Social Engineering – CompTIA A+ 220-1102 – 2.4

Social engineering can circumvent security controls without using any technology. In this video, you’ll learn about phishing, shoulder surfing, piggybacking, wireless evil twins, and more.

Attacks that involve social engineering are constantly evolving. Attackers are finding new ways to engage with people to get around existing security controls. Some of the latest social engineering techniques involve communicating with you from multiple people using multiple methods of communication. This is all to earn your trust and ultimately provides them with access that they would not normally have.

We’ve seen cases where an attacker will pose as an angry customer and yell at you over the phone as a way to try to intimidate you. Other forms of social engineering take a bit more work but end up having a lot more of a personal effect. For example, there have been situations where the attacker has found that someone in the organization has passed away, and they’ll send an email, which is asking for donations but the links in the email are actually connecting you with malware.

Phishing is a type of social engineering that includes a bit of spoofing. So the attacker that’s performing this phishing attack is often imitating or pretending to be someone you know. For example, you might get a link that opens a window to your online email system. But in reality, this is not your email system. This is a third party website. And when you type in your email address and your password, you’re effectively sending that to the attacker

Fortunately, many of these attackers are not very good with details and you’ll notice that things may not be quite right on the screen. For example, some of the graphics on the screen may not be the normal logo that you might expect to see. Of course, this phishing can occur over other types of media. It doesn’t have to be in a web browser. They could call you on the phone and when it is voice calls it’s called voice phishing or phishing.

You might see this come through with what appears to be a local phone number. But in reality, they’re spoofing the phone number that you see on your phone. And they might be providing fake security checks or they may say they’re from your bank and they need some additional information from you. Here’s a comparison of a phishing attack with a legitimate login. On the left side is the phishing attack with the bad logo that they’ve attached, and on the right side is the actual login to the web based email system.

If you didn’t know exactly what the login screen should look like, you may be very easily fooled into providing your login credentials on the phishing screen. One way to get private information from someone’s computer is to simply look at the information that’s on their screen. We refer to this as shoulder surfing. This might be someone who simply curious to know what’s on your screen, or it may be someone who is intentionally targeting you to find information that may be on your display.

You may have been a victim of shoulder surfing or been the shoulder surfer yourself if you’ve been to an airport or a coffee shop, and you’ve seen somebody working on their computer by simply walking by you can easily see what’s on their screen. And sometimes the information on their screen may contain sensitive information. Sometimes you don’t even have to be physically near the computer to be able to see what’s on someone’s screen.

If you’re in a city, it’s very easy to see the people that are in the building next to you. And with a pair of binoculars or telescope, you might be able to make out what’s on somebody’s display. And of course malware that’s on a system may be able to monitor the screen, capture information, and provide those screen captures back to the attacker.

It’s up to you to be aware of your surroundings so that you can prevent these types of shoulder surfing attacks from occurring. Make sure you know exactly who may be around you. And you may want to position yourself with your back to the wall so that nobody can walk behind you to see what’s on your computer. You might also want to try adding privacy filters to your LCD. That will allow you to use your computer facing straight on at the screen.

But anyone who’s off to the side will not be able to see anything that’s on your display. These work exceptionally well. I’ve been on flights where someone in the middle seat has a privacy filter on their laptop, and they’re able to use their computer normally throughout the flight. I’m sitting right next to them on a window seat and to me the screen looks completely black. This is a great way to prevent shoulder surfing especially if you’re in a very dense area with a lot of people around you.

You might also want to see where your computer faces on your desk and prevent people from walking by your office and being able to see what happens to be on your screen. And if you’re in an area where there will be people behind you who are able to see your displays, it might be best to avoid putting any sensitive information on your screen.

Of course, these attackers aren’t interested in talking to you unless you have valuable information that you can provide to them. And often the attacker will do some research beforehand to know exactly who in the organization may have access to the information they need. This type of phishing is very directed and we refer to this as spear phishing. A good example of someone who would be a victim of spear phishing is the person in charge of finances for an organization.

Maybe it’s somebody who has access to the bank account or somebody who may have private information about customer details. If the target of this phishing attack is somebody at the executive level, we often refer to this type of spear phishing as whaling. This is someone who probably has access to a vast amount of private information, and could potentially have access to the company finances.

The attackers would love to have access to your bank account or find someone who’s able to make transfers out of your bank account. And using these types of spear phishing attacks can be very, very lucrative to the attacker. When you’re walking into an office building you may see a sign next to a locked door that says no tailgating, they’re referring, of course, to someone walking into the building without having proper access.

This is somebody who may try to catch a locked door before it closes or somebody who walks in behind somebody else who already has authorized access. In this situation, the person who allowed the door to be unlocked may have no idea that somebody caught the door at the end and snuck through without them knowing. If the authorized person who unlocked the door has complete knowledge of walking through that door, we refer to that as piggybacking.

This type of attack might be more involved for instance the attacker might have their hands full of equipment or food, and ask somebody who already has opened the door to continue to hold the door so they can get through. Unfortunately in many organizations, once you make it through that first locked door, a vast amount of the information inside of that building is available to you. So getting through that single lock could provide the attacker with a wealth of information.

To avoid this type of attack, there should be some well established policies on how you deal with visitors in your organization. If there’s somebody inside of your building who does not have a visible pass or badge, every employee should feel enabled to ask that person who they are and what they’re doing there. The no tailgating sign is referring to the number of people who are able to walk through that particular door at a time.

So one badge allows you one person through the door. And if you ever have a badge where multiple people are allowed through the door, then that would be an invalid entry. Some organizations take this a step further and have doors that will only allow one person through at a time. So you have to scan your badge and walk through the entrance.

And there certainly been situations where I have been a visitor inside of a building, I took my jacket off, and got a cup of coffee. And while I was doing that, somebody stopped by and said where’s your badge? Oh it’s on my jacket. Let me get that for you to prove that I’m really allowed to be in this building. These attackers that are performing the social engineering make extensive use of impersonation. They are pretending to be someone they really are not in order to gain access to certain types of information.

To be able to make a more believable impersonation, they’ve gained information from the internet from a third party or they may have even gone through your trash to find more details about the internals of your company. They may call and tell you they’re from the helpdesk or they may call and tell you they’re from the executive team. In either of those situations, people may want to react or want to help and provide information that they normally would not provide.

Sometimes the attacker will use large words or jargon to confuse the user. Or they may pretend that their friend and they should be providing more information because they already have this friendly rapport. The idea of going into a company’s trash to gather more intel is a very common form of social engineering. You’ll often hear this technique described as dumpster diving because it’s describing the brand of the rubbish skip that we use here in the United States.

This is a dumpster. And if you’re looking through the dumpster, you’re dumpster diving. It is remarkable how much interesting and valuable information is thrown out with the trash. You may find a telephone directory, financial details, or information about a project that you can then use on a social engineering attack. This is why we often say that you should be very careful about the garbage that you’re putting in the trash bin because that information could be used against you.

They might also know that your company throws away information on a monthly or quarterly basis. So they’ll wait until you put everything into the trash and then they’ll retrieve it before your normal garbage pickup. Another attack that uses a bit of technology and a bit of social engineering is a wireless evil twin attack. This is when the attacker would install a wireless access point that has the same configuration and looks almost identical to a legitimate access point.

They might use the same, SSIDs they might have the same logos on their captive portal, and someone connecting to this malicious network thinks they’re logging in to the normal network. If the evil twin is transmitting with enough power, it may be able to even overwhelm the existing legitimate access point and then everyone is going to connect to the evil twin. This is an especially useful attack if the access points are completely open and have no type of security associated with them.

The attacker would simply create a new access point and wait for users to connect. This is why we often say it’s important to encrypt all of the data coming from your system, not just use HTTPS to a website, but use a VPN to encrypt everything that you’re sending to and from your device.