Welcome back to the course. In the last module, we wrapped up our discussion on sniffing. In this module, we're gonna talk about social engineering.
So what is social engineering? Well, basically, it's someone using deception to manipulate human behavior to get confidential or personal information. So that could be things like your username and password. It could also be something like having you wire money to a certain place. If you remember back to the Nigerian phishing email scams that used to go out, you don't see those too much anymore, but they are still out there. They try to get you to send money because you won some magical lottery in another country.
So there are different phases. This is more so based on going after a company, not a specific individual. So basically, we would research the target company, then select a victim. Because we're looking for people that are maybe a little mad, you know, they're stuck in the same position year after year, or they're being told they're gonna be laid off. Just somebody that's frustrated, you know, they're not being paid well, whatever the case might be. And if you were doing, like, Walmart, for example, that's pretty easy, right? Because a lot of companies out there may or may not have certain benefits, or pay people correctly, or realize what their value is.
After we select a victim, we want to develop a relationship. So we might note that they go to a certain coffee shop, right? So we may casually strike up a conversation at the coffee shop, we chat, et cetera, et cetera, and eventually build that trust relationship. And then we're gonna exploit that relationship. So at a certain point, we're gonna just kind of ask, like, "Oh, what kind of technology does your company use? You know, for X, Y, Z. Do you guys use the cloud for email? What do you guys use? Hey, are they offering any positions? Who's in your financial department? How big is your company? How many people work there? Are you guys global?" All these little bits of information that, once you build that trust relationship, the person is very willing to give you.
So human-based social engineering. This is gonna be basically psychology-type stuff, right? We're doing it on a human level. So we're doing things like impersonation, vishing (which we'll talk about what that is, fairly straightforward), eavesdropping, shoulder surfing, dumpster diving, reverse social engineering, piggybacking and tailgating.
So impersonation. Everyone probably knows that one. It's pretending to be somebody else, right? So generally when attackers do it, they're gonna act like they're in some position of authority. So that might be them calling and saying, "Hey, I'm the police, you better do what I say." A more common one is actually tech support. So it could be doing the tech support type of thing, saying, "Hey, it's tech support. I need to reset your password. What do you want it to be? I'll go ahead and reset it now; we had some issue with it." Or any other type of authority. They could call and say, "Hey, I'm Joey, the VP of whatever," and blah, blah, blah. And generally, you know, in larger companies, they may not know who all the executives or management people are, so they might feel that there's some type of thing they need to take action on for them.
Vishing. Actually the exact same thing as impersonation, except using a telephone. So again, it stands for voice phishing; that's really the relationship there. This is most popular with the tech support scams that you'll hear about in the media and stuff, or that you may have even been a victim of, or known somebody that's become a victim of them.
Eavesdropping. This is very straightforward. So basically, we're listening in on conversations. We may not use a glass at the side of the door like this guy's doing, but just sitting there in places where employees of a company you're targeting are going, right? So I mentioned the coffee shop earlier. That's a great place. You sit at the coffee shop, just sit there for a few hours in the morning, a few hours in the evening, and just read a book or whatever, but really you're listening in on the conversations that are taking place. Or even if you're in the waiting area of a company, you might hear different conversations as well.
Shoulder surfing. So basically, as the name implies, we're looking over the shoulder of somebody else. So that could be a good way to see what kind of password they're typing in. Maybe you could get some of the password there. You could also see usernames. You can see what kind of software they're using, what they're doing on that device, what they're doing on the laptop, and it gives you a good idea of the software that the company might be using. Does this user even acknowledge that you're looking over their shoulder? A lot of people don't even notice. They're so engrossed in whatever they're doing that they don't notice that someone's looking over their shoulder and seeing everything that they're doing. That could also be beneficial as an attacker if this is a financial person for the company, and so now you can see some of the financial records, if that's what they're accessing.
Dumpster diving. So most people don't actually do this. It's tested on the EC-Council material, so we touch on it. But basically, most people aren't gonna jump in the dumpster just to get some shredded papers that may or may not have a password written on them; there are far easier ways to get that stuff. But basically dumpster diving, as the name implies: we jump in the dumpster, and, you know, we probably don't jump in like this guy here, but we do jump in the dumpster, we sort around and try to find different documentation from the company that might be beneficial for us in our testing.
Reverse social engineering. So this is more the tech support scam stuff. So what they might do is some kind of browser redirect or, you know, even poison your cookies, and basically this might show up on your computer. I actually had someone I know, their kid had this show up on their laptop. And, of course, they were all panicking. They're not IT people, not in security at all. So he asked me, and I was like, "Oh, yeah, this sounds like you need to clear the cache, and you let me know if the message is still there." She cleared the cache and she was good to go. But you might get this type of thing popping up here, and basically it's trying to create a sense of urgency and telling you, like, "You gotta call us," right? And that's where the reverse social engineering comes into play. The attacker wants you to contact them, and then they could do whatever they want, right? So this type of thing might say, "Hey, we found malware on your computer," and they actually have a little pop-up there that says that there's a rootkit and a Trojan as well. So they may tell you that, and then you call that number, or you chat with them here, and they tell you, "Okay, we just need to reset your username and password and I'll fix this for you. I just need those credentials and I can do this." And let me tell you, real tech support can just reset your stuff if they need to get in your computer. So this is obviously a scam.
Piggybacking and tailgating, which we'll touch on next. In real life, these are pretty much the same thing. Most people just link them together. For the EC-Council exam, you want to know: tailgating involves an ID, and that's the main difference. So piggybacking: we basically go up to the door as the attacker and we say, "Hey, you know, I forgot my badge. Can you let me in?" And then, if the person is not security aware, they'll just let you right in. Tailgating, again, as I mentioned, the attacker usually has, like, a fake badge made, and so they may or may not just come up to someone and say, "Hey, can you let me in?" A lot of times what they're doing with this is walking behind you, kind of hanging out by the door, whatever, pretending they're on the phone or something, and then just walking in right after you. And if you don't recognize them, but the badge looks somewhat legit, you might just glance over, like, "Okay, it's a big company, I probably don't know everybody, so this might be legit."
Phishing. You see that with the phishing emails, and then also things like whaling, where they go after the CEO and stuff like that. This is an example of a phishing email. And basically you can pretty much tell; there are a few things highlighted that give it away. But if you hover over the link, it's gonna take you to actually a different link. Bank of America does not use a Comcast email address, especially one with random characters in it. They don't send it to undisclosed recipients; they'll send it directly to you. And then also, different banks will actually say, like... most of the time the bank won't email you, but they'll say, "Dear whomever, here's your statement," that sort of stuff. And they also generally won't make you sign into your account or anything. You'll just go to your actual bank's website and sign in. So phishing emails are pretty easy to spot as long as you're on the lookout for them.
So that's why security awareness is very important in any organization.
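The tells the lecture lists for that sample email (a brand in the display name but a consumer mailbox as the sender, undisclosed recipients, and link text that shows one site while the href points somewhere else) can be checked mechanically. The script below is an added example, not code from the course; the email it parses is constructed for the example, the domain names in it are placeholders, and the "last two labels" domain comparison is a simplifying assumption (a real checker would use a public-suffix list).

```python
"""Added example (not from the course): flag the phishing-email tells the
lecture describes, run over a constructed sample message."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims "Bank of America", sender is a
# consumer mailbox with random characters, recipients are undisclosed, and the
# visible link text does not match the link target. All domains are placeholders.
SAMPLE_EMAIL = """\
From: "Bank of America" <k3x9q2@comcast.net>
To: undisclosed-recipients:;
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, please sign in to confirm your details:</p>
<a href="http://login-verify.example-bad.test/boa">https://www.bankofamerica.com/login</a>
</body></html>
"""

# Assumed mapping of brand names (as they appear in display names) to the
# domain that brand really sends from.
CLAIMED_DOMAINS = {"bank of america": "bankofamerica.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude domain comparison: keep the last two labels (assumption, no PSL)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a brand whose real domain differs from the sender's.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        name = (sender.addresses[0].display_name or "").lower()
        domain = sender.addresses[0].domain.lower()
        for brand, real_domain in CLAIMED_DOMAINS.items():
            if brand in name and registrable(domain) != real_domain:
                findings.append(f"sender domain {domain} does not match brand {brand}")

    # 2. A bank addresses you directly, not as an undisclosed recipient.
    to = msg["To"]
    if to is None or "undisclosed" in str(to).lower():
        findings.append("recipients undisclosed")

    # 3. Link text shows one domain while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = urlparse(text).hostname if "://" in text else None
            target = urlparse(href).hostname
            if shown and target and registrable(shown) != registrable(target):
                findings.append(f"link text shows {shown} but target is {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message it reports all three tells; a message from the brand's own domain, addressed to you, with no mismatched links, produces no findings. The same three checks are what a user does by eye when hovering over the link and reading the From line, which is the point of the lecture's example.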
Smishing. Similar thing here, it's trying to get you to click on a link. So this is gonna come through your text messaging, or SMS messaging, excuse me, and that's why it's called smishing. So if you get some kind of text here saying, "Hey, you need to take some kind of action and click this link." So in this example here: "Hey, you just got a free Best Buy gift card. All you gotta do is click this link and then enter 'free for 15' and you're good to go." Obviously, you don't click that link; it's just gonna download malware on your device.
Insider threat. So as the name implies, these are people inside of the company or with inside access. So employees, former employees, even people that were recently terminated, and then contractors or business associates. Basically anyone that has an entry route into the company. There are different types of insider threats; based on the resource you look at, the categories might differ. But you've got non-responders, and those are the ones that don't really pay attention in the security awareness training, so they're consistently negligent in their security actions. Then you've got inadvertent insiders, and this is actually the biggest category. They generally comply with security policies and training; however, those little times that they forget to do that, that's when they cause the most damage, right? They click on that link or they download that file, whatever the case might be. Insider collusion: this is basically an insider colluding with an external actor. You don't see that too much, but it does occur. Persistent malicious insiders are the ones that basically steal data to build out a second stream of income. So they sell the data, and they're usually pretty good about keeping it to very small amounts, so they're generally not caught for a long period of time. And then you've got your disgruntled employee. So people that were just recently fired, and they might do things like sabotaging data, or they might even steal intellectual property with a motive of making profit off it as they go to the next position.
Social media, or fake profiles. We've all heard of them in the media, and there's a ton of them out there. I will say that if you're gonna work as a pen tester, you want to make sure you understand the laws in your jurisdiction. So, for example, where I live right now, it's actually a felony charge if you create a fake account and impersonate an individual online. Obviously, assuming, like, what you're doing it for, right? If it's for malicious intent, then more than likely, if they catch you, you're gonna be charged, and again, potentially it's a felony charge. So fake profiles, again, we've seen them all out there. And female profiles kind of work better. If you're gonna work as a pen tester and you wanted to see, like, create a fake profile and get responses, create it with a female, and definitely an attractive female, and that should get you a lot of people connecting with you. They don't even check and verify who you actually are.
So social engineering countermeasures. Obviously research, right? If you get a friend request on, like, LinkedIn or something, that you don't really recognize, and it just doesn't seem right, trust your gut. If it doesn't seem right, try to research it and see, like, is this a real thing? Reject requests for help, or like, "Hey, I can help you do something." Reject all those. Don't post personal data or photos. Obviously, people still do that, but don't post things like a birthdate. Use all the privacy settings that are available in the social media platforms, so you don't have to worry about that stuff. Don't reveal any sensitive data to people you don't actually know, and then follow your organization's policies and procedures.
Different countermeasures for insider threat. Basically, we want to make it a deterrent. So we want to make it difficult, so that the people who are going to be insider threats kind of separate themselves from the pack, so we can quickly see who they are. Know your weaker links; those are some people that might be frustrated, excuse me, frustrated in their current position. Identify the valuable information, so what other people may be targeting, and then monitor that like crazy. So the ingress and the egress: insiders coming in and exiting. Basically, that's what that means.
A couple of post-assessment questions here. So: I should post my personal information online because the social media website has HTTPS. So they're using, like, TLS/SSL in the URL, so I'm safe, right? They're using encryption, right? Right. Exactly. That's false. We don't want to post personal information at all. So our second question here: I don't wanna be rude, so I should respond to this email message that's asking me for help, and I should go ahead and click on this link to give the person's GoFundMe page some money. All right, again, that's false as well. We don't want to click on any links that we don't actually know the sender of, and that we haven't verified are legit links.
So in this video, we covered social engineering. We're gonna jump into the lab next. We're actually gonna do a hands-on of social engineering reconnaissance. So we're gonna look at a particular social media page. It's a fake page, but we'll go through all the aspects of kind of researching what we need to look for.