Cyberwarfare & Social Engineering
Apr 08 2024
Feb 20 2023
The growing use of videoconferencing platforms and the various forms of remote work retained after the COVID emergency make interpersonal collaboration increasingly virtual. This scenario should push organizations to prepare adequately to recognize impersonation attempts based on social engineering, attacks which are becoming ever more sophisticated thanks to the rapid advancement of deepfake technology.
Deepfake technology: what is it?
The word deepfake, a combination of the terms “deep learning” and “fake,” refers to digital audio/video products created with artificial intelligence (AI) that can allow someone to impersonate an individual, in both likeness and voice, during a video conversation. This is done with deep learning methods such as the Generative Adversarial Network (GAN), a family of neural network models for machine learning designed to teach computers to process information by emulating the human brain.
Deepfake and phishing
The accessibility and effectiveness of deepfake technology have led cybercrime to use it for sophisticated social engineering attacks for the purpose of extortion, fraud, or to cause reputational damage. Consider the impact of a voice phishing attack that replicates the voices of a company’s stakeholders to persuade employees to take a series of actions that could harm security and privacy, or the effectiveness of a phone call with simulated voices for the purpose of convincing an employee to send funds to an offshore bank account.
Aggravating factors
Two further factors aggravate the situation. First, deepfake tools are offered as a service on clandestine web forums, making it easier and cheaper for criminal actors with limited technical skills to set up these fraud schemes. Second, the large number of images and videos posted by users of social media platforms provide ready material for deep learning algorithms to generate deepfake content.
Mitigation
Although there is still no simple and reliable way to detect deepfakes, some best practices can be adopted:
Outlook
Although technology will continue to evolve and it will become increasingly difficult to detect deepfakes, detection technologies will fortunately also improve. But the task for insiders wishing to protect themselves and their organizations from a variety of cyberattacks will be not only to keep abreast of evolving counter-techniques and implement them in a timely manner, but also, and most importantly, to raise awareness in their organizations by training employees of all ranks.
The human factor must always be considered as the first bastion of defense, even and especially against the most sophisticated cyber attacks.
About the author: Salvatore Lombardo
An electronics engineer and Clusit member, he has for some time been writing for several online magazines on information security, espousing the principle of conscious education. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
Twitter @Slvlombardo
Tags: deception, social engineering
Feb 09 2023
Social engineering is a technique used by cybercriminals who exploit human weaknesses. It involves various techniques, all of which rely on manipulating human psychology.
Threat actors rely especially on social engineering to obtain sensitive information from victims with little effort. A social engineering attack depends on building trust with the victim so that he or she never suspects anything when giving out personal information such as phone numbers, passwords, social security numbers, etc.
This technique has proved to be the most successful one when it comes to breaking into an organization’s network. Hackers can pose as an IT auditor or an external network administrator and gain access to a building without raising suspicion. Once inside the organization, they use other social engineering techniques to compromise its network.
One of the greatest weaknesses an organization can have is a lack of information security knowledge among its employees. This lack of cybersecurity knowledge gives hackers a great advantage when carrying out attacks that lead to data breaches in the organization.
There are many social engineering attacks that threat actors can use. Some of them are:
1. Phishing
2. Vishing
3. Spoofing
4. Tailgating
5. Quid pro quo
6. Baiting
Phishing is the simplest and most effective attack a hacker can use to steal credentials such as usernames, passwords, social security numbers, organization secrets, or credit card details. Sometimes phishing is also used to spread malware inside a network. In general, phishing involves social engineering as well as spoofing.
Vishing is similar to phishing, but involves calling the victim and pretending to be a legitimate caller. Once the victim believes the caller without suspicion, it is easy for the hacker to obtain sensitive information such as network structure, employee details, company account details, etc.
Spoofing is a type of attack where “what we see looks like the real thing, but it is not”. In terms of cyber security, spoofing is simply disguising oneself as a legitimate source in order to obtain sensitive information or gain access to something. By spoofing, an attacker can trick us into believing that he is the original source.
Tailgating, or piggybacking, is a technique threat actors use to enter an organization’s building. During this attack, the threat actor waits for an employee or other person to enter a place where access for outsiders is restricted, and follows them inside once they use their access card or key to open the door.
Quid pro quo is Latin for “a favor for a favor”. In this case, the hacker communicates with an employee of a company and offers them a deal: money in exchange for information, or anything else the employee might wish.
In most cases, money is the main motive. Hackers contact a current or former employee and ask them to hand over sensitive information such as administrator privileges, an administrator password, the network structure, or any other data they require, in exchange for whatever the employee wants.
Hackers convince employees to give away the information by making a personal deal with them. This is considered one of the most serious threats to an organization because the information is handed over intentionally by an employee.
As the word suggests, hackers create baits such as USB flash drives, CD-ROMs, floppy disks or card readers.
They create folders on the devices with names such as “Projects” or “Revised payrolls” of the organization and drop them in sensitive areas (elevators, rest rooms, cafeterias or parking lots) where employees are likely to pick them up.
Once an employee picks up the USB drive and inserts it into a computer, the script on the device runs and gives the hackers full control. This method of social engineering is called baiting.
Tags: Baiting, phishing, Quid pro quo, spoofing, tailgating, vishing
Dec 05 2022
Nov 14 2022
Social engineering – also known as human hacking – is an expression that encompasses a number of methods and vectors attackers use to manipulate targets into giving away or providing access to sensitive information, or generally performing actions that are against their best interest.
To effectively perform social engineering attacks, attackers exploit vulnerabilities in how humans react to specific situations.
The most important thing to keep in mind is that the overwhelming majority of humans have exploitable traits (to a lesser or higher degree), which means that anybody and everybody can be manipulated by social engineers.
This Help Net Security video talks about what social engineering is, how it can be performed, and how you can fight against it.
If you are interested in more information about how you can protect your organization, watch our recently published video, 3 ways enterprises can mitigate social engineering risks.
Tags: social engineering
Feb 21 2022
The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.
Cybercriminals target organizations of any size as well as individuals. In BEC attack scenarios, attackers pose as someone the targets trust, such as business partners, the CEO, executives, or service providers.
Scammers compromise legitimate business or personal email accounts through various means, such as social engineering or computer intrusion, in order to conduct unauthorized transfers of funds.
Crooks started using virtual meeting platforms because of the popularity these platforms gained during the pandemic.
The Public Service Announcement published by the FBI warns of a new technique adopted by scammers, who use virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.
“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.
Crooks use virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive business information.
Below are some of the examples provided by the FBI of how crooks use virtual meeting platforms:
Below are recommendations provided by the FBI:
Tags: CEO, scammers impersonate
Feb 02 2022
A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to Segurança Informática publication, the malicious waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.
In short, criminal groups are targeting victims in different countries to collect their home banking secrets and payment card data. The campaigns are carried out using social engineering schemes, namely smishing and spear-phishing through fake emails.
Criminals obtain lists of valid and tested phone numbers and email addresses from other malicious groups; this exchange takes place on underground forums, Telegram channels or Discord chats.
The spear-phishing campaigns try to lure victims with fake emails that impersonate banking institutions. The emails are extremely similar to the originals, except for their content, which mainly concerns debts or missed payments.
According to the analysis, the malicious campaign consists of a redirector system, capable of performing an initial screening to verify that the users’ requests are valid and expected. The system is equipped with a blacklisting mechanism and a logging feature that notifies criminals of new infections.
When the victim matches all the rules, several pathways are possible, each with a different landing page. Some of them only collect raw data, including home banking credentials, SMS tokens and bank codes. Alternatively, a well-structured C2 server can orchestrate the whole process in real time, simulating a flow extremely similar to the legitimate service.
As phishing and malware campaigns make headlines every day, monitoring these types of behaviors and IoCs is crucial to fighting this emerging segment, which has grown in both volume and sophistication.
Additional details about the investigation can be found here:
Social Engineering: The Science of Human Hacking
Tags: social engineering, Social Engineering: The Science of Human Hacking
Dec 08 2021
Kevin Mitnick – Pretexting – “Fake IT” Password Break-In
Breaking into a Bank – Kevin Mitnick demonstrates the Access Card Attack
Best of Kevin Mitnick: My Favorite Hack
The Art of Deception: Controlling the Human Element of Security
Tags: 22 Red Flags of Social Engineering, Kevin Mitnick, The Art of Deception
Aug 30 2021
When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.
Although women made up 42% of the sample, they account for 48% of the top safe users and only 26% of risky users. Men, on the other hand, account for 74% of risky users. A big driver of this difference is how men and women behave online.
According to SecurityAdvisor’s data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.
SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.
“Our partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,” SecurityAdvisor CEO Sai Venkataraman said. “Also, society tends to tolerate failures by dominant groups better, hence men don’t fear the consequences or fear consequences less.”
He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.
C-Level Executives are Prime Targets
Jul 06 2021
During COVID-19, threat actors used fear of the virus and hope of a vaccine to trick unwitting victims into downloading malware or giving up their credentials. It was a master class in social engineering, one that put an organization’s security posture at risk. Social engineering attacks like phishing take advantage of an employee’s awareness of basic cybersecurity best practices (or lack thereof), and the harder an employee falls for the scams, the greater the skepticism about the entire organization’s cybersecurity culture.
Although no one has come up with an industry standard definition of cybersecurity culture yet, Infosec explains that “a strong cybersecurity culture is based on employees willingly embracing and proactively using security best practices both professionally and personally.” And Infosec developed a framework, and fielded a survey, to help organizations quantify their cybersecurity culture, track changes over time and systematically measure results.
The study polled 1,000 working individuals to examine the collective approach of an organization’s security awareness and behaviors toward cybersecurity. “The results show employee beliefs toward cybersecurity vary widely, which can have a major impact on an organization’s security posture,” said Jack Koziol, CEO and founder at Infosec, in a formal statement.
Tags: Cybersecurity Culture
May 22 2021
Harden the human firewall against the most current threats
Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire―why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. The way that we make decisions as humans affects everything from our emotions to our security. Hackers, since the beginning of time, have figured out ways to exploit that decision making process and get you to take an action not in your best interest. This new Second Edition has been updated with the most current methods used by sharing stories, examples, and scientific study behind how those decisions are exploited.
Networks and systems can be hacked, but they can also be protected; when the “system” in question is a human being, there is no software to fall back on, no hardware upgrade, no code that can lock information down indefinitely. Human nature and emotion are the secret weapons of the malicious social engineer, and this book shows you how to recognize, predict, and prevent this type of manipulation by taking you inside the social engineer’s bag of tricks.
By working from the social engineer’s playbook, you gain the advantage of foresight that can help you protect yourself and others from even their best efforts. Social Engineering gives you the inside information you need to mount an unshakeable defense.
Feb 05 2021
Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees
Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.
On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote chat and video app.
The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering.
As a result, it is possible to spoof links, file names, file sizes, and shared contacts on thick clients, web sessions, and on mobile.
According to the researcher, tampering is possible by sending content you want to spoof, intercepting subsequent requests, and forwarding with modified code – such as by modifying href and key attributes, as well as by intercepting spoofed content and changing values such as OriginalName, FileSize, and file extensions.
When it comes to spoofing shared contacts, this can be achieved by sharing a contact, intercepting the request, and modifying either the display name or username which will, in turn, be reflected to the recipient.
The researcher also accidentally uncovered a means to crash a conversation on thick and web clients. If “too many” tags are added to the content value, this will render a chat session unresponsive and “fully inaccessible” for both an attacker and victim.
Jul 16 2020
You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions, by Ira Winkler and Dr. Tracy Celaya Brown. The Twitter hack and their “explanation” definitely showed why Ira’s next book with Tracy Celaya Brown is so critical. The fact that an admin was social engineered should be expected, with the results controlled.
Twitter: High-profile hacks were part of a ‘Coordinated Social Engineering Attack’
http://www.youtube.com/watch?v=Kp86OAYDw0Y
Tags: social engineering, Twitter Hack
Apr 24 2019
Social Engineering Red Flags
We recommend EVERYONE to review the 22 social engineering red flags to watch out for in any email. It might be a good idea to print out this PDF and pass it along to family, friends, and coworkers. Remember to always think before you click!
22 Red Flags PDF: https://blog.deurainfosec.com/wp-content/uploads/2019/04/22RedFlags.pdf
May 27 2012
Chris Hadnagy runs a website on the topic of social engineering and helped develop the Social Engineering Toolkit (SET). This topic and knowledge apply to every person who keeps sensitive information and every organization that wants to prevent private information from leaking into the public domain through people. If you are interested in learning the art of social engineering, this is an outstanding book.
Hadnagy recommends tools for storing the information you gather during target investigation. He covers Google hacks in this book and cites Johnny Long as a source. He covers pretexting (disguise), or “creating an invented scenario to persuade a target victim to release information or perform some action.” He provides preparation tools for the social engineer for the situation at hand and also warns you about legality if you are crossing the line. There is an important section on “Building Instant Rapport” which is an essential read. Hadnagy describes the power of persuasion to take over the target and provides eight tactics for influencing people.
“Social Engineering: The Art of Human Hacking”, by Chris Hadnagy, is a must-have book.
Discover the secrets of expert con men and human hackers
No matter how sophisticated your security equipment and procedures may be, their most easily exploitable aspect is, and has always been, the human infrastructure. The skilled, malicious social engineer is a weapon, nearly impossible to defend against.
This book covers, in detail, the world’s first framework for social engineering. It defines, explains, and dissects each principle, then illustrates it with true stories and case studies from masters such as Kevin Mitnick, renowned author of The Art of Deception. You will discover just what it takes to excel as a social engineer. Then you will know your enemy.
Learn the psychological principles employed by social engineers and how they’re used
Discover persuasion secrets that social engineers know well
See how the crafty crook takes advantage of cameras, GPS devices, and caller ID
Find out what information is, unbelievably, available online
Study real-world social engineering exploits step by step
Get your copy today Social Engineering: The Art of Human Hacking
Nov 01 2011
“MK-ULTRA” PSYCHOLOGICAL WARFARE
CIA Mind Control Operation MK-ULTRA, psychological warfare (mirrored). Documentary: The Most Dangerous Game. An interesting documentary on brainwashing and psychological warfare by the CIA.
http://www.youtube.com/watch?v=5ATYYqIrSI8
Psychological Warfare (WWII Era Reprint)
Mind Control: The Ancient Art of Psychological Warfare
Ideas as Weapons: Influence and Perception in Modern Warfare
Psychological Warfare and the New World Order: The Secret War Against the American People
Mar 03 2011
by Sandy Sidhu
Social media is hot. 140 characters is the way to communicate these days and it’s not unusual to hear someone say, “I have 3000 friends.”
We often hear about the success stories, but what about the unsuccessful ones?
Take Jonathan Emile, a Montreal-based hip-hop artist, who has made his living building a fan base online and uses Facebook to communicate with his 80,000 fans. Yeah, you read that right: 80,000.
You can imagine his frustration when last week he was unable to login to his account, leading him to believe his account had been hijacked, likely by a spammer, or a robot software program designed by a spammer. His suspicions were reinforced when he saw someone had used his name to post a link on his fan page site, that Emile said appeared to be malicious: either a virus or spam.
Despite contacting Facebook, he still has not been able to access his account.
So what can you learn from this?
• Make sure you have other ways to contact and connect with your fans/customers/subscribers, and so on
• Use strong passwords and change them regularly
• Don’t rely on a third-party platform to run the bulk of your business!
Facebook and other sites constantly change their Privacy Policies and access rules, not to mention the fact that they may not always be around (remember MySpace?).
Social networking is a great way to reach a new audience, but you have to make sure that you can still communicate with that audience through other means should anything go wrong. It is a good place to get people to interact with you/your company/brand, but you should also encourage your “fans” to either sign up for a newsletter, eBook, and so on, as a way to capture their information and ultimately drive them back to your site, which (hopefully) you own.
Dec 23 2010
“Social engineering” as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick
Social Engineering: The Art of Human Hacking
Christopher Hadnagy, Author
The first book to reveal and dissect the technical aspect of many social engineering maneuvers
From elicitation, pretexting, influence and manipulation, all aspects of social engineering are picked apart, discussed and explained using real-world examples, personal experience and the science behind them, to unravel the mystery of social engineering.
Kevin Mitnick—one of the most famous social engineers in the world—popularized the term “social engineering.” He explained that it is much easier to trick someone into revealing a password for a system than to exert the effort of hacking into the system. Mitnick claims that this social engineering tactic was the single-most effective method in his arsenal. This indispensable book examines a variety of maneuvers that are aimed at deceiving unsuspecting victims, while it also addresses ways to prevent social engineering threats.
“Most malware and client-side attacks have a social engineering component to deceive the user into letting the bad guys in. You can patch technical vulnerabilities as they evolve, but there is no patch for stupidity, or rather gullibility. Chris will show you how it’s done by revealing the social engineering vectors used by today’s intruders. His book will help you gain better insight on how to recognize these types of attacks,” said Kevin Mitnick, about the book.
Order this book today to learn more about present and emerging social engineering threats to your business: Social Engineering: The Art of Human Hacking
Examines social engineering, the science of influencing a target to perform a desired task or divulge information
Arms you with invaluable information about the many methods of trickery that hackers use in order to gather information with the intent of executing identity theft, fraud, or gaining computer system access
Reveals vital steps for preventing social engineering threats
Social Engineering: The Art of Human Hacking does its part to prepare you against nefarious hackers—now you can do your part by putting to good use the critical information within its pages.
From the Inside Flap
Foreword written by Paul Wilson from The Real Hustle UK.
rpaulwilson.com/