Social Engineering and Identity Theft Flashcards
Social Engineering Statistics and Scope
Email Volume and Security Risks
- Total annual email volume: .
- Daily email volume: .
- Approximately of all email is classified as spam or carries a virus.
Phishing Statistics
- Phishing represents of all socially based attacks.
- of individuals reported clicking links within phishing emails.
- Primary targets: Most common phishing attacks mimic financial institutions.
- In 2013, there were user-reported phishing attacks.
Vishing (Voice Phishing)
- In 2012, customers were targeted for phone fraud.
- In the first half of 2013, customers were targeted for phone fraud.
- Financial Impact: The average loss for a targeted business is per account.
Smishing (SMS Phishing)
- In 2012, of U.S. adults who send and receive text messages received mobile spam.
- Requests made by Smishers:
- ask the victim to click on a link.
- ask the victim to call a specific number.
- ask the victim to reply to the text.
Impersonation Data
- Medical Theft: In 2013 alone, there were victims of medical theft caused by websites impersonating medical providers.
- Data Vulnerability: of reported stolen assets were personal data.
- Victim Demographics: Average age of an impersonation victim is .
- Financial Loss: The average loss per victim is .
- Common Theft Location: The top place for a thief to operate is the work area.
Social Engineering (SE) Concepts and Behavioral Basis
Definition: Social Engineering is the art of convincing people to reveal confidential information.
Primary Targets:
- Help desk personnel.
- Technical support executives.
- System administrators.
The Human Element
- Social engineers rely on the fact that people are often unaware of the value of the information they possess and are careless about protecting it.
- Behaviors Vulnerable to Attack:
- Trust: The basic human nature of trust serves as the foundation for any SE attack.
- Ignorance: A lack of knowledge about SE techniques and their potential effects among a workforce.
- Fear: Victims may comply with requests out of fear of severe losses or repercussions for non-compliance.
- Greed: Attackers lure targets by promising "something for nothing."
- Moral Obligation: Targets are often asked for help and comply out of a desire to be helpful or a sense of duty.
Organizational Vulnerabilities and Attack Phases
Factors Making Companies Vulnerable:
- Insufficient security training for staff.
- Unregulated or unrestricted access to information.
- Complexity arising from having several distinct organizational units.
- A lack of formal security policies.
Efficacy of Social Engineering:
- Security policies are only as strong as their weakest link; humans are the most susceptible link in the chain.
- SE attempts are notoriously difficult to detect.
- There is no single method to ensure complete security from such attacks.
- No specific software or hardware exists that can fully defend against social engineering.
Phases in a Social Engineering Attack:
- Research on Target Company: Utilizing methods like dumpster diving, searching websites, and observing employees.
- Select Victim: Identifying vulnerable individuals, such as frustrated or disgruntled employees.
- Develop Relationship: Establishing a rapport with the selected employees.
- Exploit the Relationship: Collecting sensitive account details, financial information, and data regarding current technologies used by the firm.
Human-Based Social Engineering Techniques
- Impersonation: The most common human-based technique. Attackers pretend to be legitimate or authorized individuals (e.g., technicians, executives). This can occur in person or via phone/email.
- Eavesdropping: Unauthorized listening to conversations or reading of messages. This involves intercepting communication across telephone lines, email, or instant messaging.
- Shoulder Surfing: Using direct observation to steal passwords, PINs, or card numbers. It can be done from a distance using vision-enhancing devices like binoculars.
- Dumpster Diving: Searching through a target's trash for sensitive documents or information.
- Reverse Social Engineering: An attacker sets themselves up as an authority. The victim, believing the attacker can help, seeks them out and voluntarily provides the requested information. This usually involves three steps:
- Sabotage: The attacker causes (or fakes) a problem, such as a network or account outage.
- Marketing: The attacker advertises themselves as the person who can fix that problem.
- Tech Support: The victim contacts the attacker for help and, while being "supported," hands over credentials or other sensitive data.
- Piggybacking: An authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door (e.g., "I forgot my ID badge.").
- Tailgating: An unauthorized person (often wearing a fake ID) enters a secured area by closely following an authorized person through a key-access door.
Computer-Based and Mobile-Based Techniques
Computer-Based SE:
- Pop-up Windows: Windows that appear during web surfing asking for login or sign-in credentials.
- Hoax Letters: Emails warning users about non-existent viruses or worms to induce panic/action.
- Chain Letters: Emails offering gifts or money on the condition that the mail is forwarded to others.
- Instant Chat Messenger: Chatting with users to extract personal details like birth dates or maiden names.
- Spam Email: Unsolicited mail used to collect SSNs, financial data, and network information.
- Phishing: Illegitimate emails mimicking trustworthy sites to acquire account information.
- Spear Phishing: A targeted version of phishing aimed at specific individuals or small groups within an organization. It results in a much higher response rate than generic phishing.
Mobile-Based SE:
- Malicious Apps: Attackers publish apps with attractive features and names similar to popular apps on major stores to infect devices and steal credentials.
- Fake Security Applications (Workflow):
- Attacker infects the victim's PC.
- Victim logs into a bank account on the PC.
- Malware on the PC triggers a pop-up telling the victim to download a security app on their phone.
- Victim downloads the malicious mobile app.
- Attacker intercepts the second authentication factor (SMS) sent by the bank to the phone.
- SMS Fraud Case Study: A victim (Tracy) receives an "urgent" SMS that claims to come from her bank's security department. She calls the number provided, which reaches a recording that asks for her credit or debit card numbers, leading her to reveal sensitive data.
Insider Threats and Organizational Defense
Insider Attacks:
- They are easy to launch and difficult to prevent because the attacker already has legitimate access.
- Motivations:
- Spying: Competitors plant moles via job openings to steal secrets or damage the business.
- Revenge: A single disgruntled person can compromise an entire company.
- Prevention Strategies:
- Separation and rotation of duties.
- Principle of Least Privilege.
- Controlled access and strict logging/auditing.
- Formal legal policies.
- Archiving all critical data.
Targets and Specific Defense Strategies:
- Front Office/Help Desk: Threatened by eavesdropping/impersonation; defend by training staff NEVER to reveal passwords over the phone.
- Perimeter Security: Threatened by fake IDs/piggybacking; defend with strict badge, token, or biometric authentication.
- Office Area: Threatened by shoulder surfing/ingratiation; defend with best practices, checklists, and escorting all guests.
- Mail Room: Threatened by theft/forging; defend by locking and monitoring the room.
- Machine Room/Phone Closet: Threatened by equipment removal or protocol analyzers; defend by keeping rooms locked at all times and maintaining updated equipment inventories.
Social Networking Risks and Identity Theft
Social Networking Site (SNS) Risks:
- Impersonation: Attackers create accounts in others' names to extract information from friends and colleagues.
- Involuntary Data Leakage: Employees posting sensitive corporate data due to a lack of strong policy.
- Data Theft: SNS act as repositories of information vulnerable to exploitation.
- Network Vulnerability: Flaws/bugs in SNS platforms can expose the corporate network.
Identity Theft:
- Defined as the theft of personally identifiable information (Name, SSN, Credit Card Number, Driver's License) for fraudulent purposes.
- Attackers may use stolen identities to physically access facilities or impersonate employees.
Social Engineering Countermeasures
Policy and Procedure:
- Policies are only effective if taught and reinforced. Employees should sign acknowledgments of their understanding.
- Password Policies: Include periodic changes, complexity requirements, account lockout after repeated failed logins, and strict secrecy (passwords are never shared or disclosed over the phone).
- Physical Security Policies: ID cards, uniforms, visitor escorts, restricted access areas, and proper document shredding.
Training and Operations:
- Training: Comprehensive programs to increase awareness of SE techniques.
- Access Privileges: Clearly defined Guest, User, and Administrator accounts with appropriate authorizations.
- Information Classification: Categorize data (e.g., Top Secret, Proprietary, Internal Use, Public).
- Background Checks: Perform checks on new hires and implement proper termination processes for exiting employees.
- Technical Defenses: Use multi-layer Anti-Virus/Anti-Phishing at end-user and gateway levels. Use Two-Factor Authentication (2FA) for high-risk services like VPNs.
Detecting Phishing Emails (Red Flags):
- Generic greetings.
- Claims to be from a known contact or reputable company, but the actual sender address or Reply-To domain does not match the claimed organization.
- Creates a sense of urgency or threats.
- Grammatical or spelling errors.
- Contains spoofed links or malicious attachments.
- Offers that seem "too good to be true."
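The red flags above can be turned into a simple triage check that runs over a raw message. The following is an added example written for this page, not a tool from the original source: it parses an RFC 5322 message, looks for generic greetings, urgency wording, too-good-to-be-true offers, a Reply-To domain that differs from the From domain, anchors whose visible text shows one domain while the href goes to another (or to a raw IP), and attachments with risky extensions. The two messages it runs on are constructed samples, the keyword lists and the "two flags means likely phishing" threshold are assumptions, and the spelling check is a stand-in list rather than a real dictionary.

```python
# Added example (not from the page): heuristic scorer for the red flags listed
# above, run offline on two constructed messages. Keyword lists are assumptions.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
TOO_GOOD_PHRASES = ("you have won", "free gift", "claim your prize")
MISSPELLINGS = ("recieve", "acount", "verfiy")   # stand-in for a real dictionary check
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm")


class _Links(HTMLParser):
    """Collect visible text plus (href, anchor text) for every <a> in an HTML part."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, or of a bare 'www.example.com/path' anchor label."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _site(host):
    """Naive registrable domain (last two labels); sufficient for the samples here."""
    return ".".join(host.split(".")[-2:])


def phishing_red_flags(raw_message):
    """Return the list of red flags found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    flags = []
    from_site = _site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower())
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and _site(reply.rpartition("@")[2].lower()) != from_site:
        flags.append("Reply-To domain differs from From domain")

    text, links = [msg.get("Subject", "")], []
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky attachment " + part.get_filename())
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_type() == "text/html":
            p = _Links()
            p.feed(body)
            text.append("".join(p.text))
            links.extend(p.links)
        else:
            text.append(body)
    lowered = " ".join(text).lower()

    for label, words in (("generic greeting", GENERIC_GREETINGS),
                         ("urgency or threat", URGENCY_PHRASES),
                         ("too-good-to-be-true offer", TOO_GOOD_PHRASES),
                         ("spelling errors", MISSPELLINGS)):
        if any(w in lowered for w in words):
            flags.append(label)

    for href, anchor in links:
        target = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            flags.append("link to raw IP address " + target)
        # Anchor text that looks like a domain must agree with where the href really goes
        if re.search(r"\b[\w-]+\.[a-z]{2,}\b", anchor.lower()) and _site(_host(anchor)) != _site(target):
            flags.append(f"spoofed link: shows {anchor!r}, goes to {target}")
        elif _site(target) != from_site:
            flags.append("link leaves sender domain: " + target)
    return flags


def classify(raw_message, threshold=2):
    """Verdict plus evidence; the two-flag threshold is an assumption, tune it locally."""
    flags = phishing_red_flags(raw_message)
    return ("likely phishing" if len(flags) >= threshold else "no strong indicators"), flags


# Constructed samples (addresses and domains are made up for this example).
PHISHING_SAMPLE = """\
From: "ExampleBank Security" <alerts@examplebank-secure-login.net>
Reply-To: support@mail-verify.example
To: victim@example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Please verfiy your acount within 24 hours.</p>
<p><a href="http://198.51.100.23/login">www.examplebank.com/verify</a></p></body></html>
"""

BENIGN_SAMPLE = """\
From: "Alice Chen" <alice@example.com>
To: bob@example.com
Subject: Notes from today's meeting
Content-Type: text/plain; charset=utf-8

Hi Bob, the notes are on the wiki under Projects/Q3. Let me know if I missed anything.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        verdict, evidence = classify(sample)
        print(verdict, evidence)
```

The spoofed-link check is the one most worth keeping even if everything else is replaced by a mail gateway: it compares the domain a user would read in the anchor text with the domain the href actually resolves to, which is exactly the mismatch a phishing email relies on the reader not noticing.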
Anti-Phishing Toolbars:
- Netcraft: Provides risk ratings and site reports.
- PhishTank: A collaborative clearinghouse for phishing data with an open API for developers.
Social Engineering Toolkit (SET):
- An open-source, Python-driven tool designed for penetration testing specifically around social engineering vectors.