CEH v5 Module 09 Social Engineering.pdf


  • 8/9/2019 CEH v5 Module 09 Social Engineering.pdf

    1/112

Module IX: Social Engineering

Ethical Hacking, Version 5


EC-Council. Copyright by EC-Council. All Rights reserved. Reproduction is strictly prohibited.

    Scenario

Source: Department of Treasury, Washington D.C. http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf


    Module Objective

    This module will familiarize you with the following:

Social Engineering: An Introduction

Types of Social Engineering

    Dumpster Diving

    Shoulder surfing

    Reverse Social Engineering

    Behaviors vulnerable to attacks

    Countermeasures for Social engineering

    Policies and Procedures

    Phishing Attacks

Identity Theft

Online Scams

    Countermeasures for Identity theft


    Module Flow

    Social Engineering

    Countermeasures

Types of Social Engineering

    Countermeasures

Behaviors vulnerable to attacks

    Identity Theft

    Online Scams

    Phishing Attacks

    Policies and Procedures


There is No Patch to Human Stupidity


    What is Social Engineering?

Social Engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks.

An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours.


    What is Social Engineering? (contd)

Tactic or trick of gaining sensitive information by exploiting basic human nature such as:

    Trust

    Fear

    Desire to Help

    Social engineers attempt to gather information such as:

    Sensitive information

    Authorization details

    Access details


    Human Weakness

People are usually the weakest link in the security chain.

A successful defense depends on having good policies, and educating employees to follow them.

Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.


    Rebecca and Jessica

Hackers use the terms Rebecca and Jessica to denote social engineering targets.

Hackers commonly use these terms when they social engineer victims.

Rebecca and Jessica mean a person who is an easy target for social engineering, like the receptionist of a company.

Example:

There was a Rebecca at the bank and I am going to call her to extract privileged information.

I met Ms. Jessica, she was an easy target for social engineering.

Do you have any Rebecca in your company?


    Office Workers

Despite having the best firewall, intrusion-detection and antivirus systems technology has to offer, you are still hit with security breaches.

One reason for this may be lack of motivation among your workers.

Hackers can attempt a social engineering attack on office workers to extract sensitive data such as:

    Security policies

    Sensitive documents

    Office network infrastructure

    Passwords


    Types of Social Engineering

Social Engineering can be divided into two categories:

Human-based

Gathering sensitive information by interaction

Attacks of this category exploit the trust, fear and helping nature of humans

Computer-based

Social engineering carried out with the aid of computers


    Human-based Social Engineering

Posing as a Legitimate End User

Gives identity and asks for sensitive information

"Hi! This is John, from Department X. I have forgotten my password. Can I get it?"

Posing as an Important User

Posing as a VIP of a target company, valuable customer, etc.

"Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system password. Can you help me out?"


Human-based Social Engineering (contd)

Posing as Technical Support

Calls as a technical support staff member, and requests IDs and passwords to retrieve data

"Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"


    Technical Support Example

A man calls a company help desk and says he's forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.


More Social Engineering Examples

"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."


More Social Engineering Examples

"Hi I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us.

They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up.

Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."


More Social Engineering Examples

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system."

Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.


Human-based Social Engineering (contd)

Eavesdropping

Unauthorized listening to conversations or reading of messages

Interception of any form, such as audio, video or written


Human-based Social Engineering: Shoulder Surfing

Looking over your shoulder as you enter a password

Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers and more

Simply, they look over your shoulder, or even watch from a distance using binoculars, in order to get those pieces of information

[Figure: hacker observing a victim entering a password]


Human-based Social Engineering (contd)

Dumpster Diving

Search for sensitive information at the target company's:

Trash bins

Printer trash bins

User desks, for sticky notes etc.

Collect:

Phone bills

Contact information

Financial information

Operations-related information etc.


    Dumpster Diving Example

A man behind the building is loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials.

This information is sufficient to launch a social engineering attack on the company.


Oracle Snoops Microsoft's Trash Bins

"We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage.


    Case Study

Source courtesy: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/27/AR2006092701304.html


Human-based Social Engineering (contd)

In person

Survey a target company to collect information on:

Current technologies

Contact information, and so on

Third-party Authorization

Refer to an important person in the organization and try to collect data

"Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?"


Human-based Social Engineering (contd)

Tailgating

An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access

An authorized person may be unaware of having provided an unauthorized person access to a secured area

Piggybacking

"I forgot my ID badge at home. Please help me."

An authorized person provides access to an unauthorized person by keeping the secured door open


Human-based Social Engineering (contd)

Reverse Social Engineering

This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around

A Reverse Social Engineering attack involves:

Sabotage

Marketing

Providing Support


Movies to Watch for Reverse Social Engineering Examples:

The Italian Job and Catch Me If You Can


    Computer-based Social Engineering

These can be divided into the following broad categories:

Mail / IM attachments

Pop-up Windows

Websites / Sweepstakes

Spam mail


Computer-based Social Engineering (contd)

Pop-up Windows

Windows that suddenly pop up while surfing the Internet and ask for the user's information, to login or sign in

Hoaxes and chain letters

Hoax letters are emails that issue warnings to users about new viruses, Trojans or worms that may harm the user's system

Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of persons


Computer-based Social Engineering (contd)

Instant Chat Messenger

Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names

Acquired data is later used for cracking the user's accounts

Spam email

Email sent to many recipients without prior permission, intended for commercial purposes

Irrelevant, unwanted and unsolicited email used to collect financial information, social security numbers, and network information


Computer-based Social Engineering (contd)

Phishing

An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information

Lures online users with statements such as:

Verify your account

Update your information

Your account will be closed or suspended

Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers


    Insider Attack

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to pass the interview, have that person get hired, and they are in

It takes only one disgruntled person to take revenge, and your company is compromised

60% of attacks occur behind the firewall

An inside attack is easy to launch

Prevention is difficult

The inside attacker can easily succeed

Difficult to catch the perpetrator


    Disgruntled Employee

[Diagram: a disgruntled employee takes company secrets from the company network and sends the data to a competitor using steganography]

Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions etc.


    Preventing Insider Threat

    There is no single solution to prevent an insider threat

Some recommendations:

Separation of duties

    Rotation of duties

    Least privilege

    Controlled access

    Logging and auditing

    Legal Policies

    Archive critical data


    Common Targets of Social Engineering

Receptionists and help desk personnel

Technical support executives

Vendors of the target organization

System administrators and users


Factors that make Companies Vulnerable to Attacks

    Insufficient security training and awareness

    Several organizational units

    Lack of appropriate security policies

Easy access to information, e.g. e-mail IDs and phone extension numbers of employees


    Why is Social Engineering Effective?

Security policies are only as strong as their weakest link, and humans are the most susceptible factor

Social engineering attempts are difficult to detect

There is no method to ensure complete security from social engineering attacks

There is no specific software or hardware for defending against a social engineering attack


Warning Signs of an Attack

An attacker may:

Show inability to give a valid callback number

Make informal requests

Claim authority

Show haste

Unusually compliment or praise

Show discomfort when questioned

Drop names inadvertently

Threaten dire consequences if information is not provided

Tool : Netcraft Anti-Phishing Toolbar


Tool : Netcraft Anti-Phishing Toolbar (contd)

[Screenshot: Netcraft Toolbar, Site Report]


Tool : Netcraft Anti-Phishing Toolbar (contd)

[Screenshot: website network information and location details]


    Phases in a Social Engineering Attack

Four phases of a Social Engineering Attack:

Research on target company

Dumpster diving, websites, employees, tour of the company and so on

Select victim

Identify frustrated employees of the target company

Develop relationship

Developing a relationship with the selected employees

Exploit the relationship to achieve the objective

Collect sensitive account information, financial information, current technologies


    Behaviors Vulnerable to Attacks

    Trust

The human nature of trust is the basis of any social engineering attack

Ignorance

Ignorance about social engineering and its effects among the workforce makes the organization an easy target

    Fear

    Social engineers might threaten severe losses in case of non-compliance with their request


Behaviors Vulnerable to Attacks (contd)

Greed

Social engineers lure the targets to divulge information by promising something for nothing

Moral duty

Targets are asked for help, and they comply out of a sense of moral obligation


    Impact on the Organization

    Economic losses

    Damage of goodwill

    Loss of privacy

    Dangers of terrorism

    Lawsuits and arbitrations

    Temporary or permanent closure


Countermeasures

Training

An efficient training program should consist of all security policies and methods to increase awareness of social engineering


    Countermeasures (contd)

    Password policies

    Periodic password change

    Avoiding guessable passwords

    Account blocking after failed attempts

    Length and complexity of passwords

    Minimum number of characters, use of special characters and numbers etc.

    e.g. ar1f23#$g

Secrecy of passwords

Do not reveal them if asked, and do not write them down anywhere to remember them
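The password rules listed above, and the account blocking after failed attempts, as an added example that is not part of the CEH deck. MIN_LENGTH, MAX_AGE_DAYS, LOCKOUT_THRESHOLD and the GUESSABLE word list are assumed values chosen for the demo, not figures from the module; check_password() returns the list of violations and LockoutTracker enforces the lockout.

```python
"""Password-policy and lockout checks for the countermeasures listed above.

Added example, not part of the CEH deck. MIN_LENGTH, MAX_AGE_DAYS,
LOCKOUT_THRESHOLD and GUESSABLE are assumed values chosen for the demo.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Set

MIN_LENGTH = 9            # assumed: the deck's sample ar1f23#$g is 9 characters
MAX_AGE_DAYS = 90         # assumed periodic-change interval
LOCKOUT_THRESHOLD = 5     # assumed number of failed logins before blocking
# Assumed tiny dictionary of guessable words; a real deployment uses a large one.
GUESSABLE = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}


def check_password(pw: str, username: str = "",
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"\d", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    low = pw.lower()
    if username and len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    if any(word in low for word in GUESSABLE):
        problems.append("contains a guessable word")
    if re.search(r"(.)\1\1", pw):
        problems.append("three identical characters in a row")
    if last_changed is not None and today is not None \
            and (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days, change required")
    return problems


class LockoutTracker:
    """Block an account after LOCKOUT_THRESHOLD consecutive failed attempts."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, password_ok: bool) -> bool:
        """Record one login attempt; return True only if the login is granted."""
        if self.is_locked(user):
            return False                   # locked accounts stay locked even with the right password
        if password_ok:
            self.failures.pop(user, None)  # a success resets the counter
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False

    def unlock(self, user: str) -> None:
        """Administrative reset, e.g. after the help desk has verified the caller in person."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("ar1f23#$g"))                    # the deck's example passes
    print(check_password("Password1", username="alice"))  # two violations
    tracker = LockoutTracker()
    for _ in range(LOCKOUT_THRESHOLD):
        tracker.attempt("bob", password_ok=False)
    print(tracker.is_locked("bob"), tracker.attempt("bob", password_ok=True))
```

The lockout deliberately refuses a correct password once the threshold is reached: the social-engineering variant of the attack is to guess a few times and then call the help desk, so unlock() is a separate, administrative step rather than something a successful login clears.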



Countermeasures (contd)

Operational guidelines

Ensure security of sensitive information and authorized use of resources

Physical security policies

Identification of employees, e.g. issuing of ID cards, uniforms and so on

Escorting the visitors

Access area restrictions

Proper shredding of useless documents

Employing security personnel


    Countermeasures (contd)

    Classification of Information

    Categorize the information as top secret, proprietary, for internal use

    only, for public use, and so on

    Access privileges

    Administrator, user and guest accounts with proper authorization

    Background check of employees and proper termination process

    Insiders with a criminal background and terminated employees are

    easy targets for procuring information

Proper incident response system

There should be proper guidelines for reacting in case of a social engineering attempt


    Policies and Procedures

Policy is the most critical component of any information security program

Good policies and procedures are ineffective if they are not taught and reinforced among the employees

Their importance needs to be emphasized to employees. After receiving training, the employee should sign a statement acknowledging that they understand the policies


    Security Policies - Checklist

    Account setup

    Password change policy

    Help desk procedures

    Access privileges

    Violations

Employee identification

Privacy policy

    Paper documents

Modems

Physical access restrictions

    Virus control



    What Happened Next?

Source: Department of Treasury, Washington D.C. http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf

Read the PDF document at the URL link.

You will be shocked!


    Summary

Social Engineering is the human side of breaking into a corporate network

Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider

Human-based social engineering refers to person-to-person interaction to retrieve the desired information

Computer-based social engineering refers to having computer software that attempts to retrieve the desired information

A successful defense depends on having good policies and their diligent implementation


Phishing Attacks and Identity Theft

Hacking News



    What is Phishing?

A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as a credit card, bank account or Social Security number

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials

(adapted from "fishing" for information)


    Phishing News

    Source Courtesy: http://news.com.com/Yahoo+adds+phishing+shield/2100-1029_3-6108330.html?tag=nefd.top


    Phishing Report


    Source: http://anti-phishing.org/

Phishing Report (contd)


    Source: http://anti-phishing.org/



    Attacks

Phishing is the most common corporate identity theft scam today

It usually involves an e-mail message asking consumers to update their personal information, with a link to a spoofed website

To give their schemes a legitimate look and feel, fraudsters commonly steal well-known corporate identities, product names, and logos

It is easy to construct authentic-looking websites for e-mail scams

Phishing Example (paypal)

[Screenshot: PayPal phishing e-mail]


    Phishing Example (MSN)


Phishing Example (MSN) (contd)


Phishing Example (Visa) (contd)


    Hidden Frames


Frames provide a popular method of hiding attack content

They have uniform browser support and an easy coding style

The attacker defines HTML code using two frames

The first frame contains the legitimate site URL information, while the second frame, occupying 0% of the browser interface, has malicious code running
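The 0% frame described above, seen from the defender's side, as an added example that is not part of the CEH deck: a small auditor built on Python's standard html.parser that reports every frame given no screen space by its frameset's rows/cols and every iframe collapsed to zero size or hidden by style. The two sample pages are constructed for the demo (192.0.2.10 is a documentation address), and the set of size spellings treated as zero is an assumption.

```python
"""Find frames and iframes that are sized or styled to be invisible.

Added example, not part of the CEH deck. The two sample pages are
constructed for the demo; 192.0.2.10 is a documentation address.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample: a genuine site in the visible row and a
# credential-harvesting page in a 0% row, as the text describes.
SAMPLE_FRAMESET = """
<html><head><title>Account Update</title></head>
<frameset rows="100%,0%">
  <frame src="http://www.ebay.com/" name="visible">
  <frame src="http://192.0.2.10/harvest.html" name="hidden">
</frameset>
</html>
"""

# Constructed sample: the same idea with a zero-sized iframe.
SAMPLE_IFRAME = ('<p>Welcome back</p>'
                 '<iframe src="http://192.0.2.10/k.html" width="0" height="0"></iframe>')

ZERO_SIZES = {"0", "0%", "0px"}   # assumed spellings that browsers render as no space


def _slot_is_zero(sizes: List[str], index: int) -> bool:
    """Is the index-th slot of a rows/cols list given no screen space?"""
    if index >= len(sizes):
        return True                  # more children than slots: the extras get nothing
    size = sizes[index].strip().lower()
    if size in ZERO_SIZES:
        return True
    if size == "*":                  # '*' takes what is left; nothing if the fixed parts sum to 100%
        percent = 0.0
        for other in sizes:
            o = other.strip().lower()
            if o.endswith("%"):
                try:
                    percent += float(o[:-1])
                except ValueError:
                    pass
        return percent >= 100.0
    return False


class FrameAuditor(HTMLParser):
    """Collect (tag, src, reason) for every frame/iframe that cannot be seen."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: List[Tuple[List[str], int]] = []   # (slot sizes, next child index) per open frameset
        self.hidden: List[Tuple[str, str, str]] = []

    def _take_slot(self) -> Tuple[List[str], int]:
        sizes, index = self.stack[-1]
        self.stack[-1] = (sizes, index + 1)
        return sizes, index

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "frameset":
            if self.stack:
                self._take_slot()        # a nested frameset occupies one slot of its parent
            spec = a.get("rows") or a.get("cols") or "*"
            self.stack.append((spec.split(","), 0))
        elif tag == "frame" and self.stack:
            sizes, index = self._take_slot()
            if _slot_is_zero(sizes, index):
                allotted = sizes[index].strip() if index < len(sizes) else "none"
                self.hidden.append(("frame", a.get("src", ""), f"allotted size {allotted}"))
        elif tag == "iframe":
            reasons = []
            for dim in ("width", "height"):
                if a.get(dim, "").strip().lower() in ZERO_SIZES:
                    reasons.append(f"{dim}=0")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
            if reasons:
                self.hidden.append(("iframe", a.get("src", ""), ", ".join(reasons)))

    def handle_endtag(self, tag):
        if tag == "frameset" and self.stack:
            self.stack.pop()


def find_hidden_frames(html: str) -> List[Tuple[str, str, str]]:
    """Parse a page and return the frames/iframes that occupy no visible space."""
    auditor = FrameAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.hidden


if __name__ == "__main__":
    for page in (SAMPLE_FRAMESET, SAMPLE_IFRAME):
        for tag, src, reason in find_hidden_frames(page):
            print(f"{tag:6} {src:35} {reason}")
```

A frame whose row is "*" is reported only when the other rows already claim 100%, because "*" otherwise means "the remaining space" and is perfectly normal; the src of anything flagged is what an analyst would then feed to the URL checks later in this module.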

    Hidden Frames Example


Frame Based Exploit Example


    URL Obfuscation


Using Strings - Uses a credible-sounding text string within the URL

Example: http://XX.XX.78.45/ebay/account_update/now.asp

Using the @ sign - This syntax is normally used for websites that require some authentication: everything to the left of the @ is treated as user credentials and ignored by the server, and the domain name or IP address on the right side of the @ sign is the real destination (@ can be replaced with its percent-encoding, %40). Current browsers strip this userinfo from the address bar or prompt before using it, which blunts the trick against up-to-date clients

Example:

http://www.citybank.com/[email protected]/usb/process.asp

Status Bar Tricks - The URL is so long that it cannot be completely displayed in the status bar. Often combined with the @ so that the fraudulent URL is at the end and not displayed

Example:

http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&[email protected]/verified_by_visa.html

    URL Obfuscation (contd)


    Similar Name Tricks - These kinds of tricks use a credible sounding, but fraudulent, domain name

    Examples:

    http://www.ebay-support.com/verify

    http://www.citybank-secure.com/login

    http://www.suntrustbank.com

    http://www.amex-corp.com

    http://www.fedex-security.com

    URL Encoding Techniques


    URLs are encoded to disguise their true value using hex, dword, or octal encoding

    Sometimes @ is used in the disguise; sometimes the @ sign is replaced with %40

    Example:

    http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33

    which translates into 220.68.214.213

    http://www.paypal.com%40570754567

    which translates into 34.5.6.7
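A decoder for the @-sign, percent-encoding, dword/hex/octal IP and status-bar tricks covered in the URL Obfuscation and URL Encoding Techniques slides, added here as an example and not part of the EC-Council material: it reports the host a browser would actually connect to and which tricks were used, and it goes beyond the slides' dword case by also handling hex and octal IPv4 forms. The two paypal URLs are the slides' own examples; the example-bank URL and the 203.0.113.9 address (an RFC 5737 documentation address) are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

def normalize_host(host):
    """Turn hex (0xDC44D6D5), dword (570754567) or octal (0334.0104.0326.0325)
    IPv4 forms into dotted decimal; anything else is returned unchanged."""
    try:
        return str(ipaddress.IPv4Address(host))  # plain dotted decimal
    except ValueError:
        pass
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", host):
        return str(ipaddress.IPv4Address(int(host, 16)))
    if re.fullmatch(r"\d{1,10}", host) and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    octal = re.fullmatch(r"(0[0-7]{1,3})\.(0[0-7]{1,3})\.(0[0-7]{1,3})\.(0[0-7]{1,3})", host)
    if octal:
        return ".".join(str(int(part, 8)) for part in octal.groups())
    return host

def analyze_url(url):
    """Return (real_host, findings): the host a browser actually connects to,
    plus the obfuscation tricks from the slides that were spotted."""
    findings = []
    decoded = unquote(url)  # %40 -> @, %32%32%30 -> 220, ...
    if decoded != url:
        findings.append("percent-encoded characters in URL")
    netloc = urlsplit(decoded).netloc
    if "@" in netloc:  # text before the last @ is userinfo, not the host
        decoy, netloc = netloc.rsplit("@", 1)
        findings.append(f"decoy userinfo '{decoy}' before @")
    host = netloc.split(":", 1)[0]  # drop any :port
    real_host = normalize_host(host)
    if real_host != host:
        findings.append(f"numeric host '{host}' is {real_host}")
    if len(url) > 80:
        findings.append("very long URL (status bar truncation)")
    return real_host, findings

# Constructed samples: the paypal URLs are the slides' own; the other uses
# an RFC 5737 documentation address (203.0.113.9), not a real phishing host.
SAMPLES = [
    "http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33",
    "http://www.paypal.com%40570754567",
    "http://www.example-bank.com:UserSession=2f6q9uuu88312264trzzz55884495"
    "&usersoption=SecurityUpdate@203.0.113.9/verified.html",
]

for url in SAMPLES:
    print(analyze_url(url), "<-", url)
```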


    Karen's URL Discombobulator


    It can determine the IP address(es) associated with any valid domain name

    It can also form URLs referencing that computer, using several URL-encoding techniques

    Source courtesy http://www.karenware.com/powertools/ptlookup.asp

    Screenshot 1


    Screenshot 2


    HTML Image Mapping Techniques


    The URL is actually part of an image, which uses map coordinates to define the click area and the real URL, while the fake URL from the tag is also displayed

    Example:

    CEH Demo

    Fake Browser Address Bars


    This is a fake address bar

    Fake Toolbars


    This is a fake toolbar

    Fake Status Bar


    Fake status bar with padlock button

    DNS Cache Poisoning Attack


    This type of attack is based on a simple convention of IP address to host resolution

    Here is how it works:

    Every system has a hosts file in its system directory. In the case of Windows, this file resides at the following location: C:\WINDOWS\system32\drivers\etc

    This file can be used to hard-code domain name translations

    Example of a Normal Hosts File under DNS Poisoning Attack:


    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost
    XX.XX.XX.XX     Citibank.com

    In the above example XX.XX.XX.XX depicts the IP address of the hacker's server, which is hosting a fake login screen for the legitimate domain of www.citibank.com
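An integrity check for the hosts file described above, added here as an example and not EC-Council's code: it parses the file in the format shown and flags any watched domain (or subdomain) pinned to a non-loopback address, which is exactly what the poisoned Citibank.com line does. SAMPLE_HOSTS is constructed, with 203.0.113.7 (an RFC 5737 documentation address) standing in for the attacker's XX.XX.XX.XX.

```python
import ipaddress

# Constructed hosts file modelled on the slide's poisoned example; 203.0.113.7 is
# an RFC 5737 documentation address standing in for the attacker's XX.XX.XX.XX.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal pin
203.0.113.7     citibank.com  www.citibank.com
"""

def parse_hosts(text):
    """Return [(ip, [hostnames])] for every active line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries

def poisoned_entries(text, watched_domains):
    """Return (ip, name) pairs that pin a watched domain, or a subdomain of it,
    to a non-loopback address. A hosts entry wins over DNS, so such a line
    sends the browser to that IP without any lookup."""
    watched = [d.lower() for d in watched_domains]
    findings = []
    for ip, names in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue                       # 127.0.0.1 / ::1 are harmless
        except ValueError:
            pass                               # malformed address: still report
        for name in names:
            n = name.lower().rstrip(".")
            if any(n == d or n.endswith("." + d) for d in watched):
                findings.append((ip, name))
    return findings

if __name__ == "__main__":
    for ip, name in poisoned_entries(SAMPLE_HOSTS, ["citibank.com", "paypal.com"]):
        print(f"WARNING: {name} is pinned to {ip}")
```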

    http://www.scandoo.com


    Scandoo scans all search results to protect the user from visiting websites that spread malicious viruses or spyware, and from viewing offensive content

    Identity Theft


    What is Identity Theft?


    Identity theft occurs when someone steals your name and other personal information for fraudulent purposes

    Identity Theft


    How do you steal identity?

    How to Steal Identity?


    Original identity: Steven Charles

    Address: San Diego CA 92130

    STEP 1


    Get hold of Steven's telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing

    STEP 2


    Go to the Driving License Authority

    Tell them you lost your driver's license

    They will ask you for proof of identity like a water bill and electricity bill

    Show them the stolen bills

    Tell them you have moved from the original address

    The department employee will ask you to complete 2 forms: 1 for replacement of the driver's license and the 2nd for a change in address

    You will need a photo for the driver's license

    STEP 3


    Your replacement driver's license will be issued to your new home address

    Now you are ready to have some serious fun

    Comparison


    Original

    Identity Theft

    Same name: Steven Charles


    Fake Steven has a New Credit Card


    The fake Steven visits Wal-Mart and purchases a 42" plasma TV and state-of-the-art Bose speakers

    The fake Steven buys a Vertu Gold Phone worth USD 20K

    Fake Steven Buys Car


    The fake Steven walks into a store and applies for a car loan; minutes later he is driving a new Audi

    Present your driver's license as a form of ID

    The loan officer does the credit check, and it comes out clean since the original Steven has a clean credit history

    Real Steven Gets Huge Credit Card Statement USD 40k


    Ahhh!!! Somebody stole my identity!!

    What Else? Oh My God!


    Fake Steven can apply for a new passport

    Fake Steven can apply for a new bank account

    Fake Steven can shut down your utility services

    FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL

    Scary eh?


    One bit of personal information is all someone needs to steal your identity

    Identity Theft - Serious Problem


    Identity theft is a serious problem

    The number of violations has continued to increase

    Securing personal information in the workplace and at home, and looking over credit card reports are just a few of the ways to minimize the risk of identity theft


    Nigerian Scam


    The scam started with a bulk email or bulk faxing of a number of identical letters to businessmen, professionals, and other people who tend to have greater-than-average wealth

    The Nigerian scammers tried to make their potential victims think that they were going to scam the Nigerian Government, the Central Bank of Nigeria, and so on when, in fact, they were going to scam the recipients of the letters. The plan was to charge them to get in on the scam, or the portion of the scam for which they were willing to pay to make it work

    Nigerian Scam Letters


    Countermeasures


    Be suspicious of any email with urgent requests for personal financial information

    Do not use the links in an email to get to any web page if you suspect the message might not be authentic

    Call the company on the telephone, or log onto the website directly by typing the web address into your browser

    Avoid filling out forms in an email that ask for personal financial information

    Always ensure that you are using a secure website when submitting credit card or other sensitive information via a web browser
