
                 


Social engineering attacks revealed

March 21, 2017, 9 comments

Phishing

Most of us have met these while browsing: a pop-up, often accompanied by an irritating high-pitched beep (above about 5 kHz, a range the ear finds unfriendly), reading something like:

“Alert!! Virus found!” or “JavaScript alert!! Your phone XYZ (model) has been infected with a virus. Click the ‘OK’ button to scan and remove the virus.”

Most people have no idea what JavaScript, or just a ‘script’, is; in that moment of panic they go for the bait like a bull led to the butchery. But what sits behind the button?

                 button.onclick = function () { download_and_run("x"); };    // pseudocode, in layman’s terms

x being, in most cases, ransomware or a remote access trojan (RAT), frequently bundled with a rootkit so that it can hide once installed; a rootkit on its own is a concealment tool, not a RAT. Note that a browser alert cannot install anything by itself: the ‘OK’ button has to send you to a download and you have to run the file, which is exactly why the page works so hard to make you panic and hurry.

Or consider the scam that caught 5,006 unsuspecting Kenyan Facebook users:

“The hacker created a website that looked aesthetically similar to Facebook and posted it on random users’ pages, inviting them to view their friends’ latest photos. Users who clicked on the link were asked to provide their log-in details afresh in order to proceed. Once they did this, their usernames and passwords were collected into a database that currently has 5,006 entries,” said William Makatiani, managing director at Serianu. The captured credentials were then used to take over the victims’ accounts. The fraudsters went on to solicit money from the account owners’ friends while masquerading as the victim. Owners of the compromised accounts were also contacted and told that their accounts would be deleted unless they paid between Sh5,000 and Sh100,000 into various mobile money accounts; to make the threat credible, the fraudsters posted alarming messages like the virus alert above on the hijacked pages. Serianu estimates that victims may have lost up to Sh50 million in the scam.

The examples above show phishing in action: an attempt to obtain sensitive information, or to make somebody act in a desired way, by masquerading as a trustworthy entity in an electronic communication. Phishing is usually aimed at large groups of people, and it can be run over almost any channel: e-mail, websites, SMS, social networks, phone calls, cloud services, even the attacker turning up in person.

According to Verizon’s 2016 Data Breach Investigations Report [4], phishing featured in 9,576 of the roughly 100,000 security incidents analysed (916 of them confirmed data breaches), so about 10% of incidents involved phishing. Phishing is typically the initial vector; once one PC inside the organisation’s network is infected, the attackers move on to more elaborate technical methods. Another telling metric is the click rate: per the same report, 13% of recipients clicked the link or opened the attachment in a phishing e-mail. Combine a phishing campaign with a zero-day exploit (as APT groups commonly do; the 2011 RSA SecurID breach began with a phishing e-mail carrying a zero-day in its attachment) and every one of those clickers ends up with an infected machine. Put even more plainly: treating each user as an independent Bernoulli trial with success rate 13%, the probability that at least one of n users clicks is 1 − 0.87^n, which passes 50% at n = 5 (1 − 0.87^5 ≈ 0.502). Any organisation with at least five users with public e-mail addresses is therefore statistically expected to have at least one of them click (Yavor Papazov, social engineering report, paper no. STO-EN-IST-143).

The two most common variants of phishing are below:

Spear phishing – The name plays on ‘spear fishing’, where the fisherman picks the fish he wants and goes after it with a spear instead of waiting for it to take the bait. Sharpness is the other analogy: where a standard campaign relies on strength in numbers and sends millions of messages, a spear-phishing campaign sends a tiny fraction of that traffic and is therefore much harder to spot as a pattern at scale. Technically it works like ordinary phishing; the difference is the amount of information gathering done beforehand. The attacker first gathers information on the intended victims, and the success rate is correspondingly higher than in conventional phishing. In short, spear phishing is targeted: a victim is selected and the message is tailored to them, e.g. using the real names of employees in the ‘From:’ field and matching the structure and tone of in-company communication.

Consider the SMS messages below, which have done the rounds among hard-pressed Kenyans:

“CONGRATULATIONS! From LOTTO! You are the lucky winner of KSH100,000. From LOTTO!! Contact (07xxxxxx947) calling hours 7:00AM to 7:00PM. DO NOT PAY ANY.” /* Poor English, full of needless repetition, and were you supposed to pay ANY? Yet it got past many. In fact, I received the same message myself, and unsurprisingly it stole my heart, though not to that extent. */

“PLEASE nirudishie hiyo pesa kwa 07xxxxxxxx. I mistyped hiyo number ya mwisho.” which translates to “PLEASE send that money back to 07xxxxxxxx. I mistyped the last digits.” /* Very convincing, especially if the two numbers look almost alike. */

“DEF Enterprises. We are advertising vacant positions in bbbb (position)... Salary is KSH 20,000 a month. Free training is available. For more information, call 07aaaaaaaa.”

Or you get a call from a very loud woman (think SpongeBob) with a child wailing in the background, claiming “Hebu tuma hiyo pesa! Mtoto wako ni mgonjwa sana! Atanikufia kwenye mkono!...”, which translates to “Send that money now! Your child is very sick! He is going to die in my arms!” If you have a child living elsewhere, you might well fall for it. Strictly speaking these are smishing (SMS) and vishing (voice) lures sent in bulk rather than spear phishing; only the ‘refund’ message pretends to know something about you, and even that gets its hit rate from volume.

Soft targeting – this sits somewhere between standard phishing and spear phishing: the messages are targeted, not at a particular individual or organisation but at a profession or occupation (an ‘invoice’ to accounts staff, a ‘CV’ to recruiters). The attackers keep the ‘strength in numbers’ advantage of sending millions of messages while getting a higher success rate than completely generic lures. At the time of writing soft targeting is especially popular, because it is the main distribution vector for ransomware, the malware ‘trend’ of 2016 [35].

Consider the sample e-mail below:

From: Kenya Revenue Authority

[mailto:yourtaxrefund@KenyaRevenueAuthority.com]
Sent: Tuesday, March 21, 2017 9:47 AM
Subject: [SPAM: #] Get your tax refund now
Importance: High

After the last annual calculations of your account activity we have determined that
you are eligible to receive a tax refund of Ksh 20,000.
Please submit the tax refund request and allow us 2-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here http://e-gov.kenya.ra.co.ke:84/www.kbc.gov/

Note: Deliberate wrong inputs will be prosecuted by law.

Regards,
Kenya Revenue Authority.

A careful citizen will spot this as a fraud. Look at the link you are being sent to. The host is e-gov.kenya.ra.co.ke: whoever registered ra.co.ke controls it, and the ‘e-gov’ and ‘kenya’ labels in front are theirs to choose. KRA’s real site lives under kra.go.ke. The page is served over plain HTTP on the odd port 84, and the path ‘www.kbc.gov’ is there to be read by a hurried human, not by the browser. The sender address, yourtaxrefund@KenyaRevenueAuthority.com, is not a kra.go.ke address either, and the ‘[SPAM: #]’ tag the mail gateway added to the subject is a hint in itself. If you do not know the Revenue Authority’s real website, you will be caught by the whirlwind.
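As an added example, not code from the original article, here is a small Python triage script that spells out the same tells mechanically. It assumes that KRA’s genuine domain is kra.go.ke and hard-codes a handful of Kenyan public suffixes (a real tool would load the full Public Suffix List); the sample link and sender address are the ones in the mail above, and the list of ‘brand words’ is my own choice.

```python
"""Heuristic triage of a link and sender from a suspected phishing mail.

Added example, not from the original article. Assumes KRA's real web domain
is kra.go.ke and that the analyst wants a quick, offline explanation of *why*
a link looks wrong.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed samples: the link and the sender address from the fake
# "tax refund" mail quoted above.
SAMPLE_URL = "http://e-gov.kenya.ra.co.ke:84/www.kbc.gov/"
SAMPLE_FROM = "yourtaxrefund@KenyaRevenueAuthority.com"

# Assumptions for this example: the domain KRA really uses, and words a
# scammer would sprinkle into a hostname or path to look official.
KRA_DOMAINS = {"kra.go.ke"}
BRAND_WORDS = {"kra", "kenya", "revenue", "gov", "e-gov"}

# Two-label public suffixes we care about here. A real tool would load the
# full Public Suffix List instead of hard-coding a handful.
TWO_LABEL_SUFFIXES = {"co.ke", "go.ke", "or.ke", "ac.ke", "ne.ke", "co.uk", "gov.uk"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that somebody actually registered.

    e-gov.kenya.ra.co.ke -> ra.co.ke   (whoever owns ra.co.ke controls it)
    www.kra.go.ke        -> kra.go.ke
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_link(url: str, claimed_domains: set[str]) -> list[str]:
    """Return the reasons `url` does not belong to `claimed_domains`.

    An empty list means none of the checks fired, not that the link is safe.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings: list[str] = []

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme}, not https")

    reg = registrable_domain(host)
    if reg not in claimed_domains:
        findings.append(f"host {host} is controlled by the owner of {reg}, "
                        f"not by {', '.join(sorted(claimed_domains))}")

    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")

    # Labels to the *left* of the registrable domain are free for the attacker
    # to choose: a brand word there proves nothing about who owns the host.
    sub_labels = host.split(".")[: -len(reg.split("."))]
    for label in sub_labels:
        if label in BRAND_WORDS:
            findings.append(f"official-looking word '{label}' is only a subdomain")

    # A path segment that looks like a hostname (www.kbc.gov) is there to be
    # read by a human skimming the link, not by the browser.
    for segment in parts.path.split("/"):
        if "." in segment and segment.startswith("www."):
            findings.append(f"path segment '{segment}' imitates a website name")

    return findings


def sender_matches(address: str, claimed_domains: set[str]) -> bool:
    """True if the mailbox's domain is one the claimed sender really uses."""
    domain = address.rsplit("@", 1)[-1].lower()
    return registrable_domain(domain) in claimed_domains


if __name__ == "__main__":
    for finding in analyze_link(SAMPLE_URL, KRA_DOMAINS):
        print("-", finding)
    print("sender domain genuine:", sender_matches(SAMPLE_FROM, KRA_DOMAINS))
```

Run against the sample link this reports six findings (plain HTTP, wrong registrable domain, port 84, two brand-word subdomains, and the fake hostname in the path), and the sender check fails because KenyaRevenueAuthority.com is not kra.go.ke. The design point is that only the registrable domain tells you who is behind a link; everything to its left, and everything in the path, is decoration the attacker controls.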

If a phishing attack is aimed at high-profile targets in an enterprise (executives and the like), it is referred to as whaling.

 

The social approach explained

This approach is still the one that works best. Phishing plays mostly on fear and need; elicitation plays on what I call the responses built into all of us. Let us go through the ingredients of the recipe. Elicitation, which was defined in the previous article, is the general name for all of them, so here we go.

Appealing to someone’s ego

Attacker: “Oh! I have always wanted to be a developer. I hear you teach not only your colleagues but even the boss. That’s cool, man. Can I be your student?...”

Target: “Really? That is nice of you to say. Who might have told you that? Here I only...”

Be careful what you discuss with strangers. The conversation above can escalate until the target shows off most, if not all, of their skills. In a bring-your-own-device (BYOD) office the attacker may well end up holding the victim’s own laptop, unlocked, ‘to see how it’s done’ (all in the spirit of ‘knowledge is my brother, we walk together’), and that laptop is a free gate into the corporate network.

Appealing to someone’s ego is simplistic but effective. Take note: social engineers are trained not to overdo it, because over-stroking an ego, or doing it insincerely, turns people off. Use that against them: if the flattery is flowing, cut it off early. Be a pond, not the sea.

Expressing a Mutual Interest

Consider this mock scenario:

Attacker: “Wow, you have a background in ISO 9001 compliance databases? You should see the model we built for a reporting engine to assist with that certification. I can get you a copy.”

Target: “I would love to see that. We have been toying with the idea of adding a reporting engine to our system.”

Expressing mutual interest is an important aspect of elicitation. This particular scenario is even more powerful than appealing to someone’s ego because it extends the relationship beyond the initial conversation.

Making deliberate false statements

Delivering a false statement seems like it would backfire from the start, but it can be a powerful force to be reckoned with.

 Attacker: “Everybody knows that XYZ Company produced the highest selling software for this widget on earth.”

Target: “Actually, that isn’t true. Our company started selling a similar product in 1998, five years before the wretched XYZ showed up, and our sales have beaten them routinely by more than 26%.” (Ego fully engaged, the target may even stand up if they were seated; imagine their next gesture.)

Used well, such statements draw a correction from the target that contains real facts. Most people feel compelled to correct a wrong statement when they hear one, almost as if they were challenged to prove they are right. The desire to inform others, to appear knowledgeable and to be intolerant of misstatements seems to be built into human nature.

Volunteering information

War is ninety percent information.—Napoleon Bonaparte.

“Did you hear about Ruth? I heard she just got laid off from work (note ‘laid off’ rather than ‘sacked’: the point is to set the mood) and is having serious problems finding more work.” Most of the time you will get, “Wow, I didn’t hear that. That is terrible news. I heard that Lewis is getting divorced and they are going to lose the house, too.”

As Christopher Hadnagy puts it, the sad fact about humanity is that we tend to live the saying ‘misery loves company’, and how true it is in this case. People want to share similar news. Social engineers use this propensity to set the tone or mood of a conversation and to build a sense of obligation. You will most likely fall for it, so study who you are talking to first.

Another powerful manipulation tool is assumed knowledge. If someone already knows about a situation, it feels acceptable to discuss it with them; that is what I would assume, and so would most of you. An attacker deliberately exploits this by presenting information as if he were in the know, using elicitation to build a conversation around it, and then feeding the information back as if it were his own to keep up the illusion that he has intimate knowledge of the topic.

Pretexting

Pretexting is best defined as the background story, dress, grooming, personality and attitude that make up the character you play for a social engineering audit; it covers everything you would imagine that person to be. It is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than telling a lie; in some cases it means building a whole new identity and then using that identity to obtain information. Social engineers use pretexting to impersonate people in jobs and roles they have never held themselves. Below is the story of Stanley Mark Rifkin.

Stanley Mark Rifkin is credited with one of the biggest bank heists in American history

In October 1978, he visited Security Pacific, where bank employees easily recognized him as a computer worker. He took an elevator to the D-level, where the bank’s wire transfer room was located. A pleasant and friendly young man, he managed to talk his way into the room where the bank’s secret code-of-the-day was posted on the wall. Rifkin memorized the code and left without arousing suspicion. Soon, bank employees in the transfer room received a phone call from a man who identified himself as Mike Hansen, an employee of the bank’s international division. The man ordered a routine transfer of funds into an account at the Irving Trust Company in New York—and he provided the secret code numbers to authorize the transaction. Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred the money to the New York bank. What bank officials did not know was that the man who called himself Mike Hansen was in fact, Stanley Rifkin, and he had used the bank’s security code to rob the bank of USD $10.2 million.

The bank’s wire-transfer policy looked secure on paper: transfers were authorised by a numeric code that changed daily and was given only to authorised personnel. But the code was posted on a wall in a room that ‘only authorised personnel’ could enter, and anyone who could recite it over the phone was believed. The code was a bearer secret: it proved that the caller had seen it, not who the caller was, and nothing tied it to the particular transfer being ordered. Nor did anybody verify the caller out of band, say by ringing the international division back on a number the bank already had.
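To make the design lesson concrete, here is an added Python example, not from the article and not anything the bank itself ran, that replays the Rifkin call against two authorisation policies: the 1978 bearer code, and a policy that binds approval to a named employee and to the exact transfer with an HMAC and then confirms by calling the employee back. All names, keys, account numbers and dates are constructed for the example.

```python
"""The Rifkin call replayed against two authorisation policies.

Added example; not from the article and not the bank's own procedure.
Names, keys, account numbers and dates are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date
from typing import Callable, Optional

# Policy 1 (1978): one shared secret, changed daily, pinned to the wall.
CODE_OF_THE_DAY = "4719"  # constructed value

# Policy 2: one secret per employee, never displayed, held by the desk and by
# the employee's own token. Constructed keys; a real desk would keep them in
# an HSM and rotate them.
EMPLOYEE_KEYS = {
    "mike.hansen": b"mike-hansen-demo-key-0001",
    "ann.ochieng": b"ann-ochieng-demo-key-0002",
}


@dataclass(frozen=True)
class TransferRequest:
    caller: str            # who the voice on the phone claims to be
    dest_account: str
    amount_usd: int
    on: date
    presented_code: str    # the code the caller recites
    mac: bytes = b""       # policy-2 proof; absent under policy 1


def transfer_mac(key: bytes, req: TransferRequest) -> bytes:
    """Tag binding *this* caller to *this* transfer on *this* day."""
    msg = "|".join(
        [req.caller, req.dest_account, str(req.amount_usd), req.on.isoformat()]
    ).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_request(caller: str, dest_account: str, amount_usd: int, iso_date: str,
                 presented_code: str, key: Optional[bytes] = None) -> TransferRequest:
    """Build a request; when `key` is given it is also signed under policy 2."""
    req = TransferRequest(caller, dest_account, amount_usd,
                          date.fromisoformat(iso_date), presented_code)
    return replace(req, mac=transfer_mac(key, req)) if key else req


def authorize_1978(req: TransferRequest) -> bool:
    """Bearer secret: whoever has seen today's code is 'authorised personnel'."""
    return hmac.compare_digest(req.presented_code, CODE_OF_THE_DAY)


def authorize_bound(req: TransferRequest,
                    confirm_by_callback: Callable[[str, TransferRequest], bool]) -> bool:
    """Per-employee key, transaction binding, then out-of-band confirmation."""
    key = EMPLOYEE_KEYS.get(req.caller)
    if key is None:
        return False                     # nobody of that name works here
    if not hmac.compare_digest(req.mac, transfer_mac(key, req)):
        return False                     # caller lacks the key, or details were altered
    # Knowing a secret is still only a claim about identity. Ring the employee
    # back on the number the desk already holds, never one the caller supplies.
    return confirm_by_callback(req.caller, req)


def tamper_amount(req: TransferRequest, new_amount: int) -> TransferRequest:
    """An attacker edits the amount after signing; the MAC no longer matches."""
    return replace(req, amount_usd=new_amount)


if __name__ == "__main__":
    # What Rifkin had: a plausible name and the code off the wall, no key.
    rifkin = make_request("mike.hansen", "IRVING-TRUST-0042", 10_200_000,
                          "1978-10-25", CODE_OF_THE_DAY)
    # What the real Mike Hansen would present.
    genuine = make_request("mike.hansen", "IRVING-TRUST-0042", 10_200_000,
                           "1978-10-25", CODE_OF_THE_DAY, EMPLOYEE_KEYS["mike.hansen"])

    def hansen_confirms(who: str, req: TransferRequest) -> bool:
        return who == "mike.hansen"       # stands in for the real phone call

    print("1978 policy, Rifkin:", authorize_1978(rifkin))                     # True
    print("bound policy, Rifkin:", authorize_bound(rifkin, hansen_confirms))   # False
    print("bound policy, genuine:", authorize_bound(genuine, hansen_confirms)) # True
```

The point of the second policy is not the HMAC as such but what it binds: the tag is useless to anyone without the employee’s key, and it stops matching the moment the destination, amount or date is changed, so a secret glimpsed on a wall or overheard once buys the attacker nothing. The callback step covers the remaining case, a stolen key, and it only works if the desk dials a number it already holds.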

Shoulder surfing

Direct observation to get information: looking over someone’s shoulder at their screen or keyboard. It sounds hard to pull off, but add a pair of binoculars or a telephoto lens and it happens more often than you would think. Know how you sit in your space. An attacker with a little geometry can read what is reflected off your glasses, a window or a glossy desk surface from a good distance, and a screen left unlocked during a short absence needs no optics at all. You come back and think, “Nothing happened while I was away,” and carry on.

Baiting and dumpster diving were covered in the previous article. Watering-hole attacks are a cousin of phishing, but they invert it: rather than luring the victim to a fake site, the attackers compromise a legitimate website the chosen victim is likely to visit and then wait at the waterhole for the victim to come to them. I hope this article has given you a starter into the world of social engineering. Leave a comment if you feel educated.



Michael Jaroya

He is a technology enthusiast, a writer, and a motivator. An individual with a love for humanity.


More in this category: Social Engineering - The art of human attack


Comments

benard kosgei - Mar 22, 2017 at 04:28 am
Great thoughts, bro. Just explore more.
bill - Mar 23, 2017 at 02:43 pm
Good.
oluoch - Mar 26, 2017 at 09:27 am
I once fell victim to social fraud. Kenyans should get to know about these blackmail tricks. Thanks for the information.
