SlideShare une entreprise Scribd logo

The art of deceiving humans a.k.a social engineering

Télécharger en tant que PPTX, PDF
Suraj Khetani
Suraj Khetani

The most used attack vector by hackers: Social engineering

Technologie
1  sur  17
The Aart of decieving humans humans a.k.a Social Engineering Suraj Khetani Regional Asscoiate Security Consultant Gulf Business Machines
#uname -a • Security Consultant – 3.5 years experience • Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA • 3rd Place at Social Engineering CTF at Nullcon 2017 • Discovered 12 0-day’s on Oracle E-Business Suite • Article: “How I used google dorks to find 0 days” Hobbies • Learner/Researcher • Current research interests: Deserialization vulnerabilities, IoT stuff, electronic security • Former Hip-hop Dance instructor • Fitness Enthusiast and cricket lover; Played for UAE under-14
Topics • Social engineering and its different types • Open Source Intelligence Gathering (OSINT) and how it can be used in Social engineering • Live demo - OSINT • Case Study - Phishing assessment • Live demo - Creating a phishing page • Live demo - Creating a malicious Microsoft office document • Defenses
What is Social Engineering “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access” – Source Wikipedia
Requirements for Social Engineering • Information about the person or about the organization being targeted to create what is something called a pretext. • OSINT • Pretext
What is OSINT • Open Source Intelligence (OSINT) – data that can be collected from publicly available sources. • Media: newspapers, magazines, radio, television, and computer- based information. • Web-based communities and user-generated content: social- networking sites, video sharing sites, wikis, blogs, and folksonomies. • Public data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards.
Pretext • It is an invented or fabricated scenario that uses the gathered information to target the users in various form of social engineering attacks.
Different types • Phishing • Baiting - uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware- infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.) • Vishing - It is described as the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. • Tailgating - An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card,
OSINT tools • Google hacking database (GHDB) – used to find exploitable targets and potentially sensitive data using google search engine • PassiveRecon – Firefox addon to automate google hacking and perform dns recon • Dnsdumpster – enumerating/mapping subdomains and gathering IPs • FOCA – meta data analyzer • Datasploit – uses various search engine APIs to gather information. • Shodan - Search engine for Internet-connected devices.
Live Demo - OSINT
Case Study – Phishing Assessment
Requirements • Pretext • Users email address • Portal to be phished • Phishing domain and hosting website • Email Signatures • Font and color of email • Non assertive, non compelling email with no grammatical mistakes
Phishing page
Phishing mail
Creating a phishing page which logs user credentials – Live Demo
Creating a malicious office document to compromise an end user – Live Demo
Defenses • Run security awareness campaigns on a regular basis • Always check the source if you find any thing fishy about the phone call or email. Weakest point of a social engineer is that the source does not exist • Always update software and apply missing patches • Always hover over links to check for the exact URL

Recommandé

ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Introduction to hackers
Introduction to hackersIntroduction to hackers
Introduction to hackersHarsh Sharma
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsOllie Whitehouse
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringJeremiah Tillman
 
Drooger, jack cyber security
Drooger, jack cyber securityDrooger, jack cyber security
Drooger, jack cyber securityHagerstown Chamber Business Expo
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Social Engineering
Social Engineering Social Engineering
Social Engineering Mirna Hanna
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
 

Recommandé

ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Introduction to hackers
Introduction to hackersIntroduction to hackers
Introduction to hackersHarsh Sharma
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsOllie Whitehouse
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringJeremiah Tillman
 
Drooger, jack cyber security
Drooger, jack cyber securityDrooger, jack cyber security
Drooger, jack cyber securityHagerstown Chamber Business Expo
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Social Engineering
Social Engineering Social Engineering
Social Engineering Mirna Hanna
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
 
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...Techsylvania
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all timePRESENTATIONSFORESL
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hackingsilambarasansam
 
Resume harris 19
Resume harris 19Resume harris 19
Resume harris 19NickHarris84
 
Common hacking tactics
Common hacking tacticsCommon hacking tactics
Common hacking tacticsFariha Khudzri
 
Resume harris 19
Resume harris 19Resume harris 19
Resume harris 19NickHarris84
 
Computer Hacking by Rudy
Computer Hacking by RudyComputer Hacking by Rudy
Computer Hacking by RudyUdieh Moody
 
Introduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinIntroduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinEslam Hussein
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringMuhanned Alaqili
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingarohan6
 
Ethical Hacking (basics)
Ethical Hacking (basics)Ethical Hacking (basics)
Ethical Hacking (basics)DeepHaria4
 
Types of Hacker
Types of Hacker Types of Hacker
Types of HackerMukund Kumar Bharti
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking PresentationAmbikaMalgatti
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hackingbaabtra.com - No. 1 supplier of quality freshers
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloJohn Intindolo
 
Hacking
HackingHacking
HackingShukla Aakash
 
Forensics intro
Forensics introForensics intro
Forensics introtest tt
 
What is Hacking? AND Types of Hackers
What is Hacking? AND Types of HackersWhat is Hacking? AND Types of Hackers
What is Hacking? AND Types of Hackersinfosavvy
 
Homeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkHomeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkFlaskdata.io
 
OpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxOpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxanonymousanonymous428352
 
OWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdfOWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdfnetisBin
 

Contenu connexe

Tendances

Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...Techsylvania
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all timePRESENTATIONSFORESL
 
Common hacking tactics
Common hacking tacticsCommon hacking tactics
Common hacking tacticsFariha Khudzri
 
Computer Hacking by Rudy
Computer Hacking by RudyComputer Hacking by Rudy
Computer Hacking by RudyUdieh Moody
 
Introduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinIntroduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinEslam Hussein
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingarohan6
 
Ethical Hacking (basics)
Ethical Hacking (basics)Ethical Hacking (basics)
Ethical Hacking (basics)DeepHaria4
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking PresentationAmbikaMalgatti
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloJohn Intindolo
 
Forensics intro
Forensics introForensics intro
Forensics introtest tt
 
What is Hacking? AND Types of Hackers
What is Hacking? AND Types of HackersWhat is Hacking? AND Types of Hackers
What is Hacking? AND Types of Hackersinfosavvy
 
Homeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkHomeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkFlaskdata.io
 

Tendances (20)

Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
Karel Obluk (Evolution Equity Partners) - Cybersecurity: Challenges and Oppor...
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all time
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Resume harris 19
Resume harris 19Resume harris 19
Resume harris 19
 
Common hacking tactics
Common hacking tacticsCommon hacking tactics
Common hacking tactics
 
Resume harris 19
Resume harris 19Resume harris 19
Resume harris 19
 
Computer Hacking by Rudy
Computer Hacking by RudyComputer Hacking by Rudy
Computer Hacking by Rudy
 
Introduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinIntroduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam hussein
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking (basics)
Ethical Hacking (basics)Ethical Hacking (basics)
Ethical Hacking (basics)
 
Types of Hacker
Types of Hacker Types of Hacker
Types of Hacker
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking Presentation
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
 
Hacking
HackingHacking
Hacking
 
Forensics intro
Forensics introForensics intro
Forensics intro
 
What is Hacking? AND Types of Hackers
What is Hacking? AND Types of HackersWhat is Hacking? AND Types of Hackers
What is Hacking? AND Types of Hackers
 
Homeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkHomeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest link
 

Similaire à The art of deceiving humans a.k.a social engineering

OWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdfOWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdfnetisBin
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
 
General Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & EthicalGeneral Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & Ethicaldiwakar sharma
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsSloan Carne
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceDeep Shankar Yadav
 
Owasp osint presentation - by adam nurudini
Owasp osint presentation - by adam nurudiniOwasp osint presentation - by adam nurudini
Owasp osint presentation - by adam nurudiniAdam Nurudini
 
Cyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaCyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaTheko Moima
 
Toward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicToward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicCharles Lim
 
Corporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityCorporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityantitree
 
SECURITY AWARENESS.pptx
SECURITY AWARENESS.pptxSECURITY AWARENESS.pptx
SECURITY AWARENESS.pptxBangHendroz1
 
osint - open source Intelligence
osint - open source Intelligenceosint - open source Intelligence
osint - open source IntelligenceOsama Ellahi
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019Priyanka Aash
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 

Similaire à The art of deceiving humans a.k.a social engineering (20)

OpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptxOpenSourceIntelligence-OSINT.pptx
OpenSourceIntelligence-OSINT.pptx
 
OWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdfOWASP_OSINT_Presentation.pdf
OWASP_OSINT_Presentation.pdf
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
General Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & EthicalGeneral Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & Ethical
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
 
Owasp osint presentation - by adam nurudini
Owasp osint presentation - by adam nurudiniOwasp osint presentation - by adam nurudini
Owasp osint presentation - by adam nurudini
 
Osint
OsintOsint
Osint
 
Cyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moimaCyber security talks 2019 by theko moima
Cyber security talks 2019 by theko moima
 
Toward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicToward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - Public
 
Corporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityCorporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence community
 
SECURITY AWARENESS.pptx
SECURITY AWARENESS.pptxSECURITY AWARENESS.pptx
SECURITY AWARENESS.pptx
 
osint - open source Intelligence
osint - open source Intelligenceosint - open source Intelligence
osint - open source Intelligence
 
CYBERFORENSICS
CYBERFORENSICSCYBERFORENSICS
CYBERFORENSICS
 
internet
internetinternet
internet
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
001.itsecurity bcp v1
001.itsecurity bcp v1001.itsecurity bcp v1
001.itsecurity bcp v1
 

Dernier

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Dernier (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

The art of deceiving humans a.k.a social engineering

  • 1. The Aart of decieving humans humans a.k.a Social Engineering Suraj Khetani Regional Asscoiate Security Consultant Gulf Business Machines
  • 2. #uname -a • Security Consultant – 3.5 years experience • Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA • 3rd Place at Social Engineering CTF at Nullcon 2017 • Discovered 12 0-day’s on Oracle E-Business Suite • Article: “How I used google dorks to find 0 days” Hobbies • Learner/Researcher • Current research interests: Deserialization vulnerabilities, IoT stuff, electronic security • Former Hip-hop Dance instructor • Fitness Enthusiast and cricket lover; Played for UAE under-14
  • 3. Topics • Social engineering and its different types • Open Source Intelligence Gathering (OSINT) and how it can be used in Social engineering • Live demo - OSINT • Case Study - Phishing assessment • Live demo - Creating a phishing page • Live demo - Creating a malicious Microsoft office document • Defenses
  • 4. What is Social Engineering “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access” – Source Wikipedia
  • 5. Requirements for Social Engineering • Information about the person or about the organization being targeted to create what is something called a pretext. • OSINT • Pretext
  • 6. What is OSINT • Open Source Intelligence (OSINT) – data that can be collected from publicly available sources. • Media: newspapers, magazines, radio, television, and computer- based information. • Web-based communities and user-generated content: social- networking sites, video sharing sites, wikis, blogs, and folksonomies. • Public data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards.
  • 7. Pretext • It is an invented or fabricated scenario that uses the gathered information to target the users in various form of social engineering attacks.
  • 8. Different types • Phishing • Baiting - uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware- infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.) • Vishing - It is described as the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. • Tailgating - An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card,
  • 9. OSINT tools • Google hacking database (GHDB) – used to find exploitable targets and potentially sensitive data using google search engine • PassiveRecon – Firefox addon to automate google hacking and perform dns recon • Dnsdumpster – enumerating/mapping subdomains and gathering IPs • FOCA – meta data analyzer • Datasploit – uses various search engine APIs to gather information. • Shodan - Search engine for Internet-connected devices.
  • 10. Live Demo - OSINT
  • 11. Case Study – Phishing Assessment
  • 12. Requirements • Pretext • Users email address • Portal to be phished • Phishing domain and hosting website • Email Signatures • Font and color of email • Non assertive, non compelling email with no grammatical mistakes
  • 15. Creating a phishing page which logs user credentials – Live Demo
  • 16. Creating a malicious office document to compromise an end user – Live Demo
  • 17. Defenses • Run security awareness campaigns on a regular basis • Always check the source if you find any thing fishy about the phone call or email. Weakest point of a social engineer is that the source does not exist • Always update software and apply missing patches • Always hover over links to check for the exact URL

Notes de l'éditeur

  1. Eg: Metadata collected from uploaded documents reveal information like users, third party software, hardware,