Hey, everyone, welcome back to the course. So in the last video we talked about who I am as your instructor. We also talked about some of the objectives of this course, as well as some information about how the course is structured.
Now, in this video, we're gonna go over a brief introduction to social engineering, and then we'll move into our labs.
So what is social engineering? Well, you can read it there on the screen, but basically the goal here is to deceive individuals so that we can get information out of them.
So how do we do that? Well, generally speaking, we'll research the target company, or we'll research the victim. But in most cases, as a penetration tester or ethical hacker, we're gonna be going against the company. So you research the target company, you select a particular victim or grouping of victims, and then you establish some kind of a relationship. So maybe that's connecting with them on different social media channels like LinkedIn or Facebook, or even going to a local coffee shop where we know they go and trying to strike up a conversation. And then our ultimate goal is to exploit that relationship. So the goal there is to try to get maybe something like user credentials or sensitive information about the company, maybe some of the systems that they're using, maybe even information about financial stuff. So maybe we could figure out how they're doing specific transactions in the company, and that will allow us to then craft a phishing email that we send off to get somebody to wire us a bunch of money.
So when we talk about social engineering, it's called a human-based type of attack, and these are some of the common ways, or some of the common methods, to get somebody to actually do something. So with authority, for example, we have someone in a position of authority. So maybe you call up and you say, "Hey, it's the FBI, we're gonna arrest you," or, "It's the IRS, we're gonna arrest you if you don't give us this information." But more than likely an attacker would use something like, "Hey, it's IT help desk," or, "Hey, it's Joe Schmo, the VP of whatever, and I need this money wired quickly." It might also even be a mid-level manager type of person, like Bill Lumbergh, who's pictured here from Office Space.
So there are a lot of different ways you can do this, but generally speaking it's someone in a position of authority. Now, what happens with most people is they're scared of management. And I guess "scared" isn't the appropriate word to use, but they're concerned about management. So when management calls, they're trying to please, right? You're trying to be a people pleaser.
So this is why this works so well. People are like, "Oh, well, this is somebody with authority, they're telling me what to do." And we're conditioned as children all the way through adulthood to listen to somebody in a position of authority. So we're more likely to take action and say, "Oh, well, let me hurry and wire this money," or, "Let me hurry and give you my username and password," whatever the case might be. So that's why it's important, as we'll talk about later, to develop a security awareness program for your employees.
Liking, or being likable. You know, of course, all of us like Oprah, right? So if somebody's not likable, are you really gonna listen? Say you're the victim in this situation and I'm the penetration tester, right? And I come in and you interact with me, and I'm grouchy and complaining. Are you really gonna want to keep talking to me? Of course not, right? But what about if I'm kind of bubbly and happy, like we're joking around, having a good time? You're more likely to actually divulge information to me. So that's why you want to be likable. If you're a pen tester, you want to make sure that you're likable, that you're able to adapt to different personality types. That way, as you're interacting with different people in an organization, you can model yourself to whatever behavior they have, and then from there, exploit that.
Reciprocation. So I mentioned here giving a gift. Now, one common method that's used is, let's say that I call up and I pretend I'm with IT help desk, and I say, "Hey, you know, Sally, we've had a lot of viruses coming onto the systems lately. I just want to walk you through doing some things to prevent against that." Or even something as simple as, "Hey, I'm calling from the help desk, and I just want to make sure your computer's running as fast as possible." And that opens it up for the user to then say, "It's been pretty slow lately." So you say, "Okay, well, let's run a couple of things and let's try to clear up some things so it runs a little faster." So you show them basic stuff, like defragging the disk or whatever, or running CCleaner if it's Windows. And so you do that, and, "Hey, oh yes, it's running a little faster now." Okay, great.
"Oh, by the way, we have this new piece of software. We want to test out this new application. Do you mind just downloading the latest version of it and just testing it out? Now that I know your computer's running faster, and it seems like you're kind of tech savvy because I walked you through the steps and you were able to follow them, which is a great thing, that's a really great job. If you don't mind, just download and install this, and while I'm on the phone, just run through it and tell me what you think of this upgraded version."
A lot of times, people will actually fall for that and do that. They'll actually download whatever software you want them to download, and then they'll go ahead and use it. And from there you can take control of their system.
Consistency. So let's say you're a new employee, and you've said, "All right, I'm gonna go ahead and follow along with these policies." And let's say I call you up and say, "Hey, I'm with the IT help desk, and I just want to make sure that you're gonna follow these specific security policies and procedures as part of using the information systems in the company." And, of course, you're new. You don't know who I am, right? So you assume that it's legitimate, and you say, "Yeah, of course, I'm gonna follow that stuff." I say, "Great. All right, well, all I want to do is make sure that you're complying with the password policy, and that way I can give you recommendations if I don't feel like it's strong enough." And so you tell me your password over the phone, and I say, "Okay, great. But moving forward, what you probably want to do with your password is follow this type of criteria. It's a little more advanced than what you're currently using, and even than what we have in the policy, but it would be the best thing to do." What I'm doing there, as the attacker, is trying to get you to structure your password the way I want you to. That way I can hopefully guess it a little easier. Now, of course, I have already gotten the password that you're using right now, but I may want to exploit you later on. Maybe I know the company makes users update their passwords every 30 days. So I'm gonna wait 30 days, and then I'm gonna try to figure out what your password is based off what your old one was and the new criteria I've given you, because I'm gonna assume, hopefully at least, that you followed that criteria to develop your new password.
Social validation. So if I call you up and, for example, I say, "Hey, I'm conducting a survey for HR, and these five other people in your department have already done it," or, "These five people that I know you know have already done the survey. They've already cooperated." Then, "Can you go ahead and just do the survey? It's only five questions. You mind doing that?" And then what I could do there is potentially have questions that help me draw out information about, say, your username or your password.
Scarcity. This one's a great thing that marketers use when they're trying to sell you stuff. So, for example, you get emails from someplace. Let's say you buy suits; you get an email from the suit place and they say, "Oh, right now it's 20% off," or whatever. Now, if you actually look at the prices, realistically they're usually around the same price. But they might try to trick you and say, "Oh, yeah, it's 20% off, it's only this price." If you're not mindful of prices, you're like, "Oh, I gotta hurry and get this, it's only for 24 more hours." We're doing the same thing here with social engineering attacks, right? So you'll see a lot of phishing emails will say, "Hurry, you gotta send me the money quickly," or, "Quick, click this link and update your password in the next 24 hours because your account's been compromised." Whatever the case might be, the goal here is to create urgency so somebody doesn't think through that, hey, this might be an actual attack.
As I mentioned, a security awareness program. So some of the key things you want to include there are how attackers actually perform these attacks. The best thing to do is show your employees examples. So, for example, if I want to talk about password security, I'll show them an example of cracking a simple password with John the Ripper or some other equivalent tool.
Procedures: make sure they understand the security procedures to follow in the event that they think there's a phishing attack going on, or some kind of social engineering attack. So do they call the manager? Do they call somebody else? Do they call IT to verify things?
Data classification: if you have different classification systems in place, for example for working with classified information or even just certain sensitive data in a private company, we want to make sure that we communicate out to employees so they know if there's an extra step they need to take before divulging that information.
Security policies: again, we want to make sure employees are aware of any security policies in place, and explain those policies to them in terms they can understand.
And obligation: a lot of times employees won't understand their obligation to the organization for security. So just make sure you communicate that effectively. Put up signs and that sort of stuff to say, "Look, you need to maintain compliance with this because these are the reasons, and if you don't, here are the consequences."
All right, so just a quick post-assessment question here. John is a new employee. He receives a call from Sally, who is claiming to be with IT help desk. Sally states that there's been a ransomware attack at the company and she needs to just walk John through some steps to prevent against the attack on his particular computer.
What should John do first? So, should he just comply automatically with Sally's request and follow her instructions? Should he ask for a callback number and then call back to that number to verify this is the help desk? Should he call the help desk number he got during his orientation to verify Sally's actually an employee with them? Or should he just hang up the phone?
If you guessed answer C here, that's actually the best answer to do first. Now, as far as trying to get information about the attacker, I actually had a situation years ago where it was a social engineering type of attack, or a scam, if you will. They called me up and said, "Oh, you owe money to" some company that I'd never heard of, "and you've got to send me this money." And so I just played along to get information, because I was gonna file a case with the FBI. So I played along, and I got a lot of information. They sent me a bunch of stuff like bank account information and that sort of stuff. So I flipped the tables on them there. And of course, I reported it to the FBI. I don't know what came of that. Hopefully something good.
All right, so in this video we just talked about social engineering at kind of a high level, and in the next few videos we're gonna jump into our labs.
We will explore some fake social media profiles, craft our very own phishing email and malicious payload using the Social Engineering Toolkit (SET) in Kali Linux, and play the “victim” by opening the malicious file.
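As an added illustration (not part of the course or its SET lab), here is a small Python triage helper that checks a message or call summary for the persuasion cues covered in this video and returns the first step the post-assessment recommends. The cue phrases, the sensitive-action patterns and the two sample messages are constructed for this example; "liking" is left out because it shows in tone rather than wording.

```python
import re

# Cue phrases for five of the six principles from the lecture. All phrases
# and the sample messages below are constructed for this example.
CUES = {
    "authority": [r"\bIT help ?desk\b", r"\bFBI\b", r"\bIRS\b", r"\bVP\b", r"\bCEO\b"],
    "reciprocation": [r"\brun(ning)? faster\b", r"\bfree\b", r"\bgift\b"],
    "consistency": [r"\bcomply(ing)?\b", r"\bpolicy\b", r"\bcriteria\b"],
    "social_validation": [r"\balready (done|cooperated|completed)\b", r"\bother people\b"],
    "scarcity": [r"\b(hurry|quick|quickly|immediately|urgent)\b", r"\bnext \d+ hours\b"],
}
# Requests that should never be fulfilled on an unverified call or email.
SENSITIVE = [r"\bpassword\b", r"\bwire\b", r"\b(download|install)", r"\bbank account\b"]

def score_request(text):
    """Return (sorted list of cue names found, whether a sensitive action is requested)."""
    found = sorted(name for name, pats in CUES.items()
                   if any(re.search(p, text, re.I) for p in pats))
    asks = any(re.search(p, text, re.I) for p in SENSITIVE)
    return found, asks

def recommended_action(text):
    """Map the score to the first step the post-assessment teaches."""
    cues, asks = score_request(text)
    if asks and cues:
        return "verify the caller through a number you already have (e.g. from orientation) before doing anything"
    if cues:
        return "persuasion cues present; confirm through a known channel"
    return "no persuasion cues detected"

# Constructed samples: the post-assessment scenario and a marketing email.
MSG_RANSOMWARE = ("Hi John, this is Sally from IT help desk. There's been a ransomware "
                  "attack and I need to walk you through installing a fix quickly.")
MSG_SALE = "Suits are 20% off this weekend, but only for the next 24 hours!"

if __name__ == "__main__":
    for msg in (MSG_RANSOMWARE, MSG_SALE):
        print(score_request(msg), "->", recommended_action(msg))
```

The marketing sample shows that urgency alone is not proof of an attack; it is the combination of a persuasion cue with a request for a sensitive action that should trigger verification.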