Learn Social Engineering, page 2
Spontaneity
Providing logical conclusions
Successful pretexting HP information leak
Stanley Rifkin
DHS hack
Internal Revenue Service scams
Phone calls
Emails
Business email compromise
Letters
Ubiquiti networks
Legal concerns of pretexting
Tools to enhance pretexts
Tips
Summary
Social Engineering Tools
The tools for social engineering
Physical tools
Lockpicks
Recording devices
GPS trackers
Software tools
Maltego
Features of the software
Technical specifications
How to use Maltego?
Maltego for network data gathering
Step 1 – opening Maltego
Step 2 – choosing a machine
Step 3 – choosing a target
Step 4 – results
Using Maltego to collect data on an individual
Step 1 – selecting the machine
Step 2 – specifying a target
Step 3 – results
Hacking personal information
Hacking servers
Apache servers
Microsoft servers
Oracle servers
IBM servers
Netscape servers
Red Hat servers
System reports
Error message queries
Social engineer toolkit (SET)
Spear phishing
Web attack vector
Infectious media generator
SMS spoofing attack vector
Wireless access point attack vector
QRCode attack vector
Third-party modules – fast track exploitation
Create a payload and listener
Mass mailer attack
Phone tools
Caller ID spoofing
Scripts
The Wayback Machine
Spokeo
Metagoofil
Fingerprinting Organizations with Collected Archives (FOCA)
The credential harvester attack method
Social engineering exercise
Phishing with BeEF
Zabasearch.com
Job postings
Shodan.io
Default passwords
Hardware keyloggers
Toll-free number providers
Netcraft website
Netcraft toolbar
Microsoft Edge SmartScreen
Windows Defender Application Guard
SmartScreen filter
Windows Defender network protection
Highly recommended
Ask the experts
Tips
Summary
Prevention and Mitigation
Learning to identify social engineering attacks
Emails
Phishing attempts
Baiting
Responding to unasked questions
Creating distrust
Other signs
Mitigating social engineering attacks
Phone calls
Emails
In-person attacks
Social engineering audit
Summary
Case Studies of Social Engineering
What is social engineering?
Information gathering
Developing relationships
Exploitation
Execution
Why is it so effective?
Case studies of social engineering
CEO fraud
Financial phishing
Social media phishing
Ransomware phishing
Bitcoin phishing
Social engineering case study – Keepnet Labs phishing simulation
Analysis of top ten industries
Examination of total emails sent within one year
Evaluation of social engineering attacks of the top five companies with the largest number of users
Tips
Summary
Ask the Experts – Part 1
Troy Hunt
Jonathan C. Trull
What is social engineering?
Staying safe from social engineering attacks
People
Process
Technology
Developing an effective cyber strategy
Resources
Business drivers
Data
Controls
Threats
Marcus Murray and Hasain Alshakarti
Sample scenario – the workstation-data collection job
Step 1 – preparing the attack
Step 2 – staging the attack
Step 3 – selecting the target
Step 4 – launching the attack
Step 5 – result
Key points from this example
Physical exposure
The physical attack
Emre Tinaztepe
Malvertising
Prevention
Rogue/fake applications
Prevention
Documents with malicious payloads
Prevention
Public Wi-Fi hotspots
Prevention
Phishing/spear phishing
Milad Aslaner
Information is everywhere
User activities
Understanding reconnaissance
Practical examples of reconnaissance
Real-world examples
Ask the Experts – Part 2
Paula Januszkiewicz
Twisted perception of a hacker and due diligence
Şükrü Durmaz and Raif Sarıca
Real-world examples
Operation Game of Thrones
Operation Gone with the Wind
Operation Scam the Scammer
Operation Mobile Phone Fraud
Operation Chameleon
Operation Lightspeed
Operation Double Scam
Andy Malone
Social engineering – by Andy Malone
Phishing
Ransomware
Conclusion
Chris Jackson
Daniel Weis
Diffusion of responsibility
Chance for ingratiation
Trust relationships
Moral duty
Guilt
Identification
Desire to be helpful
Cooperation
Fear
Phishing
Ask the Experts – Part 3
Raymond P.L. Comvalius
Raymond on the future of pretexting
George Dobrea
Dr. Mitko Bogdansoki
Securing the weakest link in the cyber security chain against social engineering attacks
Introduction
Social engineering definition
Social engineering attacks life cycle
Taxonomy of the social engineering attacks
Phishing
Dumpster diving
Shoulder surfing
Advanced Persistent Threat (APT)
Reverse social engineering
Baiting
Waterholing
Tailgating
Trojan horses
Surfing online content
Role-playing
Pretexting
Spear phishing
Quid pro quo
Vishing
Real-world examples of social engineering attacks
Staying safe from social engineering attacks
References
Ozan Ucar and Orhan Sari
Ask the expert – tips to prevent social engineering (SE) and personal real-life experiences of SE
Keepnet Phishing Simulator is an excellent tool for fighting against phishing attacks
Template management
Edit button
Adding a new template
Report manager
Phishing incident responder
Sami Lahio
Ask the Experts – Part 4
Oguzhan Filizlibay
The aftermath – what follows a social engineering attack?
Yalkin Demirkaya
Unauthorized email access by CIO
Case study 1 – sample incident response report
Background
Incident response
Malware Analysis
Overview
Persistence mechanism
Execution of Malware
Configuration
Conclusion
Data exfiltration analysis
Summary and findings
Unauthorized email access by CIO
Case study 2 – employee misconduct
Background
Challenge
Response
Results
Case study 3 – theft of intellectual property
FORTUNE 100 company cleared of wrongdoing
Background
Challenge
Response
Results
Case study 4 – litigation support
Bankruptcy fraud
Background
Challenge
Response
Results
Leyla Aliyeva
Cybercriminal cases like a chain
Phishing for bank customers
Crime in the victim's room
A phone call and the loss of thousands of dollars
Why do we become victims?
Aryeh Goretsky
Social engineering – from typewriter to PC
That was then – social engineering with postal mail
30 years of criminal evolution
This is now – Business Email Compromise (BEC)
Defending against BEC
References/Further reading
About the author
Dr. Islam, MD Rafiqul, and Dr. Erdal Ozkaya
Privacy issues in social media
Abstract
Introduction
Background information
Motivation for the study
Research questions
Literature review
Privacy issues in social media
Evaluating social media privacy settings for personal and advertising purposes
The privacy issues on different social media platforms
Research Methods
Research method
Data collection
Data analysis
Conclusion
References
Other Books You May Enjoy
Leave a review – let other readers know what you think
Preface
This book will provide you with a holistic understanding of social engineering. It will help you to avoid and combat social engineering attacks by giving you a detailed insight into how a social engineer operates.
Learn Social Engineering starts by giving you a grounding in the different types of social engineering attacks, and the damage they cause. It then sets up the lab environment to use different tools and then perform social engineering steps such as information gathering. The book covers topics from baiting, phishing, and spear phishing, to pretexting and scareware. By the end of the book, you will be in a position to protect yourself and your systems from social engineering threats and attacks.
All in all, the book covers social engineering from A to Z, along with excerpts from many world-renowned security experts.
Who this book is for
This book is aimed at security professionals, security analysts, penetration testers, or any stakeholder working with information security who wants to learn how to use social engineering techniques. Prior knowledge of Kali Linux is an added advantage.
To get the most out of this book
A step-by-step practical guide that will get you well acquainted with social engineering. You'll be able to get started with this book in a matter of minutes with the help of different tools such as the Social Engineering Toolkit, Kali Linux, and so on.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/LearnSocialEngineering_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Whois.net lists information such as the email addresses, telephone numbers, and IP addresses of targets that one searches information about."
A block of code is set as follows:
intitle:"not for distribution"
"confidential" site:websitename.com
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Company stalker: Company stalker is important for gathering email information."
Warnings or important notes appear like this.
Tips and tricks appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: Email feedback@packtpub.com and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at questions@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packtpub.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
Disclaimer
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
Introduction to Social Engineering
In any battle, there is no better knowledge than knowing about the enemy's tactics. This chapter will introduce you to the world of social engineering and look at what social engineering is all about. Social engineering is a set of techniques that are widely used in cyberattacks to orchestrate some of the most successful attacks. Social engineering uniquely targets a weak component in the cybersecurity chain—the user. Unlike systems and networks, users cannot be protected from social engineering by means of expensive tools, such as firewalls and antivirus programs. They are always in the open and they are always giving out information that attackers can use to hit them when least expected. People also offer a higher return on investment than systems do. Within an hour, a social engineering expert can make away with as much information as it would have taken him or her 100 hours to gather by attacking a protected system directly. Attackers are aware of the current sophistication of the security elements that protect systems. Most organizations use multiple layers of security, so even if one is compromised, the hacker cannot get past the others easily. It has, therefore, become harder to attack the systems themselves. At the same time, hackers are discovering that it is easy to hack today's users, and this has been confirmed by the rising number of mediated social engineering attacks. This chapter will give an overview of social engineering. It will cover the following topics:
Elicitation
Pretexting
Mind tricks
Persuasion
Tools used in social engineering
Overview of social engineering
One of the biggest cyberattacks of the century happened on Yahoo!, where it is believed that attackers were able to breach its systems in 2014 and make away with the account details of over 500 million users. The FBI has confirmed that social engineering was used in the attack to get the attackers past the scrutiny of the layers upon layers of security tools and systems used to protect such data. This attack on Yahoo!, a giant tech company, therefore confirms that social engineering is more dangerous than it is given credit for. No one is secure if one of the oldest email service providers, one that invests heavily in cybersecurity tools, can be compromised so easily using this technique.
