Security Fundamentals: Social Engineering Techniques and Exploits
Phishing
Phishing is a type of attack that uses social engineering as its base. It uses technical deception to convince a user to provide personal information, such as passwords, social security numbers, credit card numbers, bank account details, and so on. In a phishing attack, the attacker creates a replica Website or Webpage that tricks the user into providing personal information. The replica is a convincing look-alike of the original Website or Webpage, so the user is easily tricked. The URLs are close to the original, and most of the time users don't bother to check them. One of the key intents of phishing is financial gain. Phishing can also be used to obtain personal and confidential information from the target. The attacker may simply use a legitimate identity without revealing his or her own. Using the legitimate identity of someone else, the attacker requests information from the target. The target may be convinced by the legitimate identity and provide the requested information to the attacker, who can then use it for harmful activities. Generally, phishing takes place using E-mail: an attacker poses as an authorized entity and demands information in reply to that mail.
Pharming
In this type of phishing attack, the user is redirected to a real look-alike Website even though the user typed the correct URL in the Web browser. The URL the user followed is not incorrect or wrong, but the attack has still occurred. This is done by DNS cache poisoning: the real IP address mapped to the legitimate URL is replaced with the IP address of a malicious Website that is a real look-alike, so the user is redirected there. The user will not suspect anything here because the URL is correct.
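DNS cache poisoning happens inside the resolver, but the same redirection can be achieved on a single workstation with a static entry in the local hosts file (the attack the page later lists as "Hosts file poisoning"). A defender can look for exactly that: any well-known domain pinned to a non-loopback address in the hosts file bypasses DNS and deserves a closer look. The following Python script is an added example, not part of the course material; the hosts-file content, the watched domains and the IP addresses in it are constructed for illustration.

```python
"""Detect hosts-file entries that pin watched domains to static IP addresses.

Added example (not from the course page). SAMPLE_HOSTS, WATCHED_DOMAINS and
every IP address below are constructed for illustration.
"""
import ipaddress

# Constructed hosts-file content: the first lines are ordinary, the two
# examplebank.com lines are what a hosts-file poisoning attack leaves behind.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# corporate shortcut (legitimate)
10.0.0.5    intranet.corp.example
198.51.100.23   www.examplebank.com
198.51.100.23   login.examplebank.com  examplebank.com
"""

# Domains (constructed) that a workstation should never resolve via a static entry.
WATCHED_DOMAINS = ("examplebank.com", "example-payments.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, first field is not an IP address
        for hostname in fields[1:]:
            yield line_no, ip, hostname.lower()


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname equals, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_poisoned_entries(text, watched=WATCHED_DOMAINS):
    """Return entries that pin a watched domain to a non-loopback address.

    Loopback pins (e.g. ad-blocking lists) are ignored; any other static
    mapping for a watched domain bypasses DNS resolution and is reported.
    """
    findings = []
    for line_no, ip, hostname in parse_hosts(text):
        if ip.is_loopback:
            continue
        if is_watched(hostname, watched):
            findings.append({"line": line_no, "ip": str(ip), "host": hostname})
    return findings


if __name__ == "__main__":
    for f in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} pinned to {f['ip']}")
```

Run against the constructed sample, the script reports the three examplebank.com names on lines 5 and 6 and stays silent about localhost and the intranet shortcut. In practice the same function would be fed the real hosts file (/etc/hosts or %SystemRoot%\System32\drivers\etc\hosts) and a watchlist of the banks and SaaS providers the organization uses.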
Phishing can be conducted through various methods:
In-person
Through a malicious Website
Through E-mail malware attachments
By the end of the fourth stage of the phishing process (see Phishing Process below), the phishing attack is completed. In a phishing attack, the attacker can use various attack methods. Some of these attack methods are:
Man-In-The-Middle
Session hijacking
Phishing through search engines
Link Manipulation
URL Obfuscation Attacks
Client-side vulnerabilities
Cross-site scripting
Malware / Keyloggers / Screen loggers / Trojans
E-mails (Deceptive Phishing)
Hosts file poisoning
DNS-based Phishing
Content-Injection
Phishing Methods
Mass mailing: A large number of recipients are targeted. It is quite likely that some of them are going to fall for this method. This method is usually performed using SPAM.
Instant messaging: In the last few years, instant messaging has become one of the key media for phishing. Malicious URLs are sent with attractive messages to lure users into clicking them.
Malicious Websites: Phishing can also be initiated through malicious Websites.
Social engineering can be performed in various ways:
Over the telephone
In-person
Performing a task on a system
Social engineering can be considered the basis of almost all types of passive information gathering techniques. The outcomes of social engineering can be devastating. With a single user in an organization as the target, the attacker can breach the security of the entire network. It is just a matter of getting inside the network using the information provided by the user.
There can be various types of users who can be the target of social engineering. Some of the common targets are:
Receptionist
IT Helpdesk
HR department
Top management
Smishing
Smishing is a type of vishing and is a social engineering attack that uses text messaging to obtain sensitive information such as account details.
Social Engineering
Social engineering is the art of manipulating and exploiting human behavior to conduct a security breach. In social engineering, the victim, who is being used as the means for a security breach, does not realize that he or she is being used. Users are considered to be the weakest link in the security chain and are easy to exploit. The attacker can use various methods in social engineering to gain sensitive and confidential information, such as sending an E-mail or redirecting the user to a malicious Webpage. Several methods can be used, but each is intended to obtain sensitive and confidential information for a security breach.
Phishing Process
Phishing is a four-stage process. These stages are as follows:
Initiation - The attacker prepares for an attack.
Execution - The attacker sends out the mass mail or instant message to hundreds or thousands of users.
User Action - The user performs two tasks: first, clicks on the URL, and then enters personal information on the Webpage that is loaded.
Completion - The information entered by the user is received by the attacker and stored on the attacker's side. It is now up to the attacker to use this information.
Watering Hole
A Watering Hole is a more complex type of phishing attack. In this type of attack, an attacker infects a website that is often visited by the target users. The website is infected with malware that is delivered to the user's system when they connect to the website. It is a multi-phased attack in which the attacker first profiles the targets, who are employees of an organization or a government agency. In the profiling stage, the attacker learns which websites these employees frequently visit. Then, the website is infected with malware. When the users visit the website, their systems are infected.
Vishing
A vishing attack is another form of phishing; it is conducted over Voice over IP (VoIP) lines, with the attacker pretending to be a legitimate caller from a bank or financial institution. In a vishing attack, the caller attempts to obtain personal information, such as a bank account number or credit card information.
Whaling
Whaling is another form of phishing and spear phishing. However, in whaling, the target is highly focused. Whale phishing is meant to target high-profile candidates, such as the CEO or CIO of an organization, or a well-known and established person, such as a film star. High-profile people have high-profile secrets to keep, personal or business-related, which can be used against them. Remember, phishing is just another form of social engineering, and your convincing power plays a major role. The attacker may create a sense of urgency in an E-mail and pressure the person into clicking a URL embedded in the E-mail.
Example of whale phishing
With an executive's official E-mail and official bank account credentials in hand, an attacker could not only approve monetary transactions but also perform them. To prevent whale phishing, you need to ensure that you build enough technical and detection controls. Executives need to be secure not only in the office but also at home and when they are using mobile phones.
Spear Phishing
Spear phishing, unlike general phishing, targets specific individuals and companies. The target could be an individual or several individuals. An attacker may target a top executive of an organization to steal information, and spear phishing may be used to install malware onto his or her system and eventually get into the network. Spear-phishing E-mails are usually designed to look like they originate from a well-known company or Website. For example, as a firm's top executive, you may receive an E-mail that appears to come from eBay asking you to reset your account password. The E-mail includes a URL to click and states that there have been unauthorized login attempts, and thus you should reset your password; otherwise, your account will be locked. In this example, the E-mail was designed to create a sense of urgency.
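The eBay example above, like the look-alike URLs described under Phishing, relies on the reader not checking the link closely. The following Python script is an added example of the defender-side check a mail gateway or awareness tool can apply: it pulls every URL out of a message and flags the three tricks the page mentions, a brand name buried in a subdomain of some other domain, a typosquatted domain close to the genuine one, and an internationalized (punycode, xn--) label that may hide a homoglyph. It is not code from the course; the e-mail body, the BRANDS table and every domain in it are constructed, and the "registered domain" is approximated as the last two labels rather than looked up in the Public Suffix List, which a production version would use.

```python
"""Flag phishing-style look-alike links in an e-mail body.

Added example (not from the course page). SAMPLE_EMAIL, BRANDS and every
domain below are constructed. The registered domain is approximated as the
last two host labels (assumption: no Public Suffix List, to stay offline).
"""
import re
from urllib.parse import urlparse

# Brands the organization cares about, mapped to their genuine domains (constructed table).
BRANDS = {"ebay": "ebay.com", "paypal": "paypal.com"}

# Constructed e-mail in the style of the spear-phishing example.
SAMPLE_EMAIL = """\
Dear customer, we noticed unauthorized login attempts on your account.
Reset your password within 24 hours or it will be locked:
https://signin.ebay.com.account-verify.example/reset
Genuine help page: https://www.ebay.com/help
Security tips: https://www.ebya.com/security
Mobile login: http://xn--bay-9la.com/login
"""

# Crude URL extractor: scheme, then everything up to whitespace or a delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as ebya vs ebay."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url, brands=BRANDS):
    """Return a list of reasons the URL looks suspicious (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return ["unparseable"]
    labels = host.lower().split(".")
    registered = ".".join(labels[-2:])  # simplification, see module docstring
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    reasons = []
    if any(label.startswith("xn--") for label in labels):
        reasons.append("idn-label")  # punycode label: possible homoglyph, review manually
    for brand, legit in brands.items():
        if registered == legit:
            continue  # genuinely the brand's own domain
        if any(brand in label for label in labels[:-2]):
            reasons.append("brand-in-subdomain")  # e.g. ebay.com.attacker.example
        elif len(sld) >= 3 and edit_distance(sld, brand) <= 2:
            reasons.append("lookalike-domain")  # e.g. ebya.com
    if parsed.scheme == "http":
        reasons.append("no-tls")
    return reasons


def scan_email(text, brands=BRANDS):
    """Return [(url, reasons)] for every URL in the text that raised a reason."""
    findings = []
    for url in URL_RE.findall(text):
        reasons = analyze_url(url, brands)
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{url}: {', '.join(reasons)}")
```

On the constructed message the genuine https://www.ebay.com/help passes, while the subdomain trick, the transposed ebya.com and the xn-- host are each reported with the reason that fired. The edit-distance threshold of 2 is deliberately loose; a short brand name will produce false positives against unrelated short domains, so the output is meant to prioritize review, not to block on its own.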