Social Engineering

AbdElraouf Sabri (@abd3lraouf)

Who am I?

Android Developer & penTester

Objectives

What does social engineering mean?
Attack vectors
Demo
How to stop it

You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.

— Kevin Mitnick

Sociology and Psychology

Human action can be predicted
Actions can be influenced quite easily

Simple Human Behaviour

Two types of responses: Natural vs Learned

Hackers will craft a scenario for you to enter, in order to elicit a secret you tried hard to keep it.

Attack vectors

Common attack methods

Pretexting
Phishing
Baiting
Quid Pro Quo

Pretexting

What happens

Fraudulent phone calls
Used to extract information
Also used to setup other attacks such as facility entry or phishing

Phishing

What happens

Attempts to get users to provide information or perform an action

Baiting

Quid Pro Quo

Demo

Think before you click

Attackers employ a sense of urgency
Make you act first and think later
Remember: Better be safe than sorry

Research the sources

Check domains
Typos?
Link hover!

Sample : Click here to join our group Facebook.com

Download now & Prize

Don’t download files you don’t know
- Always check files (hashes md5 sha1 etc..)
Offers and prizes are fake

Five Ways to Protect Yourself

Delete any request for personal information or passwords
Reject requests for help or offers of help.
Set your spam filters to high.
Secure your devices.
Always be mindful of risks.

Nobody should be contacting you for your personal information via email unsolicitedly.
Social engineers can and will either request your help with information or offer to help you (i.e posing as tech support). If you did not request any assistance from the sender, consider any requests or offers a scam. Do your own research about the sender before committing to sending them anything.
Your email software has spam filters. Check your settings, and set them to high to avoid risky messages flooding into your inbox. Just remember to check them periodically as it is possible legitimate messages could be trapped there from time to time.
Install, maintain and update regularly your anti-virus software, firewalls, and email filters. Set your automatic updates on if you can, and only access secured websites. Consider VPN.
Double check, triple check any request you get for the correct information. Look out for cybersecurity news to take swift actions if you are affected by a recent breach. I recommend subscribing to a couple of morning newsletter to keep you up to date with the latest in InfoSec like Cyware or BetterCloud Monitor. If you are a podcast person, Decrypted by Bloomberg, DIY Cyber Guy and Reply All offer easy to digest information and news that’s very user-friendly.

Social Engineering

Who am I?

Objectives

What is Social Engineering?

Social Engineering

Sociology and Psychology

Simple Human Behaviour

Attack vectors

Common attack methods

Pretexting

What happens

Phishing

What happens

Baiting

Quid Pro Quo

Demo

Anti social engineering

Think before you click

Research the sources

Download now & Prize

Five Ways to Protect Yourself