Social Engineering
Techniques & Trends
Neelu Tripathy
AGENDA
• Concept & Status Quo
• Down The Rabbit Hole: Workflow
• Recon
• Phishing
• Exploitation & Exfiltration
• Physical PenTesting
• Case Studies
• Defenses
Why So Social!: Some Context
• Differentiates humans from animals
• Humans are not perfect, not robots
• Emotions:
  • Authority
  • Urgency
  • Fear
  • Guilt
  • Friendliness
  • Sex appeal
  • Sympathy
  • Compassion
  • Ideology
  • National pride
[Diagram: Time (Day, Month); Psychology (Micro Expressions); Context (Environment)]
STATUS QUO: http://docs.apwg.org/reports/apwg_trends_report_h1_2017.pdf
Up The Rabbit Hole: Workflow
OSINT/RECON → PHISHING / VISHING / SMISHING → BAIT/EXPLOITATION → EXFILTRATION → LATERAL MOVEMENT → EXECUTION → WONDERLAND
OSINT/RECONNAISSANCE
• Organization as an Entity
• Campaign and Contexts
• Reconnaissance and role of OSINT
• Maintaining Focus
• Tools:
  • Maltego, Spiderfoot (integrates with Tor)
  • Google Dorking and GHDB - https://www.exploit-db.com/google-hacking-database/
  • Censys; Data & File: FOCA, Sublist3r, theHarvester, SimplyEmail
  • Search Engines, Shodan
  • Social Networks
Picking Fireflies from a Haystack
PHISHING / VISHING
“Is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.” (Wiki)
• Pretexting
• Spear Phishing
• Vishing (Manual, IVR)
• Smishing
• “We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”
Tools
• Automation
• Services
• Search Engines
• Big Data
Maltego, Spiderfoot (integrates with Tor)
Google Dorking and GHDB - https://www.exploit-db.com/google-hacking-database/
Censys; Data & File: FOCA, Sublist3r, theHarvester, SimplyEmail, Datasploit
Phishing Frameworks: Phishing Frenzy, King Phisher, Gophish
Post WorkOut
Exploitation
• A way or means of compromising a vulnerability in a system
• Local & Remote
• Relationship with Social Engineering
• URL Based Phishing
• In Situ/Client Side Attacks
Exfiltration
• Data
• Command & Control
Role of Network & Technology Controls
• Anti-Phishing Controls
• Monitoring Metrics, Alerts
Breaching Boundaries
Two Eyes are worth a dozen Cameras
Breaching Boundaries
Reconnaissance
• Locations, HQ, DC & DR Sites, Branches, nearby Landmarks
• Explore People Culture
• Human - User controls
• Network Controls, Removable Devices, USB
• Social Engineering a company and an individual
Where can you look? Physical, Network, Wireless
Talk to the team? - Case of Helpdesk
Correlate & Coordinate
CASE Studies
• Snapchat
• 100 million active users daily
• Trusted People Vs Trusted Information
• Phishing email: Attacker masquerading as CEO Evan Spiegel
• Employee gives payroll information of employees
• Takes over employee identity
Case II
• SS&C Technology
• Investment Management Software and Services Company
• SS&C was phished - 6 fraudulent transfer requests
• Pre-text: Fund Redemption for Investors
• Business Loss: $6 million
• Scammers make mistake: to Hoaran Technologies & its account at Hang Seng Bank in Hong Kong
• Transfer was rejected!
• Redirected to ‘Away Technologies’ via an account at HSBC, Hong Kong.
THE HUMAN VERIFICATION CATCH
Followers Now
Phishing through Instagram
• Compromised account comments with links to free follower accounts
• Harvesting Instagram User Credentials
Defences
• Education - Security Awareness
• Anti-phishing & Human Threat Intelligence
• Strengthen Processes to report phishing
• Measure Actual Security Posture: Engage in Real Pen-tests
• Strengthen Technology
  • Email Filtering
  • Detection & Incident Response
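As an added example (not from the deck or its author), the following triage check runs over constructed message headers and picks out the executive-impersonation pattern seen in the Snapchat and SS&C cases: a known executive's display name on a foreign mailbox, a lookalike sender domain, a diverted Reply-To, failed sender authentication, and the urgency-plus-payment lure from the emotion list. The internal domain, the executive directory and the keyword lists are assumptions for the example; such a check complements the Email Filtering and Detection items above rather than replacing them.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed directory, domain and lure vocabulary for this example (assumptions, not from the deck).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"evan spiegel": "evan.spiegel@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before noon)\b", re.I)
PAYLOAD = re.compile(r"\b(payroll|w-?2|wire|transfer|redemption|invoice)\b", re.I)
def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def triage(raw: str) -> list[str]:
    """Return the executive-impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:            # executive's name on a foreign mailbox
        findings.append("display-name impersonation of executive")
    if from_dom != INTERNAL_DOMAIN and SequenceMatcher(None, from_dom, INTERNAL_DOMAIN).ratio() >= 0.85:
        findings.append("lookalike sender domain " + from_dom)   # e.g. examp1e.com vs example.com
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:        # replies routed away from the shown sender
        findings.append("reply-to diverts to " + reply_dom)
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)", msg.get("Authentication-Results", "").lower()):
        findings.append("sender authentication failed")
    text = msg.get("Subject", "") + " " + (msg.get_payload() if not msg.is_multipart() else "")
    if URGENCY.search(text) and PAYLOAD.search(text):   # urgency + authority lure from the emotion list
        findings.append("urgent request for payroll or payment action")
    return findings

# Constructed sample messages: a CEO-impersonation lure and a legitimate note from the real mailbox.
SPOOFED = """\
From: Evan Spiegel <evan.spiegel@examp1e.com>
Reply-To: ceo-office@mail-relay.example.net
Subject: Urgent: payroll data needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail

Please send me the W-2 information for all employees before noon.
"""
BENIGN = """\
From: Evan Spiegel <evan.spiegel@example.com>
Subject: Town hall slides

Slides from today's town hall are on the intranet.
"""
```

Calling triage(SPOOFED) returns all five indicators, while triage(BENIGN) returns an empty list; in a mail gateway each indicator would feed the alerting metrics rather than block on its own.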
Thank YOU!
Questions?
REFERENCES:
https://zone13.io/post/social_network_backdoor_windows/
https://www.trendmicro.com/
https://www.phishlabs.com/
http://www.antiphishing.org/
http://blogs.phishlabs.com
http://www.verizonenterprise.com/DBIR
https://www.symantec.com/

Editor's Notes

  • #8 SET Demo
  • #12 Dumpster Diving; Love the printers - Documents; Building Layout; Tailgating / Baiting; Meeting rooms, locker rooms; Wireless Data Leakage; Creds?; Unattended PC/ID/gadgets; Oops, I dropped my Pen Drive; NAC and Network Access; Public Shares & File Servers
  • #16 https://www.paypal.com/us/webapps/mpp/security/suspicious-activity