1 hour 47 minutes
everyone welcome back to the core. So in the last video, we just took a brief introduction to the course. We talked about the core structure as well as my background is your instructor, and we also talked about the prerequisites again. There aren't really any specific ones. However, it's a good idea. Have some general understanding of I T or security related topics.
In this video, we're gonna talk about our first part
into the introduction to social engineering. So we'll talk about some specific things in this video, and then we'll have one more video just to kind of wrap up the intro to social engineering.
So in this particular video, we're gonna talk about the different types of social engineering attacks. So some common types will also talk about the components of social engineering.
And so the three components of social engineering are elicit ation, interrogation and pretexting. And so let's talk about each one of those briefly. Now, I want to stress that we don't use these individually. So, for example, I wouldn't just use elicit ation. I wouldn't just use interrogations. I want to use a combination because that's gonna help me be a much better,
uh, individual doing social engineering.
So elicit ation is basically when an attacker uses, like, open ended questions
to try to get more information about the victims. So if you think of this as a sales person and so I am a sales person and I call up a potential customer
and I'm on the phone with them and rather than asking them, do you like your current service provider, which is a yes or no question
in a close ended question? What I want to do instead is ask them open ended questions. So what I might ask them is,
What kinds of things don't you like about your current service provider, Right? Or what kinds of challenges do you have that your current service providers not meeting
and you see how that's open ended, right? It allows them to answer more than just like yes or no.
They're able to give us more information about that particular issue,
so we want to do the same thing here in social engineering it so I may ask. Instead of asking somebody,
does your company use Windows servers? Right, that's a yes or no. That's a close ended question. That's Yes, we do know we don't.
What I might ask instead is say, Hey, if you have you guys have any heading trouble in your company of migrating to a juror? Or have you had any cloud migration issues, etcetera, etcetera? Right, Because they might say, Yeah, our AWS has been a problem because a lot of organizations or multi cloud right now, right? So they might specify
what the issue is,
right? They might say, Yeah, we've had some trouble with Miss Configured History buckets. Well, you know, right away, that's a W s. And that's s three bucket. So guess what? You might have just found a way into that company, right? So that's why we do elicit ation interrogation, as the name implies, right? We're asking them questions
now. A key point of this one is the body language,
right? We're normally in person, or maybe somehow, someone like video, chat or civil and grab with them, but traditionally in person. And so we're reading the body language. We're looking at any type of gestures that they do. So are they moving their hands or they stop in their feet? Does her eyebrow twitch? Are they blinking a lot. Are they sweating?
Are there rubbing their hands? What kind of facial expressions
do they have?
Are they frowning? Are they smiling? Do they do a certain thing? Do they look a certain way when they're speaking certain things right, that those are all clues that can number one. Help us determine? Are they lying about something? And number two, Is there something more there? Is there more information that they would like to share?
But they're not sharing with us yet.
And then pretexting. This is basically us giving false information to to basically get information. So we're essentially saying like, Well, we need this because I'll give an example. So let's say that I pretend I'm a delivery driver for, like, uber eats or door dash or one of these food delivery companies, right?
And so I go to the front desk of a company.
Ah, and my goal is to try to get physical access, be past the gatekeeper of the receptionist. And so I say, Oh, I've got food here for Sally Smith in accounting and they say, Well, there's no Smith, Sally Smith or maybe they tell me there is a Sally and accounting. And so what I could do is I can have a receipt of someone named Sally and that's make the receipt
look really bad with last names crossed off
And so I could then say I got food here for Sally and accounting.
Can I go? Can go take it to him. Okay. Well, who Who's Sally, Right? What's your last name? Oh, I don't know. We see the receipt. I mean, you know Hey, I'm just trying toe work with Well, that God, I'm just trying to deliver food,
you know? What can I do? How can you help me bubble lot, right? Basically saying that I'm there for this reason of delivering food when in reality, my goal is to get into that company or to get more information from someone. And so that's what pretexting is.
There's different types of social engineering. I want to stress. This is not gonna be an all inclusive list, at least on the bullet points. But we'll cover kind of the main areas of social engineering. So we got fishing, spear fishing, whaling was got hoax ing farming on while also, we'll talk through all of these shoulder surfing as well as baiting and tailgating. So
basically fishing, which you might have heard about if you're totally brand new, do I T and cyber and everything.
You've probably heard about this in the media a little bit. So fishing is essentially getting someone to
take the action that you want them to take. So whether that's done via email, which is the most common form of fishing that you're probably going to see or whether it's done through like text messaging so SMS or smashing as it's called or through the phone or fishing. So with a V,
that's that's, Ah, fishing is through the phone. So that's fishing, right? That's all the phishing attacks. And so the goal there is to get someone to take action, and that action might be to give you information they might be to get them to click on something so you get their log in credentials. Might be to get them to click on something and download something to
spreading malware on the company systems
could also be to get them to take an action where they wire you money because you say, oh, to CEO and oh my goodness, it's so urgent you gotta send me the money, right? Another thing is spear phishing, which is a targeted attack. So where fishing might be? Ah, big blast of e mails saying, Hey, your Amazon account is locked out.
Click this link to log in and change your password.
That might just go out to a 1,000,000 different people, right? That's not really targeted towards people that have an Amazon account. It's just kind of targeted as a blanket Spam email, Right? So a blanket phishing email
where a spearfishing might be. Let me target
Ken's computer, right? Let me Let me Target Can is try and get him to click a link. Or it might just be Let me see if I could target everyone at at this company over here, this healthcare company, to to do a certain action.
When we talk about whaling, that's where we're talking ATM or of the executive type of level. Or, you know, sort of the quote unquote the big fish level, right, the hence the term willing. And so this is where we really target, like a senior executive or some other type of high profile individual. To get them to do, send some kind of inaction. So
maybe we target the CEO or CFO or something like that.
Farming is basically where I type in, for example, google dot com. And instead of me going to google dot com, I actually get redirected to a malicious site. But that still looks like google dot com. So that's all we're doing with that. That's Ah, Deena's cash poisoning attack, and we're basically just redirecting them, too.
Ah, malicious website or some other website besides the rial website
Hope seeing many people probably got this way back in the day where they'll send the email kind of those chain letter emails, right? If you send this to a 1,000,000 people, you make a 1,000,000 bucks. Or the other thing is, maybe, hey, there's a new virus. Spread this around, share with your friends, protect everybody, By the way, click the link to download update to fix the virus right
shoulder surfing. As the name implies, she's looking over your shoulder baiting eso. This is where we see like USB drop attacks, so I take a bunch of USB storage devices. I go spreading around the company's parking lot in the hopes that somebody will take that in? Plug it into their computer to see who it is. Who's it is or what? You know what kind informations on it.
Ah, And then from there I spread malware, do whatever I wanted to do
and then tailgating, Basically where I follow somebody into the building. So I say, Oh, you know what? I forgot my bags today. Ah, Mo is forgetting it. Andi, most people are like, Yeah, I forget mine to Oskanyan real quick, right? And they're not gonna ask any questions. So that's what tailgating is. It lost me to get physical access to your company's just by following somebody else in the door.
So a quick quiz question here to check your knowledge. Susan's the CFO of Action Incorporated. She received an email from the CEO stating an urgent wire transfers needed to pay an invoice.
What is this is what is this in an example of? Is it baiting, forming or whaling?
So if you answered whaling, you would be correct. So one of the key things here is that Susan's a CFO and she's beginning being targeted specifically.
And you know, with that we know it's a phishing attack because we're seeing that. Hey, Ah, wire transfers needed. It's urgent. There's normally a sense of urgency with phishing attacks. Oh, my goodness. The world's gonna end if you don't send me the money. Right?
So in this video, what has talked about the different types of social engineering attacks? We also talked about the different components of social engineering and the next video We're going to talk through some behavioral as well as technical controls that you can implement to help protect against social engineering attacks.