Social Engineer Effect

The Tricks

• Social Engineering is a means of gathering information for an attack by relying on the weakness of individuals.
• Social Engineering involves psychological approaches as well as physical procedures.
• Social Engineering relies on tricking and deceiving someone to provide secure information.
• Psychological approaches involve impersonation, phishing, spam or hoaxes.
• Impersonation includes a repairperson, IT support, Manager, trusted third party or a colleague.
• Phishing is sending an e-mail or a Web announcement that falsely claims to be from a legitimate enterprise to obtain private information.
• Variations of Phishing Attacks are:
• Pharming automatically redirects the user to a fake site.
• Spear Phishing targets only specific users.
• Whaling targets wealthy individuals.
• Vishing is voice phishing.
• Smishing SMS scam
• The victim is asked to call a specific number and enter their credit card number etc.

Some of the ways to recognize phishing:

1. Never use a hyperlink in an e-mail. Open a browser and type the legitimate address.
2. Logos do not mean that the e-mail is legitimate.
3. The @ symbol in the sender’s address hides the real address.
4. Urgent requests (act immediately or you’ll die!!) are fakes.

E-mail Scam

1. Spam is launched via e-mail.
2. Image Spam uses a graphical image of text to avoid detection by text filtering software.
3. GIF Layering is an image spam divided into multiple images to avoid detection.
4. Word Splitting splits words horizontally.
5. Readable by humans but not by the system and avoids detection.
6. Geometric Variance uses “speckling” and different colors so that no 2 spam e-mails look the same and avoid detection.

Physical Approach?

1. Dumpster Diving – digging through thrash to detect sensitive information.
2. Tailgating – doors that open with cards or numbers do not control how many can enter.
3. ManTrap – Prevent TailGating.

Tailgating techniques

1. “Please hold the door” good etiquette wins over good security practices.
2. On weekends and at night Tailgater enters when someone leaves the building.
3. Employee conspires to allow someone to walk with him (piggybacking
4. Famous Social Engineer attack “Can you hold the door for me please?”
5. Would you like a coffee? (something sweet)
6. Fake it till you make it (act until someone will believe the story and will “bite”
7. Act like a boss. (person with high authority win over )
8. I lost my access card (pretending)

Defense Against Social Engineers

Slow down.?

Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.

Research the facts.

Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.

Don’t let a link be in control of where you land.?

Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in the email will show the actual URL at the bottom, but a good fake can still steer you wrong.

Email hijacking is rampant.?

Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.

Beware of any download.?

If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.

Foreign offers are fake.?

If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.

Delete any request for financial information or passwords.?

If you get asked to reply to a message with personal information, it’s a scam.

Reject requests for help or offers of help.?

Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.

Secure your computing devices.

Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so.?Use an anti-phishing tool offered by your web browser or third party to alert you to risks.

Rules!

Separation of Duty

More than one person is required to complete a task to discover fraud or “error” made by an employee

Job Rotation

Rotate jobs within an organization.

Mandatory Vacation

Detect which employees are involved in malicious activity, such as fraud

Principle:

1. sequential separation (two signatures principle)
2. individual separation (Four eye principle)
3. spatial separation (separate action in separate locations)
4. factorial separation (several factors contribute to completion)

Piggybacking – Similar to Tailgating

Honey Trap

An attack in which the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

Quid pro quo:

A quid pro quo attack is one in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be calling back from tech support. Eventually, the hacker will find someone with a legitimate tech issue who they will then pretend to help. Through this, the hacker can have the target type in the commands to launch malware or can collect password information