Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lesson, Subject Matter Expert Dean Pompilio discusses social engineering techniques that are used to manipulate people into giving out sensitive information or performing in certain ways that allow attackers to be more successful with less effort when hacking computers or stealing information. This lesson covers the following techniques:

  • Dumpster diving
  • Impersonation
  • Shoulder surfing
  • Making malicious copies of legitimate Web sites
  • Phishing
  • Making a malicious copy of an Interactive Voice Response (IVR) system
  • Baiting
  • Quid pro quo
  • Tailgating (also known as Piggybacking)

You will learn where you can legally dumpster dive, how effective impersonation can be, where shoulder surfing can be done, and how malicious copies of Web sites or IVRs can be used to obtain sensitive information. SME Pompilio discusses the differences between phishing, spear phishing, and whaling, and how baiting is done with USB flash drives infected with malware that runs with the autorun or autoplay function when the flash drive is inserted into a victim's computer. This lesson covers the techniques of quid pro quo, where the attacker convinces the victim that they are each doing a favor for the other person, and tailgating, which is also known as piggybacking. An attacker uses tailgating to enter a building by surreptitiously joining a group that has legitimate entry to the building. This technique also can be carried out by dressing as a technician or delivery person to gain entrance or by impersonating someone who genuinely works in the building.

Video Transcription

00:04
Okay, so now let's talk about some social engineering techniques
00:08
already mentioned Dumpster diving. This is a time honored technique,
00:13
and it involves some different methods.
00:17
One not that is to just
00:19
try to stake out the area, try to sneak in and dig through the trash. In the U.S. this is considered legal; in many European countries it is actually illegal to do this.
00:30
So make sure you understand
00:32
the laws as it relates to your social engineering engagement. But Dumpster diving might be done through a different method, maybe through an impersonation method
00:40
where the engineer dresses
00:42
as if they work for the waste removal company,
00:46
and this gives them the pretext. And the, uh, the persona
00:52
that they've developed
00:53
gives them a chance to use that to try to get maybe behind the gates to go look at the dumpster that's in a secured area
00:59
that might be possible.
01:02
And there are lots of different techniques you can use to get to that point. We're going to attempt that level of
01:07
impersonation. Impersonation could also apply to any other thing
01:11
social engineers might impersonate an HVAC technician
01:17
so they could try to get into the data center. Go look at the heating, the ventilation system
01:21
that might also work.
01:23
Really, a lot of it depends on how you're dressed, how you carry yourself, the language that you use and, if necessary, maybe even identification that gets produced just for this purpose.
01:34
Shoulder surfing is another social engineering technique.
01:38
This is an identity theft technique as well.
01:41
We all have
01:42
phones, right. We all have video cameras in our pockets, so it's very simple to stand behind somebody and make it look like you're texting on your phone. But really, you're recording what they're doing.
01:55
This happens at airports, coffee shops, bars, restaurants, standing along at the grocery store. Anybody could be recording at any time for whatever purpose they have. And most people around them have no idea that that's happening unless they happen to glance at the screen and see the fact that it's being used to record.
02:15
So that could be a great technique to get information which the social engineer could review later
02:21
to get more clues or to get information about watching someone log into their banking website, recording that information. That's a possibility.
02:30
I mentioned trying to harvest credentials, so making copies of websites
02:36
is a fantastic trick in the bag of the social engineer.
02:40
They want to trick you into going to your banking website, your credit card website,
02:46
some website that's useful to them to get your credentials.
02:50
Generally, the way that works is they make the copy.
02:53
They send you malware which infects your computer, maybe changes your DNS settings to point you to that website, or you click a link because it looks like it comes from your bank and you're in a hurry. Maybe you click the link. You get what looks like your banking website. You type in your password and your login. It doesn't work
03:12
almost always if it doesn't work the first time.
03:15
That's what the malicious copy of the website will do. It'll capture that information when you try the second time and actually send you to the real website, that way you don't become too suspicious.
03:27
So there are some some nuances to these techniques that can make or break your success factor,
03:34
and we talk about another common technique of a social engineer. I mentioned this a little bit earlier. This is phishing.
03:40
So with a phishing email, maybe you're trying to get someone to click that link to a copy of the website
03:46
you. In order to do this properly, you must have a very professional looking email. If you can capture examples of legitimate email from that target organization, and you can make your email look just like theirs,
04:01
trying to make sure you don't have any spelling errors, no grammatical errors, no punctuation errors, making sure the logos look correct, making sure the color scheme looks correct. These are all very critical factors in making that phishing email appear to be legitimate
04:17
email might have a malicious attachment, or it could have a malicious link.
04:23
You could make the link say one thing, and it actually goes somewhere else is obviously a feature of HTML,
04:30
but it can be exploited by the hacker or the social engineer, too,
04:33
to trick someone into doing something that they might not normally do.
04:38
As I mentioned before, spear phishing is going after one individual and whaling is going after an individual that's very highly placed, like the president or CEO of an organization, or maybe a politician or someone else in a position of power that is a desirable target for the social engineer. Another interesting technique is to try to build
04:58
interactive
05:00
voice response system.
05:01
I normally refer to these as, ah, voice menu systems. We're all familiar with them. You call an organization
05:10
and you have to pick from different choices using the keypad of your phone.
05:15
I personally find these voice menu systems very annoying. I'd much rather talk to a person,
05:19
but they serve their purpose, that they're cheaper to implement than,
05:24
ah, staffing help desks,
05:27
and it also gives a social engineer an interesting technique. They could create a voice menu system using these interactive voice response tools
05:39
that mimics the organization,
05:41
trying to get the target to call into this system, to try to follow the menus, trying to get them to reveal information may be there.
05:47
Maybe you capture their phone number. Maybe you capture their social Security number or a driver's license number or an account number
05:55
that all might be elicited through the use of this IVR.
05:59
By carefully crafting the questions, making it sound professional
06:02
and so on. It's an interesting idea. It's one of dozens you might be able to try.
06:08
Just I'm just throwing it out there as an interesting choice. I mentioned using USB drives with malware on, and this is called baiting
06:15
right. You drop the bait, hoping that any number of victims might pick up that bait and stick it into their computer, especially if people are curious. They will read the label
06:27
and, oh, this looks like something I'd want to know about. I'm just dying to find out what's on this thumb drive, so they might put it into a computer.
06:33
And maybe that computer becomes part of a botnet or gets a rootkit installed. Maybe some back doors get installed.
06:41
Now the attacker gets alerted that this malware installation has successfully completed,
06:46
and they can go to work trying to get access to that system.
06:49
The social engineer now has a way in to the organization, perhaps
06:55
as well as maybe perhaps being able to capture some credentials from that target.
07:00
It's definitely possible.
07:01
We also have the idea of quid pro quo. This means I do a favor for you. You do a favor for me
07:08
quite often. This involves the help desk
07:11
the person that calls the help desk wants a favor. Please help me reset my password is the classic example. If you do this, I'll tell your boss you did a great job, I'll make a recommendation for you. Or it could go in a different direction where
07:25
the attacker offers something up front, hoping to get the information or some action taken by their target.
07:32
You know I will. I'll give you some free software. That's that's useful for you to do your job. If you tell me you know where you work and tell me a little bit about what you do there
07:45
that could just look like a telemarketing attempt. Or maybe someone's doing this in person. The idea is that people like to do deals with each other. It's part of how we're wired as well. I do you a favor. You do me a favor, I scratch your back. You scratch mine
08:00
that human behavior that human nature could be exploited by the social engineer to get more details about their
08:07
their target or to help their social engineering pen test move further along to the next steps.
08:13
We're about tailgating
08:15
or piggybacking, they're kind of the same thing. The idea here is that the engineer's trying to get into a facility, trying to get into an office, trying to get into a warehouse,
08:24
trying to get into the area where the dumpster's kept, perhaps
08:28
tailgating basically means you're trying to walk behind somebody else who has permission to be there. So they open the door, and then you just kind of walk in behind them before the door closes. Or maybe you catch the door before it closes,
08:41
and you might be able to gain access that way.
08:45
This isn't always going to work. In many organizations, especially ones that I've worked for,
08:50
each individual person must swipe their badge. There's no exceptions made. There's a guard standing there watching you,
08:56
but in some cases there might not be a guard.
08:58
A good example of tailgating would be people that want to get into a building. They might just wander around looking for people that are outside smoking.
09:07
Maybe there's an entrance off the side of the building where the smokers go
09:09
so they might go hang out with the smokers. Maybe they offer some cigarettes in order to be part of the group. Or maybe they bum a cigarette in order to be part of the group. Either way,
09:18
they might appear as if they belong there. So when people start to go back into the building, they just walk in with them.
09:26
People that are not paying attention might not notice. Hey, that guy doesn't have a badge. Who are you? Why are you here?
09:31
If it's a really large organization, they might just say, Well, that someone I've never seen before. But obviously they work here. Why would they be hanging out by this door anyway?
09:39
That could be the case. Another tailgating technique involves
09:43
trying to dress up as a technician of some sort. I mentioned an HVAC technician, or maybe an electrician, something of that nature. And you walk up to the door
09:54
carrying some heavy bags or a heavy box
09:56
and hoping that you get the timing right so that as you approach the door, someone is going in right before you.
10:01
The idea is that that person wants to be helpful. That's Oh, hey, let me hold the door open for you.
10:07
You know that that way you don't have to set down your heavy box. Open the door, try to hold it open with your foot and then pick up your box again.
10:15
That's a great way to try to gain access to a building where you don't belong.
10:18
It could also be that there's a known identity of someone that works there. This goes back to the impersonation idea
10:26
that's a little bit risky if people know what that person looks like, or if your badge doesn't look to be accurately created, then those techniques may backfire. And, of course, you have to remember that
10:37
if you're doing a social engineering audit, you have permission, so
10:41
you need to operate within the scope of that audit.

Up Next

Social Engineering and Manipulation

In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor