
Social Engineering

Time
8 hours 53 minutes
Difficulty
Beginner
CEU/CPE
11
Video Transcription
00:00
Social engineering refers to techniques used to trick users into giving away useful information to an attacker.
00:10
So it involves fooling users into giving away information,
00:15
using email
00:17
or instant messaging or phones,
00:20
or getting a user to click a link in an email to download malicious software
00:26
or clicking on a link that takes you to a malicious website
00:31
and that website is not what you think it is. For example, you might think you're going to your bank's website, but it may actually be a spoof website that they've set up that looks like your bank's website.
00:43
So have a look at this email that I received.
00:47
So there's an example of a social engineering trick.
00:50
So it says, Good morning, Ali. Tonight the IT team will be performing scheduled maintenance on the service.
00:56
We're contacting a cross section of staff for help with this.
00:59
And already, you know, I'm feeling kind of special because I've been picked out as one of the people.
01:04
And then it carries on: after maintenance is complete, we need to verify that the systems are operating normally and users can still log on without a problem.
01:14
For this, we're gonna need your password,
01:17
Please simply hit reply and just type in your password.
01:21
And as you can see, the email appears to come from the director of IT,
01:26
and so on. A trusting, unwary user
01:30
might take that at face value, hit the reply button
01:34
and type in the password.
01:37
And they've just given away their password to whoever sent that email.
01:42
But worse than that,
01:44
just opening that email could have downloaded or attempted to download a virus.
01:49
If you look down here,
01:52
you'll see that there was an attempt to download a virus.
01:56
Fortunately, that failed because I have an antivirus program running that detected that this was malicious and prevented it from getting downloaded.
02:07
Or what about this?
02:07
An email
02:09
that
02:10
is fairly alarming.
02:13
Security alert. Your account has been compromised. You must click this link and update your password immediately.
02:21
So social engineering often works by creating a sense of panic or urgency. So people stop thinking rationally or being careful.
02:30
So if we look at this email,
02:34
you'll see up there, says Bank of America. There's the official logo, online banking.
02:38
All of that looks real,
02:42
but if you look down here.
02:44
Look at that URL.
02:46
At a quick glance, it says Bank of America.
02:50
But actually it says back of America.
02:53
So what would happen? Clicking on that link
02:54
would take you to a fake website that again would look like the bank's website.
03:00
And because you've just been told your account's been compromised,
03:04
what you would see on that website is a message, apparently from your bank, saying: because your account has been compromised, you need to do the following. Please enter your current password and then choose a new one.
03:15
Now the moment you enter your current password
03:19
they've captured it.
03:21
And then before you realize what's happened, they're logging on to Bank of America with your credentials
03:27
and possibly emptying your bank account.
03:31
And some social engineering doesn't have to be all that sophisticated.
03:37
So this was a kind of informal survey
03:40
done at Liverpool Street Station in London
03:45
and what they did was just stop passers-by and offer them chocolate in return for their passwords.
03:52
70% of people said yes, they would reveal their password in exchange for a bar of chocolate,
03:58
but what's really astounding is that 34% of respondents volunteered their password without even needing to be bribed with chocolate.
04:06
Now, of course, this is not a scientific survey. Because, of course, what most people would do is say, Okay, give me the chocolate and they tell you a fake password, not their real one,
04:16
but still, the fact that they didn't just say
04:19
Get out of here, no, I'm not giving you my password.
04:23
That's a bit worrying.
04:28
Phishing refers to trying to obtain a user's information using email,
04:32
so you've seen a couple of examples of that. So there was, what, the first email that tried to get my password,
04:40
and then the second email tried to get me to go to a fake website.
04:44
So very often these are sent out as spam.
04:48
Spam is unsolicited email being sent out randomly to maybe thousands or millions of users.
04:57
Vishing is the same kind of thing, but done by phone. So instead of getting that email asking me for my password,
05:03
I could have received a phone call
05:05
and the phone call might have gone like this.
05:08
Hi, this is the IT department here. We're going to be doing some maintenance tonight, and we need to verify, after the maintenance is complete, that users can still log on. So, Ali, could you let me know your password?
05:20
And if I'm not
05:23
being careful, I might just reply to it and give him the password, because apparently it's somebody from the IT department that's calling.
05:33
Spear phishing relies on targeting particular users,
05:39
for example, staff in your finance department.
05:43
Now that requires having some prior knowledge of the company, so this often involves earlier reconnaissance.
05:48
But once I've figured out
05:50
somebody who works in the Finance Department, I could send them an email.
05:56
And then I could attach to that email
05:58
something that
05:59
they wouldn't think is unusual.
06:00
Say this email is a receipt or an invoice
06:04
with a little link that says, Download the receipt or download the invoice.
06:09
So because that's the kind of email they expect to get,
06:13
they're caught off guard and they click on the link. And the moment they do that, malicious software is downloaded to their system.
06:21
And to take that one step further, we have whaling.
06:25
Whaling refers to targeting high value individuals such as your CEO or your chief financial officer.
06:32
That again requires some reconnaissance, having figured out who these people are and then sending the emails to them.
06:43
So that brings us to spam. Spam generally is just unsolicited email, often sent out randomly.
06:51
Sometimes it just contains advertisements, and it's not malicious.
06:57
But sometimes it is malicious: it contains malicious attachments, or it contains links that, when you click on them,
07:04
download malicious software or take you to fake websites.
07:10
Spam can be blocked at the perimeter of the network,
07:14
meaning at the point where your network connects to the Internet.
07:16
You can have appliances such as those made by Barracuda that monitor all your incoming email,
07:25
and they look for spam and block that,
07:27
and they also look for malicious attachments or malicious links within an email,
07:32
so that could be one layer of security.
07:35
But then all the email that gets past that appliance gets delivered to your mail server,
07:42
so you can also do checking at the mail server
07:45
and then when users download their email from the mail server.
07:48
Their own email application might also check for spam and try and block it.
07:55
So there's again that concept of multi layered security.
08:01
Users should be educated to never open unsolicited emails and, if they do, never click on any links inside them or download any attachments.