Time: 23 hours 21 minutes
Difficulty: Intermediate
CEU/CPE: 23

Video Transcription

00:02
Hi. Welcome back to the course. So we just wrapped up our module seven on social engineering.
00:06
So a couple of pre-assessment questions before we jump into the lab.
00:10
So question number one.
00:12
Whatever this is, it's the use of deception to manipulate individuals into divulging confidential or personal information that might then be used for either fraudulent purposes or to gain access into a company.
00:24
So which one of those choices is that?
00:28
All right, if you said answer C, you are correct. It's social engineering. Now, DDoS, of course, is distributed denial of service, which we'll actually cover in the next module. Footprinting we went over earlier, and that's similar to social engineering in the aspect of gaining information; however, footprinting is more so on the network level of what we're trying to get,
00:47
and sniffing, of course, is where we're monitoring network traffic and grabbing the packets.
00:53
All right, so question number two, and this one's pretty much common sense. So: I should list my personal information for public view on social media websites because the social media provider tells me that my data is safe.
01:03
Is that true or false?
01:07
You're correct, it's false. Obviously, we don't want to put too much public information out there, and especially we don't want to trust the social media websites, because at the end of the day they make their money. Even though it's a free site, they make their money off advertising and selling our data, so just keep that in mind.
01:23
All right, so here we just have the definition again of social engineering, you know, the use of deception to manipulate individuals. So again, we're just using the psychology of people, so to speak, to get them to tell us information or give us information.
01:37
So some common types of social engineering attacks. Probably the most
01:41
well-known one is gonna be your phishing attacks, these phishing emails. So back in the day it used to be, hey, I'm the Nigerian prince, and, you know, you've won the Nigerian lottery of $50 million; all you have to do is send me $10,000 US via Western Union.
01:55
I mean, obviously, most people nowadays know about those types of scams and they don't fall for them. There are still people out there that will wire money to random people and, you know, become victimized.
02:07
But most things you'll see nowadays are attackers trying to basically spoof the IP address and the content of a legitimate provider. So I've got an example screenshot here. So we're gonna talk about a couple things here. So in the From field, we see that
02:21
it's missing the A, so it's not really from Amazon, you see. And then also it was kind of that generic "management at Amazon". You know,
02:28
Amazon doesn't send you an email from management, right? It might be like customer service or something like that.
02:34
And then also, it's just gonna send it to, ah, whomever the address is. Another thing that tips you off that it's a phishing email: it won't have your name, like most legitimate providers are gonna populate your name in there.
02:46
So it's gonna be like, you know, "Dear Joe", you know, or "Dear Mr. Smith", or whatever the case might be. It's not going to say "Dear client" or "Dear customer" or, you know, "lovely customer", anything like that.
02:57
Also, a lot of them will contain some type of link, and this might be shortened with, like, something like Bitly or, ah, other shortener providers. But basically it's gonna have some type of link that they want you to click on. Now we see here, this is a sign-in page.
03:13
We never want to click any link in a phishing email. Now, if you're working at an employer and you get an email from
03:17
from like HR that says, hey, click on this link and put in your username and password, or put in your personal information,
03:23
pick up the phone and call that person and say, hey, did you actually send me this or not? I do the same thing myself. I also work as an adjunct professor, and so when I signed up and got going in the onboarding process there, I got some emails, like one of them was like, hey, here's your payroll information and here's a link,
03:43
and I immediately emailed the person asking, is this legitimate? You know, it's just something else,
03:47
you know, and that's a bit of paranoia, but you need to have that nowadays. You don't just click on links.
03:53
And so in that case, you know, of course, that was legitimate, and so I went ahead and opened it and did all that I needed to. But my basic thing here is: don't click on a link in an email unless you legitimately know it's a link that you can trust.
04:08
Now, a lot of times you can hover your mouse over top of the particular link, and it will show you where that link is actually going to. Something to be careful on: that's not 100% foolproof,
04:17
and then also it may or may not show you a, ah, date range here. So pay attention to that, because a lot of times they might just throw an old date or year in there,
04:29
and then also, depending on how your emails normally come. I don't get emails from Amazon; it just goes into the Amazon platform there. So I would be immediately suspicious of this.
04:42
So the next type of attack is pretexting. So basically, this is building a sense of trust with the victim. So it could be something as simple as you creating fictitious modeling companies, so when you get, like, women or men to send you, you know, partially clothed photos or, you know, photos of them in the Maquis or even *** photos, and then you exploit the victim that way.
05:00
It could also be you showing up at the door of a company. It's, "I'm the IT auditor" or whatever, you know, because you've done reconnaissance on the company, so you know that
05:08
they're going through an audit right now, and you say, yeah, I'm part of, you know, Company X as an auditor and, you know, can you just let me in? I just need to get, you know, a little more documentation or whatever. And that doesn't work at larger companies because they do a lot of security awareness, but at smaller companies you can usually get away with stuff like that.
05:26
And then also, you might be contacted by somebody, you know, at your bank. You know, like in the email above, the phishing email, where, hey, confirm your identity with us. That's another type of thing that also involves pretexting.
05:36
Baiting is similar to phishing. The main difference is that they promise some type of good. So one of the frequently seen ones out in different media articles is about where the penetration testers will go and drop a bunch of USB devices around the parking lot of a company and just see what kind of information they can get.
05:54
And people, you know, even if they put a label on it like, hey, this is whatever,
05:58
and then people, employees of the company, will go and just pick those up and go plug them into the company.
06:03
And so, you know, a good way to do that is put some type of reward on there, right, some type of good that you're exchanging for what you want to do nefariously. So in this example here, we could just label the photo on one of the USBs as a funny cat picture. So they double-click on it to open it up. Ha ha, you know, it's a funny name or something about
06:21
this cat is doing whatever, but they don't realize in the background it's actually downloading a key logger onto their machine, and now you could start harvesting user credentials.
06:31
We've got quid pro quo, which is similar to baiting, but the difference here is, you know, an example I use is a tech support scam. So basically, someone calls you, they say, hi, tech support, and, you know, let me get, uh, you know, what's the IP address of your computer? Let me walk you through how to do that. You know, or even, I've even had some reports of people I know getting a piece of mail that says,
06:53
you know, hey, this is so-and-so Company, contact us immediately, urgent. You know, that sense of urgency, like in phishing.
07:00
Contact us immediately, but your account, you know, we need to talk to you, whatever, or your system might be compromised. Here's a free malware scan; give us a call, our tech support will walk you through. And of course, they've been coached, right? So the tech support people are very nice, friendly, they're very professional. You don't suspect anything at all.
07:16
And so basically, they're asking for access to your machine. Once they do, they usually, in most cases, they'll deactivate your antivirus or anti-malware, sometimes they won't, and then what they will do is they'll install different types of malware on your actual machine. So then you have to end up calling them back and paying a ransom to get your machine unlocked or just get the, uh,
07:36
malicious software removed.
07:39
Tailgating and piggybacking. So we're gonna talk about this in the context of the definition from EC-Council, so keep that in mind, because tailgating essentially incorporates piggybacking. But for the EC-Council Certified Ethical Hacker examination purposes, you want to know the difference here. Tailgating is when the attacker has some type of a fake badge,
07:58
and then they basically just follow an authorized person through the door, so they might
08:01
either just jump behind them and go through the door, or they just ask them to let them in. But the big difference here is they have a fake badge,
08:07
according to EC-Council, and piggybacking is just when the attacker doesn't have a badge and they ask somebody to let them in.
08:13
So again, those are EC-Council exam definition type stuff. So if you're not taking that exam, you know, you can pretty much just incorporate those in real life as the same thing. Everyone just kind of incorporates those; it's the same thing in real life.
08:28
So in this video, we just talked about an introduction to social engineering. In our lab, we're gonna go ahead and do social engineering reconnaissance. So we have a target we're gonna use, and then if you're not using cyber labs on that one, just use, like, yourself or a friend or family member, and then basically we're just gonna look at all the different types of information that someone puts online that we can potentially use
08:48
for our purposes.

Instructed By

Ken Underhill
Master Instructor at Cybrary