International Air Force Semester

2020-1-EL01-KA203-079068

Cyber Warfare
Syndicate Work – Social Engineering
Panagiotis Karampelas
Hellenic Air Force Academy
Learning Objectives

• To understand the basic steps of a social engineering attack
• To become familiar with the attacking methods
• To learn how to use tools for social engineering attacks
• To recognize a phishing email
Contents
01 Social Engineering
02 The Steps
03 Attacking Methods
04 The Tools
05 Phishing vs. Spear Phishing
06 The Anatomy of a Phishing E-mail
07 First Assignment
Social Engineering
What is Social Engineering?

“Social engineering is the art or better yet, science, of skillfully maneuvering human beings to take action in some aspect of their lives that may or may not be in their best interest”
Christopher J. Hadnagy
Introduction

• Social engineering targets humans rather than computing devices
• The attacker attempts to gain a person’s trust or to put the person in a position where they involuntarily reveal sensitive information
• It is also known as “people hacking”
Introduction

• In order for a social engineering attack to be successful, the attacker should
▪ prepare the attack meticulously in order to understand how the target, whether an individual or a company, operates in everyday life
▪ select the most appropriate tactic to carry out the attack
Social Engineering Goals

• Getting sensitive company or personal data
• Getting physical access to a location or assets
• Getting electronic access to a system
Facts About Social Engineering

• Everyone is a potential target!
• It’s often easier for cybercriminals to manipulate a human than a computer network or system
• Social engineering attacks can be relatively low-tech, low-cost, and easy to execute
Is it easy to hack people?
Jimmy Kimmel Live
Basic Steps to perform a Social Engineering Attack
Steps to Success
(Figure: the steps shown as a staircase, from the bottom step to the top)
1. Reconnaissance
2. Building Trust
3. Advancing Relationship
4. Social Engineering Attack
5. Success
Basic Steps of the Attack
Reconnaissance
• This step is common to all attacking tactics, since it entails the collection of information about the victim organization or individual.
• In social engineering, attackers use several methods of particular interest to collect this information.
Basic Steps of the Attack
Building Trust
• The next step is to build trust with the victim
• This is a very difficult process since it entails
▪ personal communication with the victim
▪ a very good pretext to start talking about sensitive information such as personal or professional information
• This is a rather complicated step and sometimes requires an innate talent for the attacker to establish a connection with the victim without the victim suspecting anything
Basic Steps of the Attack
Advancing Relationship
• Develop a closer relationship with the victim
▪ by flattering the victim for a quality that is appreciated
▪ then asking whether they could collaborate again
• The relationship can progressively evolve to further levels
• It allows the direct request of specific information
Basic Steps of the Attack
Social Engineering Attack
• The implementation of the attack mainly depends on
▪ the information collected in the previous steps
▪ the talent of the attacker and
▪ the planning of the attack.
• At every stage the attacker should be very resourceful in order to have better chances with the attack, since the attack may evolve differently than planned
Attacking Methods
Direct requests
• Social engineers may contact their targets directly by
▪ pretending to be someone else
▪ attempting to put some pressure on them by creating a rather urgent situation in order to get access to a location or extract important information
A volunteer is wanted to make a delivery
Delivery of goods/courier/salesperson
Direct requests
• By pretending to be a courier or salesperson it is easy to access the physical location of the victim to
▪ collect useful information
▪ gain his/her trust
A volunteer is wanted to search a recycle bin
Findings
Dumpster diving
Direct requests
• Collecting information from the garbage thrown away by the victim
• Recycle bins are extremely helpful to the attacker since papers and other useful objects are usually thrown away intact
Attacking Methods
Direct requests
• Tailgating – The attacker
▪ follows the victim during a day in order to see his/her routine
▪ follows an authorized person into a building, basically riding on their coattails
Tailgating
Catch me if you can: The story of Frank William Abagnale Jr.
A volunteer is wanted to make a video – Bring your phone with you
Attacking Methods
Direct requests
• Shoulder surfing
▪ It is a classic no-tech attack that’s been around about as long as shoulders themselves.
▪ The attacker records information by watching over the victim’s shoulder, behind the victim’s back.
Attacking Methods
Forced situation
• The social engineer puts a lot of pressure on a person in order to
▪ get the information needed for the subsequent hacking
▪ get access to a physical location for collecting information
Forced situation
Sneakers (1992) with Robert Redford
Attacking Methods
Personal persuasion
• This tactic requires more time than the previous tactics
• It entails a systematic approach to gain the trust of the victim and then convince him or her to provide the attacker with
▪ valuable information regarding the network of the company or
▪ his/her user credentials in order to carry out the attack
Social Engineering Tools
Tools Used in Social Engineering
Emails
• The attackers impersonate legitimate businesses so that the recipients open the email
• The content of the email is usually urgent or demanding, pushing the recipient to take immediate action and follow the link
• The linked page most of the time requests personal information such as PINs, user credentials, identification numbers, date of birth, etc.
Tools Used in Social Engineering
Emails
• Alternatively, the emails contain infected documents as attachments
• The recipients download and open the infected documents
• Thus they give the attackers access to their computer systems
Phishing email
A volunteer is needed to demonstrate his/her Facebook account
Tools Used in Social Engineering
Web applications
• Another computerized tool is fake web applications
▪ A fake login page is set up on a server
▪ It records the unsuspecting user’s credentials and then redirects the user to the legitimate page
▪ The fake login page is constructed in such a way that it is identical to the original service, and thus it is very hard for the user to recognize the scam
Tools Used in Social Engineering
Password profilers
• The attackers use specific techniques and existing dictionaries to produce potential passwords for a specific user
▪ they provide the first and last name of the victim, the date of birth, the names of the family members, the pet’s name and any other personal information
• The tools automatically produce some thousands of potential passwords
▪ An example of such a password for a user who is called Anita and whose year of birth is 2002 can be an1t@2oo2 or anita_2OO2.
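The defensive counterpart of a password profiler is a registration-time check that refuses passwords built from the user’s own details. The example below is added here and is not from the lecture: it undoes the same look-alike substitutions the profilers apply (1 for i, @ for a, o for 0, and so on) before comparing, so that both passwords given for Anita above are rejected. The profile, the substitution table and the function names are assumptions made for the example.

```python
"""Refuse passwords built from the user's own personal details."""
import re

# Look-alike substitutions that password profilers apply. Mapping every
# variant to one canonical symbol makes "2002", "2oo2" and "2OO2" compare
# equal once both the password and the personal data are normalised.
LOOKALIKE = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
             "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Constructed sample profile for the example; not a real person.
PROFILE = {"first_name": "Anita", "last_name": "Smith",
           "date_of_birth": "2002-05-17", "pet_name": "Rex"}


def normalise(text: str) -> str:
    """Lower-case, undo look-alike substitutions and drop separators."""
    return "".join(LOOKALIKE.get(c, c) for c in text.lower()
                   if c.isalnum() or c in LOOKALIKE)


def profile_tokens(profile: dict) -> dict:
    """Map each normalised personal token to its original spelling.

    Values are split on separators, so "2002-05-17" contributes the year;
    fragments shorter than three characters are ignored to limit noise.
    """
    tokens = {}
    for value in profile.values():
        for part in re.split(r"[^A-Za-z0-9]+", str(value)):
            if len(part) >= 3:
                tokens[normalise(part)] = part
    return tokens


def derived_from_profile(password: str, profile: dict) -> list:
    """Return the personal details found inside the password (original
    spelling, sorted). The reversed password is checked too, because
    profilers generate reversed names as well. An empty list means it passes."""
    norm = normalise(password)
    tokens = profile_tokens(profile)
    return [tokens[t] for t in sorted(tokens) if t in norm or t in norm[::-1]]


if __name__ == "__main__":
    for candidate in ("an1t@2oo2", "anita_2OO2", "xeR-2002", "Tr0ub4dor&3"):
        hits = derived_from_profile(candidate, PROFILE)
        print(f"{candidate:12} -> {'REJECT ' + str(hits) if hits else 'ok'}")
```

The check only catches passwords derived from the profile it is given; it complements, rather than replaces, length and breached-password checks.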
Tools Used in Social Engineering
Telephone tools
• Using a Voice over IP phone, it is possible to change the caller ID number programmatically and mimic a phone number that is familiar to the target of the attack
• Then, the attackers can easily trick the victim into providing them with sensitive personal data that can be used to perform a financial transaction
Phishing - Spear Phishing
Phishing statistics

• The number one type of social engineering attack is phishing
• 75% of companies worldwide were victims of phishing in 2020
• With 241,342 successful incidents, phishing was the most common cybercrime in 2020 in the US.
• 96% of phishing attacks use email
• 45% of employees click emails they consider to be suspicious “just in case it’s important.”
Phishing

• A type of attack often used to steal user data, including login credentials, personally identifiable information or credit card numbers
• It occurs when an attacker poses as a trusted entity and dupes a victim into opening an email or instant message (SMS)
Spear Phishing

• Similar to phishing
• Spear phishing is an email or electronic
communications scam targeted towards a specific
individual, organization or business
Phishing forms

• Nigerian (advance fee or identity theft variants)
• Financial/Payment services
• Social media
• High-profile event exploitation
• Operating systems
• Streaming platforms
Examples: Nigerian scam; Streaming platform
Level one phishing
How can we recognize it?

• Impersonal greeting and closing
• Misspellings/bad grammar
• Easy message/improbable pretext (for example, “you've inherited millions”)
• Appeals to sense of greed, fear, or curiosity
• Bad links in body
• Bad origin e-mail address/unknown sender
Examples (Level 1)
Level two phishing
How can we recognize it?

• Impersonal greeting and closing
• Spelled properly with some bad grammar
• Messaging more complex but still basic
• Appeals to sense of greed, fear, or curiosity
• Bad links in body
• Bad origin e-mail address/unknown sender
Examples (Level 2)
Level three phishing
How can we recognize it?

• Personalized greeting and closing
• Spelled properly
• Generally good grammar
• Complex message that appeals to a sense of fear or curiosity
• Bad links in body
• Sometimes a bad origin e-mail address, but sender can appear legitimate
• Branding in many cases
Examples (Level 3)
Level four phishing (spear)
How can we recognize it? Most of the time we can’t

• This level is very advanced, very personal, and, many times, very successful
• What's interesting about a level four or spear phish is that it may contain personalization, branding, no spelling errors, and the like
• But it may also be the simplest e-mail on earth
▪ E.g., “Please review the attached file. Thanks”
• To make the email appear more authentic, attackers gather information about potential targets from various sources such as social networking sites, blogs, and forums
Examples (Level 4)
The anatomy of a phishing email
How to recognize a phishing email

1. Sense of urgency in the subject
2. Fake email address (usually a different order of letters)
3. There is no name or the addressing is impersonal
4. Grammar mistakes in the body of the email
5. Presented link is different from the real link
6. Threat in the content to urge a reaction
7. Impersonal signature
8. Logos are usually wrong
9. Attachments are .zip or .iso files
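Several of these indicators can be checked mechanically. The checker below is added here as an example, not part of the lecture or of the referenced sources: it tests a raw message for indicators 1, 3, 5 and 9 of the list above (which also cover the “impersonal greeting” and “bad links in body” cues from the phishing levels) and builds a constructed sample mail to run against. The keyword lists, the sample addresses and the function names are assumptions made for the example.

```python
"""Check a raw email for phishing indicators 1, 3, 5 and 9 of the list above."""
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

URGENT = re.compile(r"\b(urgent|immediately|suspended|action required)\b", re.I)
IMPERSONAL = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|member|account holder)\b", re.I | re.M)
DOMAINISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # toy HTML parsing
RISKY_EXT = (".zip", ".iso")


def phishing_indicators(raw: str) -> list:
    """Return the numbers of the indicators found in a raw RFC 5322 message."""
    msg, found = message_from_string(raw), set()
    if URGENT.search(msg.get("Subject", "")):
        found.add(1)                                   # 1: urgency in the subject
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            found.add(9)                               # 9: .zip / .iso attachment
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(errors="replace")
        if IMPERSONAL.search(re.sub(r"<[^>]+>", " ", body)):
            found.add(3)                               # 3: impersonal greeting
        for href, label in ANCHOR.findall(body):
            shown = DOMAINISH.match(re.sub(r"<[^>]+>", "", label).strip())
            if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
                found.add(5)                           # 5: shown link differs from real link
    return sorted(found)


def sample_message(suspicious: bool = True) -> str:
    """Constructed sample (not a real mail); suspicious=False gives a benign variant."""
    m = EmailMessage()
    m["From"] = "Account Team <statements@examplebank.example>"
    m["To"] = "student@example.org"
    m["Subject"] = "URGENT: account suspended" if suspicious else "Your monthly statement"
    greeting = "Dear Customer" if suspicious else "Dear Anita"
    m.set_content(f"{greeting},\nPlease review your account.")
    shown = "www.examplebank.example"                  # host the reader sees in the link text
    href = "http://login.examplebank-verify.example" if suspicious else "http://" + shown
    m.add_alternative(f'<p>{greeting},</p><p>Open <a href="{href}/">{shown}</a>.</p>', subtype="html")
    if suspicious:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_string()
```

Running `phishing_indicators(sample_message())` on the constructed mail reports indicators 1, 3, 5 and 9, while the benign variant reports none; indicators that need human judgement (wrong logos, the sender’s identity) stay out of scope.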
It’s time for your first mission
Please scan this QR-Code to complete the First Assignment or type in the link (15 min)
Cyber Warfare – Thursday 3-Nov-2022
https://forms.gle/D9qdZpk3bN3tWBdG9
Questions?
References

• Hadnagy, C., & Fincher, M. (2015). Phishing dark waters: The offensive and defensive sides of malicious emails. John Wiley & Sons.
• Sonowal, G. (2022). Phishing and communication channels.
• Sobers, R. (2018). The anatomy of a phishing email. Retrieved from https://www.varonis.com/blog/spot-phishing-scam
Syndicate Work: Social Engineering
3 November 2022

The European Commission support for the production of this publication does not
constitute an endorsement of the contents which reflects the views only of the
authors, and the Commission cannot be held responsible for any use which may be
made of the information contained therein.