Introduction to Social Engineering

00:00

Hey, everyone, welcome back to the course in this video. We're gonna go over a brief introduction to social engineering, so we'll talk about what social engineering actually is. We also talk about some of the phases of a social engineering attack, and we'll talk about some different types of social engineering attacks that can be done.

00:17

So what is social engineering? Well, at the end of the day, it's really just more of an art, right? It's an art of convincing people to reveal sensitive information.

00:28

It could be user names and passwords. It could be banking information. It could be causing someone to like an accountant, for example, to transfer X amount of dollars to some new account. Because, hey, it's an urgent thing. So there's a lot of different types of information that could get that could be gathered or or had

00:47

via social engineering.

00:48

But at the end of the day, it's just using human psychology against people to try to get information or to get them to do some kind of action that you want them to take.

00:58

And it's basically exploiting that natural human trust. So the vast majority of people by nature are trusting, right? They trust other people. They trust what people say, especially if that person is in in a perceived position of authority, they'll usually say, Well, they must know what they're talking about, right There are police officer or their CEO,

01:17

so they must be smarter than me.

01:19

And I should trust what they're saying. So it's exploiting that human trust element that most people have. It also could be a fear, right? It could be exploiting fear of

01:29

Oh, if I don't do this and then the FBI is gonna arrest me if I don't transfer $25,000 to this account I've never heard of before. Or if I don't go get a bunch of Western Union's and send them to South Africa, then I'm gonna be arrested by the FBI. People will ignore common sense because they're scared that

01:49

if they don't comply with the request,

01:51

something bad is gonna happen to them.

01:53

And it could also be greed. It could be the fact that I allow myself to be socially engineered because I'm greedy in the fact that I think I've just won the lotto, right. So, for example, I get one of those emails from my cousin, the Nigerian prince, and he tells me that hey, you've won the lottery and all you have to do is Western Union

02:13

or PayPal or Bitcoin

02:15

X amount of dollars to pay the fee, the processing fee for your millions of millions of dollars of winnings, right? And because I'm greedy and I'm like, Oh, I deserve this. I send them thousands of dollars and I never hear anything, obviously because it's a scam, right? But social engineering can take advantage of that as well, because some people are greedy and desperate

02:36

and they ignore common sense

02:38

because they're so focused on being greedy or desperate that they just flat out ignore the fact that this doesn't make any sense at all.

02:46

So what are the typical phases and a social engineering attacks? So typically, just just like a pen test right? Research, reconnaissance, information gathering, they're going to do research on the target company. This could include things like dumpster diving, so gathering information, uh, the old school way

03:04

could include analyzing websites or marrying websites, as we've talked about before in the course.

03:08

Could be researching employees like on social media could even be something like touring the actual company. So there you may. As an attacker, you may want to actually go into the company and, uh, maybe do a tour or find them at some kind of event.

03:25

You could watch a virtual venter join a webinar with them, just getting that inside information or additional information about the organization.

03:34

Next, it's usually selecting the victims. So whether that's, uh, a specific individual or or way in. But usually it's gonna be an individual here.

03:43

Thio identify like alright, whose whose maybe like frustrated with their job and doesn't wanna be there or who's maybe frustrated with the fact they don't get paid a lot of money. Who's who could identify and social media that's talking a little bit bad about their company? Or that might just

04:00

be kind of a weaker target that I could say, Well, I could probably manipulate this person into

04:03

giving me some sensitive information about the organization or maybe their I t. Infrastructure because of the way they're posting on social media

04:13

developing that relationship. So once I identify that target, I reach out to them. I build that report with them, they start trusting me again going back to that inherent trust that most humans are programmed with. They start trusting me. We develop that relationship. And then, of course, at the end of the day, I exploit that relationship so I can get whatever my objective is complete. So that might be

04:32

pretending that I'm friends with them. We

04:34

talk on social media, they're all excited and then casually ask them questions like, Hey, what do you guys using over there for your AWS infrastructure? Like what? I'm having trouble trying to figure out I r. I am over here. What kinds of things are you guys doing? Like what? You what you can talk about and

04:50

you'd be surprised, even though it's sensitive information. A lot of people just freely share

04:56

their entire organizations network infrastructure with you because they believe again going back to that inherent trust. They believe that you're actually legitimate and you're not trying. Thio do something nefarious against them.

05:08

So what are some of the different types of social engineering attacks? Well, some of the broader categories or human based, computer based and mobile based on what kind of talk about these a little bit

05:16

so with human base. This is where we're gathering information by interacting with the actual human. So this could be something like Impersonating ourselves. So pretending that we're someone we're not we could pose is like an authority figure. So Hey, I'm a police officer. I'm with the FBI. You need toe. Follow this or you're going to jail. Or, um, or common one is Hey, I'm with the I. R. S.

05:36

You're going to get arrested for your taxes. If you don't

05:40

send information or confirm your W two information, then you're gonna go to jail.

05:46

It could be someone posing as, ah, legitimate and user. So just saying, Hey, I'm Suzy Q and Accounting and then trying to get information about Hey, I forgot my user name. Can you tell me what it is? And then from there I can maybe get my password as well and log in a Susie Q. Or I can convince the helped us to reset my password

06:04

for me posing his tech support. This is very common scam out there.

06:08

So saying, Hey, this is John with tech support, and I know you're a new employees. We just wanted to make sure that your password is meeting our criteria for the organization. And do you mind just confirm your password so I could make sure it meets our complexity requirements, etcetera, etcetera. And then you give your password over the phone to this individual

06:27

without verifying their really with the help desk, and

06:30

they go ahead and log in as you change your password and do all sorts of nefarious things. By the way, you should never have to change. Never have to confirm your password

06:38

with the I T department. They can reset it for you. They've got admin access, so it would never make sense to give someone your password over the phone or via email, etcetera. You should never share those credentials.

06:48

Some other human based things are are things like eavesdropping,

06:53

which, as the name implies, is just Hey, we're listening in on some other conversation that we shouldn't be listening into. Um, this could also be things like intercepting like Zoom Call, right, so intercepting audio or video or even written communication, we could eavesdrop via email or whatever messaging service they're using shoulder suffering. So,

07:11

at the end of the day, just looking over someone's shoulder, right, so as they're entering their password or maybe typing in a pin

07:16

or account numbers were just looking over the shoulder and gathering that information. We can do it from a distance as well. We don't have to be right up on somebody looking over the shoulder being creepy. We could do this from a distance with various visual aids. Eso like, for example, binoculars. I could look at you from afar with binoculars.

07:34

We have things like piggy backing. So piggybacking and tailgating are things you're gonna want to know. If you do take the CH exam from easy council, you wanna make sure you know the difference between the two. So essentially, piggybacking is just someone that comes up to you and says, Oh, I forgot my badge at home or I forgot my badge in the car.

07:50

And so the person that actually has a batch it works, scans the man, let him in the door

07:56

because they assume oh, well, maybe they work in a department I don't know of. And yeah, sometimes I forget my I d badge, too. So let me go ahead and scan this person in

08:05

tailgating is where, um, the individual that the adversary is basically wearing a fake i d badge, but they're they're coming in behind someone that's authorized to go through the door. So, for example, they've got an I. D badge that's fake, so it looks legitimate.

08:22

And since we're both going through the door anyways and I go in first, I just scan in

08:26

and then I hold the door for that person to let them in. That's tailgating. So the difference you want to know their piggybacking again is Hey, I forgot my ID badge. Please let me in. Tailgating is more of Hey, I've got a fake I d badge. But let me just come behind you because we both work here.

08:41

We have computer based, so things like pop up windows. You don't see these as much anymore. We will pop up blockers things like spam letters or spam emails that that you see going around so saying, Hey, give me your information or send me that Western Union payment

08:54

things like phishing attacks. So gathering information via emails as the primary method of phishing attacks are fishing, phone fishing or smashing via text messaging. Aziz well as chat. So there's chatting with someone and trying to gather that some sensitive information via chat service.

09:11

And then we have mobile based so things like malicious APS. So putting out malicious APs like on the APP store. For example, a user downloads that than that APP is actually harvesting their credentials or harvesting their information as a log into different things. Or as they make phone calls, etcetera, etcetera,

09:28

repackaging legitimate APS, eso reversing them and then repackage them with malware, uh, putting in fake security applications. So basically saying, Hey, you're you need You've got malware on your device

09:41

and now you need to download this antivirus software that will clean it all up in. A lot of people will not realize they already have a virus on their machine, and that's what's causing all that.

09:48

And so they'll down the sap, which is the actual malware on Then,

09:54

from there, the attacker can get the information they need

09:56

as well as, ah, SMS attacks.

10:00

Eso, for example. Let's say that I work in, you know, accounting or whatever. I get a text message on my phone says, Hey, this security department you need, it's urgent. You've got a call us right now at this number. And so I'm like, Oh, no, I've got a call And so I call the phone number and I'm assuming it's legitimate

10:18

on what they're asking for. It could be it could be a person. On the other hand, it could also be a recording asking me for sensitive information.

10:26

For example, you might see this with, like, a bank scam where I give that text messages from my bank. It says, Oh, you've got to call us to verify your information. I call, I get like a recording that tells me, Hey, put in your credit card number or your debit card number to verify your identity. And so I enter that information in thinking that

10:43

I want Thio need to verify and authenticate myself to be able to talk to a representative and make sure that

10:50

I'm not, you know, an adversary. And now the adversary has my information because I've entered it in there. So some other attacks a social engineering taxes you wanna keep in mind, especially around things like fishing, are spear phishing, which is where it's a very direct target or a specific group of individuals in an organization

11:07

as well. This whaling which is when we're going after essentially the big fish, right? So

11:11

maybe like a CEO or other executive, and we're targeting them. So it is a targeted attack like spearfishing. But the whaling aspect of it is it's a big fish. It's someone that's very influential or important, and if we are able to trick them, we can get Ah, lot of information or we could get a lot of money

11:30

out of this particular social engineering attack.

11:33

So just a quick, quick question here for you and this type of phishing attack. Where the attacker This is a type of phishing attacks where the attacker focuses on a single large target. Eso someone like a CEO. It's a spear. Fishing is a called shark fishing. Eso think of the shark tank show or is it whale fishing?

11:50

Alright, we just talked about it, so this one was a little easier. It's whale fishing again. The whale. We're going after that big fish, that big target.

11:58

So this video, we just talked about what social engineering is. We also talked about some of the phases of a social engineering attack again. Basically, we're gathering information. We're identifying the soft targets were building a relationship with those targets. And then we're exploiting that relationship. And then we talked about some of the different types of social engineering attacks again.

12:15

Human based, computer based and mobile base. You're kind of the major categories there,