Isys20261 lecture 10

Computer Security Management (ISYS20261) Lecture 10 - Social Engineering Module Leader: Dr Xiaoqi Ma School of Science and Technology

Transcript of Isys20261 lecture 10


Today ...

… we will discuss:

• Pretexting

• Phishing

• IVR or phone phishing

• Baiting

• Quid pro quo


Social Engineering

• Manipulating people into performing actions or providing confidential information

• Social engineering techniques are based on specific attributes of human decision-making known as cognitive biases

• These biases are exploited in various combinations to create criminal attack techniques

• Examples of social engineering:

– Pretexting

– Phishing

– IVR or phone phishing

– Baiting

– Quid pro quo

– Etc.


Social Engineering Attacks

• Attacker might pose as:

– a fellow employee

– an employee of a vendor, a partner company or law enforcement

– someone with authority

– a systems manufacturer offering a system patch or update

– someone offering help if a problem occurs, then causing the problem to occur

• Attacker might use software:

– Sending free software or a patch to the victim to install (Trojan)

– Sending viruses or Trojans as email attachment

– Using a false pop-up window asking user to log in

– Leaving a CD with malicious software lying around

• Others:

– Offering a prize for registering on a Web site

– Dropping document in mail room for intra-office delivery


Pretexting (1)

• Creating and using an invented scenario (a pretext) to persuade a targeted victim to release information or perform an action; typically done over the telephone

• Often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: name, date of birth, last bill amount) to establish legitimacy in the mind of the target

• Used for example to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives

• As most companies authenticate clients by asking only for a name, date of birth, or mother's maiden name, the method is effective in many situations


Pretexting (2)

• Can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim

• The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet


Example (1)

• Mary arrived early to get a head start on what she expected to be a long day and was surprised to find her phone ringing. She picked it up and gave her name:

Hi, this is Peter Sheppard. I’m with Arbuckle Support, the company that does tech support for your firm. We logged a couple of complaints over the weekend from people having problems with the computers there. I thought I could troubleshoot before everybody comes into work this morning. Are you having any problems with your computer connecting to the network?


Example (2)

• She told him she didn’t know yet. She turned her computer on and while it was booting he explained what he wanted to do:

I’d like to run a couple of tests with you. I’m able to see on my screen the keystrokes you type and I want to make sure they’re going across the network correctly. So every time you type a stroke I want you to tell me what it is and I’ll see if the same letter or number is appearing here. Okay?


Example (3)

• With nightmare visions of her computer not working and a frustrating day of not being able to get any work done, she was more than happy to have this man help her. After a few moments, she told him: I have the login screen and I’m going to type in my ID. I’m typing it in: M A R Y

Great so far. I’m seeing that here. Now go ahead and type your password but don’t tell me what it is. You should never tell anybody your password not even tech support. I’ll just see asterisks here – your password is protected so I can’t see it.


Example (4)

• None of this was true but it made sense to Mary. And then he said:

Let me know once your computer has started up.

• When she said it was running he had her open two of her applications and she reported that they launched just fine

• Mary was relieved to see that everything seemed to be working. Peter said:

I’m glad I could make sure you’ll be able to use your computer ok. And listen, we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?


Example (5)

• She was grateful for the help he had given her and readily agreed.

• Peter walked her through the steps of launching the application that allows a user to change passwords (a standard element of the Windows operating system)

• Peter said: Go ahead and enter your password, but remember not to say it out loud.

• When she had done so, Peter said: just for this quick test, when it asks for your new password enter ‘test123’. Then type it again in the verification box and click Enter.

• He talked her through the process of disconnecting from the server. He told her to wait a couple of minutes, then connect again, this time trying to log on with her new password. It worked fine and Peter seemed pleased. He talked her through changing it back to her original password, once more cautioning her not to say it out loud.


Example (6)

• "Well, Mary," Peter said, "we didn't find any trouble, and that's great. If any problems come up, just ring us at Arbuckle. I'm usually on a special project, but anyone here can help you."

• Analysing the con:

– Rang reception at 7:30: "emergency, need to talk to anyone in accounting"

– Called Mary, said there were problems, gave her the jitters so she was keen for help

– After giving 'help', asked for a favour

– Quickly logged on with the temporary password, installed his own program and cleared his access from the logs

• Common features:

– The con is embedded in a long palaver

– If the con had come at the end of the day, Mary would remember it as the last thing she did; coming before a busy working day, she will forget it
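The last two points of the analysis are the defender's opening: a temporary password, a logon from a machine that is not the victim's, and the password changed back a few minutes later all leave a trace in authentication logs. The following is an added example (not part of the lecture) of a detection rule over constructed log lines; the log format, hostnames and timestamps are invented for the example and assume logons and password changes are forwarded to a central collector the caller cannot edit.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the Mary/Peter con (not real logs):
# a password change, a logon from a host that is not Mary's workstation,
# and the password changed back again a few minutes later.
SAMPLE_LOG = """\
2009-03-02T07:41:10 PASSWORD_CHANGE user=mary host=ACC-WS-12
2009-03-02T07:43:05 LOGON_SUCCESS user=mary host=UNKNOWN-LAPTOP
2009-03-02T07:44:30 LOGON_SUCCESS user=mary host=ACC-WS-12
2009-03-02T07:49:55 PASSWORD_CHANGE user=mary host=ACC-WS-12
2009-03-02T09:15:00 LOGON_SUCCESS user=bob host=ACC-WS-07
2009-03-02T12:00:00 PASSWORD_CHANGE user=bob host=ACC-WS-07
"""


def parse_events(text):
    """Parse lines of the form '<iso-time> <ACTION> key=value ...' into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts), "action": action}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def find_temporary_password_windows(events, window_minutes=15):
    """Flag users whose password was changed twice within window_minutes
    with a successful logon in between from a host other than the one
    the first change was made from. Returns one finding per such window."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        changes = [e for e in evs if e["action"] == "PASSWORD_CHANGE"]
        # Look at each consecutive pair of password changes for this user.
        for first, second in zip(changes, changes[1:]):
            if second["time"] - first["time"] > window:
                continue
            foreign = [
                e for e in evs
                if e["action"] == "LOGON_SUCCESS"
                and first["time"] < e["time"] < second["time"]
                and e["host"] != first["host"]
            ]
            if foreign:
                findings.append({
                    "user": user,
                    "start": first["time"],
                    "end": second["time"],
                    "foreign_hosts": sorted({e["host"] for e in foreign}),
                })
    return findings


if __name__ == "__main__":
    for f in find_temporary_password_windows(parse_events(SAMPLE_LOG)):
        print(f"{f['user']}: password changed at {f['start']:%H:%M:%S}, "
              f"reverted at {f['end']:%H:%M:%S}, logons from {f['foreign_hosts']}")
```

The rule only works on a copy of the logs the attacker cannot reach, which is exactly why the con in the example ends with the local access logs being cleared; the same reasoning argues for a help-desk policy that never walks a caller through setting a password to a value the caller chose.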


Phishing

• A criminal technique for fraudulently obtaining private information

• Typically, the phisher sends an e-mail that appears to come from a legitimate business (e.g. a bank, or credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided

• The e-mail usually contains a link to a fraudulent web page that seems legitimate (i.e. with company logos and content) and has a form requesting everything from a home address to an ATM card's PIN
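The tell in such an e-mail is usually the link: the visible text and the logos belong to the bank, the destination does not. As an added example (not from the lecture), the check below extracts the anchors from a constructed e-mail body and flags links whose destination domain differs from the claimed sender's domain, whose visible URL differs from the real destination, or whose destination merely embeds the bank's name inside another domain. The e-mail text, the domain names and the crude "last two labels" domain rule are assumptions for the example; production code would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail body (not a real message). The first link
# shows the bank's URL as its text but points somewhere else entirely.
SAMPLE_EMAIL_HTML = """\
<p>Dear customer, your account will be suspended unless you verify
your details within 24 hours.</p>
<p><a href="http://login.example-bank.com.verify-now.invalid/form">
https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/contact">Contact us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    # Assumption for the example: the last two labels identify the owner.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body, sender_domain):
    """Return (href, text, reasons) for each link that looks like phishing."""
    collector = LinkCollector()
    collector.feed(html_body)
    sender_reg = registrable_domain(sender_domain)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_reg = registrable_domain(href_host)
        reasons = []
        if href_reg != sender_reg:
            reasons.append("destination domain differs from sender domain")
        # Visible text that looks like a URL or bare domain (no spaces, has a dot)
        if "." in text and " " not in text:
            text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if text_host and registrable_domain(text_host) != href_reg:
                reasons.append("visible URL does not match destination")
        if sender_domain.lower() in href_host.lower() and href_reg != sender_reg:
            reasons.append("sender domain embedded inside another domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

The same comparison is what a user is being asked to do by eye when told to "hover over the link before clicking"; automating it in a mail gateway or a browser extension removes the reliance on a hurried reader noticing the mismatch.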


Phone Phishing (IVR phishing)

• Uses a fake Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system

• Typically the victim receives an e-mail asking them to call the "bank" on an (ideally toll-free) number provided, in order to "verify" information

• A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords

• More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning


Baiting

• A Trojan Horse that uses physical media and relies on the curiosity or greed of the victim

• The attacker leaves a malware-infected floppy disc, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device

• Examples could be:

– Installation disks for expensive Office software

– Fake electronic executive reports (infected spreadsheets)

– Fake demo programs


Quid pro quo

• “Something for something”

• An attacker calls random numbers at a company, claiming to be calling back from technical support

• Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them

• The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware (see pretexting example!)


Summary

Today we learned:

• Social engineering exploits human cognitive biases

• Manipulating people into performing actions or providing confidential information

• Social engineering techniques include:

– Pretexting

– Phishing

– IVR or phone phishing

– Baiting

– Quid pro quo