Trung Pham Duy - October 2023

Introduction

Presenter: Trung Pham Duy
Email: duytrung.tcu@gmail.com
Slides is published at slides.nauda.dev

Weakest link in cybersecurity systems

“Humans are the weakest link in cybersecurity systems”
- Unlike technology and processes, people are both predictable and unpredictable .
- They think for themselves and make their own decisions.
- Decisions can be good and other times bad ones, sometimes rational, other times irrational.

Cybercriminals loves chaos

“Adversaries love chaos, and this was a time of chaos.”

COVID-19 pandemic has shifted a variety of everyday activities onto platforms on the Internet, increase in the presence of people on the Internet is almost never preceded by education about cybersecurity.
- Also, making chilren potential targets for child-specific attacks.

Cybercriminals loves chaos (2)

Covid-19 imposed a wide range of threats in the realm of cybersecurity.

Economic Hardship
Fear and Uncertainty
Remote Healthcare Services
COVID-19 Themed Scams

Cybercrime, especially Social engineering attacks, increases after the COVID-19 pandemic.

The COVID-19 pandemic had a significant impact on cybercrime, leading to various consequences in the realm of cybersecurity. Here are some of the key consequences related to cybercrime during the pandemic:

Fear and Uncertainty: The pandemic created a climate of fear and uncertainty, which makes people more susceptible to social engineering tactics. Attackers often use fear or urgency to manipulate victims into taking action without thinking rationally.

Lack of Cybersecurity Training: Many individuals and organizations were unprepared for the sudden shift to remote work, leading to inadequate cybersecurity measures and a lack of awareness about social engineering tactics.

COVID-19 Themed Scams: Attackers capitalized on the pandemic by sending phishing emails, text messages, and social media messages with COVID-19-related lures, such as fake health advisories, vaccine offers, and financial relief scams. These exploited people’s fear and desire for information.

Isolation and Loneliness: The pandemic led to social isolation, making people more susceptible to social engineering attacks, as they may be more willing to engage with strangers or provide personal information to combat feelings of loneliness.

Economic Hardship: Many people faced financial difficulties during the pandemic. Attackers preyed on these vulnerabilities with financial scams, such as investment schemes or job offers, which appeared more enticing to those in need.

Remote Healthcare Services: The healthcare sector also moved more services online, which presented new opportunities for attackers to impersonate healthcare providers, exploit patient trust, and obtain sensitive medical information.

What is SE?

Social engineering (SE) is a manipulation technique that exploits human error to gain private information, access, or valuables.

“Any act that influences a person to take an action that may or may not be in their best interest” (Christopher Hadnagy, Social Engineering: The Science of Human Hacking. 2nd ed. Hoboken, NJ: Wiley Publishing, 2018).

What is SE? (2)

SE is a blend of science, psychology, and art. While it is amazing and complex, it is also very simple.
These “human hacking” scams tend to lure unsuspecting users into
- Exposing data.
- Spreading malware infections.
- Giving access to restricted systems.

What is SE? (3)

Scams based on social engineering are built around how people think and act.
SE attacks are especially useful for manipulating a user’s behavior.
- Once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user effectively.

What is SE? (4)

Hackers also try to exploit a user’s lack of knowledge.
- Thanks to the speed of technology, many consumers and employees aren’t aware of certain threats like drive-by downloads.

Drive by download attacks specifically refer to malicious programs that install to your devices — without your consent.

What is SE? (5)

Users also may not realize the full value of personal data, like their phone number.
As a result, many users are unsure how to best protect themselves and their information.

What is SE? (6)

What Is Social Engineering? from Social-Engineer on Vimeo.

SE Goals

Sabotage: Disrupting or corrupting data to cause harm or inconvenience.
Theft: Obtaining valuables like information, access, or money.

How SE work

Most social engineering attacks rely on actual communication between attackers and victims.

The attacker tends to motivate the user into compromising themselves, rather than using brute force methods to breach your data.

How SE work (2) - SE attack cycle

The attack cycle gives these criminals a reliable process for deceiving you.

Prepare by gathering background information on you or a larger group you are a part of.
Infiltrate by establishing a relationship or initiating an interaction, started by building trust.
Exploit the victim once trust and a weakness are established to advance the attack.
Disengage once the user has taken the desired action.

How SE work (3) - SE attack cycle

This process can take place in:
- A single email
- Over months in a series of social media chats.
- A face-to-face interaction
Beware of social engineering as a means of confusion.
- Few pieces of information can give hackers access to multiple networks and accounts.

How SE work (3) - A common scenario

By masquerading as legitimate users to IT support personnel, they grab your private details — like name, date of birth or address.
From there, it’s a simple matter to reset passwords and gain almost unlimited access.
They can steal money, disperse social engineering malware.

Traits of SE Attacks

Social engineering attacks center around the attacker’s use of persuasion and confidence.
When exposed to these tactics, you are more likely to take actions you otherwise wouldn’t.

Traits of SE Attacks (2) - Heightened emotions

Emotional manipulation gives attackers the upper hand in an any interaction.
- You are far more likely to take irrational or risky actions when in an enhanced emotional state.

Fear, Excitement, Curiosity, Anger, Guilt, Sadness

Traits of SE Attacks (3) - Urgency

Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal.
You may be motivated to compromise yourself under the guise of a serious problem that needs immediate attention.
Alternatively, you may be exposed to a prize or reward that may disappear if you do not act quickly.
Either approach overrides your critical thinking ability.

Traits of SE Attacks (4) - Trust

Believability is invaluable and essential to a social engineering attack.
Since the attacker is ultimately lying to you, confidence plays an important role here.
- They’ve done enough research on you to craft a narrative that’s easy to believe and unlikely to rouse suspicion.

Traits of SE Attacks (5) - Trust (2)

In some cases, attackers use more simplistic methods of social engineering to gain network or computer access.
For example, a hacker might frequent the public food court of a large office building and “shoulder surf” users working on their tablets or laptops.
- Doing so can result in a large number of passwords and usernames, all without sending an email or writing a line of virus code.

Types of SE Attacks

Almost every type of cybersecurity attack contains some kind of social engineering. For example, the classic email and virus scams are laden with social overtones.
Social engineering can impact you digitally through mobile attacks in addition to desktop devices.

Types of SE Attacks (2)

However, you can just as easily be faced with a threat in-person.

Phishing Attacks

Phishing attackers pretend to be a trusted institution or individual in an attempt to persuade you to expose personal data and other valuables.
1. Spam phishing, or mass phishing, is a widespread attack aimed at many users. These attacks are non-personalized and try to catch any unsuspecting person.
2. Spear phishing and by extension, whaling , use personalized info to target particular users.

Phishing Attacks (2)

Phishing Methods - Voice phishing

Voice phishing (vishing) phone calls may be automated message systems recording all your inputs.
Sometimes, a live person might speak with you to increase trust and urgency.

Phishing Methods - SMS phishing

SMS phishing (smishing) texts or mobile app messages might include a web link or a prompt to follow-up via a fraudulent email or phone number.

Phishing Methods - Email phishing

Email phishing is the most traditional means of phishing, using an email urging you to reply or follow-up by other means. Web links, phone numbers, or malware attachments can be used.

Phishing Methods - Angler phishing

Angler phishing takes place on social media, where an attacker imitates a trusted company’s customer service team.
- They intercept your communications with a brand to hijack and divert your conversation into private messages, where they then advance the attack.

Phishing Methods - Search engine phishing

Search engine phishing attempt to place links to fake websites at the top of search results.
- These may be paid ads or use legitimate optimization methods to manipulate search rankings.

Phishing Methods - URL phishing

URL phishing links tempt you to travel to phishing websites.
- These links are commonly delivered in emails, texts, social media messages, and online ads.
- Attacks hide links in hyperlinked text or buttons, using link-shortening tools, or deceptively spelled URLs.

Phishing Methods - In-session phishing

In-session phishing appears as an interruption to your normal web browsing. For example, you may see such as fake login pop-ups for pages you’re currently visiting.

Baiting Attacks

Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker.
- Typically, potential for something free or exclusive is the manipulation used to exploit you.
- The attack usually involves infecting you with malware.

Baiting Methods

USB drives left in public spaces, like libraries and parking lots.
Email attachments including details on a free offer, or fraudulent free software.

Physical Breach Attacks

Physical breaches involve attackers appearing in-person, posing as someone legitimate to gain access to otherwise unauthorized areas or information, most common in enterprise environments, such as governments, army, businesses, or other organizations.
- Attackers may pretend to be a representative of a known, trusted vendor for the company.
  - Some attackers may even be recently fired employees with a vendetta against their former employer.

Pretexting Attacks

Pretexting uses a deceptive identity as the “pretext” for establishing trust, such as directly impersonating a vendor or a facility employee.
- This approach requires the attacker to interact with you more proactively. The exploit follows once they’ve convinced you they are legitimate.

Access Tailgating Attacks

Tailgating , or piggybacking, is the act of trailing an authorized staff member into a restricted-access area. Attackers may play on social courtesy to get you to hold the door for them or convince you that they are also authorized to be in the area.

Quid Pro Quo Attacks

Quid pro quo is a term roughly meaning “a favor for a favor,”.
The exploit comes from getting you excited for something valuable that comes with a low investment on your end. However, the attacker simply takes your data with no reward for you.

Dumpster diving attacks

Dumpster diving is a social engineering attack whereby a person searches a company’s trash to find information, such as passwords or access codes written on sticky notes or scraps of paper, that could be used to infiltrate the organization’s network.

Other attacks

DNS Spoofing: manipulates your browser and web servers to travel to malicious websites when you enter a legitimate URL.
Cache Poisoning Attacks specifically infect your device with routing instructions for the legitimate URL or multiple URLs to connect to fraudulent websites.

Other attacks (2)

Scareware Attacks is a form of malware used to frighten you into taking an action. This deceptive malware uses alarming warnings that report fake malware infections or claim one of your accounts has been compromised.
Watering Hole Attacks look for existing vulnerabilities that are not known and patched — such weaknesses are deemed zero-day exploits.

Other attacks (3)

Fax-based phishing.

Traditional mail malware distribution

Other attacks (4) - Simple unusual attack

Simple Social Engineering Trick with a phone call and crying baby

Examples - Trojan horse

Examples - Frank Abagnale

Used various tactics to impersonate at least eight people, including an airline pilot, a doctor and a lawyer.

Examples - Worm Attacks

The cybercriminal will aim to attract the user’s attention to the link or infected file – and then get the user to click on it.
- The Loveletter worm that overloaded many companies’ email servers in 2000

The virus arrives in an email with the subject line of “ILOVEYOU” with an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs” that people were encouraged to open. The message body is “kindly check the attached LOVELETTER coming from me.” The sender line will be the address it was sent from. The user must download and execute the worm by clicking on it.

The Loveletter worm, memorable for its “LOVE-LETTER-FOR-YOU” attachment and “ILOVEYOU” subject line, was one of the early worms to gain a great deal of media attention. It was also one of the first to reportedly reach a multi-billion dollar damage toll.

When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows_system_folder and WIN32DLL.VBS in the Windows directory. It creates its own key named MSKernel32 under the Local machine registry key that causes programs to run and adds the value MSKERNEL32.VBS to it. It also create a new Local Machine RunServices key named Win32DLL and adds WIN32DLL.VBS as a value to it, so it will run when the system boots, before the user even logs on.

Examples - Kevin Mitnick

Mitnick called Motorola, then convinced a Motorola employee that he was a colleague and persuaded that worker to send him the source code for the MicroTAC Ultra Lite, the company’s new flip phone.

Once known as “the world’s most wanted hacker,” Kevin Mitnick persuaded a Motorola worker to give him the source code for the MicroTAC Ultra Lite, the company’s new flip phone. It was 1992, and Mitnick, who was on the run from police, was living in Denver under an assumed name. At the time, he was concerned about being tracked by the federal government. To conceal his location from authorities, Mitnick used the source code to hack the Motorola MicroTAC Ultra Lite and then sought to change the phone’s identifying data or turn off the ability for cellphone towers to connect to the phone.

To obtain the source code for the device, Mitnick called Motorola and was connected to the department working on it. He then convinced a Motorola employee that he was a colleague and persuaded that worker to send him the source code. Mitnick was ultimately arrested and served five years for hacking. Today, he is a multimillionaire and the author of a number of books on hacking and security. A sought-after speaker, Mitnick also runs cybersecurity company Mitnick Security.

Examples - RSA Data breach

An attacker sent two different phishing emails over two days to small groups of RSA employees.
- The emails had the subject line “2011 Recruitment Plan” attaching an Excel file attachment contained malicious code that, once the file was opened, installed a backdoor through an Adobe Flash vulnerability.
- RSA’s SecurID two-factor authentication (2FA) system was compromised, and the company spent approximately $66 million recovering from the attack.

How to spot

Defending against social engineering requires you to practice self-awareness. Always slow down and think before doing anything or responding.
Attackers expect you to take action before considering the risks, which means you should do the opposite.

How to spot (2)

Some questions to ask yourself if you suspect an attack:

Are my emotions heightened?
Did this message come from a legitimate sender?
Did my friend actually send this message to me?
Does the website I’m on have odd details?
Does this offer sound too good to be true?
Attachments or links suspicious?
Can this person prove their identity?

Are my emotions heightened? When you’re especially curious, fearful, or excited, you’re less likely to evaluate the consequences of your actions. In fact, you probably will not consider the legitimacy of the situation presented to you. Consider this a red flag if your emotional state is elevated.
Did this message come from a legitimate sender? Inspect email addresses and social media profiles carefully when getting a suspect message. There may be characters that mimic others, such as “torn@example.com” instead of “tom@example.com.” Fake social media profiles that duplicate your friend’s picture and other details are also common.
Did my friend actually send this message to me? It’s always good to ask the sender if they were the true sender of the message in question. Whether it was a coworker or another person in your life, ask them in-person or via a phone call if possible. They may be hacked and not know, or someone may be impersonating their accounts.
Does the website I’m on have odd details? Irregularities in the URL, poor image quality, old or incorrect company logos, and webpage typos can all be red flags of a fraudulent website. If you enter a spoofed website, be sure to leave immediately.
Does this offer sound too good to be true? In the case of giveaways or other targeting methods, offers are a strong motivation to drive a social engineering attack forward. You should consider why someone is offering you something of value for little gain on their end. Be wary at all times because even basic data like your email address can be harvested and sold to unsavory advertisers.
Attachments or links suspicious? If a link or file name appears vague or odd in a message, reconsider the authenticity of the whole communication. Also, consider if the message itself was sent in an odd context, time, or raises any other red flags.
Can this person prove their identity? If you cannot get this person to verify their identity with the organization, they claim to be a part of, do not allow them the access they are asking for. This applies both in-person and online, as physical breaches require that you overlook the attacker’s identity.

How to Prevent

Beyond spotting an attack, you can also be proactive about your privacy and security. Knowing how to prevent social engineering attacks is incredibly important for all mobile and computer users.

How to Prevent (2) - Safe Communication and Account Management Habits

Never click on links in any emails or messages.
Use multi-factor authentication.
Use strong passwords (and a password manager).
Avoid sharing names of your schools, pets, place of birth, or other personal details.
Be very cautious of building online-only friendships.

Never click on links in any emails or messages . You’ll want to always manually type a URL into your address bar, regardless of the sender. However, take the extra step of investigating to find an official version of the URL in question. Never engage with any URL you have not verified as official or legitimate.

Use multi-factor authentication. Online accounts are much safer when using more than just a password to protect them. Multi-factor authentication adds extra layers to verify your identity upon account login. These “factors” can include biometrics like fingerprint or facial recognition, or temporary passcodes sent via text message.

Use strong passwords (and a password manager). Each of your passwords should be unique and complex. Aim to use diverse character types, including uppercase, numbers, and symbols. Also, you will probably want to opt for longer passwords when possible. To help you manage all your custom passwords, you might want to use a password manager to safely store and remember them.

Avoid sharing names of your schools, pets, place of birth, or other personal details. You could be unknowingly exposing answers to your security questions or parts of your password. If you set up your security questions to be memorable but inaccurate, you’ll make it harder for a criminal to crack your account. If your first car was a “Toyota,” writing a lie like “clown car” instead could completely throw off any prying hackers.

Be very cautious of building online-only friendships. While the internet can be a great way to connect with people worldwide, this is a common method for social engineering attacks. Watch for tells and red flags that indicate manipulation or a clear abuse of trust.

How to Prevent (3) - Safe Network Use Habits

Never let strangers connect to your primary Wi-Fi network.
Use a VPN.
Keep all network-connected devices and services secure.

Compromised online networks can be another point of vulnerability exploited for background research. To avoid having your data used against you, take protective measures for any network you’re connected to.

Never let strangers connect to your primary Wi-Fi network. At home or in the workplace, access to a guest Wi-Fi connection should be made available. This allows your main encrypted, password-secured connection to remain secure and interception-free. Should someone decide to “eavesdrop” for information, they won’t be able to access the activity you and others would like to keep private.

Use a VPN . In case someone on your main network — wired, wireless, or even cellular — finds a way to intercept traffic, a virtual private network (VPN) can keep them out. VPNs are services that give you a private, encrypted “tunnel” on any internet connection you use. Your connection is not only guarded from unwanted eyes, but your data is anonymized so it cannot be traced back to you via cookies or other means.

Keep all network-connected devices and services secure. Many people are aware of internet security practices for mobile and traditional computer devices. However, securing your network itself, in addition to all your smart devices and cloud services is just as important. Be sure to protect commonly overlooked devices like car infotainment systems and home network routers. Data breaches on these devices could fuel personalization for a social engineering scam.

How to Prevent (4) - Safe Device Use Habits

Use comprehensive internet security software.
Don’t ever leave your devices unsecured in public.
Keep all your software updated as soon as available.
Check for known data breaches of your online accounts.

Keeping your devices themselves is just as important as all your other digital behaviors. Protect your mobile phone, tablet, and other computer devices with the tips below:

Use comprehensive internet security software. In the event that social tactics are successful, malware infections are a common outcome. To combat rootkits, Trojans and other bots, it’s critical to employ a high-quality internet security solution that can both eliminate infections and help track their source.

Don’t ever leave your devices unsecured in public. Always lock your computer and mobile devices, especially at work. When using your devices in public spaces like airports and coffee shops, always keep them in your possession.

Keep all your software updated as soon as available. Immediate updates give your software essential security fixes. When you skip or delay updates to your operating system or apps, you are leaving known security holes exposed for hackers to target. Since they know this is a behavior of many computer and mobile users, you become a prime target for socially engineered malware attacks.

Check for known data breaches of your online accounts. Services like Kaspersky Security Cloud actively monitor new and existing data breaches for your email addresses. If your accounts are included in compromised data, you’ll receive a notification along with advice on how to take action.

Summary

Protection against social engineering starts with education.
- If all users are aware of the threats, our safety as a collective society will improve.
- Be sure to increase awareness of these risks by sharing what you’ve learned with your coworkers, family, and friends.