
Penetration Testing mailing list archives
Re: Social Engineering Data set
From: "Frynge Customer Support" <frynge () frynge com>
Date: Thu, 12 Oct 2006 00:19:27 -0600
Social Engineering Attack examplesSocial engineering attacks are usually done to exploit the laziness of people, or people with good manners, or even people that want to help you. This is what makes it very hard to guard against a SE attack because the people involved may not realize that they are being fooled and will never admit this to anyone. The SE attempts to persuade someone to provide information that will allow them to use your system or resources as if they were his own. This is most commonly referred to as the "confidence trick".
These are the 5 main attacks that I know of 1: Personal approaches including the confidence trick 2: Online attacks (includes all the email phishing attacks) 3: Telephone 4: Waste management 5: Reverse Social engineering 1: Online Attacks They include: A) Email threats like phishing B) Confidence tricks and attacks C) Online pop up attacks D) Instant messaging Here is one example Pop ups or dialog boxesOne of the most popular goals is to embed a mail engine within your computer environment through which the hacker can launch phishing or other e-mail attacks on other companies or individuals. The phishing attack will show a hyperlink that appears to link to a secure account management site, while the status bar shows that it takes the user to, is the hacker's site. Hackers can suppress or reformat the status bar information to whatever they want. Most people will not look or know to look. This way, the hacker is given the information via a neat form they have created. All this was done from a simple email, that the hacker sends impersonating the company.
2: Telephone Attacks on AOLAol was attacked and approximately 200 accounts were compromised. It was a simple human SE attack in which the hacker would talk to tech support for a long time. It seemed the longer the hacker talked, the more confident and friendly the employee became.
At the point of most confidence the hacker mentions that he had a car for sale at a great price. The employee had shown interest and then it was as simple as sending an email. The hacker then sent an email with an executable trojan backdoor instead of the picture of the car. Upon viewing the email it executed. The email basically said, that he may have did something wrong by sending the picture, did you get it? At this point the damage has already been done and the system compromised.
This trojan backdoor then opens a port from AOL through the firewall. It was then an open door for the hacker to come back at a later date in order to check out the system, gather passwords and hide the evidence. This is a common way to gain entrance to a secure system. Why go through all the defences created, when they let you in the backdoor :)
This next example below includes these techniques 1: confidence attack 2: reverse engineering 3: waste management 4: telephone SE attacksReverse social engineering describes a situation where the TARGET will offer the hacker the information. This may seem unlikely, but people of authority, often receive vital personal information, such as user IDs and passwords, because they are above suspicion.
Example 2:A group of hackers walk in to a large shipping firm and walked out with the entire companies corporate network.
What did they do?This technique is called the syphon. Small amounts of information, can be useless, but to a hacker, bit by bit, you can collect a large portion of the puzzle. The key is to gather this from different employees.
You will see as in the last example, its not through the bars of the prison they come, but through its weakness, which is its employees.
First, there was a small period of data collecting on the company. Calling, going through trash that is set outside. (waste management) They also need to get familiar with the roles, they must know who they are dealing with. It is very important to become the person or become your role. They had learned key employees' names by simply calling the company and inquiring about shipping and receiving (telephone SE attacks). Next, they pretend to lose their key to the front door and as simple as that, they are in the front door :) (confidence SE attacks)
Then they lost their identity badges when entering a very secure area, they just smiled, were very calm and a friendly employee let them right in. Most will not assume you shouldnt be there or your not who you say you are. (again confidence or personal SE attacks)
The hackers already had known previously, that the CFO was out of town, so they knew which offices to enter before hand. They went in to obtain financial data off his computer. The went through the trash which is a very common practise and you would be surprised what you can find in the trash, the people do not shred. (waste and trash management) After getting all types of useful documents, they asked a janitor for a garbage pail and then placed all the data in this and carried it straight out of the building with permission.
The hackers had talked previously to the CFO and knew his voice and mannerisms. So they then called up, pretending they were the CFO in a hurry, and desperately needed the network password. From there, they used regular hacking techniques and tools to gain super user access to the system, with not one person the wiser. (telephone reverse engineering attacks)
In this case, the "hackers" were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)
Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word, leaves many of us vulnerable to attack.
Kelly Sigethy http://www.frynge.com----- Original Message ----- From: "xun dong" <xundong () cs york ac uk>
To: <pen-test () securityfocus com>; <security-basics () securityfocus com> Sent: Wednesday, October 11, 2006 4:31 AM Subject: Social Engineering Data set
Hello list;I am currently doing research on Social Engineering Attacks. Unlike the technical hack, I found that there is few useful and well documented SE attack examples on the Internet. So I decided to create a data set for SE attacks, and I am willing to publish it for free on the Internet.However, I think only my own experience would not be able to make this dataset as comprehensive as possible. So I would like to ask for help on this list. If you think you have SE attack examples, you can email me. Of course for confidential reason you should not use the real name in your example. If you don't mind I will also publish your name along with the example you provided. Thanks a lot in advance. I hope this could be a step forwards in protecting against SE attacks.-- Xun Dong Research Associate Department of Computer Science University of York --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Social Engineering Data set xun dong (Oct 11)
- RE: Social Engineering Data set Mustafa Yücelgen (Oct 12)
- Re[2]: Social Engineering Data set Matthew Leeds (Oct 12)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re[2]: Social Engineering Data set Matthew Leeds (Oct 12)
- Re: Social Engineering Data set Lee Lawson (Oct 12)
- Re: Social Engineering Data set Frynge Customer Support (Oct 12)
- <Possible follow-ups>
- RE: Social Engineering Data set Thomas W Shinder (Oct 12)
- RE: Social Engineering Data set Craig Wright (Oct 12)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re: Social Engineering Data set Magdelin Tey (Oct 13)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re: Social Engineering Data set qxlr (Oct 20)
- RE: Social Engineering Data set Mustafa Yücelgen (Oct 12)