The art of deceiving humans a.k.a social engineering
1. The Art of Deceiving Humans a.k.a. Social Engineering
Suraj Khetani
Regional Associate Security Consultant
Gulf Business Machines
2. #uname -a
• Security Consultant – 3.5 years experience
• Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA
• 3rd Place at Social Engineering CTF at Nullcon 2017
• Discovered 12 0-days in Oracle E-Business Suite
• Article: “How I used google dorks to find 0 days”
Hobbies
• Learner/Researcher
• Current research interests: Deserialization vulnerabilities, IoT stuff,
electronic security
• Former Hip-hop Dance instructor
• Fitness Enthusiast and cricket lover; Played for UAE under-14
3. Topics
• Social engineering and its different types
• Open Source Intelligence Gathering (OSINT) and how it
can be used in Social engineering
• Live demo - OSINT
• Case Study - Phishing assessment
• Live demo - Creating a phishing page
• Live demo - Creating a malicious Microsoft office
document
• Defenses
4. What is Social Engineering
“Social engineering, in the context of information security,
refers to psychological manipulation of people into
performing actions or divulging confidential information. A
type of confidence trick for the purpose of information
gathering, fraud, or system access” – Source Wikipedia
5. Requirements for Social Engineering
• Information about the person or the organization being
targeted, which is used to build what is called a pretext.
• OSINT
• Pretext
6. What is OSINT
• Open Source Intelligence (OSINT) – data that can be
collected from publicly available sources.
• Media: newspapers, magazines, radio, television, and computer-based
information.
• Web-based communities and user-generated content: social-networking
sites, video sharing sites, wikis, blogs, and folksonomies.
• Public data: government reports, official data such as budgets,
demographics, hearings, legislative debates, press conferences,
speeches, marine and aeronautical safety warnings, environmental
impact statements and contract awards.
7. Pretext
• An invented or fabricated scenario that uses the gathered
information to target users in the various forms of social
engineering attack.
8. Different types
• Phishing
• Baiting - uses physical media and relies on the curiosity or
greed of the victim. The attacker leaves malware-infected floppy
disks, CD-ROMs, or USB flash drives in locations where people will
find them (bathrooms, elevators, sidewalks, parking lots, etc.)
• Vishing - the act of using the telephone to scam a user into
surrendering private information that will then be used for
identity theft.
• Tailgating - an attacker seeking entry to a restricted area
secured by unattended, electronic access control, e.g. by RFID
card,
9. OSINT tools
• Google Hacking Database (GHDB) – used to find exploitable
targets and potentially sensitive data through the Google search
engine
• PassiveRecon – Firefox add-on to automate Google hacking
and perform DNS recon
• DNSdumpster – enumerating/mapping subdomains and
gathering IPs
• FOCA – meta data analyzer
• Datasploit – uses various search engine APIs to gather
information.
• Shodan - Search engine for Internet-connected devices.
12. Requirements for a phishing assessment
• Pretext
• Users' email addresses
• Portal to be phished
• Phishing domain and hosting website
• Email signatures
• Font and color of the email
• Non-assertive, non-compelling email with no grammatical
mistakes
17. Defenses
• Run security awareness campaigns on a regular basis
• Always verify the source if anything about a phone call or
email seems fishy. The social engineer's weakest point is that
the claimed source does not exist
• Always update software and apply missing patches
• Always hover over links to check the exact URL before clicking
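The "hover over links" and "verify the source" advice can be automated on the mail gateway or in a user-reporting workflow. The following added example (not from the talk) parses a raw email with Python's standard library and flags the tells that the phishing-assessment requirements above rely on: a look-alike sender domain, a Reply-To that goes somewhere other than the From domain, anchor text that shows one host while the href points at another, and punycode (xn--) hosts. The trusted domain list, the homoglyph table and the sample message are assumptions constructed for the example; the domains in it are invented.

```python
"""Flag classic phishing tells in an email: sender/reply-to tricks and links
whose visible text does not match where they really point.
Added example; TRUSTED_DOMAINS, HOMOGLYPHS and SAMPLE_EMAIL are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s); anything merely resembling them is suspect.
TRUSTED_DOMAINS = {"example.com"}

# Characters commonly swapped for look-alikes in typo-squatted domains (not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ('portal.example.com/x')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list here)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(domain):
    """True if `domain` differs from a trusted domain only by common homoglyphs."""
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return any(norm == t and domain != t for t in TRUSTED_DOMAINS)


def analyse_links(html):
    """The 'hover to check the exact URL' rule, applied to every anchor in the body."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        real = host_of(href)
        # Anchor text that looks like a URL but whose host differs from the href's host.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(real):
            findings.append(("text_href_mismatch", f"shows {shown}, goes to {real}"))
        if any(label.startswith("xn--") for label in real.split(".")):
            findings.append(("punycode_host", real))
        if is_lookalike(registrable(real)):
            findings.append(("lookalike_domain", real))
    return findings


def analyse_message(raw):
    """Return a list of (finding, detail) tuples for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if is_lookalike(registrable(sender.domain.lower())):
        findings.append(("lookalike_sender", sender.addr_spec))
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(("reply_to_mismatch", reply_to.addresses[0].addr_spec))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(analyse_links(body.get_content()))
    return findings


# Constructed sample message (invented domains) showing each of the tells above.
SAMPLE_EMAIL = b"""\
From: "Example IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.net
To: user@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today.</p>
<p>Please sign in at <a href="http://portal.examp1e.com/login">https://portal.example.com/login</a> to renew it.</p>
<p><a href="https://xn--exmple-cua.com/reset">Reset password</a></p>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in analyse_message(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

The registrable-domain logic is deliberately crude (last two labels, no public-suffix list), so a production version should use a suffix list and compare against the organisation's real domains; the point of the example is that a mismatch between what a link shows and where it goes is mechanically detectable, which is what the hover check does by hand.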
Editor's notes
E.g.: metadata collected from uploaded documents reveals information like users, third-party software, hardware,