Social Engineering & Network/Website Attack Vectors – Comprehensive Class Notes

Exam Logistics & Question Types

  • Possible presence of both multiple-choice and PBQ (Performance-Based Question) formats.
  • Students must be able to (1) recognize an attack vector from a short description and (2) perform short practical tasks in a PBQ.

Foundational Definition: Phishing Family

  • Plain Phishing
    • Mass-mailed email that pretends to originate from a trustworthy entity.
    • Leverages time-pressure or authority ("I’m your manager—do X immediately").
    • Goal: harvest confidential data through links/forms.
  • Spear-Phishing
    • Targeted at a specific person, role, or department.
    • Requires pretexting & reconnaissance to craft believable context ("All Marketing staff—update survey").
  • Whaling
    • Sub-category of spear-phishing focused on C-Suite (“O’s”: CEO, CFO, CTO, etc.).
    • Motivation: executives usually possess broad administrative privileges.
  • Vishing
    • Voice-phishing conducted via telephone; same urgency/fear tactics ("Your package will be returned—call now").
  • Smishing
    • SMS/text-based phishing (e.g., “Hello, [wrong name]?”; any reply confirms to the sender that the number is live).
  • Quishing
    • New vector using QR codes. Attacker prints or overlays a malicious QR code linking to:
      • Credential-harvest site mimicking a brand (e.g., fake Taco Bell promo asking for PII).
      • Malware dropper or drive-by download.
    • Safety tip: avoid scanning public QR codes unless they are affixed by a trusted source.

Wireless Impersonation

  • Evil Twin AP
    • Attacker sets up a rogue Wi-Fi with SSID similar to legitimate hotspot but stronger signal; victims connect unknowingly.
    • Often accompanied by a deauthentication attack that forces devices to re-associate → victims select stronger rogue signal.
  • Relation to Spoofing: Evil Twin is a subtype (spoofing legitimate SSID/BSSID).
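As an added illustration (not part of the class notes), the check a wireless IDS or a site-survey script would run to spot the evil-twin pattern described above: the same SSID advertised by a BSSID that is not on the venue's allow-list, with a stronger signal and weaker security than the real AP. The scan records and the allow-list are constructed for the example.

```python
"""Added example: flag a likely evil-twin access point in a Wi-Fi scan.
The scan results and KNOWN_BSSIDS allow-list below are constructed."""
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, signal strength in dBm, security)
SCAN = [
    ("CoffeeShop-Guest", "aa:bb:cc:00:00:01", -67, "WPA2"),
    ("CoffeeShop-Guest", "de:ad:be:ef:00:02", -41, "OPEN"),   # unknown BSSID, louder, open
    ("Corp-Wifi",        "aa:bb:cc:00:00:10", -55, "WPA2"),
]

# Assumed allow-list of the venue's real APs (from the controller / site survey in practice)
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"}


def find_evil_twins(scan, known_bssids):
    """Return one alert dict per BSSID that advertises a known SSID but is not
    in the allow-list, with the reasons that make it look like an evil twin."""
    by_ssid = defaultdict(list)
    for ssid, bssid, rssi, security in scan:
        by_ssid[ssid].append((bssid, rssi, security))

    alerts = []
    for ssid, aps in by_ssid.items():
        legit = [ap for ap in aps if ap[0] in known_bssids]
        for bssid, rssi, security in aps:
            if bssid in known_bssids:
                continue
            reasons = ["BSSID not in allow-list"]
            # Evil twins rely on being the strongest signal so clients prefer them
            if legit and rssi > max(r for _, r, _ in legit):
                reasons.append("stronger signal than the legitimate AP")
            # A downgrade from WPA2 to open is typical: no PSK to guess
            if legit and security == "OPEN" and any(s != "OPEN" for _, _, s in legit):
                reasons.append("security downgraded to open")
            alerts.append({"ssid": ssid, "bssid": bssid, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_evil_twins(SCAN, KNOWN_BSSIDS):
        print(alert)
```

The allow-list is the key control: signal strength alone is a weak signal (a legitimate AP can also be close by), so the alert is only raised for BSSIDs the venue does not own.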

Spoofing (Umbrella Term)

  • Definition: Pretending to be something/someone you are not.
  • Can target:
    • IP address
    • MAC address
    • SSID / Wi-Fi beacon frames
    • Email headers (“From:” field)
  • Building block for most social-engineering or network-level attacks.
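Email-header spoofing is the form of spoofing most students will meet in a PBQ, so here is an added example (not from the notes) of the mail-gateway style check that catches it: compare the domain in the visible "From:" header against the envelope sender in Return-Path and the receiving server's Authentication-Results, and note the urgency wording the phishing section describes. Both messages are constructed samples; the urgency keyword list is an assumed heuristic.

```python
"""Added example: spot a spoofed 'From:' header in a constructed e-mail.
Messages below are made up; the urgency keyword list is an assumption."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From claims the company, envelope sender is elsewhere
SUSPICIOUS_MSG = """\
Return-Path: <bulk-4471@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example.net
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: URGENT: password expires today

Click the link below within 1 hour or lose access.
"""

# Constructed sample: internal mail where header, envelope and SPF all agree
LEGIT_MSG = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance Saturday

No action needed.
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "now")   # assumed heuristic


def domain_of(header_value):
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message):
    """Return the list of reasons the message looks spoofed; empty means clean."""
    msg = message_from_string(raw_message)
    reasons = []

    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    # The 'From:' field is free text the sender chooses; the envelope is what the MTA saw
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"From domain {from_domain!r} != envelope domain {envelope_domain!r}")

    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
        reasons.append("authentication failure reported by receiving MTA")

    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("urgency language in subject")
    return reasons


if __name__ == "__main__":
    print(spoof_indicators(SUSPICIOUS_MSG))   # three indicators fire
    print(spoof_indicators(LEGIT_MSG))        # []
```

The header/envelope mismatch is the technical tell; the urgency check only adds weight, since legitimate mail also says "today". Real gateways enforce the same logic through SPF, DKIM and DMARC policy rather than a keyword list.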

Threat Actor Location

  • External: hackers, crime groups, former employees operating off-site.
  • Internal (Insider):
    • Employee/contractor with legitimate access.
    • May be disgruntled or planted with malicious intent.
    • Dangerous because they know controls, schedules, and network topology.

Reconnaissance & Footprinting

  • Dumpster-diving, shoulder-surfing, open-source intelligence (OSINT) to gather hours, jargon, badge formats, etc.
  • Used to craft believable pretexts or choose the best attack window.

On-Path Attack (formerly “Man-in-the-Middle”)

  • Steps
    1. Attacker spoofs server address (IP/MAC) and positions self between user and destination.
    2. Victim believes TLS session/host is legitimate, continues workflow.
    3. Attacker transparently forwards traffic, reading/modifying packets.
  • Preventive controls: mutual authentication, certificate pinning, encrypted protocols, HSTS.

Denial of Service Spectrum

  • DoS (single source)
    • Could be low-tech: attacker unplugs fibre, flips breaker → service outage.
  • DDoS (Distributed)
    • Botnet (“zombies”) under Command-and-Control (C2) floods target with traffic or requests.
    • Example anecdote: manager used botnet to influence video-game skin voting (thousands of votes).
  • Accidental DoS – “Hug of Death”
    • Legit traffic overwhelms small site after media exposure (e.g., Super-Bowl ad drives 20 000+ users).
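An added example (not from the notes) of how a monitoring script separates the three cases above from access-log lines: a single source at very high rate is a DoS, many sources repeating the same request is the botnet pattern, and many sources browsing varied pages is what a "hug of death" looks like. The log lines, rates and thresholds are all constructed/assumed; the path-diversity test is a heuristic, not a definitive classifier.

```python
"""Added example: classify a traffic burst from constructed access-log lines.
Thresholds and the path-diversity heuristic are assumptions for the demo."""
from collections import Counter, defaultdict

WINDOW_SECONDS = 10   # every constructed burst spans a 10-second window


def make_burst(ips, per_ip, path_of):
    """Constructed log lines '<epoch> <client-ip> <path>' spread over the window."""
    return [f"{1000 + i % WINDOW_SECONDS} {ip} {path_of(i)}"
            for ip in ips for i in range(per_ip)]


SINGLE_SOURCE = make_burst(["203.0.113.9"], 5000, lambda i: "/login")
DISTRIBUTED = make_burst([f"198.51.100.{i}" for i in range(1, 201)], 30, lambda i: "/login")
FLASH_CROWD = make_burst([f"192.0.2.{i}" for i in range(1, 251)], 12, lambda i: f"/page{i}")
QUIET = make_burst(["192.0.2.1", "192.0.2.2"], 20, lambda i: f"/page{i}")


def classify_window(lines, window_seconds=WINDOW_SECONDS, rate_threshold=200.0,
                    top_share=0.8, path_diversity=1.5):
    """Return 'normal', 'DoS: ...', 'DDoS: ...' or 'flash crowd: ...' for the window."""
    per_source = Counter()
    paths = defaultdict(set)
    for line in lines:
        _ts, ip, path = line.split()
        per_source[ip] += 1
        paths[ip].add(path)

    total = sum(per_source.values())
    if total == 0 or total / window_seconds < rate_threshold:
        return "normal"

    # One client responsible for almost everything: single-source DoS
    top_ip, top_count = per_source.most_common(1)[0]
    if top_count / total >= top_share:
        return f"DoS: single source {top_ip}"

    # Many clients each hammering one URL is how a C2-driven botnet behaves;
    # real visitors wander across several pages (heuristic, not proof)
    avg_distinct_paths = sum(len(s) for s in paths.values()) / len(paths)
    if avg_distinct_paths <= path_diversity:
        return "DDoS: many sources, same request repeated"
    return "flash crowd: many sources browsing varied pages (possible hug of death)"


if __name__ == "__main__":
    for name, burst in [("single", SINGLE_SOURCE), ("distributed", DISTRIBUTED),
                        ("flash", FLASH_CROWD), ("quiet", QUIET)]:
        print(name, "->", classify_window(burst))
```

The practical point of the split is the response: a single source can be blocked at the firewall, a distributed flood needs upstream scrubbing or rate limiting, and a flash crowd is a capacity problem rather than an attack.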

Real-World Social-Engineering Case Study (Data-Center)

  1. Series of phone calls gathered names, ticket IDs, shift schedules.
  2. Final call: feigned PNC Bank outage → urged tech to "flip the breaker".
  3. Tech complied, powered off critical server; attacker hung up once goal met.
  4. Demonstrates multi-stage use of spear-phishing, footprinting, pretexting, fear/urgency.
  5. Lesson: never execute operational changes without formal verification, escalation chain, or change ticket.

Voice Scams Targeting Vulnerable Populations

  • Fraudster impersonates Sheriff, claims warrant for failure to register.
  • Demands payment via gift cards while keeping victim on phone.
  • Uses publicly available registry data for credibility.
  • Countermeasure: digital-literacy training; verification through official published channels.

Plain-Text vs Encrypted Credentials

  • Protocols like Telnet/FTP transmit username:password in clear text.
  • A free packet sniffer (Wireshark) will reveal these instantly.
  • Secure alternatives: SSH, SFTP, HTTPS which wrap data in encryption (TLS/SSH) preventing sniffing.
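An added example (not from the notes) showing concretely what "reveal these instantly" means and how a network monitor alerts on it: the FTP control channel carries USER and PASS as plain text lines, so a one-line regex over reassembled payloads recovers them, while the same login over TLS is opaque record bytes. Both sessions are constructed samples.

```python
"""Added example: detect credentials crossing the wire in clear text.
The FTP and TLS payloads below are constructed, not captured traffic."""
import re

# Constructed FTP control-channel payloads, as a sniffer would reassemble them
FTP_SESSION = [
    b"220 files.example.com FTP server ready\r\n",
    b"USER bob\r\n",
    b"331 Password required for bob\r\n",
    b"PASS hunter2\r\n",
    b"230 User bob logged in\r\n",
]

# Constructed: the same login over TLS shows only a record header plus ciphertext
TLS_SESSION = [bytes.fromhex("170303002a") + bytes(range(42))]

# FTP (and Telnet-style) login commands are literal text at the start of a line
CRED_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\r?\n$", re.IGNORECASE)


def extract_cleartext_creds(payloads):
    """Return {'USER': ..., 'PASS': ...} for whatever login commands appear in
    the payloads; an empty dict means nothing readable was found."""
    found = {}
    for payload in payloads:
        match = CRED_RE.match(payload)
        if match:
            found[match.group(1).upper().decode()] = match.group(2).decode()
    return found


def alert_for(session_name, payloads):
    """IDS-style verdict for a session: cleartext credentials or not."""
    creds = extract_cleartext_creds(payloads)
    if creds:
        return f"ALERT {session_name}: cleartext login for user {creds.get('USER', '?')!r}"
    return f"ok {session_name}: no readable credentials"


if __name__ == "__main__":
    print(alert_for("ftp", FTP_SESSION))
    print(alert_for("tls", TLS_SESSION))
```

A detection like this belongs on the monitoring side: flagging any USER/PASS on port 21 or Telnet on port 23 is a quick way to find legacy services that still need migrating to SFTP or SSH.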

Password-Cracking Techniques

  1. Dictionary Attack
    • Cycles through leaked/common passwords (e.g., "rockyou.txt" list: 14,000,000 entries; RockYou 2024: 10^10 entries).
  2. Brute-Force Attack
    • Generates every character permutation up to length n.
    • Complexity grows exponentially: T ∝ k^n, where k = charset size and n = password length.
  3. Protective Measures
    • Account lockout after N attempts.
    • Enforce password length & character diversity.
    • Salting + hashing to lengthen effective input.
    • MFA to render stolen password insufficient.
  4. Cracking Time Illustration (GPU-accelerated laboratory figures):
    • 8-char, lowercase only → “instant”.
    • 11-char, full charset (upper/lower/number/symbol) → ≈3 years.
    • 14-char, full charset → > 10^6 years (impractical).
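An added worked example (not from the notes) that carries the k^n arithmetic through for the three cases in the illustration and implements the protective measures from point 3: per-user salt, an iterated hash, and lockout after N failures. The guess rate is an assumption, so the absolute years will not match the lecture's GPU lab figures (which depend on the hash algorithm and hardware); what the example shows is how the ordering and the gap between 8, 11 and 14 characters follow from k^n.

```python
"""Added example: brute-force keyspace arithmetic plus the defensive side
(salted iterated hashing, lockout).  Guess rate and iteration count are
assumptions chosen for the demo."""
import hashlib
import hmac
import os

ASSUMED_GUESSES_PER_SECOND = 1e10          # assumption: GPU rig against a fast unsalted hash
SECONDS_PER_YEAR = 365 * 24 * 3600
CHARSETS = {"lowercase": 26, "lower+digits": 36, "full": 95}   # 95 printable ASCII chars
PBKDF2_ITERATIONS = 100_000                # kept low for the demo; follow current guidance in production


def keyspace(charset_size, length):
    """Number of candidates of exactly `length` characters: k^n."""
    return charset_size ** length


def worst_case_years(charset_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def cracking_table():
    """The lecture illustration's shape (8/11/14 chars per charset) at the assumed rate."""
    return {(name, n): worst_case_years(k, n)
            for name, k in CHARSETS.items() for n in (8, 11, 14)}


class PasswordStore:
    """Stores salted PBKDF2 digests and locks an account after max_attempts failures."""

    def __init__(self, max_attempts=5):
        self.records = {}       # user -> (salt, digest)
        self.failures = {}      # user -> consecutive failed logins
        self.max_attempts = max_attempts

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)   # fresh random salt per user: identical passwords hash differently
        self.records[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.max_attempts:
            return "locked"     # online guessing stops here regardless of the password
        salt, stored = self.records[user]
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


def salting_demo(password="Summer2024!"):
    """True when the same password registered for two users yields different digests."""
    store = PasswordStore()
    store.register("u1", password)
    store.register("u2", password)
    return store.records["u1"][1] != store.records["u2"][1]


if __name__ == "__main__":
    for (name, n), years in sorted(cracking_table().items()):
        print(f"{name:>13} {n:2d} chars: {years:.3g} years")
    print("salt makes digests differ:", salting_demo())
```

Two things the arithmetic makes visible: adding three characters at k = 95 multiplies the work by 95^3 (about 857,000), which is why the 11- and 14-character rows differ by so much; and the iteration count in the hash multiplies the attacker's cost per guess, which is the defender's lever when the password length cannot be controlled.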

Web-Application Attacks

  • Cross-Site Scripting (XSS)
    • Inject JavaScript into web page via unsanitized input fields (comments, search box).
    • Runs in victim’s browser under trusted site context → steals cookies, hijacks session, forces unwanted clicks.
    • Mitigations: output encoding, Content-Security-Policy (CSP), input validation.
  • SQL Injection (SQLi)
    • Attacker appends SQL code to input fields that the backend concatenates into SELECT/INSERT/DELETE/UPDATE commands.
    • Gains unauthorized data access or destructive capability.
    • Lab demonstration: when the input field accepts more than 5 characters, the attacker enters ' OR 1=1 -- to bypass authentication.
    • Mitigations: parameterized queries/prepared statements, least privilege DB accounts, input length restriction.
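An added example (not the course's lab code) that puts the vulnerable pattern next to its mitigation for both attacks in this section, using an in-memory SQLite table: string concatenation versus a parameterized query with the length restriction, and raw interpolation into HTML versus output encoding plus a CSP header. The table contents, the 64-character limit and the CSP value are assumptions; the ' OR 1=1 -- payload is the one quoted in the lab note.

```python
"""Added example: SQL injection and XSS, vulnerable form beside the fix.
User table, length limit and CSP value are constructed for the demo."""
import html
import sqlite3

MAX_USERNAME_LEN = 64   # assumed input-length restriction


def setup_db():
    """Constructed user table with one account; an in-memory DB so the demo is self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-of-alice-pw')")
    return conn


# --- SQL injection -------------------------------------------------------
def login_vulnerable(conn, username, password_hash):
    """Concatenates user input into the statement: ' OR 1=1 -- makes the WHERE clause always true."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    if len(username) > MAX_USERNAME_LEN:
        return False
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password_hash = ?",
                       (username, password_hash)).fetchone()
    return row is not None


# --- Cross-site scripting ------------------------------------------------
def render_comment_vulnerable(comment):
    """Interpolates the comment verbatim, so a <script> tag becomes live markup."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment):
    """Output encoding: <, >, &, quotes become entities and render as text."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# Assumed CSP value: inline scripts are refused even if encoding is missed somewhere
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR 1=1 --"
    print("vulnerable login bypassed:", login_vulnerable(db, payload, "anything"))
    print("safe login bypassed:      ", login_safe(db, payload, "anything"))
    xss = "<script>alert(1)</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

Note that the length restriction on its own is not a fix (the payload above is eleven characters); it is defence in depth on top of the parameterized query, exactly as the mitigations list orders them.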

Ethical Hacking & Education Examples

  • “Hacker Frogs” program trains kids (10+) in shell commands & ethical usage.
  • White-hat/penetration testers use same tools as adversaries but with authorization.
  • Jobs flourishing in cloud-DBA, SQL, and penetration testing arenas.

Practical & Ethical Takeaways

  • Always verify contact via independent channel (company website, published number) before acting on email/phone urgency.
  • Limit scanning of public QR codes; treat them as untrusted hyperlinks.
  • Implement least privilege and logging to detect insiders.
  • Provide digital-literacy training for high-risk populations (job seekers, newly released individuals).
  • Utilize multi-layered controls: technical (encryption, MFA), administrative (policies, change-management), and user education.