Time
8 hours 53 minutes
Difficulty
Beginner
CEU/CPE
11

Video Transcription

00:00
Social engineering refers to techniques used to trick users into giving away useful information to an attacker.
00:10
So it involves fooling users into giving away information,
00:15
using email
00:17
or instant messaging or phones,
00:20
or getting a user to click a link in an email to download malicious software
00:26
or clicking on a link that takes you to a malicious website
00:31
and that website is not what you think it is. For example, you might think you're going to your bank's website, but it may actually be a spoof website that they've set up that looks like your bank's website.
00:43
So have a look at this email that I received.
00:47
So there's an example of a social engineering trick.
00:50
So it says, Good morning, Ali. Tonight the IT team will be performing scheduled maintenance on the service.
00:56
We're contacting a cross section of staff for help with this.
00:59
It's already, you know, I'm feeling kind of special because I've been picked out as one of the people.
01:04
And then it carries on: After maintenance is complete, we need to verify that the systems are operating normally and users can still log on without a problem.
01:14
For this, we're gonna need your password,
01:17
please simply hit reply and just type in your password.
01:21
And as you can see, the email appears to come from the director of IT,
01:26
um, and so on. A trusting and unwary user
01:30
might take that at face value, hit the reply button
01:34
and type in the password.
01:37
And they've just given away their password to whoever sent that email.
01:42
But worse than that,
01:44
just opening that email could have downloaded or attempted to download a virus.
01:49
If you look down here,
01:52
you'll see that there was an attempt to download a virus.
01:56
Fortunately, that failed because I have an antivirus program running that detected that this was malicious and prevented it from getting downloaded.
02:07
Or what about this?
02:07
An email
02:09
that
02:10
is fairly alarming.
02:13
Security alert. Your account has been compromised. You must click this link and update your password immediately.
02:21
So social engineering often works by creating a sense of panic or urgency. So people stop thinking rationally or being careful.
02:30
So if we look at this email,
02:34
you'll see up there, says Bank of America. There's the official logo, online banking.
02:38
All of that looks real,
02:42
but if you look down here,
02:44
look at that URL.
02:46
At a quick glance, it says Bank of America.
02:50
But actually it says back of America.
02:53
So what would happen? Clicking on that link
02:54
would take you to a fake website that again would look like the bank's website.
03:00
And because you've just been told your account's been compromised,
03:04
what you would see on that website is a message, apparently from your bank, saying: because your account has been compromised, you need to do the following. Please enter your current password and then choose a new one.
03:15
Now the moment you enter your current password,
03:19
they've captured it.
03:21
And then before you realize what's happened, they're logging on to Bank of America with your credentials
03:27
and possibly emptying your bank account.
03:31
And some social engineering doesn't have to be all that sophisticated.
03:37
So this was a kind of informal survey
03:40
done at Liverpool Street Station in London
03:45
and what they did was just stop passers-by, and they offered them chocolate in return for their passwords.
03:52
70% of people said yes, they would reveal their password in exchange for a bar of chocolate,
03:58
but what's really astounding is that 34% of respondents volunteered their password without even needing to be bribed with chocolate.
04:06
Now, of course, this is not a scientific survey. Because, of course, what most people would do is say, Okay, give me the chocolate and they tell you a fake password, not their real one,
04:16
but still, the fact that they didn't just say
04:19
Get out of here, you don't know. I'm not giving you my password.
04:23
That's a bit worrying.
04:28
Phishing refers to trying to obtain a user's information using email,
04:32
so you've seen a couple of examples of that. So there was, what, the first email that tried to get my password,
04:40
and then the second email tried to get me to go to a fake website.
04:44
So very often these are sent out as spam.
04:48
Spam is unsolicited email being sent out randomly to maybe thousands or millions of users.
04:57
Vishing is the same kind of thing, but done by phone. So instead of getting that email asking me for my password,
05:03
I could have received a phone call
05:05
and the phone call might have gone like this.
05:08
Hi, this is the IT department here. We're going to be doing some maintenance tonight, and we need to verify, after the maintenance is complete, that our users can still log on. So, Ali, could you let me know your password?
05:20
And if I'm not
05:23
being careful, I might just reply to it and give him the password, because apparently it's somebody from the IT department that's calling.
05:33
Spear phishing relies on targeting particular users,
05:39
for example, staff in your finance department.
05:43
Now that requires having some prior knowledge of the company, so this often involves earlier reconnaissance.
05:48
But once I've figured out
05:50
somebody who works in the Finance Department, I could send them an email.
05:56
And then I could attach to that email
05:58
something that
05:59
they wouldn't think is unusual.
06:00
So I could say this email is a receipt or an invoice
06:04
with a little link that says, Download the receipt or download the invoice.
06:09
So because that's the kind of email they expect to get,
06:13
they're caught off guard and they click on the link. And the moment they do that, malicious software's downloaded to their system.
06:21
And to take that one step further, we have whaling.
06:25
Whaling refers to targeting high value individuals such as your CEO or your chief financial officer.
06:32
That again requires some reconnaissance, having figured out who these people are and then sending the emails to them.
06:43
So that brings us to the issue of spam. Spam generally is just unsolicited email, often sent out randomly.
06:51
Sometimes it just contains advertisements, and it's not malicious.
06:57
But sometimes it is malicious: it contains malicious attachments, or it contains links that, when you click on them, download
07:04
malicious software or take you to fake websites.
07:10
Spam can be blocked at the perimeter of the network,
07:14
meaning at the point where your network connects to the Internet.
07:16
You can have appliances such as those made by Barracuda that monitor all your incoming email,
07:25
and they look for spam and block that,
07:27
and they also look for malicious attachments or malicious links within an email,
07:32
so that could be one layer of security.
07:35
But then all the email that gets past that appliance gets delivered to your mail server,
07:42
so you can also do checking at the mail server
07:45
and then when users download their email from the mail server,
07:48
their own email application might also check for spam and try and block it.
07:55
So there's again that concept of multi-layered security.
08:01
Users should be educated to never open unsolicited emails and, if they do, never click on any links inside them or download any attachments.

Up Next

CompTIA IT Fundamentals

The CompTIA IT Fundamentals certification is aimed at people considering a career change to IT. The course will prepare you to take the CompTIA IT Fundamentals exam. If you are new to IT this course is prerequisite knowledge that allows you to tackle the more advanced A+ and Network+ CompTIA certifications that many IT professionals hold.

Instructed By

Ali Wasti
Instructor