ZEROTHCODE


What is Social Engineering?

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.

While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for information gathering, fraud, or computer system access; in most cases, the attacker never comes face-to-face with the victim.


“Social engineering” as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick.

The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

Some Examples of Social Engineering

Example 1: You receive an e-mail whose sender claims to be the manager of, or someone acting on behalf of, your bank's support department.

In the message, he says that the Internet Banking service is having a problem and that this problem can be corrected if you run the application attached to the message.

When run, this application presents a screen similar to the one you use to access your bank account, waiting for you to type your password.

The application is designed to steal the password for your bank account and send it to the attacker.

Example 2: You receive an e-mail saying that your computer is infected by a virus.

The message suggests that you install a tool available on an Internet site, to eliminate the virus from your computer.

The real function of this tool is not to eliminate a virus but to give someone else access to your computer and all the data stored on it.

Example 3: A stranger calls your house and says he is from your ISP's technical support.

During the call, he says that your Internet connection is having a problem and asks for your password in order to fix it.

If you give your password, this so-called technician can perform a multitude of malicious activities using your Internet access account, and those activities will be attributed to your name.

Practical Examples:

Retail Paging Systems

———————

Wal-Mart store phones have marked buttons for the paging system.

Wal-Mart is the exception, not the rule. So how do you get on the paging system to have a little fun when you’re bored out of your mind shopping with your girlfriend?

Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op.

The key here is to become a harried employee, saying something similar to…”This is Bill in shoes. What’s the paging extension?”

More often than not, you’ll get the extension without another word. Now, get some by saying something sweet over the intercom.

Airport White Courtesy Phones

—————————–

Imagine you’ve already been stripped searched and you’re waiting for your delayed flight.

Naturally, you gravitate to a phone. Is it white? Then you’ve got a free call right in front of you.

Just pick up to get the op. “This is Bill at Southwest, Gate A5.

We’re swamped and our phones are tied. Can I get an outside line?”

If the phone does not have DTMF, or the op wants to dial the call for you, do not call a number related to you.

Hotels

——

Hotels hold such promise. Some hotels have voice mail for each room, guests receiving a PIN when they check-in.

Hotels also have “guest” phones; phones outside of rooms that connect only to rooms or the front desk. Pick up a guest phone, make like a friendly guest and say, “I forgot my PIN. Could I get it again?

Room XXX.” Knowing the registered name of the target room helps, for the Hotel and Restaurant Management Degree Program graduate may ask for it.

Do not follow through with the next social engineering example. Or, like the author, try it on a friend. Go to the front desk and tell the attendant that you’ve locked your key (card) in the laundromat, in your room, lost it, etc.

Do not try this with the attendant that checked you in. And again, do not enter someone’s room without permission.

Calling Technical Support

————————-

So you’ve found a new-fangled computerized phone and you want to learn more about it.

Do the same thing you do when you have trouble with your AOL – call tech support. First, do a little planning

(after getting the tech support number off of the phone or the web).

Get some info on the phone, like phone number, model number, other identifying numbers, etc.

Also, know the name of the facility in which the phone is located. Now that you’ve got some ammo, you’re ready to make the call.

Posing as an employee of the facility, call tech support and make up a problem for the phone you’ve identified.

Act a little dumb and be apologetic, acting like you don’t want to waste their time.

All the while, pumping them for information – “I hate to bug you for this, but

<insert problem here>.”

<You’ll get some info from tech support here.>

<Build on what you’ve learned and curiously ask another question.>

And so on until you reach the point where you can feel that it’s time to end the call.

Occasionally acting amazed at their knowledge may be helpful.

Methods of Social Engineering

Phishing

Phishing is a technique of fraudulently obtaining private information.

Typically, the phisher sends an e-mail that appears to come from a legitimate business —

a bank, or credit card company — requesting “verification” of information and warning of some dire consequence if it is not provided.

The e-mail usually contains a link to a fraudulent web page that seems legitimate —

with company logos and content — and has a form requesting everything from a home address to an ATM card’s PIN.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had).

Because it is relatively simple to make a Web site resemble a legitimate organization’s site by mimicking the HTML code,

the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently,

were going to eBay’s site to update their account information.

By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
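The eBay scam above works because the e-mail's visible link text names the real site while the underlying href points to the fraudulent copy. The following checker, an added example that is not part of the original post, flags such mismatches in an HTML message; the sample e-mail and its domains are constructed for illustration.

```python
"""Flag links whose visible text names one domain (e.g. ebay.com) but whose
href host belongs to another. Sample e-mail below is constructed; the
domains in it are placeholders, not real phishing infrastructure."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches domain-like tokens (two or more dotted labels) inside link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registered_domain(host):
    # Crude approximation: keep the last two labels (fine for .com/.net style names).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text) pairs where a domain named in the text differs from the href host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if any(registered_domain(d) != registered_domain(host) for d in DOMAIN_RE.findall(text)):
            flagged.append((href, text))
    return flagged

SAMPLE_MAIL = """<p>Your account will be suspended. Please
<a href="http://update-account.example.net/ebay">http://www.ebay.com/update</a>
or visit <a href="https://www.ebay.com/help">eBay Help</a>.</p>"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_MAIL):
        print(f"MISMATCH: text says {text!r} but link goes to {href}")
```

Only the first link is reported: its text says ebay.com while the href host resolves to example.net; the second link's text and href agree.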


Vishing or Phone Phishing:

This technique uses an Interactive Voice Response (IVR) system to recreate a legit sounding copy of a bank or other institution’s IVR system.

The victim is prompted to call into the “bank” via a phone number provided to “verify” information.

Baiting

Baiting is like a real-world Trojan Horse: it uses physical media and relies on the curiosity or greed of the victim.

In this attack, the attacker leaves a malware-infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.

Quid pro quo

Quid pro quo means something for something:

* An attacker calls random numbers at a company claiming to be calling back from technical support.

Eventually, they will hit someone with a legitimate problem, grateful that someone is calling back to help them.

The attacker will “help” solve the problem and in the process have the user type commands that give the attacker access or launch malware.

* In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.

Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they did not attempt to validate the passwords.
