In our Wednesday Evening Trainings, we regularly pay attention to security, a very important topic in ICT. This evening, one of our security champions, Philipp Blaas, took us on an excellent and inspiring dive into Social Engineering.
About Social Engineering
Many security experts agree that Social Engineering continues to be the biggest security threat by a big margin. And this is even though e-mail scams such as "The Nigerian Prince" or "Fake PayPal invoices" have been around for decades! Why are individuals and organisations still tricked by such tactics, which led to massive scandals such as the Sony Hack, the U.S. Democrats Email Server Breach or the Petya Ransomware Attack?
Social Engineering is still highly effective because it takes advantage of human psychology. The methods used are as old as civilization. Why they still work is what we were shown in this Wednesday Evening Training.
What we did during this session
In our session, we covered common tactics of Social Engineering and Phishing based on practical examples. Philipp showed us the steps in which attackers operate. After collecting (mostly automatically) information about a potential target, the attacker develops a relationship with the victim to build a trusting affiliation in order to take advantage of the target, then executes the attack and leverages the information gained to plan further attacks. As an exercise, we were asked to review Out of Office replies (often used in companies) to establish which information an attacker can easily gather as a first step. In further steps, trusted social platforms like LinkedIn can be used to gather additional information to be used in the attack.
An attacker often tries to ensure that the victim clicks on a hyperlink to malware without thinking. The attacker does this, for example, by making the victim believe that they have an acute problem. Examples of this are e-mails reporting a strange payment, a security problem, or a request from a so-called colleague or manager. You can easily see through such attacks by following a few simple rules. One of them is simply taking time before responding to e-mail: think first before you respond. In addition: determine whether the sender is reliable (take a close look at the sender's e-mail address), check whether the e-mail contains personal details that an attacker could not know, and check whether the e-mail has been drafted amateurishly (layout, spelling). And: did you know that if you use your cell phone for reading and replying to your e-mail, you are more likely to click on links? Food for thought!
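The rules above (look closely at the sender's address, be suspicious of the "acute problem" pretext) can be turned into a small triage heuristic. This is an added example, not material from the training or the author; the trusted domain `example.com`, the keyword list and both sample e-mails are constructed assumptions.

```python
"""Heuristic triage of a plain-text e-mail against the training's rules."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own sending domain (constructed example).
TRUSTED_DOMAINS = {"example.com"}
# Roles an attacker likes to impersonate in the display name.
INTERNAL_ROLES = {"it", "support", "helpdesk", "ceo", "manager", "hr"}
# Pretexts named in the training: strange payment, security problem, urgent request.
URGENCY_WORDS = {"payment", "invoice", "security", "suspended", "urgent",
                 "immediately", "verify", "password"}


def triage(raw: str) -> list[str]:
    """Return human-readable warnings for one raw e-mail; empty means nothing flagged."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Rule 1: take a close look at the sender's e-mail address.
    if domain and domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {domain!r} is not one of ours")
        # An external address whose display name claims an internal role.
        if set(re.findall(r"[a-z]+", name.lower())) & INTERNAL_ROLES:
            warnings.append(f"display name {name!r} claims an internal role")
    # Replies silently rerouted to a different address are a classic tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    # Rule 2: the 'acute problem' pretext pushes you to act before thinking.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(URGENCY_WORDS & set(re.findall(r"[a-z]+", text)))
    if len(hits) >= 2:
        warnings.append(f"urgency pretext: {', '.join(hits)}")
    return warnings


# Constructed samples, not real messages.
SAMPLE_PHISH = """\
From: IT Support <it-support@examp1e-login.net>
Reply-To: verify@mail-recovery.net
To: employee@example.com
Subject: Urgent: security problem with your account

A strange payment was flagged on your account. Verify your password
immediately or access will be suspended.
"""
SAMPLE_LEGIT = """\
From: Colleague <colleague@example.com>
To: employee@example.com
Subject: Slides from the Wednesday Evening Training

Hi, tonight's slides are on the shared drive. See you next week.
"""
```

The heuristic flags the constructed phishing sample on all four rules and leaves the legitimate sample clean; it is a reading aid, not a replacement for a mail gateway.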
We were also shown a nice example of Vishing (Voice phishing), using social engineering over the telephone system to gain access to private personal and financial information. See the links below for this video.
Finally, we did a joint quiz in which we were shown several emails and had to determine whether it was a phishing email or a real mail.
A real eye opener, proving that taking time for reading your emails is crucial!
As usual, there was plenty of opportunity for Q&A and discussion. We discussed using tools like Password Managers and other methods to secure your work environment. We also discussed tools that may be used by attackers. See the links below for further reading on these.
Thanks Philipp, for sharing your knowledge with us!
Further reading
Do you want to read more on the topics in this post? Here are some resources...
This is how hackers hack you using simple social engineering: https://youtu.be/lc7scxvKQOo
OSINT tool:
Open-source intelligence: https://en.wikipedia.org/wiki/Open-source_intelligence
OSINT tools: https://inteltechniques.com/menu.html
KeePass Cross-Platform Community Edition (Password manager): https://keepassxc.org
Curb Your Enthusiasm: A.I. Will Not Save Us From Phishing: https://www.linkedin.com/pulse/curb-your-enthusiasm-ai-save-us-from-phishing-philipp-blaas/
Onderzoek: master password van wachtwoordmanagers is te achterhalen via geheugen (Dutch): https://tweakers.net/nieuws/149368/onderzoek-master-password-van-wachtwoordmanagers-is-te-achterhalen-via-geheugen.html
Voice phishing (video): https://en.wikipedia.org/wiki/Voice_phishing
Videos on ICT security (e.g. types of attack) on my YouTube Channel: https://www.youtube.com/playlist?list=PLSiMhBs48YvViQFNwqLZFE8GU5baI2f-g
Past Wednesday Evening Trainings on all topics
You'll find posts on previous sessions on my blog and on LinkedIn: https://www.linkedin.com/search/results/content/?keywords=%23wednesdayeveningtraining
Work @Capgemini?
Do you want to join us? We're always looking for well-motivated young professionals. Do you have a bachelor's or master's degree or extensive practical experience? Or do you have a relevant ICT / Informatics training and have you become curious about us? Please send me an e-mail. Working for us gives you access to all Wednesday Evening Trainings!
very interesting!