLOGGERS, TROJANS, RANSOMWARE)
• DLL INJECTION INTO THE BROWSER IS ONE WAY TO EXFILTRATE DATA.
• ONCE THE BAIT IS TAKEN, THE ATTACKER CAN GAIN CONTROL OF YOUR COMPUTER, INFECT IT,
OR ENCRYPT IT AND HOLD YOUR DATA HOSTAGE FOR RANSOM, AND OF COURSE, IF THE COMPUTER
IS CONNECTED TO A NETWORK, DO THE SAME TO OTHER COMPUTERS AND SERVERS
(RANSOMWARE / CRYPTOLOCKER)
• ATTACKERS CAN ALSO USE ATTACK HARDWARE SUCH AS USB KEYLOGGERS OR A RUBBER DUCKY
(A USB DEVICE THAT ENUMERATES AS A KEYBOARD AND TYPES A PRE-PROGRAMMED PAYLOAD,
SO THE VICTIM DOESN'T EVEN HAVE TO OPEN A FILE).
SE ATTACKS - FREEBIES
• THIS ALSO USES GREED AND CURIOSITY AS THE DRIVER AND IS OFTEN FOUND ON
PEER-TO-PEER (P2P) SITES AND WEBSITES OFFERING ILLEGAL CONTENT, E.G., MOVIES,
MUSIC, SOFTWARE. THE ATTACKER OFFERS SOMETHING THE USER WANTS, INCLUDES MALICIOUS
CODE IN THE OFFER, AND THEN WAITS FOR USERS TO DOWNLOAD AND RUN THIS CODE.
• EXAMPLE :
• THE TARGET TAKES ADVANTAGE OF THE COMPANY'S FAST INTERNET CONNECTION TO
DOWNLOAD THE LATEST MOVIES
• THE ATTACKER EMBEDS MALICIOUS CODE THAT SHOWS A FAKE WINDOWS LOGIN POP-UP IN A
FILE AND UPLOADS IT TO A P2P WEBSITE
• THE TARGET DOWNLOADS THE FILE AND GETS INFECTED
• THE WINDOWS POP-UP APPEARS AND ASKS THE USER FOR CREDENTIALS
• THE CREDENTIALS ARE SENT TO THE ATTACKER
SE ATTACKS – PHYSICAL IMPERSONATION
• IMPERSONATORS ARE CRAFTY AND CREATIVE: THEY CAN CLAIM THEY'RE COMING TO DO
MAINTENANCE, CHECK ALARMS OR SMOKE DETECTORS, OR DOCUMENT FIRE HAZARDS; THEY CAN
CARRY A BOX PRETENDING THEY ARE DELIVERING SOMETHING (RATHER THAN STEALING), OR
DELIVER FOOD.
• A COMMON TRICK IS TO MAKE YOU BELIEVE THEY HAVE A MEETING WITH SOMEONE WORKING
FOR THE SAME COMPANY AND, AS THEY ARE LATE, HAVE CALLED AHEAD TO SAY THEY HAVE
ARRIVED, FOOLING YOU INTO THINKING THERE IS NO NEED TO CHECK THIS PERSON'S
IDENTITY. THE POSSIBILITIES ARE LIMITED ONLY BY THE ATTACKER'S CREATIVITY.
• E.G.:
• PEOPLE ARE LESS SURPRISED THAT THEY DO NOT KNOW WHO YOU ARE
• ANNOUNCING YOU HAVE ARRIVED EARLY ALLOWS YOU TO WATCH THE BADGE-IN PROCESS,
FORGOTTEN BADGES, AND PINS
• ASKING FOR THE BATHROOM OR BREAK ROOM MAY GET YOU ACCESS TO OTHER AREAS OF THE
BUILDING
SE ATTACKS – DUMPSTER DIVING / TRASH
• PEOPLE HAVE A TENDENCY TO THROW THINGS INTO THEIR OFFICE TRASH BIN RATHER THAN
THE SECURED BINS WHERE THEY WILL BE SHREDDED.
• INFORMATION FOUND CAN INCLUDE:
  • IT ACCOUNT INFORMATION
    • USERNAMES, PASSWORDS
  • PERSONALLY IDENTIFIABLE INFORMATION (PII)
    • NAMES, ID CARDS, ACCOUNT NUMBERS
  • SENSITIVE COMPANY INFORMATION
    • INTELLECTUAL PROPERTY, EARNINGS STATEMENTS, INTERNAL COMPANY EMAILS,
      CUSTOMER INFORMATION
DEMO / REAL EXAMPLES
LET ME TELL YOU A STORY
DEMO : VISHING ATTACK
• WATCH
DEMO 2 : VISHING & BROWSER/JAVA EXPLOIT
• WATCH
HOW TO PREVENT SE ATTACKS ?
• YOU CAN ONLY PREVENT ATTACKS AGAINST YOU!
• NEVER GIVE OUT ANY CONFIDENTIAL INFORMATION.
• ALWAYS VERIFY THE SENDER OR THE CALLER BEFORE GIVING OUT ANY SENSITIVE
INFORMATION.
• IF SOMEONE CALLS CLAIMING TO BE YOUR BANK OR SUPPORT TEAM, HANG UP AND CALL
BACK ON A NUMBER YOU LOOK UP YOURSELF (NOT ONE THE CALLER GIVES YOU, AND NOT THE
CALLER ID, WHICH CAN BE SPOOFED).
• SOME POOR SYSTEMS CAN BE BYPASSED WITH THE INFO FOUND ON A PACKAGE DELIVERY RECEIPT
• USE A DIFFERENT PASSWORD FOR EVERY ACCOUNT & ENABLE 2-STEP AUTHENTICATION (BUT
NEVER READ A ONE-TIME CODE TO A CALLER: CODES CAN BE PHISHED IN REAL TIME)
• DON'T USE PUBLIC INFO AS ANSWERS TO SECURITY QUESTIONS
• IF SOMEONE PRETENDED TO BE YOU, JUST PRAY (THAT’S NOT ON YOU)
• THIS WILL ONLY MINIMIZE THE DAMAGE AND KEEP YOU AT PEACE, BUT TRULY THERE’S NO
OBVIOUS PATCH FOR SE. EVEN HACKERS GET PWNED!
THANK YOU !
