
NEXUS EDUCATION SERVICES

📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net

This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines

Social Engineering

What is Social Engineering?

Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into letting them access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it
is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their
password than it is for you to try hacking their password (unless the password is really weak).

Security is all about knowing who and what to trust. It is important to know when and when not to take a person at
their word and when the person you are communicating with is who they say they are. The same is true of online
interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide
your information?

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.

What Does a Social Engineering Attack Look Like?

Email from a friend

If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list, and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.

Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friends’ social pages, and possibly on the pages of the person’s friends’ friends.

Taking advantage of your trust and curiosity, these messages will:

▪ Contain a link that you just have to check out. Because the link comes from a friend and you’re curious, you’ll trust the link and click, and be infected with malware so the criminal can take over your machine, collect your contacts’ info and deceive them just like you were deceived.

▪ Contain a download of pictures, music, a movie, a document, etc., that has malicious software embedded. If you download it, which you are likely to do since you think it is from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.

Email from another trusted source

Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches.

Using a compelling story or pretext, these messages may:

▪ Urgently ask for your help. Your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, and they tell you how to send the money to the criminal.

▪ Use phishing attempts with a legitimate-seeming background. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.

▪ Ask you to donate to their charitable fundraiser, or some other cause, likely with instructions on how to send the money to the criminal. Preying on kindness and generosity, these phishers ask for aid or support for whatever disaster, political campaign, or charity is momentarily top-of-mind.

▪ Present a problem that requires you to "verify" your information by clicking on the displayed link and providing information in their form. The link location may look very legitimate, with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon, because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.

▪ Notify you that you’re a ’winner.’ Maybe the email claims to be from a lottery, or a dead relative, or says you are the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide your bank routing information so they know how to send it to you, or give your address and phone number so they can send the prize, and you may also be asked to prove who you are, often including your social security number. These are the ’greed phishes’ where, even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied and identity stolen.

▪ Pose as a boss or coworker. It may ask for an update on an important, proprietary project your company is currently working on, for payment information pertaining to a company credit card, or some other inquiry masquerading as day-to-day business.

Baiting scenarios

These social engineering schemes know that if you dangle something people want, many people will take the bait.
These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or
music. But the schemes are also found on social networking sites, malicious websites you find through search results,
and so on.

Or, the scheme may show up as an amazingly great deal on classified sites, auction sites, etc. To allay your suspicion, you can see the seller has a good rating (all planned and crafted ahead of time).

People who take the bait may be infected with malicious software that can generate any number of new exploits
against themselves and their contacts, may lose their money without receiving their purchased item, and, if they
were foolish enough to pay with a check, may find their bank account empty.


What is Phishing?

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing
that the message is something they want or need — a request from their bank, for instance, or a note from someone
in their company — and to click a link or download an attachment.

What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of
some kind, often a real or plausibly real person, or a company the victim might do business with. It's one of the
oldest types of cyberattacks, dating back to the 1990s, and it's still one of the most widespread and pernicious, with
phishing messages and techniques becoming increasingly sophisticated.

"Phish" is pronounced just like it's spelled, which is to say like the word "fish" — the analogy is of an angler throwing
a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers
aiming to trick AOL users into giving up their login information. The "ph" is part of a tradition of whimsical hacker
spelling, and was probably influenced by the term "phreaking," short for "phone phreaking," an early form of hacking
that involved playing sound tones into telephone handsets to get free phone calls.

Credit to source: https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html


Response to a question you never had

Criminals may pretend to be responding to your ’request for help’ from a company while also offering more help.
They pick companies that millions of people use such as a software company or bank. If you don’t use the product
or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good
chance you will respond because you probably do want help with a problem.

For example, even though you know you didn’t originally ask a question, you probably have a problem with your computer’s operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook’s story, given them your trust and opened yourself up for exploitation.

The representative, who is actually a criminal, will need to ’authenticate you’, have you log into ’their system’ or,
have you log into your computer and either give them remote access to your computer so they can ’fix’ it for you,
or tell you the commands so you can fix it yourself with their help–where some of the commands they tell you to
enter will open a way for the criminal to get back into your computer later.

Creating distrust
Some social engineering is all about creating distrust or starting conflicts; these are often carried out by people you know who are angry with you, but it is also done by nasty people just trying to wreak havoc, people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.

This form of social engineering often begins by gaining access to an email account or another communication
account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering,
or simply guessing really weak passwords.

The malicious person may then alter sensitive or private communications (including images and audio) using basic editing techniques and forward these to other people to create drama, distrust, embarrassment, etc. They may make it look like it was accidentally sent, or appear to be letting you know what is ’really’ going on.

Alternatively, they may use the altered material to extort money either from the person they hacked or from the
supposed recipient.

There are literally thousands of variations to social engineering attacks. The only limit to the number of ways they
can socially engineer users through this kind of exploit is the criminal’s imagination. And you may experience
multiple forms of exploits in a single attack. Then the criminal is likely to sell your information to others so they too
can run their exploits against you, your friends, your friends’ friends, and so on as criminals leverage people’s
misplaced trust.

Don’t become a victim


While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign,
there are methods for protecting yourself. Most don't require much more than simply paying attention to the details
in front of you. Keep the following in mind to avoid being phished yourself.

Tips to Remember:
Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.


Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use,
do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone
number.

Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine
to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom,
but a good fake can still steer you wrong.

Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become commonplace. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading.

Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.

Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown
relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
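The tips above can also be applied by a mail gateway or a help-desk triage script. The following is an added example, not part of the Nexus handout, that scores a raw message for the tells just listed: a known executive's name on an outside address, a Reply-To that steers replies elsewhere, urgency wording, link text that does not match the real destination, and executable-style attachments. The organisation domain, executive names and the sample message are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and the
# names an impersonator would borrow for the "boss or coworker" lure.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Wording that pushes the reader to "act first and think later".
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|act now|"
    r"account (?:will be )?suspended|verify your (?:account|information))\b",
    re.I,
)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SCHEME_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".zip", ".iso")


def host_of(url):
    """Return the lowercase host of an absolute URL, or '' if there is none."""
    m = SCHEME_HOST.match(url.strip())
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    # "Pose as a boss or coworker": a known name on an outside address.
    if name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        hits.append(f"display name '{name}' on external domain {from_domain}")

    # A Reply-To that quietly steers the conversation somewhere else.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        hits.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        hits.append("urgency / high-pressure wording")

    # "Don't let a link be in control": visible URL vs. real destination.
    for href, label in ANCHOR.findall(text):
        shown = host_of(re.sub(r"<[^>]+>", "", label))
        if shown and shown != host_of(href):
            hits.append(f"link shows {shown} but goes to {host_of(href)}")

    # "Beware of any download": executable-style attachments.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            hits.append(f"risky attachment {filename}")
    return hits


# Constructed sample: an impersonation showing several tells at once.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@mail-example.net>
Reply-To: payments@other-host.example
To: staff@example.com
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Verify immediately at
<a href="http://login.example-secure.net/verify">https://login.example.com/verify</a></p>
"""

if __name__ == "__main__":
    print(phishing_indicators(SUSPICIOUS))
```

The sample message trips four of the five checks; an ordinary internal note with no links or attachments returns an empty list.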

Ways to Protect Yourself:


Delete any request for financial information or passwords. If you get asked to reply to a message with personal
information, it’s a scam.

Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide
help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores,
refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or
organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations
on your own to avoid falling for a scam.

Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options, and
set these to high–just remember to check your spam folder periodically to see if legitimate email has been
accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on
the name of your email provider plus the phrase ’spam filters’.

Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your
operating system to automatically update, and if your smartphone doesn’t automatically update, manually update
it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to
alert you to risks.

Webroot's threat database has more than 600 million domains and 27 billion URLs categorized to protect users
against web-based threats. The threat intelligence backing all of our products helps you use the web securely, and
our mobile security solutions offer secure web browsing to prevent successful phishing attacks.

Credit to Source: www.webroot.com


HANDS-ON LAB: Phishing

Lab Objectives:
▪ To protect the company’s network infrastructure from phishing attacks
▪ Detect phishing sites

Lab Duration:
▪ Time: 10 minutes

Lab Environment
▪ You need an internet connection

Lab Tasks
▪ To provide the company with a solution to the phishing problem
▪ To detect social engineering methods

Tools
▪ Netcraft to detect phishing
▪ PhishTank to detect phishing

Why use the Netcraft Extension?

▪ Protect your savings from Phishing attacks.
▪ See the hosting location and Risk Rating of every site you visit (as well as other information).
▪ Help defend the Internet community from fraudsters.
▪ Check if a website supports Perfect Forward Secrecy (PFS).
▪ See if a website is affected by the aftermath of the Heartbleed vulnerability

You can download this from https://toolbar.netcraft.com/

Key features of the Netcraft Extension:

1. Site Reports: Link to a detailed report about the site, helping you to make informed choices about their
integrity.
2. Risk Ratings: We evaluate the characteristics of the site and compare these against those depicted by
fraudulent sites. The result is a simple visual summary displayed on the Extension. A lower risk rating is
better as it indicates lower risk.
3. Additional information about the site at a glance, including:
▪ Country: The country where the site is hosted
▪ First seen: The first Netcraft Web Server Survey this site was seen in
▪ Site rank: The popularity of the site amongst Netcraft extension users.
▪ Host: The name of the organisation hosting the site
▪ PFS: Check if sites using SSL for encryption support Perfect Forward Secrecy (PFS). PFS ensures that if
the private key of the site is compromised - for example by a court order, social engineering, an attack
against the site, or cryptanalysis - your historical encrypted traffic remains safe.
▪ SSLv3: Indicates whether the web server supports SSLv3, which could mean that a downgrade attack is
possible.
4. Report suspected phishing sites: At the click of the button you can report suspected web forgeries to
Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site
submissions, including iPads, backpacks, and mugs.


The Netcraft Extension also:

▪ Traps suspicious URLs containing characters which have no common purpose other than to deceive.
▪ Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop-up windows which attempt to hide the navigational controls (Firefox only).
▪ Clearly displays sites' hosting location, including country, helping you to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).

Credit to Source: https://toolbar.netcraft.com/
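The kind of lexical URL checks the extension list describes can be run on a link before anyone follows it. The following is an added example in Python, not Netcraft's code or the handout's: it flags a user@ prefix, a bare IP host (the same shape as the cloned-site address used in the SET lab later in this handout), punycode or non-ASCII labels, and a watched brand appearing as a subdomain of, embedded in, or a one-character lookalike of the registrable domain. The brand list, the short public-suffix list and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: brands whose customers this organisation wants to protect.
WATCHED_BRANDS = ["barclays", "citibank", "facebook", "paypal"]
# Assumption: a short list of two-part public suffixes stands in for a full
# public-suffix database, so barclays.co.uk counts as one registrable name.
TWO_PART_SUFFIXES = {"co.uk", "com.ph", "com.au", "co.jp"}
# Digit-for-letter substitutions commonly used to forge a lookalike name.
HOMOGLYPHS = str.maketrans("0135", "oles")


def registrable_domain(host):
    """Return the part of the host that someone actually registered."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url):
    """Return the deceptive constructions found in a single URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    warnings = []
    # http://www.paypal.com@203.0.113.5/ : the browser ignores everything
    # before '@', but it is what a hurried reader sees first.
    if parts.username is not None:
        warnings.append("user@ prefix in front of the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
        return warnings  # no domain name to compare against the brands
    except ValueError:
        pass
    if not host.isascii():
        warnings.append("non-ASCII characters in host (possible homoglyphs)")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host (possible homoglyph domain)")
    labels = host.split(".")
    reg = registrable_domain(host)
    owner = reg.split(".")[0]  # the label that names the registrant
    subdomains = labels[: len(labels) - len(reg.split("."))]
    for brand in WATCHED_BRANDS:
        if owner == brand:
            continue  # genuinely the brand's own registrable domain
        if brand in subdomains:
            warnings.append(f"brand {brand} used as a subdomain of {reg}")
        elif brand in owner:
            warnings.append(f"brand {brand} embedded in unrelated domain {reg}")
        elif edit_distance(owner.translate(HOMOGLYPHS), brand) <= 1:
            warnings.append(f"lookalike of {brand}: {reg}")
    return warnings

# Constructed samples; the bare-IP one mirrors the cloned login page in the
# SET lab later in this handout, which is reached by typing an address.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com@203.0.113.5/login",
    "http://192.168.145.130/",
    "https://paypal.com.secure-login.example/verify",
    "https://paypa1.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", url_warnings(sample) or ["no warnings"])
```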

Installation of Netcraft
1. Go to NEXUS-KALI – open a browser – click the open menu from the upper right corner – click Add-ons – click Extensions

2. Under Extensions, type netcraft then press enter

3. The Netcraft extension will appear – double click it – click Add to Firefox – Add – OK
You should now see a letter N icon in the browser

4. Go to www.paypal.com and click Netcraft; you should see a display similar to the following, showing “Risk Rating: 0” and:

▪ Site Report
▪ Country
▪ Site Rank
▪ First Seen
▪ Host/ISP
▪ SSLv3

Detecting a site using PhishTank

1. Go to http://www.phishtank.com/

2. Type any suspicious site used for phishing, then click “Is it a phish?”


Social Engineering Penetration Testing using SET

As a responsible ethical hacker, security engineer or penetration tester, you should be familiar with the tools used to perform penetration testing.

HANDS-ON LAB: Cloning the site

Lab Objectives:
▪ To find out the tools used by attackers to clone a website
▪ To discover how attackers gather usernames and passwords using the credential harvester

Lab Duration:
▪ Time: 30 minutes

Lab Environment
▪ You need an internet connection

Lab Tasks
▪ To provide the company with a solution to the phishing problem
▪ To detect social engineering methods

Tools
▪ SET
▪ Credential harvester
▪ Kali Linux

Step-by-Step Instructions

Step 1. Click Applications - Social Engineering Tools - SET

Step 2. Select 1) Social-Engineering Attacks - press enter

Step 3. Select 2) Website Attack Vectors - press enter

Step 4. Press 3) Credential Harvester Attack Method - press enter

Step 5. Press 2) Site Cloner - press enter

Step 6. Press enter if the IP address of your NEXUS-KALI is 192.168.145.130

Step 7. Press enter to confirm that you have read the message shown

Step 8. Enter the website you want to clone, www.facebook.com, and press enter. You will see the following
message

[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:


Step 9. Once you see the message above, SET starts recording login IDs and passwords.
Go to your desktop, open a browser and type the IP address on which the cloned site is hosted, in this case NEXUS-KALI, so type 192.168.145.130 in your browser. This is the fake Facebook phishing site you just cloned.

Step 10. Enter a fake Facebook login ID test@yahoo.com and password passworko, then click Log In.

Step 11. Go to NEXUS-KALI and press CTRL-C to break; the report file should be exported.

Step 12. Now open a new terminal and type cd /root/.set/reports/ and then ls -altr

Step 13. Open the report XML file in which the login ID and password were saved:
type leafpad '2019-03-17 06:59:06.711525.xml', replacing the sample filename with the exact name of your output file, quotation marks included.

Search in leafpad for the words email and pass and you will see the victim's login ID and password.

Congratulations! You have just captured a login through a cloned Facebook page using social engineering.

Result of penetration testing: by now you should know how attackers gather the usernames and passwords used for phishing.

Question: As a Nexus Ethical Hacker what should you do to protect your company from Phishing?
