CEH v5 Module 09 Social Engineering.pdf (8/9/2019), 112 pages
Module IX: Social Engineering
Ethical Hacking Version 5
EC-CouncilCopyright byEC-Council
All Rights reserved. Reproduction is strictly prohibited
Scenario
Source: Department of the Treasury, Washington D.C.: http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf
Module Objective
This module will familiarize you with the following:
Social Engineering: An Introduction
Types of Social Engineering
Dumpster Diving
Shoulder Surfing
Reverse Social Engineering
Behaviors Vulnerable to Attacks
Countermeasures for Social Engineering
Policies and Procedures
Phishing Attacks
Identity Theft
Online Scams
Countermeasures for Identity Theft
Module Flow
The module proceeds through: Social Engineering; Types of Social Engineering; Behaviors Vulnerable to Attacks; Countermeasures; Policies and Procedures; Phishing Attacks; Identity Theft; Online Scams; and Countermeasures for those.
There is No Patch to Human Stupidity
What is Social Engineering?
Social Engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attack.
An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they do not know, or even by talking about a project with coworkers at a local pub after hours.
What is Social Engineering? (contd)
A tactic or trick for gaining sensitive information by exploiting basic human nature, such as:
Trust
Fear
Desire to help
Social engineers attempt to gather information such as:
Sensitive information
Authorization details
Access details
Human Weakness
People are usually the weakest link in the security chain.
A successful defense depends on having good policies and educating employees to follow them.
Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
Rebecca and Jessica
Hackers use the terms "Rebecca" and "Jessica" when talking about social engineering attacks: a Rebecca or a Jessica is a person who is an easy target for social engineering, such as the receptionist of a company.
Examples:
"There was a Rebecca at the bank and I am going to call her to extract privileged information."
"I met Ms. Jessica; she was an easy target for social engineering."
"Do you have any Rebecca in your company?"
Office Workers
Despite having the best firewall, intrusion-detection and antivirus systems that technology has to offer, you are still hit with security breaches. One reason for this may be a lack of motivation among your workers.
Hackers can attempt social engineering attacks on office workers to extract sensitive data such as:
Security policies
Sensitive documents
Office network infrastructure
Passwords
Types of Social Engineering
Social Engineering can be divided into two categories:
Human-based: gathering sensitive information by interaction. Attacks of this category exploit the trust, fear and helping nature of humans.
Computer-based: social engineering carried out with the aid of computers.
Human-based Social Engineering
Posing as a legitimate end user: gives an identity and asks for sensitive information.
"Hi! This is John, from Department X. I have forgotten my password. Can I get it?"
Posing as an important user: posing as a VIP of the target company, a valuable customer, etc.
"Hi! This is Kevin, the CFO's secretary. I'm working on an urgent project and lost my system password. Can you help me out?"
Human-based Social Engineering (contd)
Posing as technical support: calls as technical support staff and requests IDs and passwords, supposedly to retrieve data.
"Sir, this is Mathew, technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"
Technical Support Example
A man calls a company help desk and says he has forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.
The control that defeats this is a reset procedure that verifies the caller's identity out of band (a callback to a number on record, or confirmation from the caller's manager) no matter how urgent the story sounds.
More Social Engineering Examples
"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."
More Social Engineering Examples
"Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us.
They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up.
Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."
More Social Engineering Examples
"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system."
Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.
Human-based Social Engineering (contd)
Eavesdropping: unauthorized listening to conversations or reading of messages; interception of any form, such as audio, video or written.
Human-based Social Engineering: Shoulder Surfing
Looking over your shoulder as you enter a password.
Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers and more. Simply put, they look over your shoulder, or even watch from a distance using binoculars, to get those pieces of information.
(Diagram: hacker watching the victim type passwords)
Human-based Social Engineering (contd): Dumpster Diving
Search for sensitive information at the target company's:
Trash bins
Printer trash bins
User desks, for sticky notes etc.
Collect:
Phone bills
Contact information
Financial information
Operations-related information etc.
Dumpster Diving Example
A man behind the building is loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials.
This information is sufficient to launch a social engineering attack on the company.
Oracle Snoops Microsoft's Trash Bins
"We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage.
Case Study
Source courtesy: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/27/AR2006092701304.html
(Article clipping not reproduced)
Human-based Social Engineering (contd)
In person: survey a target company to collect information on current technologies, contact information, and so on.
Third-party authorization: refer to an important person in the organization and try to collect data.
"Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?"
Human-based Social Engineering (contd)
Tailgating: an unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access. The authorized person may be unaware of having provided an unauthorized person access to a secured area.
Piggybacking: "I forgot my ID badge at home. Please help me." An authorized person provides access to an unauthorized person by holding the secured door open.
Human-based Social Engineering (contd): Reverse Social Engineering
This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information rather than the other way around.
A reverse social engineering attack involves three steps:
Sabotage: the attacker causes (or fakes) a problem on the target's system
Marketing: the attacker advertises himself as the person who can fix it
Providing support: the victim calls for help and, in the course of being "supported", hands over credentials or other sensitive data
Movies to watch for reverse social engineering examples: The Italian Job and Catch Me If You Can
Computer-based Social Engineering
These can be divided into the following broad categories:
Mail / IM attachments
Pop-up windows
Websites / sweepstakes
Spam mail
Computer-based Social Engineering (contd)
Pop-up windows: windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in.
Hoaxes and chain letters: hoax letters are emails that issue warnings to the user about new viruses, Trojans or worms that may harm the user's system. Chain letters are emails that offer free gifts, such as money or software, on the condition that the user forwards the mail to a stated number of people.
Computer-based Social Engineering (contd)
Instant chat messenger: gathering personal information by chatting with a selected online user to obtain details such as birth dates and maiden names. The acquired data is later used for cracking the user's accounts.
Spam email: email sent to many recipients without prior permission, intended for commercial purposes; irrelevant, unwanted and unsolicited email used to collect financial information, social security numbers, and network information.
Computer-based Social Engineering (contd): Phishing
An illegitimate email, falsely claiming to be from a legitimate site, attempts to acquire the user's personal or account information.
It lures online users with statements such as:
"Verify your account"
"Update your information"
"Your account will be closed or suspended"
Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
Insider Attack
If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to pass the interview, have that person get hired, and they are in.
It takes only one disgruntled person to take revenge, and your company is compromised.
60% of attacks occur behind the firewall
An inside attack is easy to launch
Prevention is difficult
The inside attacker can easily succeed
It is difficult to catch the perpetrator
Disgruntled Employee
(Diagram: a disgruntled employee takes company secrets from the company network and sends the data to a competitor, using steganography to hide it in transit.)
Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, lack of respect, lack of promotions, etc.
Preventing Insider Threat
There is no single solution to prevent an insider threat. Some recommendations:
Separation of duties
Rotation of duties
Least privilege
Controlled access
Logging and auditing
Legal policies
Archive critical data
Common Targets of Social Engineering
Receptionists and help desk personnel
Technical support executives
Vendors of the target organization
System administrators and users
Factors that make Companies Vulnerable to Attacks
Insufficient security training and awareness
Several organizational units
Lack of appropriate security policies
Easy access to information, e.g. e-mail IDs and phone extension numbers of employees
Why is Social Engineering Effective?
Security policies are only as strong as their weakest link, and humans are the most susceptible factor.
It is difficult to detect social engineering attempts.
There is no method to ensure complete security from social engineering attacks.
There is no specific software or hardware for defending against a social engineering attack.
Warning Signs of an Attack
An attacker may:
Show inability to give a valid callback number
Make informal requests
Claim authority
Show haste
Unusually compliment or praise
Show discomfort when questioned
Drop a name inadvertently
Threaten dire consequences if information is not provided
Tool: Netcraft Anti-Phishing Toolbar
(Toolbar screenshot not reproduced)
Tool: Netcraft Anti-Phishing Toolbar (contd)
(Screenshots: Netcraft Toolbar; Site Report)
Tool: Netcraft Anti-Phishing Toolbar (contd)
(Screenshots: Website Network Information; Location details)
Phases in a Social Engineering Attack
Four phases of a social engineering attack:
1. Research on the target company: dumpster diving, websites, employees, a tour of the company and so on
2. Select the victim: identify frustrated employees of the target company
3. Develop a relationship with the selected employees
4. Exploit the relationship to achieve the objective: collect sensitive account information, financial information, current technologies
Behaviors Vulnerable to Attacks
Trust: the human nature of trust is the basis of any social engineering attack.
Ignorance: ignorance about social engineering and its effects among the workforce makes the organization an easy target.
Fear: social engineers might threaten severe losses in case of non-compliance with their request.
Behaviors Vulnerable to Attacks (contd)
Greed: social engineers lure the targets to divulge information by promising something for nothing.
Moral duty: targets are asked for help, and they comply out of a sense of moral obligation.
Impact on the Organization
Economic losses
Damage to goodwill
Loss of privacy
Dangers of terrorism
Lawsuits and arbitrations
Temporary or permanent closure
Countermeasures
Training: an efficient training program should consist of all security policies and methods to increase awareness of social engineering.
Countermeasures (contd)
Password policies
Periodic password change (note that current guidance such as NIST SP 800-63B recommends changing passwords on evidence of compromise rather than on a fixed schedule, since forced rotation pushes users toward predictable variants)
Avoiding guessable passwords
Account blocking after failed attempts
Length and complexity of passwords: minimum number of characters, use of special characters and numbers etc., e.g. ar1f23#$g
Secrecy of passwords: do not reveal them if asked, and do not write them down anywhere to remember them
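As an added example (not code from the CEH module), the following Python turns the password-policy points above into enforceable checks: a complexity and guessability test, and a lockout counter that blocks an account after repeated failures inside a time window. The thresholds (12 characters, 5 failures, 15 minutes), the small deny-list and the sample passwords are constructed for the example; note that with these thresholds the slide's own sample password ar1f23#$g is rejected for length.

```python
"""Password policy and failed-login lockout (added example)."""
import re
import time

MIN_LENGTH = 12                 # constructed threshold
MAX_FAILURES = 5                # constructed threshold
LOCKOUT_SECONDS = 15 * 60       # constructed window
# Constructed deny-list; a real deployment uses a breached-password corpus.
COMMON = {"password", "password1", "welcome1", "qwerty123", "letmein"}


def check_password(pw, username=""):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    low = pw.lower()
    # Catch 'Password1234': the deny-list is checked with and without digits/symbols stripped.
    if low in COMMON or re.sub(r"[^a-z]", "", low) in COMMON:
        problems.append("on the common-password deny-list")
    if username and len(username) >= 3 and username.lower() in low:
        problems.append("contains the user name")
    if re.search(r"(.)\1\1", pw) or re.search(r"(?:0123|1234|2345|3456|4567|5678|6789|abcd|qwer)", low):
        problems.append("contains a run or keyboard sequence")
    return problems


class LockoutTracker:
    """Counts failed logins per account and locks it after MAX_FAILURES within LOCKOUT_SECONDS."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the window can be tested without sleeping
        self.failures = {}          # account -> timestamps of recent failures

    def _recent(self, account):
        now = self.clock()
        return [t for t in self.failures.get(account, []) if now - t < LOCKOUT_SECONDS]

    def record_failure(self, account):
        """Record one failed attempt; returns True if the account is now locked."""
        recent = self._recent(account)
        recent.append(self.clock())
        self.failures[account] = recent
        return self.is_locked(account)

    def is_locked(self, account):
        return len(self._recent(account)) >= MAX_FAILURES

    def record_success(self, account):
        """A successful login clears the failure history."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ("ar1f23#$g", "Password1234", "Correct-Horse-Battery-42"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```

The lockout window is deliberately per-account rather than per-source-IP: a social engineer calling the help desk is not rate-limited by IP, but the account they are trying to get reset is.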
Countermeasures (contd)
Operational guidelines: ensure the security of sensitive information and the authorized use of resources.
Physical security policies:
Identification of employees, e.g. issuing ID cards, uniforms and so on
Escorting visitors
Access area restrictions
Proper shredding of unneeded documents
Employing security personnel
Countermeasures (contd)
Classification of information: categorize the information as top secret, proprietary, for internal use only, for public use, and so on.
Access privileges: administrator, user and guest accounts with proper authorization.
Background check of employees and a proper termination process: insiders with a criminal background and terminated employees are easy targets for procuring information.
Proper incident response system: there should be proper guidelines for reacting in case of a social engineering attempt.
Policies and Procedures
Policy is the most critical component of any information security program.
Good policies and procedures are ineffective if they are not taught to, and reinforced by, the employees.
Their importance needs to be emphasized to employees. After receiving training, each employee should sign a statement acknowledging that they understand the policies.
Security Policies - Checklist
Account setup
Password change policy
Help desk procedures
Access privileges
Violations
Employee identification
Privacy policy
Paper documents
Modems
Physical access restrictions
Virus control
What Happened Next?
Source: Department of the Treasury, Washington D.C.: http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf
Read the PDF document at the URL above. You will be shocked!
Summary
Social Engineering is the human side of breaking into a corporate network.
Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.
Human-based social engineering refers to person-to-person interaction to retrieve the desired information.
Computer-based social engineering refers to having computer software that attempts to retrieve the desired information.
A successful defense depends on having good policies and their diligent implementation.
Phishing Attacks and Identity Theft
Hacking News
(News clipping not reproduced)
What is Phishing?
A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as a credit card, bank account or Social Security number.
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.
(The term is adapted from "fishing" for information.)
Phishing News
Source courtesy: http://news.com.com/Yahoo+adds+phishing+shield/2100-1029_3-6108330.html?tag=nefd.top
Phishing Report
Source: http://anti-phishing.org/
(Report charts not reproduced)
Phishing Report (contd)
Source: http://anti-phishing.org/
Attacks
Phishing is the most common corporate identity theft scam today.
It usually involves an e-mail message asking consumers to update their personal information, with a link to a spoofed website.
To give their schemes a legitimate look and feel, fraudsters commonly steal well-known corporate identities, product names, and logos.
It is easy to construct authentic-looking websites for e-mail scams.
Phishing Example (PayPal)
(Screenshots of the phishing email and spoofed page not reproduced)
Phishing Example (MSN)
Phishing Example (MSN) (contd)
Phishing Example (Visa) (contd)
(Screenshots not reproduced)
Hidden Frames
Frames provide a popular method of hiding attack content: they have uniform browser support and an easy coding style.
The attacker defines HTML code using two frames. The first frame contains the legitimate site, whose URL is what the user sees, while the second frame, occupying 0% of the browser window, runs the malicious code.
Hidden Frames Example
Frame Based Exploit Example (screenshot not reproduced)
URL Obfuscation
Using strings: uses a credible-sounding text string within the URL.
Example: http://XX.XX.78.45/ebay/account_update/now.asp
Using the @ sign: this syntax is normally used for websites that require authentication (user:password@host). The browser treats everything to the left of the @ as login credentials, not as the site address; the domain name or IP address to the right of the @ is the host actually contacted (@ can be replaced with its URL-encoded form, %40). Current browsers warn about or strip this userinfo part, so the trick is far less effective than when these slides were written, but it still turns up in mail links.
Example: http://www.citybank.com/[email protected]/usb/process.asp
Status bar tricks: the URL is so long that it cannot be completely displayed in the status bar. This is often combined with the @ trick so that the fraudulent host is at the end and not displayed.
Example: http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&[email protected]/verified_by_visa.html
URL Obfuscation (contd)
Similar name tricks: these use a credible-sounding, but fraudulent, domain name.
Examples:
http://www.ebay-support.com/verify
http://www.citybank-secure.com/login
http://www.suntrustbank.com
http://www.amex-corp.com
http://www.fedex-security.com
URL Encoding Techniques
URLs are encoded to disguise their true value using hex, dword, or octal encoding. Sometimes @ is used in the disguise, and sometimes the @ sign is replaced with %40.
Example:
http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33
which translates into 220.68.214.213
http://www.paypal.com%40570754567
which translates into 34.5.6.7
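As an added example (not code from the CEH module), the following Python decodes the forms shown under URL Obfuscation and URL Encoding Techniques above and reports which tricks a URL uses: the @ / %40 userinfo trick, hosts written as percent-escapes, a hex or decimal dword, or per-octet hex/octal, brand names used as decoys in the userinfo or path, and look-alike labels one edit away from a brand. The BRANDS tuple, the sample URLs and the documentation address 203.0.113.45 are constructed for the example; the "registered domain" is approximated as the last two labels, which a production tool would replace with a Public Suffix List lookup.

```python
"""Decode and classify obfuscated phishing URLs (added example)."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed watchlist of brands that the module's phishing examples impersonate.
BRANDS = ("paypal", "ebay", "citibank", "visa", "amex", "fedex")


def _octet(p):
    """Parse one dotted label as an IPv4 octet written in hex, octal or decimal."""
    if p.startswith("0x"):
        return int(p, 16)
    if len(p) > 1 and p[0] == "0" and re.fullmatch(r"[0-7]+", p):
        return int(p, 8)
    return int(p)


def decode_host(raw):
    """Return (canonical host, was_disguised) for the host part of a URL."""
    h = unquote(raw).lower()
    try:                                    # plain dotted quad, possibly percent-encoded
        return str(ipaddress.IPv4Address(h)), h != raw.lower()
    except ValueError:
        pass
    if re.fullmatch(r"0x[0-9a-f]{1,8}|\d{1,10}", h):    # one dword: 0xdc44d6d5 or 570754567
        n = int(h, 16) if h.startswith("0x") else int(h)
        if n <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(n)), True
    parts = h.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"0x[0-9a-f]{1,2}|\d{1,4}", p) for p in parts):
        octets = [_octet(p) for p in parts]               # per-octet hex/octal, e.g. 0xdc.0x44.0xd6.0xd5
        if all(o <= 255 for o in octets):
            return ".".join(map(str, octets)), True
    return h, h != raw.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats such as citybank/citibank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url):
    """Return {'host': real host, 'tricks': [descriptions]} for one URL."""
    tricks = []
    _scheme, _, rest = url.partition("://")
    authority, _, path = rest.partition("/")
    if "%40" in authority:                       # '@' hidden as its percent-encoding
        tricks.append("@ written as %40")
        authority = authority.replace("%40", "@")
    decoy = ""
    if "@" in authority:                         # everything left of '@' is userinfo, not the host
        decoy, _, authority = authority.rpartition("@")
        tricks.append("userinfo before @ hides the real host")
    host, disguised = decode_host(re.sub(r":\d+$", "", authority))   # drop :port
    if disguised:
        tricks.append("host encoded (percent/hex/dword/octal)")
    try:
        ipaddress.ip_address(host)
        tricks.append("IP address instead of a domain name")
    except ValueError:
        pass
    registered = ".".join(host.split(".")[-2:])   # simplification: last two labels
    labels = [lab for part in host.split(".") for lab in part.split("-")]
    for brand in BRANDS:
        if registered == brand + ".com":
            continue                              # genuinely on the brand's own domain
        if brand in decoy.lower() or brand in path.lower():
            tricks.append(f"'{brand}' appears as a decoy outside the host")
        for lab in labels:
            if _edit_distance(lab, brand) <= 1:
                tricks.append(f"look-alike label '{lab}' for '{brand}'")
    return {"host": host, "tricks": tricks}


if __name__ == "__main__":
    for u in ("http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33",
              "http://www.paypal.com%40570754567",
              "http://www.citybank-secure.com/login",
              "http://203.0.113.45/ebay/account_update/now.asp"):
        print(u, "->", analyze_url(u))
```

The decoder is the part worth reusing: a mail gateway or proxy that logs the canonical host rather than the raw URL string makes the 220.68.214.213 behind "www.paypal.com@..." visible to whoever reads the logs.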
Karen's URL Discombobulator
It can determine the IP address(es) associated with any valid domain name. It can also form URLs referencing that computer using several URL-encoding techniques.
Source courtesy: http://www.karenware.com/powertools/ptlookup.asp
(Screenshots 1 and 2 not reproduced)
HTML Image Mapping Techniques
The URL the user sees is actually part of an image. The image map uses coordinates to define the clickable area and the real (malicious) URL it leads to, while the fake URL rendered in the image, or taken from the tag, is what is displayed to the user.
Example: CEH Demo (not reproduced)
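The following Python, an added example rather than code from the CEH module, detects both constructs described above with nothing but the standard library: the zero-size frame from the Hidden Frames slide (a frameset row or column of 0, or an iframe sized 0 or styled invisible) and the image-map link from this slide whose `<area>` target is on another host, plus the related case of a link whose visible text is a URL on a different host than its href. SAMPLE_HTML and the hosts example.com and attacker.example are constructed placeholders.

```python
"""Scan HTML for hidden-frame and image-map phishing constructs (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ZERO_SIZES = {"0", "0%", "0px", "0*"}


class PhishScanner(HTMLParser):
    """Collects findings while the standard-library parser walks the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []
        self._framesets = []   # stack of [declared row/col sizes, index of next <frame>]
        self._link = None      # [href, visible text] while inside an <a>

    def _off_site(self, href):
        host = urlsplit(href or "").hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "frameset":
            spec = attr.get("rows") or attr.get("cols") or ""
            self._framesets.append([[s.strip() for s in spec.split(",")], 0])
        elif tag == "frame":
            size = None
            if self._framesets:                 # the n-th <frame> takes the n-th declared size
                sizes, i = self._framesets[-1]
                size = sizes[i] if i < len(sizes) else None
                self._framesets[-1][1] = i + 1
            if size in ZERO_SIZES:
                self.findings.append(f"zero-size frame loads {attr.get('src')}")
        elif tag == "iframe":
            style = (attr.get("style") or "").replace(" ", "").lower()
            if (attr.get("width") in ZERO_SIZES or attr.get("height") in ZERO_SIZES
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(f"hidden iframe loads {attr.get('src')}")
        elif tag == "area" and self._off_site(attr.get("href")):
            self.findings.append(f"image-map area points off-site: {attr.get('href')}")
        elif tag == "a":
            self._link = [attr.get("href") or "", ""]

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "frameset" and self._framesets:
            self._framesets.pop()
        elif tag == "a" and self._link is not None:
            href, text = self._link
            shown = text.strip()
            # Link text that looks like a URL but whose host differs from the href's host.
            if shown.lower().startswith("http") and urlsplit(shown).hostname != urlsplit(href).hostname:
                self.findings.append(f"link text shows {shown} but href is {href}")
            self._link = None


def scan(html, page_url):
    """Return the list of findings for one page fetched from page_url."""
    scanner = PhishScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a frameset whose second row is 0 high, an image map, a
# mismatched link and a 0x0 iframe, all pointing at the placeholder host attacker.example.
SAMPLE_HTML = """<html><head><title>Secure Login</title></head>
<frameset rows="100%,0" frameborder="0">
  <frame src="https://www.example.com/">
  <frame src="https://attacker.example/harvest.php">
</frameset>
<body>
  <img src="banner.png" usemap="#m" alt="https://www.example.com/account">
  <map name="m"><area shape="rect" coords="0,0,300,40" href="https://attacker.example/login"></map>
  <a href="https://attacker.example/update">https://www.example.com/account/update</a>
  <iframe src="https://attacker.example/k.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "https://www.example.com/"):
        print(finding)
```

Run against a suspected page it reports the host each hidden element actually loads, which is the detail the victim's browser chrome was designed not to show.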
Fake Browser Address Bars
(Screenshot: a fake address bar drawn inside the page)
Fake Toolbars
(Screenshot: a fake toolbar)
Fake Status Bar
(Screenshot: a fake status bar with a padlock icon)
DNS Cache Poisoning Attack
Despite the slide title, what is described here is hosts-file poisoning, a local variant: the attack relies on the simple convention that name-to-IP resolution consults the local hosts file before asking DNS.
Here is how it works: every system has a hosts file in its system directory. On Windows it resides at C:\WINDOWS\system32\drivers\etc\hosts (on Unix-like systems, /etc/hosts). This file can be used to hard-code domain name translations, and an entry placed there by malware or an attacker overrides the DNS answer for that name on that machine.
Example of a normal hosts file under a DNS poisoning attack:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
XX.XX.XX.XX     Citibank.com

In the above example, XX.XX.XX.XX depicts the IP address of the hacker's
server, which is hosting a fake login screen for the legitimate domain of
www.citibank.com
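Because a hosts-file override silently wins over DNS, a defender's check is to parse the file and flag any entry that pins a sensitive domain. The following Python script is an added example, not part of the CEH material: SAMPLE_HOSTS is constructed to mirror the poisoned file above, with the slide's XX.XX.XX.XX replaced by 192.0.2.10 (an RFC 5737 documentation address), and WATCHED_DOMAINS is a hypothetical watch list.

```python
"""Check a hosts file for hard-coded overrides of sensitive domains.
Added example. SAMPLE_HOSTS is constructed (192.0.2.10 stands in for the
slide's XX.XX.XX.XX) and WATCHED_DOMAINS is a hypothetical watch list."""
from typing import List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.10      Citibank.com
192.0.2.10      www.citibank.com   # fake login server (constructed entry)
::1             localhost
"""

# Domains a workstation should never pin locally; they must resolve via DNS.
WATCHED_DOMAINS = {"citibank.com", "paypal.com", "bankofamerica.com"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active line.
    Comment lines and trailing '# ...' comments are dropped, as the resolver
    does; hostnames are lower-cased because matching is case-insensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs pinning a watched domain or a subdomain."""
    hits = []
    for addr, hosts in parse_hosts(text):
        for host in hosts:
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((host, addr))
    return hits


if __name__ == "__main__":
    # On a real host, read the file from the path given on the slide instead.
    for host, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts override for {host} -> {addr}: investigate")
```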
http://www.scandoo.com
Scandoo scans all search results to protect the user from visiting websites that spread malicious viruses or spyware, and from viewing offensive content
Identity Theft
What is Identity Theft?
Identity theft occurs when someone steals your name and other personal information for fraudulent purposes
Identity Theft
How do you steal identity?
How to Steal Identity?
Original identity: Steven Charles
Address: San Diego CA 92130
STEP 1
Get hold of Steven's telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing
STEP 2
Go to the Driving License Authority
Tell them you lost your driver's license
They will ask you for proof of identity, like a water bill and electricity bill
Show them the stolen bills
Tell them you have moved from the original address
The department employee will ask you to complete 2 forms: 1 for replacement of the driver's license and the 2nd for a change in address
You will need a photo for the driver's license
STEP 3
Your replacement driver's license will be issued to your new home address
Now you are ready to have some serious fun
Comparison
Original
Identity Theft
Same name: Steven Charles
Fake Steven has a New Credit Card
The fake Steven visits Wal-Mart and purchases a 42-inch plasma TV and state-of-the-art Bose speakers
The fake Steven buys a Vertu Gold Phone worth USD 20K
Fake Steven Buys Car
The fake Steven walks into a store and applies for a car loan; minutes later he is driving a new Audi
He presents the driver's license as a form of ID; the loan officer does the credit check, and it comes out clean since the original Steven has a clean credit history
Real Steven Gets Huge Credit Card Statement USD 40k
Ahhh!!! Somebody stole my identity!!
What Else? Oh My God!
Fake Steven can apply for a new passport
Fake Steven can apply for a new bank account
Fake Steven can shut down your utility services
FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL
Scary eh?
One bit of personal information is all someone needs to steal your identity
Identity Theft - Serious Problem
Identity theft is a serious problem
The number of violations has continued to increase
Securing personal information in the workplace and at home, and looking over credit card reports, are just a few of the ways to minimize the risk of identity theft
Nigerian Scam
The scam started with a bulk email or bulk faxing of a number of identical letters to businessmen, professionals, and other people who tend to have greater-than-average wealth
The Nigerian scammers tried to make their potential victims think that they were going to scam the Nigerian Government, the Central Bank of Nigeria, and so on, when, in fact, they were going to scam the recipients of the letters. The plan was to charge them to get in on the scam, or the portion of the scam for which they were willing to pay to make it work
Nigerian Scam Letters
Countermeasures
Be suspicious of any email with urgent requests for personal financial information
Do not use the links in an email to get to any web page if you suspect the message might not be authentic
Call the company on the telephone, or log onto the website directly by typing the web address into your browser
Avoid filling out forms in an email that ask for personal financial information
Always ensure that you are using a secure website when submitting credit card or other sensitive information via a web browser