
A cool 50 million dollars. This is how much a group of attackers received in their offshore bank account after tricking a finance executive at Toyota in 2019. How does this happen? Social engineering, or human hacking, is all about exploiting the flaws in humans: building up trust with victims and manipulating them into giving you access to their confidential information and assets, such as passwords, credit card information, money, and even access to physical hardware like routers or computers. This can lead to immense financial and reputational loss for an individual or organization. Throughout this talk you might be wondering how people still fall for these things in 2021, and the truth is these types of attacks can get a lot more advanced than your cliché Nigerian prince scams. If these companies can fall for it, so can you.

In 2020, Shark Tank was victim to a spear phishing attack where one of their cast members lost $520,000. Twitter, also in 2020: this story was all throughout the media, where a teenager socially engineered a Twitter employee, got access to their Slack workspace and then their internal testing tools, which allowed them to post on accounts like Barack Obama, Joe Biden, Elon Musk, etc. They said that if you send a thousand dollars to a certain Bitcoin address, they'd double it, which I mean sounds great but unfortunately was not true, and they took off with $165,000 worth of Bitcoin. Toyota in 2019, as I mentioned: 50 million dollars, the result of a business email compromise scam. And finally, in 2016, the Democratic Party. This was the whole Hillary Clinton email scandal, where a bunch of her private emails got leaked due to a phishing scam and a malicious Excel spreadsheet, which apparently was done by the Russian intelligence agency, but I'm not too sure how true those claims are.

Perhaps the scariest thing about social engineering is that you need very technical knowledge in order to perform one, and this is evident in that 98 percent of all cyber crimes involve social engineering to some extent, 75 percent of organizations were hit by phishing scams in 2020, and on average the cost of a social engineering attack is a hundred and thirty thousand dollars.

So what are the steps an attacker can take when trying to perform a social engineering attack on the scale of Shark Tank and Toyota? There are three main phases: the reconnaissance phase, where an attacker gathers information on their target; the pretext phase, where the attacker crafts a credible narrative using that reconnaissance; and finally the attack phase, where the attacker would choose a vector to send that message to the victim.

Starting off with reconnaissance. As I mentioned, this is all about gathering information on the desired target, and one way in which this can be done is through open source intelligence, or OSINT, which is all about collecting and analyzing information from publicly available sources. So let's just say a random attacker has been given the task of performing a social engineering attack on a certain company. Every single company today will have a website, which is a great place to start as it can serve information to attackers on a silver platter: things such as emails, phone numbers, employee names, suppliers, and what technology a company is using are all extremely valuable. Secondly, platforms such as LinkedIn, where people love to post about their work life, are another great source of information. What an attacker can do is go to a company's LinkedIn page, see a list of all employees who have said that they're working at that company, and then, if the attacker managed to find even one email on the company website, they can apply that same format to every single other employee in the organization. For example, b.smith@company.com applied to my name, if an attacker saw me on the company's LinkedIn page, could be something like a.demola@company.com. Thirdly, social media platforms are another great source of information, so Twitter, Facebook, YouTube, Instagram. This is where people like to post about what they do or what they're interested in, so liked posts, pages, who someone is following, again, is all great information for an attacker. For example, if someone has been liking many different Binance-related posts on Twitter and is following Binance as a page on Twitter, they're likely going to be using Binance as a cryptocurrency exchange. Likewise, if they've liked the HPF page on Facebook, they're likely going to be using HPF as an insurance provider.

So far all of these methods have been manual; however, there are a plethora of tools an attacker can use that can greatly automate this process and find even more information. A site called SpiderFoot only requires a single domain, Have I Been Pwned only requires an email, and Sherlock only requires a username. Looking at some examples of these: here's a screenshot of Have I Been Pwned for bob@gmail.com, and what this site does is return a list of sites that that email has been registered on that have recently suffered a data breach. Again, it shows those breached sites as well as tells the attacker if there's any plaintext information regarding that email floating around on the internet somewhere. Secondly, we have Sherlock, which is a command line program where you can enter a username and it returns a list of sites where that username is registered, which again is a great source of information for further reconnaissance. We can see here that bob123 is registered on Duolingo, Fortnite Tracker, Freelancer, GitLab, GitHub, a whole bunch of stuff. And finally, perhaps the craziest tool out of all of these is something called SpiderFoot. This particular example was a screenshot I found that returned 80,000 different data points on a single company domain name; they just entered in the website name and it returned 80,000 data points. This is information like SSL certificates, usernames, employee contact details, telephone numbers, emails, anything you can think of that would be out there regarding a certain company, SpiderFoot will be able to find it. It does this through passive reconnaissance, so querying publicly available tools, as well as active reconnaissance such as network scanning, among other things.

So now that we've talked about how an attacker gathers this reconnaissance, how can they actually use this to fool the victim? This is where they create a pretext, or credible narrative. The more reconnaissance an attacker performs, the more authentic and personal they can make an email, which would have a better chance of fooling their victim. One other thing that attackers like to do is create a sense of urgency in the victim's mind, to make them not think properly and maybe miss things that might obviously look malicious when looking at them again. Some clever tactics that attackers may use are things like swapping out characters in domain names and emails, as well as creating legitimate-looking social media profiles, which can be easily done through copying someone's profile picture, their cover photo, their biography, and then again swapping out those characters in their username. Finally, copying the styles of legitimate emails and websites is extremely easy to do as well, through just inspecting the element and copying the HTML and CSS.

Looking at an example of swapping out those characters: this is a particularly obvious example where, in google.com, I've swapped out the o for a zero. Maybe in a sense of panic someone might not spot this, but again it is pretty obvious. Where it does get scary is when there is no visual difference between these two domain names. This particular attack is called an IDN homograph attack, or more broadly visual spoofing, where an attacker will swap out an English character for a character in Unicode that looks extremely similar. In the second netflix.com, this is using the Russian Cyrillic character "ha", which looks identical to the English x and can be used to create some pretty legitimate-looking sites and emails.

So we've talked about reconnaissance, we've talked about how an attacker can use this reconnaissance; now how do they actually choose to attack the victim? Firstly you have email phishing, or just your general phishing, and this is often referred to as a spray-and-pray type of method because an attacker doesn't really need to perform any reconnaissance beforehand in order to do this. Although fairly primitive, like your Nigerian prince scams or the "you've won 100 dollars" scams, they can be devastating if someone does fall for them. For example, links attached in these emails can lead to vulnerabilities on sites like reflected cross-site scripting or cross-site request forgery, as well as just link to websites that aim to steal a user's credit card information, like fake e-commerce sites. On top of that, these types of emails can house malware, which again can include things like Word files or .docs files which contain Word macros, or PNGs and PDFs which again contain malicious code in them. Cryptocurrency miners as well are a really big thing that's a bit more passive but is still exploiting the user's machine without their permission and can be hard to spot at times. Luckily for us, these emails are generally filtered into spam by platforms like Gmail and Outlook. For example, here is my 12-year-old self's junk folder, and I get about five different phishing emails a day from people like Sarah with love heart emojis, crazy South American doctors offering me weird medicinal remedies, random casinos, Australia Post, I mean the list goes on. If you were to click on these emails you'd see that the sender address is clearly malicious, and Gmail even flags this with a red insecure lock icon, and the sender address as well is just complete garbage and not what you'd expect the New Balance email to look like.

Next up we have spear phishing, which is a much more specialized form of your email phishing, and this is where the reconnaissance the attacker performed in the past comes in handy. Attackers know that organizations would have intrusion detection systems, intrusion prevention systems and all types of block filters to try and block phishing emails, so what an attacker does is try to make the sender address look as legitimate as possible, and this can be done through sending legitimate emails for a couple of months, getting listed on sites, etc. An even more specialized form of spear phishing is something called whaling, where instead of just targeting employees you're trying to target your C-suite executives and high-level employees like your CEOs, your CTOs, your CFOs, et cetera. The pretext you'd see in this, when compared to spear phishing or general email phishing, is a bit more to do with the company, so things like threatening to sue, cutting off client relations, and needing urgent bills to be paid. Again these can contain malicious files, maybe like malicious court case links and stuff like that, and in the past five years whaling has actually cost organizations 5 billion, 12 billion dollars, which is nuts.

Moving on from whaling, we have business email compromise, and this is what affected Shark Tank and Toyota in those 2020 and 2019 attacks respectively. The difference with whaling is that whaling is all about trying to trick the CEOs and CTOs, whereas business email compromise is all about trying to impersonate them and trick other employees. So in the Shark Tank example, someone impersonated a cast member's assistant and was able to get them to send them $520,000. This attack cost companies 851 million in 2020 alone, which again is pretty crazy. Here's an example of a whaling attack you might see, where you've got a spoofed sender address saying that an urgent bill needs to be paid, again with a malicious PDF file being attached at the bottom.

Moving on from whaling and business email compromise, you have phishing attacks that occur via the phone, and this can be split into two main categories: smishing, which is phishing through SMS, and vishing, which is phishing through voice call. Smishing attacks are particularly lucrative, as Gartner reported that 98 percent of all texts are actually read and 45 percent are responded to, which when compared to emails is nuts because only six percent of emails are responded to. This might be because people always have their phones on them and it's a more instant form of communication. The COVID-19 pandemic gave rise to a lot of different smishing attacks; for example, people were getting messages saying that they'd recently tested positive for COVID, which again creates that sense of panic in the user's mind, as well as mandatory contact tracing smishing attacks where you get a text saying that you'd recently come in contact with someone COVID positive. Again, that's enough to cause panic in anyone. Other types of scams you see with smishing are Oz Post, UPS and FedEx scams, and because more people were ordering things online from home during the COVID-19 pandemic, these again saw a rise in popularity. Vishing attacks, on the other hand, are often used to supplement other types of attacks like your general phishing scams, as if a victim knows that there's a human on the other end of the phone they're much more likely to trust that person. Here are some examples of those smishing attacks I was talking about. In the top left-hand corner, that was a Red Cross smishing attack where they were apparently offering free masks, and you'll see that the link is a .ca, and that's immediately a red flag because the Red Cross site is actually a .org. In the bottom left-hand corner we can see that you've got a text saying someone had recently tested positive for COVID-19, and it gets you to click a link where it got you to fill out your details. And on the far right is that Oz Post scam I was talking about, and we can clearly see that that link is malicious as it's just complete garbage.

Next we have search engine phishing, where attackers abuse something called search engine optimization, or SEO. One way in which they can do this is they try to get their sites listed as highly as possible on indexes like Google and Bing, and this can be done through making sure the website loads quickly, works on phones and contains trendy and relevant topics. For example, during Halloween an attacker might set up a Halloween costume site, make sure it's search engine optimized, and try to get victims to click on it as it appears higher up in search indexes, and this can lead to things like credit card details being stolen on fake e-commerce sites. The crazy thing about this attack is that Google detected and reported 25 billion of these pages a day, which is an insane number.

Finally we have phishing through social media, otherwise known as angler phishing, and this is where an attacker will try to mimic a customer support representative from a company and target disgruntled customers who might be unhappy with their product or service. An example of this attack is the following, where someone was impersonating PayPal customer support on Twitter. A couple of red flags with this one: PayPal does not have a blue verified tick, and there's grammar and spelling mistakes all over the place, which is generally indicative of a social engineering attack in a scenario like this. And you can see that that customer is very unhappy by the emojis they're using.

So we've talked about how an attacker can use reconnaissance, how they make a credible narrative, and then how they choose to attack the victim. So how do we defend against these types of attacks? One method you can use is to always check the domain names and sender addresses of links you're sent, as these again can contain those Unicode character attacks and just look clearly malicious. You know, if you see that Red Cross website with a .ca, the Red Cross website is actually a .org, which would clearly be a case of a phishing attack. Secondly, always stepping back and putting the situation in context and not panicking, because that's what the attacker wants you to do in order to overlook details that again would look malicious otherwise. You can also always just contact the legitimate company and confirm; so for example, if you're given an email from Netflix saying that you owe them like a thousand dollars, you can just call them up and confirm if that's the case, because they'll be able to tell you that that's actually not the case and you can dismiss the social engineering attack entirely. And finally, in the context of organizations, implementing administrative controls such as security training and drills, so sending out fake phishing emails and then educating people who clicked on them on the different types of social engineering attacks, again is another effective strategy. And finally, just stepping back and putting the situation in context is extremely important. Would Michael Jackson realistically be messaging you for six hundred dollars saying that he is back from the dead to make more music? The answer is probably not. Thank you.

[Applause]
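As an added example that is not part of the talk, here is a small Python check for the domain-name red flags the speaker describes (the Cyrillic "ha" in netflix.com, the zero-for-o in google.com, and the Red Cross .ca versus .org). The confusables table and the brand list are constructed for illustration and are far from complete; the talk mentions none of these names, so they are assumptions.

```python
import unicodedata

# Constructed table of look-alike characters (a fuller list lives in Unicode's confusables data).
# Maps each visual twin to the Latin character it imitates; digits cover swaps like g00gle.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",  # Cyrillic "ha", the character used in the talk's netflix example
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "0": "o", "1": "l",
}

# Constructed allow-list: the domains a user actually expects to hear from (assumed, not from the talk).
KNOWN_BRANDS = {"netflix.com", "google.com", "paypal.com", "redcross.org"}


def scripts_in(label: str) -> set:
    """Collect the writing systems used in one DNS label, reading the first word of each
    character's Unicode name (LATIN, CYRILLIC, ...). Digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(domain: str) -> str:
    """Replace every confusable with its Latin twin so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def check_domain(domain: str) -> list:
    """Return human-readable findings for a domain; an empty list means nothing looked off."""
    findings = []
    domain = domain.lower().rstrip(".")
    try:
        ascii_form = domain.encode("idna").decode("ascii")  # punycode, as a browser would send it
    except UnicodeError as exc:
        return [f"cannot encode as IDNA: {exc}"]
    if any(label.startswith("xn--") for label in ascii_form.split(".")):
        findings.append(f"contains non-ASCII characters; punycode form is {ascii_form}")
    for label in domain.split("."):
        used = scripts_in(label)
        if len(used) > 1:  # e.g. Latin letters mixed with one Cyrillic letter
            findings.append(f"label '{label}' mixes scripts {sorted(used)}")
    skel = skeleton(domain)
    if skel in KNOWN_BRANDS and domain != skel:
        findings.append(f"looks like {skel} but is not")
    name = skel.rsplit(".", 1)[0]
    for brand in KNOWN_BRANDS:  # same name, different TLD: the redcross.ca case
        if brand.rsplit(".", 1)[0] == name and brand != skel:
            findings.append(f"shares its name with {brand} but uses a different top-level domain")
    return findings
```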