1
00:00:07,040 --> 00:00:08,450
- Let's go over a few

2
00:00:08,450 --> 00:00:12,260
social engineering techniques.

3
00:00:12,260 --> 00:00:14,470
The first one that I want to go over

4
00:00:14,470 --> 00:00:18,263
is phishing and spear phishing.

5
00:00:22,760 --> 00:00:25,000
Which are still some of the most

6
00:00:25,000 --> 00:00:27,390
effective social engineering campaigns

7
00:00:27,390 --> 00:00:28,863
that we see nowadays.

8
00:00:30,810 --> 00:00:32,230
Now, starting with phishing.

9
00:00:32,230 --> 00:00:34,800
Phishing is basically whenever an attacker

10
00:00:34,800 --> 00:00:38,770
sends a piece of email to a user

11
00:00:38,770 --> 00:00:42,120
and basically it presents that user, potentially,

12
00:00:42,120 --> 00:00:44,810
with some information that can be

13
00:00:44,810 --> 00:00:46,760
attractive enough to convince them

14
00:00:46,760 --> 00:00:48,280
to follow a malicious link

15
00:00:48,280 --> 00:00:49,950
or click on an attachment.

16
00:00:49,950 --> 00:00:51,200
And then from there the attacker

17
00:00:51,200 --> 00:00:52,870
can compromise their system.

18
00:00:52,870 --> 00:00:55,860
Now, spear phishing is a similar technique,

19
00:00:55,860 --> 00:00:57,310
but in this case,

20
00:00:57,310 --> 00:00:59,320
the email attempt is actually constructed

21
00:00:59,320 --> 00:01:02,606
in a very specific way and directly targeted

22
00:01:02,606 --> 00:01:06,710
to a specific individual or specific company.

23
00:01:06,710 --> 00:01:08,140
For example, let's take a look

24
00:01:08,140 --> 00:01:10,740
at this spear phishing email

25
00:01:10,740 --> 00:01:12,360
that I have in front of your screen, right?

26
00:01:12,360 --> 00:01:15,460
So this is where an attacker

27
00:01:15,460 --> 00:01:17,780
knows a little bit more about the victim.

28
00:01:17,780 --> 00:01:20,060
And in this case, the victim

29
00:01:20,060 --> 00:01:22,260
is Omar, is myself, right?

30
00:01:22,260 --> 00:01:24,990
And that the attacker is spoofing

31
00:01:24,990 --> 00:01:28,100
an email address from Chris Cleveland,

32
00:01:28,100 --> 00:01:30,930
which is an editor from Pearson.

33
00:01:30,930 --> 00:01:34,770
And that attacker already knows that I am working

34
00:01:34,770 --> 00:01:37,910
on a chapter for a book that I'm writing

35
00:01:37,910 --> 00:01:41,170
and then it impersonates Chris

36
00:01:41,170 --> 00:01:43,570
and basically sends an email saying, "Hey, Omar,

37
00:01:43,570 --> 00:01:46,830
I actually found a few errors

38
00:01:46,830 --> 00:01:50,760
in Chapter 8 in your next book."

39
00:01:50,760 --> 00:01:51,827
And of course, you know,

40
00:01:51,827 --> 00:01:53,640
"Please find the edits and the attachment

41
00:01:53,640 --> 00:01:55,180
of this document."

42
00:01:55,180 --> 00:01:56,597
And then is asking me to,

43
00:01:56,597 --> 00:01:58,130
"Kindly confirm and advise."

44
00:01:58,130 --> 00:02:01,413
And of course that email has an attachment

45
00:02:01,413 --> 00:02:03,700
that is called chapter 8

46
00:02:03,700 --> 00:02:06,750
and that has a PDF that probably has

47
00:02:06,750 --> 00:02:08,760
some type of payload that it

48
00:02:08,760 --> 00:02:10,710
probably takes advantage of

49
00:02:10,710 --> 00:02:12,120
either a zero-day vulnerability

50
00:02:12,120 --> 00:02:13,840
or some known vulnerability.

51
00:02:13,840 --> 00:02:15,720
And if I double click on that attachment,

52
00:02:15,720 --> 00:02:18,210
it can actually, you know, execute that payload.

53
00:02:18,210 --> 00:02:19,570
And then, you know, the sky's the limit,

54
00:02:19,570 --> 00:02:21,420
the attacker can do many different things.

55
00:02:21,420 --> 00:02:23,440
Redirect me to malicious sites,

56
00:02:23,440 --> 00:02:25,860
put a back door in my system,

57
00:02:25,860 --> 00:02:28,180
establish a command and control communication,

58
00:02:28,180 --> 00:02:29,520
manipulate the system,

59
00:02:29,520 --> 00:02:33,220
further steal information and so on.

60
00:02:33,220 --> 00:02:35,710
The next concept that I want to cover

61
00:02:35,710 --> 00:02:37,510
is a term called whaling.

62
00:02:37,510 --> 00:02:39,410
And basically whaling

63
00:02:39,410 --> 00:02:41,620
is similar to phishing and spear phishing.

64
00:02:41,620 --> 00:02:44,470
But in this case, the attacker

65
00:02:44,470 --> 00:02:47,440
targets high profile business executives

66
00:02:47,440 --> 00:02:49,750
and key individuals of a corporation.

67
00:02:49,750 --> 00:02:52,630
So if you think about a whale, right, a fish

68
00:02:52,630 --> 00:02:54,870
this is actually the term referring

69
00:02:54,870 --> 00:02:57,490
to the attacker, targeting

70
00:02:57,490 --> 00:03:00,290
a big fish of a corporation.

71
00:03:00,290 --> 00:03:03,390
So a big, high profile, you know,

72
00:03:03,390 --> 00:03:06,203
key individual within their corporation as well.

73
00:03:07,078 --> 00:03:09,380
So a high profile and

74
00:03:09,380 --> 00:03:11,363
key individual of a corporation.

75
00:03:12,290 --> 00:03:14,490
The next concept that I want to cover

76
00:03:14,490 --> 00:03:16,010
is called vishing.

77
00:03:16,010 --> 00:03:19,250
And this social engineering technique is whenever

78
00:03:19,250 --> 00:03:22,660
an attacker basically carries out

79
00:03:22,660 --> 00:03:25,320
the social engineering campaign

80
00:03:25,320 --> 00:03:28,472
over a voice conversation, over the phone, right.

81
00:03:28,472 --> 00:03:29,870
Then the attacker, of course,

82
00:03:29,870 --> 00:03:32,800
persuades the user to reveal private information,

83
00:03:32,800 --> 00:03:36,370
probably financial information or any other details

84
00:03:36,370 --> 00:03:39,320
about a person or a company or, you know,

85
00:03:39,320 --> 00:03:40,930
whatever the attacker is actually after.

86
00:03:40,930 --> 00:03:42,740
Whether it's stealing credit card numbers,

87
00:03:42,740 --> 00:03:45,034
social security numbers, information about

88
00:03:45,034 --> 00:03:48,460
key individuals of their organization and so on.

89
00:03:48,460 --> 00:03:51,950
So that is vishing or voice phishing.

90
00:03:51,950 --> 00:03:53,740
Now there's another social engineering technique

91
00:03:53,740 --> 00:03:56,260
called short message service

92
00:03:56,260 --> 00:03:58,821
or SMS phishing, right?

93
00:03:58,821 --> 00:04:02,140
SMS phishing is basically whenever an attacker

94
00:04:02,140 --> 00:04:04,070
finds different ways, other than email,

95
00:04:04,070 --> 00:04:07,570
in this case using SMS, or text messages

96
00:04:07,570 --> 00:04:10,080
to actually send either malware or

97
00:04:10,080 --> 00:04:13,080
malicious links to mobile devices.

98
00:04:13,080 --> 00:04:15,420
One example of SMS phishing

99
00:04:15,420 --> 00:04:20,270
is the typical Bitcoin related SMS scams,

100
00:04:20,270 --> 00:04:23,210
or text messages, that we get all the time, right,

101
00:04:23,210 --> 00:04:26,640
or messages, you know, related to

102
00:04:26,640 --> 00:04:29,010
potentially a package that you're waiting from

103
00:04:29,010 --> 00:04:31,620
a specific company that you buy,

104
00:04:31,620 --> 00:04:32,830
you know, many things from like

105
00:04:32,830 --> 00:04:34,650
Amazon and so on, right?

106
00:04:34,650 --> 00:04:36,660
And then, you know, from there

107
00:04:36,660 --> 00:04:39,610
they may present a link that will

108
00:04:39,610 --> 00:04:41,290
redirect you to a malicious site

109
00:04:41,290 --> 00:04:43,833
and steal different types of information.

110
00:04:44,920 --> 00:04:47,490
Another way that many pen testers and attackers

111
00:04:47,490 --> 00:04:50,620
have successfully compromised many systems

112
00:04:50,620 --> 00:04:53,080
is by just leaving USB sticks,

113
00:04:53,080 --> 00:04:57,410
sometimes referred to as USB keys or pen drives,

114
00:04:57,410 --> 00:04:58,980
basically leaving them unattended

115
00:04:58,980 --> 00:05:01,960
and placing them in some strategic locations.

116
00:05:01,960 --> 00:05:05,480
And often even personalizing a little bit

117
00:05:05,480 --> 00:05:10,190
of the attack by putting the USB key in a key chain.

118
00:05:10,190 --> 00:05:12,130
And then in the same key chain,

119
00:05:12,130 --> 00:05:13,230
probably putting a couple of,

120
00:05:13,230 --> 00:05:14,910
you know, random keys

121
00:05:14,910 --> 00:05:16,940
like physical keys for a door

122
00:05:16,940 --> 00:05:19,500
and probably even pictures of

123
00:05:19,500 --> 00:05:22,485
like a cat or a dog, or even labeling them

124
00:05:22,485 --> 00:05:25,320
saying, you know, "pictures from my vacation

125
00:05:25,320 --> 00:05:26,390
at the beach", right.

126
00:05:26,390 --> 00:05:29,230
Or "bikini pictures" or "photo shoot".

127
00:05:29,230 --> 00:05:31,480
And then the naive user that

128
00:05:31,480 --> 00:05:33,300
just wants to make sure

129
00:05:33,300 --> 00:05:34,890
that he or she, you know, wants to actually

130
00:05:34,890 --> 00:05:37,830
try to find out who the USB key belongs to.

131
00:05:37,830 --> 00:05:41,660
Then it puts that USB key into their PC.

132
00:05:41,660 --> 00:05:42,773
And then from there,

133
00:05:43,750 --> 00:05:45,470
the attacker can potentially, you know,

134
00:05:45,470 --> 00:05:47,950
execute some code, you know, some type of payload

135
00:05:47,950 --> 00:05:49,603
and then compromise their system.

136
00:05:50,490 --> 00:05:53,100
Another social engineering attack type

137
00:05:53,100 --> 00:05:55,890
is the watering hole attack.

138
00:05:55,890 --> 00:05:58,150
And basically this is a targeted attack

139
00:05:58,150 --> 00:06:00,750
but basically takes place whenever the attacker

140
00:06:00,750 --> 00:06:04,530
profiles the websites, and

141
00:06:04,530 --> 00:06:06,380
these are legitimate websites that the

142
00:06:06,380 --> 00:06:09,940
intended victim typically accesses, right.

143
00:06:09,940 --> 00:06:11,670
Then, the attacker can

144
00:06:11,670 --> 00:06:13,150
potentially scan those websites

145
00:06:13,150 --> 00:06:15,010
for potential vulnerabilities.

146
00:06:15,010 --> 00:06:16,170
And if the attacker locates

147
00:06:16,170 --> 00:06:17,860
some type of vulnerability

148
00:06:17,860 --> 00:06:20,020
like a cross-site request forgery,

149
00:06:20,020 --> 00:06:21,810
cross-site scripting,

150
00:06:21,810 --> 00:06:23,990
and probably inject some malicious JavaScript

151
00:06:23,990 --> 00:06:27,140
or any other similar, you know, code injection

152
00:06:27,140 --> 00:06:29,870
that is designed to redirect the user

153
00:06:29,870 --> 00:06:31,740
to a malicious site and of course, you know,

154
00:06:31,740 --> 00:06:34,400
that way the attacker can then

155
00:06:34,400 --> 00:06:35,540
do many different things.

156
00:06:35,540 --> 00:06:38,450
Steal cookies, or session IDs

157
00:06:38,450 --> 00:06:40,950
from the user's browser.

158
00:06:40,950 --> 00:06:43,230
It can, you know, of course manipulate the user

159
00:06:43,230 --> 00:06:44,890
to reveal additional information,

160
00:06:44,890 --> 00:06:47,260
install malware and, you know,

161
00:06:47,260 --> 00:06:49,860
many different other ways that the attacker can

162
00:06:49,860 --> 00:06:52,029
potentially compromise data or

163
00:06:52,029 --> 00:06:55,493
the victim's system, as well.

164
00:06:56,550 --> 00:06:58,060
Now, another thing to highlight is that

165
00:06:58,060 --> 00:07:00,170
all these attacks can be done

166
00:07:00,170 --> 00:07:01,870
by an external attacker.

167
00:07:01,870 --> 00:07:04,080
That means, an attacker that is external

168
00:07:04,080 --> 00:07:06,410
to your organization but

169
00:07:06,410 --> 00:07:10,410
they can also be carried out by insiders.

170
00:07:10,410 --> 00:07:12,641
And the insider threat is extremely

171
00:07:12,641 --> 00:07:15,280
relevant nowadays, a lot of attacks start

172
00:07:15,280 --> 00:07:17,690
from the inside and in the next lesson,

173
00:07:17,690 --> 00:07:19,130
we'll take a look at

174
00:07:19,130 --> 00:07:22,103
a few pointers related to that insider threat.