Ethical hacking and countermeasures - part 11 pot


Document information

Ethical Hacking and Countermeasures Version 6, Module XI: Social Engineering
EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario
Source: http://www.treasury.gov/

News
Source: http://www.technewsworld.com/

Module Objective
This module will familiarize you with:
• Social Engineering
• Types of Social Engineering
• Behaviors vulnerable to attacks
• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft

Module Flow
• Social Engineering
• Types of Social Engineering
• Behaviors vulnerable to attacks
• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft

There is No Patch to Human Stupidity

What is Social Engineering
Social Engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks. An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours.

What is Social Engineering (cont'd)
Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature, such as:
• Trust
• Fear
• Desire to Help
Social engineers attempt to gather information such as:
• Sensitive information
• Authorization details
• Access details

Human Weakness
People are usually the weakest link in the security chain. A successful defense depends on having good policies and educating employees to follow them. Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

"Rebecca" and "Jessica"
Hackers use the terms "Rebecca" and "Jessica" to denote social engineering attacks. Hackers commonly use these terms to social engineer victims. Rebecca and Jessica mean a person who is an easy target for social engineering, such as the receptionist of a company.
Example:
• "There was a Rebecca at the bank and I am going to call her to extract the privileged information."
• "I met Ms. Jessica, she was an easy target for social engineering."
• "Do you have any Rebecca in your company?"

[...] Phishers

Computer-Based Social Engineering (cont'd)
E-mail phishing hyperlink
Web page phishing hyperlink

Computer-Based Social Engineering (cont'd)
Online E-mail Attacks and Costs

[...] gifts such as money and software on the condition that the user forwards the mail to said number of persons

Computer-Based Social Engineering (cont'd)
Online Pop-Up Attacks and Costs

Computer-Based Social Engineering [...]
• Providing Support

Movies to Watch for Reverse Engineering
Examples: The Italian Job and Catch Me If You Can

Computer-Based Social Engineering
It can be divided into:
• Mail / IM attachments
• Pop-up Windows
• Websites / Sweepstakes
• Spam mail

Computer-Based Social Engineering (cont'd)
Pop-up Windows
• Windows that suddenly pop up while surfing the Internet and ask for users' information to login or sign in
Hoaxes and chain letters
• Hoax letters are emails that issue warnings [...]

[...] divided into two categories:
• Human-based: gathers sensitive information by interaction; attacks of this category exploit the trust, fear, and helping nature of humans
• Computer-based: social engineering is carried out with the aid of computers

Human-Based Social Engineering
Posing [...]

Human-Based Social Engineering (cont'd)
Posing as Technical Support
• Calls as technical support staff and requests IDs & passwords to retrieve data
• 'Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can u give me your ID and Password?'

[...] room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.

Human-Based Social Engineering: [...] Victim

Human-Based Social Engineering: Dumpster Diving
Search for sensitive information at the target company's:
• Trash bins
• Printer trash bins
• User desks, for sticky notes, etc.
Collect:
• Phone bills
• Contact information
• Financial information
• Operations-related information, etc.

[...] information such as birth dates and maiden names
• Acquired data is later used for cracking the user's accounts
Spam email
• Email sent to many recipients without prior permission, intended for commercial purposes
• Irrelevant, unwanted, and unsolicited email to collect financial information, social security numbers, and network information

Human-Based Social Engineering (cont'd)
In person
• Survey a target company to collect information on current technologies, contact information, and so on
Third-party Authorization
• Refer to an important person in the organization and try to collect data
• "Mr George, our Finance Manager, asked that [...]"

Posted: 02/08/2014, 17:21
