CEH v5 Module 09 Social Engineering PDF


Ethical Hacking

Version 5

Module IX
Social Engineering

Scenario

Source: Department of Treasury, Washington D.C.
http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf

EC-Council

Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited

Module Objective
This module will familiarize you with the following:
Social Engineering: An Introduction
Types of Social Engineering
Dumpster Diving
Shoulder Surfing
Reverse Social Engineering
Behaviors Vulnerable to Attacks
Countermeasures for Social Engineering
Policies and Procedures
Phishing Attacks
Identity Theft
Online Scams
Countermeasures for Identity Theft

Module Flow
Social Engineering
Types of Social Engineering
Behaviors Vulnerable to Attacks
Countermeasures
Policies and Procedures
Phishing Attacks
Identity Theft
Online Scams
Countermeasures

There is No Patch to Human Stupidity

What is Social Engineering?


Social Engineering is the human side of breaking into a corporate network
Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks
An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they do not know, or even by talking about a project with coworkers at a local pub after hours

What is Social Engineering? (contd)


A tactic or trick for gaining sensitive information by exploiting basic human nature, such as:
  Trust
  Fear
  Desire to help
Social engineers attempt to gather information such as:
  Sensitive information
  Authorization details
  Access details

Human Weakness
People are usually the weakest link in the security chain
A successful defense depends on having good policies and educating employees to follow them
Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone

Rebecca and Jessica


Hackers use the terms Rebecca and Jessica to denote social engineering attacks
Hackers commonly use these terms when social engineering victims
Rebecca and Jessica mean a person who is an easy target for social engineering, like the receptionist of a company
Example:
  "There was a Rebecca at the bank and I am going to call her to extract privileged information."
  "I met Ms. Jessica, she was an easy target for social engineering."
  "Do you have any Rebecca in your company?"

Office Workers
Despite having the best firewall, intrusion detection and antivirus systems that technology has to offer, you are still hit with security breaches
One reason for this may be a lack of motivation among your workers
Hackers can attempt social engineering attacks on office workers to extract sensitive data such as:
  Security policies
  Sensitive documents
  Office network infrastructure
  Passwords

Types of Social Engineering


Social Engineering can be divided into two categories:
Human-based
  Gathering sensitive information by interaction
  Attacks of this category exploit the trust, fear and helping nature of humans
Computer-based
  Social engineering carried out with the aid of computers

Human-based Social Engineering


Posing as a Legitimate End User
  Gives an identity and asks for sensitive information
  "Hi! This is John, from Department X. I have forgotten my password. Can I get it?"
Posing as an Important User
  Posing as a VIP of a target company, valuable customer, etc.
  "Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system password. Can you help me out?"

Human-based Social Engineering


(contd)
Posing as Technical Support
  Calls as technical support staff and requests IDs and passwords to retrieve data
  "Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?"

Technical Support Example

A man calls a company help desk and says he's forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.

More Social Engineering Examples

"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."

More Social Engineering Examples


"Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."

More Social Engineering Examples

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.

Human-based Social Engineering


(contd)
Eavesdropping
  Unauthorized listening to conversations or reading of messages
  Interception of any form, such as audio, video or written

Human-based Social Engineering:


Shoulder Surfing
Looking over your shoulder as you enter a password
Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers and more
Simply, they look over your shoulder, or even watch from a distance using binoculars, in order to get those pieces of information
Figure: hacker watching a victim enter passwords

Human-based Social Engineering


(contd)
Dumpster Diving
  Search for sensitive information in the target company's:
    Trash bins
    Printer trash bins
    User desks, for sticky notes etc.
  Collect:
    Phone bills
    Contact information
    Financial information
    Operations-related information etc.

Dumpster Diving Example

A man behind the building is loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials.
This information is sufficient to launch a social engineering attack on the company.

Oracle Snoops Microsoft's Trash Bins
"We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage.

Case Study

Source courtesy: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/27/AR2006092701304.html

Human-based Social Engineering


(contd)
In person
  Survey a target company to collect information on:
    Current technologies
    Contact information, and so on
Third-party Authorization
  Refer to an important person in the organization and try to collect data
  "Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?"

Human-based Social Engineering


(contd)
Tailgating
  An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access
  An authorized person may be unaware of having provided an unauthorized person access to a secured area
Piggybacking
  "I forgot my ID badge at home. Please help me."
  An authorized person provides access to an unauthorized person by keeping the secured door open

Human-based Social Engineering


(contd)
Reverse Social Engineering
  This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around
  A Reverse Social Engineering attack involves:
    Sabotage
    Marketing
    Providing support

Movies to Watch for Reverse Social Engineering Examples:
The Italian Job and Catch Me If You Can

Computer-based Social Engineering


These can be divided into the following broad categories:
  Mail / IM attachments
  Pop-up windows
  Websites / sweepstakes
  Spam mail

Computer-based Social Engineering


(contd)
Pop-up Windows
  Windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in
Hoaxes and chain letters
  Hoax letters are emails that issue warnings to the user about new viruses, Trojans or worms that may harm the user's system
  Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a said number of persons

Computer-based Social Engineering


(contd)
Instant Chat Messenger
  Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names
  Acquired data is later used for cracking the user's accounts
Spam email
  Email sent to many recipients without prior permission, intended for commercial purposes
  Irrelevant, unwanted and unsolicited email to collect financial information, social security numbers, and network information

Computer-based Social Engineering


(contd)
Phishing
  An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information
  Lures online users with statements such as:
    "Verify your account"
    "Update your information"
    "Your account will be closed or suspended"
  Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers

Insider Attack
If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to pass the interview, have that person get hired, and they are in
It takes only one disgruntled person to take revenge, and your company is compromised
60% of attacks occur behind the firewall
An inside attack is easy to launch
Prevention is difficult
The inside attacker can easily succeed
It is difficult to catch the perpetrator

Disgruntled Employee
Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions, etc.
Figure: a disgruntled employee sends company secrets from the company network to a competitor using steganography

Preventing Insider Threat


There is no single solution to prevent an insider threat
Some recommendations:
  Separation of duties
  Rotation of duties
  Least privilege
  Controlled access
  Logging and auditing
  Legal policies
  Archive critical data

Common Targets of Social Engineering


Receptionists and help desk personnel
Technical support executives
Vendors of the target organization
System administrators and users

Factors that make Companies Vulnerable to Attacks
Insufficient security training and awareness
Several organizational units
Lack of appropriate security policies
Easy access to information, e.g. e-mail IDs and phone extension numbers of employees

Why is Social Engineering Effective?


Security policies are only as strong as their weakest link, and humans are the most susceptible factor
It is difficult to detect social engineering attempts
There is no method to ensure complete security from social engineering attacks
There is no specific software or hardware for defending against a social engineering attack

Warning Signs of an Attack


An attacker may:
  Show an inability to give a valid callback number
  Make informal requests
  Claim authority
  Show haste
  Unusually compliment or praise
  Show discomfort when questioned
  Drop names inadvertently
  Threaten dire consequences if information is not provided

Tool : Netcraft Anti-Phishing Toolbar


An anti-phishing system consisting of a toolbar and a central server that has information about URLs provided by the Toolbar community and Netcraft
Blocks phishing websites that are recorded in Netcraft's central server
Suspicious URLs can be reported to Netcraft by clicking "Report a Phishing Site" in the toolbar menu
Shows all the attributes of each site, such as host location, country, longevity and popularity
Can be downloaded from www.netcraft.com

Tool : Netcraft Anti-Phishing Toolbar (contd)
Screenshot: Netcraft Toolbar Site Report
Tool : Netcraft Anti-Phishing Toolbar (contd)
Screenshot: Location details and Website Network Information

Phases in a Social Engineering Attack


Four phases of a Social Engineering Attack:
Research on target company
  Dumpster diving, websites, employees, tour of the company and so on
Select victim
  Identify frustrated employees of the target company
Develop relationship
  Developing a relationship with the selected employees
Exploit the relationship to achieve the objective
  Collect sensitive account information
  Financial information
  Current technologies

Behaviors Vulnerable to Attacks


Trust
  The human nature of trust is the basis of any social engineering attack
Ignorance
  Ignorance about social engineering and its effects among the workforce makes the organization an easy target
Fear
  Social engineers might threaten severe losses in case of non-compliance with their request

Behaviors Vulnerable to Attacks (contd)
Greed
  Social engineers lure the targets to divulge information by promising something for nothing
Moral duty
  Targets are asked for help, and they comply out of a sense of moral obligation

Impact on the Organization


Economic losses
Damage of goodwill
Loss of privacy
Dangers of terrorism
Lawsuits and arbitrations
Temporary or permanent closure

Countermeasures
Training
  An efficient training program should cover all security policies and methods to increase awareness of social engineering

Countermeasures (contd)
Password policies
  Periodic password change
  Avoiding guessable passwords
  Account blocking after failed attempts
  Length and complexity of passwords
    Minimum number of characters, use of special characters and numbers etc., e.g. ar1f23#$g
Secrecy of passwords
  Do not reveal them if asked, or write them on anything to remember them

Countermeasures (contd)
Operational guidelines
  Ensure security of sensitive information and authorized use of resources
Physical security policies
  Identification of employees, e.g. issuing of ID cards, uniforms and so on
  Escorting the visitors
  Access area restrictions
  Proper shredding of useless documents
  Employing security personnel

Countermeasures (contd)
Classification of information
  Categorize the information as top secret, proprietary, for internal use only, for public use, and so on
Access privileges
  Administrator, user and guest accounts with proper authorization
Background check of employees and proper termination process
  Insiders with a criminal background and terminated employees are easy targets for procuring information
Proper incident response system
  There should be proper guidelines for reacting in case of a social engineering attempt

Policies and Procedures


Policy is the most critical component of any information security program
Good policies and procedures are ineffective if they are not taught and reinforced among the employees
Their importance needs to be emphasized to employees. After receiving training, the employee should sign a statement acknowledging that they understand the policies

Security Policies - Checklist


Account setup
Password change policy
Help desk procedures
Access privileges
Violations
Employee identification
Privacy policy
Paper documents
Modems
Physical access restrictions
Virus control

What Happened Next?


Read the PDF document at the URL link below. You will be shocked!
Source: Department of Treasury, Washington D.C.
http://www.treasury.gov/tigta/auditreports/2005reports/200520042fr.pdf

Summary
Social Engineering is the human side of breaking into a corporate network
Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider
Human-based social engineering refers to person-to-person interaction to retrieve the desired information
Computer-based social engineering refers to having computer software that attempts to retrieve the desired information
A successful defense depends on having good policies and their diligent implementation

Phishing Attacks and Identity Theft
Hacking News

What is Phishing?
A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as a credit card, bank account or Social Security number
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials
(adapted from "fishing" for information)

Phishing News
Source courtesy: http://news.com.com/Yahoo+adds+phishing+shield/2100-1029_3-6108330.html?tag=nefd.top

Phishing Report
Source: http://anti-phishing.org/
Phishing Report (contd)
Source: http://anti-phishing.org/

Attacks
Phishing is the most common corporate identity theft scam today
It usually involves an e-mail message asking consumers to update their personal information, with a link to a spoofed website
To give their schemes a legitimate look and feel, fraudsters commonly steal well-known corporate identities, product names, and logos
It is easy to construct authentic-looking websites for email scams

Phishing Example (PayPal)
Phishing Example (PayPal)
Phishing Example (MSN)
Phishing Example (MSN) (contd)
Phishing Example (Visa)
Phishing Example (Visa) (contd)

Hidden Frames
Frames provide a popular method of hiding attack content
They have uniform browser support and an easy coding style
The attacker defines HTML code using two frames
The first frame contains the legitimate site URL information, while the second frame, occupying 0% of the browser interface, has malicious code running

Hidden Frames Example
<html>
  <head>
    <title>Frame Based Exploit Example</title>
  </head>
  <body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
    <!-- first frame: the legitimate-looking site the visitor expects to see -->
    <iframe src="http://www.yahoo.com" width="100%" height="150" frameborder="0"></iframe>
    <!-- second frame: the content the attacker actually wants loaded -->
    <iframe src="http://www.msn.com" width="100%" height="350" frameborder="0"></iframe>
  </body>
</html>

Hidden Frames Example (contd)
In the example, MSN is displayed in a second frame within the master frame showing Yahoo

URL Obfuscation
Using strings: uses a credible-sounding text string within the URL
  Example: http://XX.XX.78.45/ebay/account_update/now.asp
Using the @ sign: this kind of syntax is normally used for websites that require some authentication. The left side of the @ sign is ignored, and the domain name or IP address on the right side of the @ sign is treated as the real destination (@ can be replaced with its URL-encoded form, %40)
  Example: http://www.citybank.com/[email protected]/usb/process.asp
Status bar tricks: the URL is so long that it cannot be completely displayed in the status bar. Often combined with the @ trick so that the fraudulent URL is at the end and not displayed
  Example: http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&[email protected]/verified_by_visa.html

URL Obfuscation (contd)
Similar name tricks: these kinds of tricks use a credible-sounding, but fraudulent, domain name
Examples:
  http://www.ebay-support.com/verify
  http://www.citybank-secure.com/login
  http://www.suntrustbank.com
  http://www.amex-corp.com
  http://www.fedex-security.com

URL Encoding Techniques


URLs are encoded to disguise their true value using hex, dword, or octal encoding
Sometimes @ is used in the disguise
Sometimes the @ sign is replaced with %40
Example:
  http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33
  which translates into 220.68.214.213
  http://www.paypal.com%40570754567
  which translates into 34.5.6.7

IP Address to Base 10 Formula


To convert 66.46.55.116 to base 10 the formula is:
  66 × 256^3 + 46 × 256^2 + 55 × 256^1 + 116 = 1110325108
After conversion, test it by pinging 1110325108 in the command prompt
Exercise: Convert your classroom gateway IP address to base 10
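The @-sign, %40 and dword/hex/octal host tricks from the URL Obfuscation and URL Encoding slides, together with the base-10 conversion above, worked through in code so a link checker can report where a URL really goes. This is an added example, not EC-Council's material; the function names (real_host, canonical_host, dotted_to_dword, dword_to_dotted) are ours, and the sample URLs are the slides' own illustrative values plus one ordinary link.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the two obfuscated URLs from the URL Encoding
# slide plus one ordinary link for comparison.
SAMPLE_URLS = [
    "http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33",
    "http://www.paypal.com%40570754567",
    "http://www.ebay.com/signin",
]


def dotted_to_dword(ip):
    """The slide's formula: 66.46.55.116 -> 66*256^3 + 46*256^2 + 55*256 + 116."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    value = 0
    for octet in octets:
        value = value * 256 + octet
    return value


def dword_to_dotted(value):
    """Inverse of dotted_to_dword: 1110325108 -> '66.46.55.116'."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("dword out of IPv4 range: %r" % value)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _parse_octet(text):
    # Decimal, hex (0x..) or octal (leading 0) octet, the encodings the slide names.
    if text.startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def canonical_host(host):
    """Rewrite dword / hex / octal host spellings as dotted-decimal; names pass through."""
    h = host.lower()
    if re.fullmatch(r"\d+", h) and int(h) <= 0xFFFFFFFF:      # dword: 570754567
        return dword_to_dotted(int(h))
    if re.fullmatch(r"0x[0-9a-f]{1,8}", h):                   # hex dword: 0x22050607
        return dword_to_dotted(int(h[2:], 16))
    parts = h.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"0x[0-9a-f]+|\d+", p) for p in parts):
        try:
            octets = [_parse_octet(p) for p in parts]         # per-octet encodings
        except ValueError:                                     # e.g. "08" is not octal
            return h
        if all(0 <= o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
    return h


def real_host(url):
    """Where a link really goes once the @ / %40 and encoding tricks are undone.

    Returns {"decoy": text left of the @ (None if absent),
             "host": the canonical destination host,
             "obfuscated": True when any of the tricks was present}.
    """
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    decoded = unquote(authority)            # %40 -> @, %32%32%30 -> 220, ...
    decoy = None
    hostport = decoded
    if "@" in decoded:
        # Everything before the last @ is userinfo and is ignored by the
        # browser; the real destination is what follows it.
        decoy, hostport = decoded.rsplit("@", 1)
    host = re.sub(r":\d+$", "", hostport)   # drop an explicit port, if any
    canonical = canonical_host(host)
    obfuscated = decoy is not None or decoded != authority or canonical != host.lower()
    return {"decoy": decoy, "host": canonical, "obfuscated": obfuscated}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", real_host(u))
```

The example goes slightly beyond the slides by also folding hex and octal octets back to dotted-decimal, so a single check covers every encoding the URL Encoding slide names.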

Karen's URL Discombobulator
It can determine the IP address(es) associated with any valid domain name
It can also form URLs referencing that computer, using several URL-encoding techniques
Source courtesy: http://www.karenware.com/powertools/ptlookup.asp

Screenshot 1
Screenshot 2

HTML Image Mapping Techniques


The URL is actually a part of an image, which uses map coordinates to define the click area and the real URL, while the fake URL from the <A> tag is also displayed
Example:
<html>
  <head>
    <title>CEH Demo</title>
  </head>
  <body>
    <!-- the image is what the user sees; the map below decides where a click goes -->
    <img src="file:///C:/SOMEIMAGE.jpg" width="440" height="356" border="0" usemap="#Map">
    <map name="Map">
      <area shape="rect" coords="146,50,300,84" href="http://certifiedhacker.com">
    </map>
  </body>
</html>

Fake Browser Address Bars
This is a fake address bar
Fake Toolbars
This is a fake toolbar
Fake Status Bar
Fake status bar with a padlock button

DNS Cache Poisoning Attack


This type of attack is based on a simple convention of IP address to host resolution
Here is how it works:
  Every system has a hosts file in its system directory. In the case of Windows, this file resides at the following location: C:\WINDOWS\system32\drivers\etc
  This file can be used to hard-code domain name translations

Example of a Normal Hosts File under a DNS Poisoning Attack:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
XX.XX.XX.XX     Citibank.com

In the above example XX.XX.XX.XX depicts the IP address of the hacker's server, which is hosting a fake login screen for the legitimate domain of www.citibank.com
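A small audit of the hosts file described above, added here as an example and not part of the course material: it parses the file and reports every entry that points a name other than localhost at a routable address, which is exactly what the poisoned Citibank.com line looks like. The sample file, the 192.0.2.10 placeholder standing in for the slide's XX.XX.XX.XX, and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file: the stock Windows header comments plus one
# poisoned entry. 192.0.2.10 is a documentation-range placeholder for the
# attacker's server address (the slide's XX.XX.XX.XX).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
192.0.2.10      citibank.com   www.citibank.com
"""

# Names a stock hosts file legitimately maps to the loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip, [names]) for every mapping line; comments and junk are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # a trailing '# comment' is allowed
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first column is not an address
        entries.append((line_no, ip, [n.lower() for n in fields[1:]]))
    return entries


def suspicious_entries(text):
    """Entries that send a non-loopback name to a real address.

    127.0.0.1 / ::1 localhost and 0.0.0.0 sinkhole lines are normal; any other
    name hard-coded to a routable address bypasses DNS and deserves a look
    (internal LAN entries will show up too, so keep an allow-list for those).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        hijacked = [n for n in names if n not in LOOPBACK_NAMES]
        if hijacked:
            findings.append({"line": line_no, "ip": str(ip), "names": hijacked})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (f["line"], ", ".join(f["names"]), f["ip"]))
```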

http://www.scandoo.com
Scandoo scans all search results to protect the user from visiting websites that spread malicious viruses or spyware, and from viewing offensive content

Identity Theft
What is Identity Theft?
Identity theft occurs when someone steals your name and other personal information for fraudulent purposes
How do you steal Identity?
How to Steal Identity?
Original identity: Steven Charles
Address: San Diego CA 92130

STEP 1
Get hold of Steven's telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing

STEP 2
~ Go to the Driving License Authority
~ Tell them you lost your driver's license
~ They will ask you for proof of identity like a water bill and electricity bill
~ Show them the stolen bills
~ Tell them you have moved from the original address
~ The department employee will ask you to complete 2 forms: 1 for replacement of the driver's license and the 2nd for a change in address
~ You will need a photo for the driver's license


STEP 3
~ Your replacement driver's license will be issued to your new home address
~ Now you are ready to have some serious fun


Comparison
~ Original
~ Identity Theft
~ Same name: Steven Charles


STEP 4
~ Go to a bank in which the original Steven Charles has an account (Example: Citibank)
~ Tell them you would like to apply for a new credit card
~ Tell them you don't remember the account number, and ask them to look it up using Steven's name and address
~ The bank will ask for your ID: Show them your driver's license as ID
~ ID is accepted. Your credit card is issued and ready for use
~ Let's go shopping


Fake Steven has a New Credit Card
~ The fake Steven visits Wal-Mart and purchases a 42" plasma TV and state-of-the-art Bose speakers
~ The fake Steven buys a Vertu Gold Phone worth USD 20K


Fake Steven Buys Car
~ The fake Steven walks into a store and applies for a car loan; minutes later he is driving a new Audi
~ Present your driver's license as a form of ID
~ The loan officer does the credit check, and it comes out clean since the original Steven has a clean credit history


Real Steven Gets Huge Credit Card Statement USD 40k
~ Ahhh!!! Somebody stole my identity!!


What Else... Oh My God!
~ Fake Steven can apply for a new passport
~ Fake Steven can apply for a new bank account
~ Fake Steven can shut down your utility services
~ FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL
~ Scary eh?


One bit of personal information is all someone needs to steal your identity


Identity Theft - Serious Problem
~ Identity theft is a serious problem
~ The number of violations has continued to increase
~ Securing personal information in the workplace and at home, and looking over credit card reports are just a few of the ways to minimize the risk of identity theft


http://www.consumer.gov/idtheft/


Nigerian Scam
~ The scam started with a bulk email or bulk faxing of a number of identical letters to businessmen, professionals, and other people who tend to have greater-than-average wealth
~ The Nigerian scammers tried to make their potential victims think that they were going to scam the Nigerian Government, the Central Bank of Nigeria, and so on when, in fact, they were going to scam the recipients of the letters. The plan was to charge them to get in on the scam, or the portion of the scam for which they were willing to pay to make it work


Nigerian Scam Letters


Countermeasures
~ Be suspicious of any email with urgent requests for personal financial information
~ Do not use the links in an email to get to any web page if you suspect the message might not be authentic
~ Call the company on the telephone, or log onto the website directly by typing the web address into your browser
~ Avoid filling out forms in an email that ask for personal financial information
~ Always ensure that you are using a secure website when submitting credit card or other sensitive information via a web browser


