Ingeniería social/en

From FdIwiki ELP

Introduction

"You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk." Kevin Mitnick.

What is Social Engineering?

Social Engineering consists of manipulating people in order to make them "voluntarily" perform actions that they would not normally carry out. This could be the simplest, lowest-risk and most effective attack for an attacker to perform. The attacker can rely on employees' ignorance of security measures to obtain information for his benefit; the same applies to anyone related to the target.

The attacker might disguise himself as an angry executive who demands access to certain information using threats and a display of "power" such as "DON'T YOU KNOW WHO I AM?", or, on the other hand, pretend to be a pitiful and whimpering colleague, pleading for certain information that he needs before the sun goes down or he will be fired. Either way, he can obtain the desired information from people who are unaware of these attacks.

Whenever suspicion arises, it is best to notify our superiors and colleagues and, in general, to stay cautious when we are asked for information or feel coerced.

This curious term encompasses all the possible tricks, ruses and baits designed to confuse the target or, even worse, to make the target severely compromise the integrity of his security systems.

How To Combat Social Engineering

The best way to be protected is to be informed and aware. It is crucial to educate everyone who works near the workstations, from operators to cleaning staff. Use an antivirus to analyze all incoming emails. Never disclose technical details of our network over any communications system, nor employees' personal information such as names. Control physical access to all workstations, and put security policies in place at the operating system level.

Techniques

- Intruders pretending to be employees from a different department within the company, personnel from an external IT contractor, or a telephone or internet operator from an external company.

- Emails sent pretending to be from another person or organisation; they may include click-bait texts or appealing attachments.

- Users that use online forums and chats as a tool to gain access to specific information or sensitive files related to the target system, or any other relevant information related to the configuration and security measures set in place to protect the computer systems; by disgruntled employees, for example.

- "Shoulder surfing": spying on users to obtain their username and password by directly watching what they type into the PC.

- "Dumpster diving": checking the rubbish for physical files that have not been disposed of properly.

- Setting up malicious websites that try to trick their users, e.g. windowsupdate.microsft.com

- "Baiting", an attacker purposefully abandons a storage device, for example, a "Memory Stick" or CD/DVD. This device will be infected with malicious software, designed to install itself on our computer, even without us knowing.

- "Piggybacking" refers to tagging along with someone who has clearance to access a restricted area.
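
A mail or web filter can catch lookalike hostnames such as the windowsupdate.microsft.com example in the list above by comparing each hostname's registrable domain with an allowlist using an edit distance. The following is an added example, not part of the original wiki page; the allowlist, the sample hostnames and all function names are assumptions.

```python
# Added example (not from the wiki page): flag lookalike hostnames.
# Assumed allowlist of domains the organisation really uses.
TRUSTED = {"microsoft.com", "google.com"}

# Constructed sample input; the first entry is the lookalike quoted on the page.
SAMPLE_HOSTS = [
    "windowsupdate.microsft.com",
    "windowsupdate.microsoft.com",
    "intranet.example.org",
]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def registrable(host):
    """Last two labels only (simplification; production code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, trusted=TRUSTED, max_distance=2):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    for name in sorted(trusted):
        if osa_distance(domain, name) <= max_distance:
            return ("lookalike", name)
    return ("unknown", None)

def scan(hosts):
    """Map each hostname to its verdict so a mail or proxy filter can act on it."""
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS).items():
        print(f"{host:32} {verdict}")
```

A "lookalike" verdict is a reason to block or quarantine the link and report it, while "unknown" only means the domain is neither allowlisted nor close to an allowlisted name.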

Examples

1. Advance-fee scam

This is a type of fraud and one of the most common types of "Confidence Trick" ([1]): it involves promising the victim a large sum of money in return for a small sum of money. We will use the "Nigerian Prince Scam" as an example; this modern scam is an evolution of the 18th Century "Spanish Prisoner Scam" ([2]). Who hasn't dreamt of receiving money from a rich distant relative? This is the idea that entices people to hand over a small amount of money; many variants exist, of course. Online versions of the scam originate primarily in the United States, the United Kingdom and Nigeria, with Ivory Coast, Togo, South Africa, Benin, the Netherlands, and Spain also having high incidences of such fraud. The scam messages often claim to originate in Nigeria, but usually this is not true. The number "419" refers to the section of the Nigerian Criminal Code dealing with fraud, the charges and penalties for offenders.

2. Scams related to Celebrity Deaths

There are many cases where cybercriminals use people's fame to attract users into clicking on dubious links; these criminals take advantage of a celebrity's death or even fake it. Some examples include the false deaths of the singer Ricardo Arjona and the F1 driver Michael Schumacher, or the rumour that Michael Jackson was alive, along with 2Pac, Biggie and Bob Marley.


3. Pics and Videos of Famous people

Many celebrities were victims of a hacker or hackers who leaked private and sensitive photos, amongst them Jennifer Lawrence, Ariana Grande, Rihanna, Kate Upton and Kim Kardashian. This event last year was known as Celebgate, and it is not the only example (the Fappening 1 & 2). As a consequence, many different types of files became available "containing these pictures"; of course, that was the mask. Our region was not an exception: here, in Spain, Shakira was the subject of a campaign on Facebook where a fake intimate video was released claiming that Shakira had engaged publicly in an act of indecency. Soon after, another supposed video appeared that claimed to prove a hidden romance between her and Alexis Sanchez (Barca football player).

Related Video

- https://www.youtube.com/watch?v=xDdVnRHO3CE


Sources

[Intro]

[Piggybacking]

[Advanced-Fee scam]