Social Engineering¶
Social engineering is a form of manipulation and deception attackers use to exploit human psychology and influence individuals or organizations into performing actions or divulging sensitive information. It involves leveraging psychological tactics, trust, and social dynamics to bypass security controls and gain unauthorized access to systems, data, or resources.
Class Discussion¶
What are some examples that you have seen of social engineering conducted against you or maybe someone you know?
Bribery¶
Within cybersecurity, bribery refers to the act of offering, giving, receiving, or soliciting something of value to influence the actions of an individual or organization responsible for securing information systems, networks, or data. It could involve monetary payments, gifts, favors, or other benefits exchanged for compromising security measures or gaining unauthorized access to sensitive information.
Example Scenario¶
Jane approaches John with a delicious box of Krispy Kreme donuts at his desk. She asks him for assistance obtaining some classified documents that she cannot access, but she needs to complete her task. Rather than going through the proper channels, Jane asks John (who has access to the documentation in question) to help her in exchange for the sweets. She assures him she will still go through the proper channels in time, but she needs the documents sooner. Swayed by the allure of sugary goodness, John obliges. Though not necessarily done with malicious intent, Jane committed bribery and gained unauthorized access to sensitive information.
Blackmail¶
Blackmail is a form of extortion where an individual or entity threatens to reveal embarrassing, damaging, or sensitive information about another person or organization unless specific demands are met. These demands often involve the payment of money or the fulfillment of specific requests.
Application in Cybersecurity¶
In cybersecurity, blackmail typically involves threats to expose vulnerabilities, data breaches, or confidential information unless the victim complies with the attacker's demands. These may include demands for monetary payment, access to sensitive systems or data, or other concessions.
Example Scenario¶
Joe casually checks his emails one morning at work when one subject line catches his eye: "CHEATERS HAVE TO PAY." The email is from an unknown sender, but there are no malicious attachments or links, only the following text:
So here we see that the attacker had already compromised the victim's social media account. That compromise alone did not get the attacker what they wanted: money. However, the information gained from the account gave them the leverage to blackmail the victim and demand payment. Faithfulness aside, the victim could have denied the attacker that leverage by better protecting their personal information and accounts.
Video depicting phishing: https://www.youtube.com/watch?v=gSQgbCo6PAg
Phishing¶
Phishing is a cyber-attack method where attackers masquerade as legitimate entities, typically via email, to trick individuals into revealing sensitive information such as usernames, passwords, financial data, or personal information. Phishing attacks often involve deceptive tactics, including fake websites, urgent requests, and social engineering techniques.
Whaling¶
Whaling is a specialized form of phishing targeting high-profile individuals within organizations, such as executives, CEOs, or senior management. Unlike traditional phishing attacks, which target a broad audience, whaling attacks are tailored to exploit the status and authority of these individuals for financial gain or data theft.
Spear Phishing¶
Spear phishing is a targeted attack focusing on specific individuals or groups within an organization. Unlike traditional phishing attacks, which cast a wide net, spear phishing campaigns are highly tailored and personalized to exploit their intended targets' interests, relationships, or vulnerabilities.
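Phishing, whaling, and spear phishing differ in targeting, but the messages share the same mechanical tells: a display name that claims a brand the sending domain does not match, a Reply-To that diverts replies elsewhere, a lookalike sending domain, urgency language, and links whose visible text points somewhere other than their href. The script below is an example added to these notes, not code from the original page; it checks a raw RFC 5322 message for those indicators. The sample messages, the trusted-domain list, the urgency keyword list, and the digit-for-letter lookalike rule are all constructed assumptions for illustration.

```python
"""Heuristic phishing-indicator check for a raw RFC 5322 message.

Added example for these notes; not code from any product named on the page.
The sample messages, trusted-domain list, urgency keywords and the
digit-for-letter lookalike rule are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand the organisation wants to protect (constructed).
TRUSTED_DOMAINS = ("example-bank.com",)
# Assumed pressure phrases; a real filter would use a far larger list.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


def registrable(host):
    """Crude registrable domain: mail.example.com -> example.com (assumes no multi-label TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_alike(domain, trusted):
    """A different domain that reads the same once digit substitutions and hyphens are removed."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

    def norm(d):
        return d.translate(table).replace("-", "")

    return domain != trusted and norm(domain) == norm(trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return the sorted set of indicator names found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rpartition("@")[2])
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != from_dom:
        findings.add("reply-to-domain-mismatch")

    for t in trusted:
        brand = t.split(".")[0].replace("-", " ")  # "example-bank.com" -> "example bank"
        if brand in from_name.lower() and from_dom != t:
            findings.add("display-name-brand-mismatch")
        if looks_alike(from_dom, t):
            findings.add("lookalike-sender-domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if any(w in (str(msg.get("Subject", "")) + " " + text).lower() for w in URGENCY_WORDS):
        findings.add("urgency-language")

    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            href_dom = registrable(urlparse(href).hostname or "")
            shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", visible.lower())
            # Visible text names one domain, the link actually goes to another.
            if shown and registrable(shown.group(1)) != href_dom:
                findings.add("link-text-href-mismatch")
            if any(looks_alike(href_dom, t) for t in trusted):
                findings.add("lookalike-link-domain")
    return sorted(findings)


# Constructed phishing message (no real organisation, sender or URL).
PHISH = b"""From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: helpdesk@mail-recover.net
To: john@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended. Click
<a href="http://examp1e-bank.com.login-secure.net/verify">https://www.example-bank.com/verify</a>
immediately.</p></body></html>
"""

# Constructed benign message for comparison.
BENIGN = b"""From: "IT Helpdesk" <helpdesk@example-bank.com>
To: john@corp.example
Subject: Reminder: quarterly report due Friday
Content-Type: text/plain; charset="utf-8"

The quarterly report template is on the shared drive. Thanks!
"""

if __name__ == "__main__":
    print(analyze(PHISH))   # five indicators
    print(analyze(BENIGN))  # []
```

None of these checks is conclusive on its own (marketing mail uses urgency, and mailing lists legitimately set Reply-To), which is why the function returns the full set of indicators rather than a verdict; a mail gateway would score them and quarantine above a threshold.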
Pretexting¶
Pretexting is a social engineering technique in which attackers create false identities or scenarios to manipulate individuals into disclosing sensitive information or performing specific actions. It involves extensive planning, research, and deception to establish credibility and gain the trust of the target.
Role-Playing¶
Often an integral component of pretexting, role-playing is the act of assuming a false identity in order to deceive a target, for example by impersonating a family member, coworker, or IT technician to gain trust. Reconnaissance of the target helps the attacker build a more convincing false identity.
Quid Pro Quo¶
"Quid pro quo" is a Latin phrase meaning "something for something" or "this for that." As a social engineering technique, it refers to an attacker offering a service, favor, or benefit (help with a problem, a prize, a fix) in exchange for information or access, framed so that the victim sees it as a fair trade.
Bribery vs Quid Pro Quo¶
It is important to note that while all bribery is a form of quid pro quo, not all quid pro quo is bribery. Most quid pro quo exchanges are legal and ethical: if you go to a convenience store and buy three cans of Monster Energy for the day, that is one thing for another and nothing more. The exchange becomes bribery when something of value is offered to induce the other party to violate a duty, such as bypassing a security control or handing over access they should not grant.
Example Scenario¶
One afternoon, John receives a call from a person claiming to be a representative from his bank. This individual informs John that his bank account has been compromised and may soon be emptied out if he doesn't act quickly. The caller assures John that he can take care of everything if he simply provides his account credentials. John is worried about the safety of his finances, so he complies, only to find his account wiped and his actual bank calling days later.
So here we see several social engineering techniques (what are they?), which are very common when an attacker wants to take advantage of a victim effectively. What makes this quid pro quo is that the attacker offers to fix the problem in exchange for John's account information. John may think this is a fair transaction, but in reality he has become the victim: a real bank will never ask for account credentials over the phone.
Dumpster Diving¶
Dumpster diving is a physical security attack method where individuals or attackers rummage through trash or waste disposal bins to obtain sensitive or confidential information. In cybersecurity, dumpster diving involves searching for discarded documents, electronic devices, or other materials containing valuable information that can be exploited for malicious purposes.
Mitigation Strategies¶
Secure Disposal Practices¶
- Implement secure disposal practices, including shredding, incineration, or electronic data wiping, to ensure sensitive information is appropriately destroyed before disposal.
Employee Training¶
- Provide employees with training on the importance of proper data disposal procedures and the risks associated with improper handling of sensitive information.
Physical Security Measures¶
- Enhance physical security measures, such as surveillance cameras, locks, or access controls, to prevent unauthorized access to trash bins or dumpsters on organizational premises.
Road Apple¶
A road apple attack (the name is a colloquial term for horse manure), also called baiting or a USB drop, is a social engineering attack where attackers strategically place infected USB flash drives or other removable media in public areas, such as parking lots, conference venues, or corporate offices. The attack relies on curiosity or helpfulness to get an unsuspecting person to plug the device into a computer, leading to malware infection or unauthorized access to sensitive information.
Real-world Examples:¶
- The Stuxnet worm, discovered in 2010, is believed to have been carried into its targets on infected USB flash drives; it abused a Windows shortcut (LNK) handling flaw so that merely browsing the drive ran its payload. It targeted industrial control systems, particularly those used in Iran's nuclear program, causing physical damage to centrifuges.
- The Conficker worm, first identified in 2008, spread through network shares and removable media, including USB drives (abusing Windows AutoRun). It infected millions of computers worldwide, causing widespread disruption and data theft.
- Agent.BTZ is a malware strain discovered in 2008 that spread through infected USB drives. It reached US military networks, including classified ones, and led to significant security concerns and remediation efforts.
Operation Buckshot Yankee and US Cyber Command¶
- In 2008, the United States Department of Defense (DoD) suffered a significant cybersecurity incident when Agent.BTZ infected classified military networks. The infection has been attributed in public reporting to a foreign intelligence service, most often Russia's, and reportedly began when an infected USB drive (in the widely told version, one found in a parking lot) was inserted into a laptop at a DoD base in the Middle East.
- Operation Buckshot Yankee was the codename for the DoD's response: a large-scale effort to identify, contain, and eradicate Agent.BTZ from DoD networks. Among the measures taken was a ban on removable media across the DoD. The operation highlighted the vulnerability of military systems to such attacks and the need for stronger cyber defense capabilities.
- The incident and the response to it were among the drivers behind the creation of US Cyber Command (USCYBERCOM), established in 2009.
Mitigation Strategies¶
Employee Education¶
Educate employees and users about the risks of using untrusted USB devices and the importance of caution when encountering unknown media.
Security Policies¶
Implement security policies and procedures that restrict the use of removable media and require devices to be scanned for malware before use on corporate systems.
Technical Controls¶
Deploy technical controls, such as endpoint security solutions, intrusion detection systems, disabling AutoRun/AutoPlay, and removable-media device control (allowing only approved device IDs, or blocking mass-storage devices entirely), to detect and prevent road apple attacks.
Drive-by Download¶
A drive-by download is a technique attackers use to install malware on a victim's computer without their consent or knowledge. The attack occurs when a user visits a compromised or malicious website (or loads a malicious advertisement on an otherwise legitimate one) and malware is downloaded and executed automatically by exploiting vulnerabilities in the web browser, its plugins, or the operating system.
Some drive-by downloads still involve a click: the user is tricked into approving an installation whose full effect is not disclosed (for example, bundleware packaged with a legitimate installer). Others need no interaction at all and give no notification.
Real-World Examples¶
Angler Exploit Kit¶
The Angler Exploit Kit, active between 2013 and 2016, used drive-by download attacks to deliver a range of malware, including ransomware and banking Trojans, to victims worldwide.
CryptoWall Ransomware¶
CryptoWall, a notorious ransomware variant, was often distributed through drive-by download attacks via compromised websites or malvertising campaigns. It encrypted victims' files and demanded ransom payments for decryption keys.
Flashback Trojan¶
The Flashback Trojan, which targeted Mac OS X systems, was discovered in 2011. The original version posed as an Adobe Flash Player installer, hence the name; later variants spread by drive-by download, exploiting vulnerabilities in Java, and infected hundreds of thousands of Macs in 2012, compromising their security and privacy.
Mitigation Strategies¶
Patch Management¶
Update web browsers, plugins, and operating systems regularly to address known vulnerabilities and reduce the risk of exploitation through drive-by downloads.
Web Filtering¶
Implement web filtering solutions to block access to known malicious websites or prevent users from downloading potentially harmful content.
Endpoint Security¶
Deploy endpoint security solutions, such as antivirus software, intrusion detection systems, and endpoint protection platforms, to detect and block drive-by download attempts.
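The web-filtering and endpoint controls above are only as good as what they look for. A drive-by chain as described earlier (landing page, then a malvertising or exploit-kit gate on another domain, then a payload disguised as an image) leaves a recognisable trace in proxy logs. The script below is an example added to these notes, not code from any product named on the page; it reconstructs the Referer chain per client and flags executable downloads that arrive through a cross-domain chain or behind an innocent-looking file extension. The log lines, their tab-separated layout, the allowlist, and the content-type list are constructed assumptions for illustration.

```python
"""Spot drive-by download chains in web-proxy logs.

Added example for these notes; not code from any product named on the page.
The log lines, their tab-separated layout, the allowlist and the content-type
list are constructed assumptions for illustration.
"""
from urllib.parse import urlparse

# MIME types a proxy typically reports for Windows executables (assumption).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-msdos-program"}
# Extensions that should never carry an executable body.
INNOCENT_EXTENSIONS = (".jpg", ".png", ".gif", ".pdf", ".txt", ".css")
# Domains from which executable downloads are expected (constructed).
ALLOWED_DOWNLOAD_DOMAINS = {"vendor.example"}


def domain(url):
    """Crude registrable domain: dl.gate-redir.ru -> gate-redir.ru."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse(lines):
    """Constructed layout: client<TAB>method<TAB>url<TAB>status<TAB>content-type<TAB>referer ('-' if absent)."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        client, method, url, status, ctype, referer = line.rstrip("\n").split("\t")
        records.append({
            "client": client, "method": method, "url": url, "status": int(status),
            "ctype": ctype.split(";")[0].strip().lower(),
            "referer": None if referer == "-" else referer,
        })
    return records


def referer_chain(record, records):
    """Follow Referer headers backwards for one client to rebuild the page sequence that led here."""
    chain = [record["url"]]
    seen = {record["url"]}
    current = record
    while current["referer"] and current["referer"] not in seen:
        ref = current["referer"]
        seen.add(ref)
        chain.append(ref)
        current = next((r for r in records if r["client"] == record["client"] and r["url"] == ref), None)
        if current is None:
            break
    return chain


def detect(lines):
    """Return (client, url, reasons) for executable downloads that look like drive-bys."""
    records = parse(lines)
    alerts = []
    for rec in records:
        if rec["status"] != 200 or rec["ctype"] not in EXECUTABLE_TYPES:
            continue
        reasons = []
        path = urlparse(rec["url"]).path.lower()
        # An executable body behind an image/document URL is a classic exploit-kit payload disguise.
        if path.endswith(INNOCENT_EXTENSIONS):
            reasons.append("executable-served-as-" + path.rsplit(".", 1)[1])
        # The user landed on one site, was bounced through a gate on another, and the payload came from a third.
        hops = []
        for url in referer_chain(rec, records):
            d = domain(url)
            if d not in hops:
                hops.append(d)
        if domain(rec["url"]) not in ALLOWED_DOWNLOAD_DOMAINS and len(hops) >= 2:
            reasons.append("cross-domain-chain:" + " <- ".join(hops))
        if reasons:
            alerts.append((rec["client"], rec["url"], reasons))
    return alerts


# Constructed proxy log: one malvertising chain for 10.0.0.5 and one legitimate download for 10.0.0.7.
SAMPLE_LOG = [
    "\t".join(f) for f in [
        ("10.0.0.5", "GET", "http://news.example.com/story", "200", "text/html", "-"),
        ("10.0.0.5", "GET", "http://ads.tracker-cdn.net/serve.js", "200", "application/javascript", "http://news.example.com/story"),
        ("10.0.0.5", "GET", "http://x1a.gate-redir.ru/land.php", "200", "text/html", "http://ads.tracker-cdn.net/serve.js"),
        ("10.0.0.5", "GET", "http://dl.gate-redir.ru/img/photo.jpg", "200", "application/x-msdownload", "http://x1a.gate-redir.ru/land.php"),
        ("10.0.0.7", "GET", "http://www.vendor.example/product", "200", "text/html", "-"),
        ("10.0.0.7", "GET", "http://downloads.vendor.example/setup.exe", "200", "application/x-msdownload", "http://www.vendor.example/product"),
    ]
]

if __name__ == "__main__":
    for client, url, reasons in detect(SAMPLE_LOG):
        print(client, url, reasons)
```

The vendor download is not flagged because it stays within one allowlisted domain, while the payload for 10.0.0.5 is flagged twice: an executable was served under a .jpg name, and it was reached only by being bounced through an ad domain and a gate domain. Real proxies often strip or omit Referer, so in production this logic would be combined with time-window correlation rather than relying on the header alone.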