Countermeasures
INF 203
Content
• Social Engineering
• Key Principles
• Reconnaissance
• Attack Vectors
• Countermeasures
• Toolkit
Social Engineering
• Many attackers have claimed that the easiest way to get the
information you want is to ask the victims
themselves.
- Psychological techniques to get private information
- Does not require a computer science background
- Attack vectors: spear phishing, phone calls with impersonation, …
• Kevin Mitnick
- One of the most famous social engineers
- Possibly one of the first ones using
these techniques extensively
- (5 years in jail, afterwards a security consultant)
Social Engineering
• Social Engineering is the psychological manipulation of people
into revealing confidential/sensitive information about the
organization or performing certain actions, such as:
- opening an infected e-mail attachment
- clicking on a URL of a compromised website.
–David Letterman
Social Engineering: Phases
• A Social Engineering attack can be roughly divided into two main phases:
- Phase 1: Reconnaissance: The attacker learns as much as possible (e.g., through Open
Source Intelligence) in order to appear credible and lure the victims into revealing sensitive
information or performing dangerous actions.
◆ Roles in the company
◆ Company contacts (e.g., e-mail, phone numbers)
◆ Key persons in the company
◆ Choosing a victim
- Phase 2: Victim Approach: The actual attack of the social engineer is performed by
contacting the victim through one of the possible attack vectors, such as:
◆ Phone
◆ Email
◆ Social network
Social Engineering
Key Principles
Social Engineering: Key Principles
• Professor Robert Cialdini
- Regents' Professor Emeritus of Psychology and
Marketing at Arizona State University
- Identified six key principles of influence that
correspond to human behaviors heavily exploited by
Social Engineering.
- Originally intended for “Marketing” purposes
• In Social Engineering, these principles are often
exploited by the attacker to lure victims into:
- Revealing information
- Performing actions
Social Engineering: Key Principles
• Principle 1: Reciprocity
- People tend to return a favor.
- If the attacker is, for example, generous or does
something for the victim, the victim will feel more
compelled to return the favor to the attacker
- For example,
◆ bending the rules,
◆ providing special access without
following the protocol.
Social Engineering: Key Principles
• Principle 2: Commitment and Consistency
- If people commit to an idea or goal, they are
more likely to honor that commitment because
they have stated that that idea or goal fits their
self-image.
- The attacker may find and exploit the victim’s
commitments
- For example,
◆ Particular charity activities
◆ Recycling
◆ Eating particular types of foods
Social Engineering: Key Principles
• Principle 3: Social Proof/Consensus
- People will do things that they see other people doing.
- For example:
◆ Attackers may create fake websites with testimonials
and lure the victim into clicking something.
◆ Or convince the victim that another
employee has already done it, or that it is not the
first time a similar request has been made.
Social Engineering: Key Principles
• Principle 4: Authority/Intimidation
- People will tend to obey authority figures, even if they are asked to perform
objectionable acts.
• Once a candidate victim is chosen, the attacker needs to identify the elements that
will create a feeling of familiarity and trust between the attacker and the victim
- Exact victim’s position in the company
- Use of nicknames known only in the company
- Praising the role of the victim (e.g., knowing what they do)
- Belonging to some mailing list
- Personal interests of the victim
Social Engineering
Phase 2: Victim Approach
Approaching the Victim
• After initial reconnaissance, the attacker will get in contact with the victim
- By phone
- By e-mail
- By Social Network
- …
- Common strategies:
◆ Impersonating a manager/senior member of the organization
◆ Pretending to be a colleague in need
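The impersonation strategies listed above leave traces in the e-mail headers that a mail gateway can check. The following is an added example, not part of these slides: it encodes four common impersonation indicators (a known senior's name used as the display name from an external address, an internal-looking address hidden inside the display name, a lookalike sender domain, and a Reply-To pointing elsewhere) as a small detector. The organisation domain, the directory of senior staff and the sample messages are all constructed for illustration.

```python
# Added example (not from the lecture): detection rules for common
# sender-impersonation patterns in inbound e-mail. All names, domains and
# messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example-corp.test"                              # assumed organisation domain
KNOWN_SENIORS = {"alice rossi": "CEO", "bob chen": "CFO"}    # assumed staff directory
# substrings commonly swapped to build lookalike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e")]


def normalize(name: str) -> str:
    """Fold accents, case and spacing so 'Alice  Rossí' matches 'alice rossi'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def unconfuse(domain: str) -> str:
    """Map confusable substrings to their plain form for lookalike comparison."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def check_message(raw: str) -> list:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    external = from_dom != ORG_DOMAIN   # exact match for brevity; no subdomain handling

    # 1. A known senior's name as display name, but sent from outside the organisation
    if external and normalize(display) in KNOWN_SENIORS:
        findings.append("display-name impersonation")
    # 2. An internal-looking address smuggled into the display name
    if external and "@" in display:
        findings.append("address-in-display-name")
    # 3. Sender domain is a character-swap lookalike of the organisation domain
    if external and unconfuse(from_dom) == unconfuse(ORG_DOMAIN):
        findings.append("lookalike sender domain")
    # 4. Replies redirected to another domain (a weak signal on its own)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to domain mismatch")
    return findings


# Constructed sample messages
SAMPLE_IMPERSONATION = (
    "From: Alice Rossi <alice.rossi.ceo@webmail.test>\n"
    "Reply-To: alice.rossi.ceo@webmail.test\n"
    "Subject: Urgent payment\n\n"
    "Please process the attached invoice today.\n"
)
SAMPLE_SMUGGLED = (
    'From: "bob.chen@example-corp.test" <bc@webmail.test>\n'
    "Subject: Quick question\n\n"
    "Can you send me the supplier list?\n"
)
SAMPLE_LOOKALIKE = (
    "From: IT Helpdesk <helpdesk@examp1e-corp.test>\n"
    "Subject: Password expiry\n\n"
    "Your password expires today, log in here.\n"
)
SAMPLE_LEGIT = (
    "From: Alice Rossi <alice.rossi@example-corp.test>\n"
    "Reply-To: alice.rossi@example-corp.test\n"
    "Subject: Board meeting\n\n"
    "Agenda attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("impersonation", SAMPLE_IMPERSONATION), ("smuggled", SAMPLE_SMUGGLED),
                       ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, check_message(raw))
```

Each rule is a heuristic: a legitimate Reply-To can differ from the sender domain, and executives do occasionally write from personal accounts, so in practice these indicators feed a score or a user-facing banner rather than an outright block.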
Social Engineering: Attack Vectors
• Watering Hole:
- Compromising part of a legitimate website (e.g.,
through stored XSS or DNS poisoning) trusted by
the victim (e.g., the victim’s bank website).