# Social engineering

## CS 3710: Intro to Cybersecurity

*Credit to [Alex Curtiss](https://twitter.com/apccurtiss), from whom I lovingly stole some of these slides ❤️*

===

## Intro to social engineering

---

## Intro to social engineering

<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>
<figure>
<img src="../../img/soceng/legit_hacker_1.drawio.webp" class="image-background" style="max-height: 50vh; padding: 20px;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>
<figure>
<img src="../../img/soceng/legit_hacker_2.drawio.webp" class="image-background" style="max-height: 50vh; padding: 20px;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=1>
<figure>
<img src="../../img/soceng/legit_hacker_3.drawio.webp" class="image-background" style="max-height: 50vh; padding: 20px;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="fragment fade-in" data-fragment-index=2>
<figure>
<img src="../../img/soceng/legit_hacker_4.drawio.webp" class="image-background" style="max-height: 50vh; padding: 20px;">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## Intro to social engineering

<figure>
<img src="../../img/soceng/neo.webp" style="max-height: 50vh;">
<figcaption>
</figcaption>
</figure>

---

## Intro to social engineering

_**Social engineering:**_ mean ways of tricking people into doing things they probably don't want to do.

===

## Phishing

---

## Phishing

```text
From: elf12rzv@virginia.network <elf12rzv@virginia.network>
To: wss2ec@virginia.edu
Cc:
Bcc:
Subject: In case you missed it...
Reply-To:

Good morning!

Last week I sent you 3 files, 2.9 MB in total. Did you get them? If not, you can access them by clicking here.

If you can look them over and get back to me as soon as possible that would be great!

Best,
Evelyn L. Fishbourne
```

<div class="text-center">
Pictured above: a very normal-looking email 🤔
</div>

notes:

UVA "what is phishing" video: https://www.youtube.com/watch?v=zfWqzW2e1oY&t=48s

---

## Phishing

<figure>
<img src="../../img/soceng/uva_phishing_email.webp" style="max-height: 50vh;">
<figcaption>
</figcaption>
</figure>

---

## Phishing

**Phishing:** a social engineering attack where you receive a malicious message that tries to trick you into giving away your credentials.

---

## Spear phishing

<figure>
<img src="../../img/soceng/sqli_hw_1.webp" style="max-height: 50vh;">
<figcaption>
</figcaption>
</figure>

---

## Spear phishing

<figure>
<img src="../../img/soceng/sqli_hw_2.webp" style="max-height: 50vh;">
<figcaption>
</figcaption>
</figure>

---

## Spear phishing

<figure>
<img src="../../img/soceng/fake_login_site.webp" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>

<div class="text-center">
[NetBadge example](/examples/identity/NetBadge)
</div>

---

## Spear phishing

**Spear phishing:** a more advanced version of phishing where you try to gather information about your target and use it to craft a more convincing story.

Attackers will usually try to gain specific information about the target:

<div class="fragment">

- Names and emails of friends or coworkers

</div>
<div class="fragment">

- Projects, tools, vendors

</div>
<div class="fragment">

- Recent events

</div>
<div class="fragment">

- Logos and formatting

</div>

---

## Spear phishing

Spear phishing often features a much more extensive reconnaissance stage where an attacker will try to gather OSINT and other information to inform their attempts.

<figure>
<img src="../../img/misc/osint_chal.webp" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

Easy! You just have to make sure that you only go to websites you know for sure are legit.

---

## Defending against phishing

We'll look at this handy UVA phishing training page for help!
<figure>
<img src="../../img/soceng/uva_phish_sim_1.webp" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>

notes:

The phishing simulation page is what would've shown up if you clicked on UVA's phishing email in November 2020. Page: https://security.virginia.edu/phishing-simulation-students-november-2020

---

## Defending against phishing

<figure>
<img src="../../img/soceng/uva_phish_sim_2.webp" style="max-height: 60vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

<figure>
<img src="../../img/soceng/uva_phish_sim_3.webp" style="max-height: 60vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

<figure>
<img src="../../img/soceng/uva_phish_sim_4.webp" style="max-height: 60vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

<figure>
<img src="../../img/soceng/uva_phish_sim_5.webp" style="max-height: 60vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

<figure>
<img src="../../img/soceng/virginia_service_now.webp" style="max-height: 60vh;">
<figcaption>
</figcaption>
</figure>

---

## Defending against phishing

You can craft a link that *looks* like it links to a good website, but which actually links elsewhere:

<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>
<figure>
<img src="../../img/soceng/fake_link_1.webp">
<figcaption>
</figcaption>
</figure>
</div>
<div class="fragment" data-fragment-index=0>
<figure>
<img src="../../img/soceng/fake_link_2.webp">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## Phishing + CSRF

As we saw during our discussion on CSRF, just clicking on a link can lead to security issues.
```html
<!-- https://evil.com -->
<!-- Page auto-submits a cross-site POST to example.com as soon as it loads;
     the victim's browser attaches their example.com cookies to the request. -->
<form id="evil-form" action="http://www.example.com/logout" method="POST">
  <input type="submit" name="logout" value="Logout">
</form>
<script>
  document.getElementById("evil-form").submit();
</script>
```

notes:

[CSRF example](/examples/soceng/csrf/login.html)

---

## Defending against phishing

<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>

Try to figure out if the domain is legitimate, I guess.

</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>

Use (strong and phishing-resistant) multi-factor authentication (e.g. WebAuthn, FIDO2)

<div class="image-background">
<figure>
<img src="../../img/soceng/webauthn.png" style="max-height:50vh;">
<figcaption>
</figcaption>
</figure>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=1>

Password managers

<figure>
<img src="../../img/misc/1password.webp" style="max-height:50vh;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=2>
<div class="container">
<div class="col">
<div class="container" style="align-items: center; height: 100%;">

Separation of privilege

</div>
</div>
<div class="col">
<figure>
<img src="../../img/misc/priv_sep.png" style="height: 40vh;">
<figcaption>
*Source: O'Reilly, "Secure Programming Cookbook"*
</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment" data-fragment-index=3>

- Try to figure out if the domain is legitimate (?)
- MFA
- Password managers
- Separation of privilege

In general, it's safer to assume that you (or a friend or coworker) *will* be phished, and work from there.

</div>
</div>

notes:

FIDO2 and WebAuthn as phishing-resistant forms of MFA: https://community.ibm.com/community/user/security/blogs/shane-weeden1/2021/12/08/what-makes-fido-and-webauthn-phishing-resistent

---

## Uber breach

<blockquote class="twitter-tweet"><p lang="en" dir="ltr">The Uber hack is quite severe and wide ranging.
Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 👉 1/N</p>— Bill Demirkapi (@BillDemirkapi) <a href="https://twitter.com/BillDemirkapi/status/1570602097640607744?ref_src=twsrc%5Etfw">September 16, 2022</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

notes:

https://www.uber.com/newsroom/security-update/

https://www.zdnet.com/article/uber-blames-security-breach-on-lapsus-says-they-bought-credentials-on-the-dark-web/

---

## 2020 Twitter data breach

<figure>
<img src="../../img/soceng/twitter_security_incident.webp">
<figcaption>
</figcaption>
</figure>

notes:

Twitter blog post: https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident

===

## Other social engineering vectors

---

## Vishing

<figure>
<img src="../../img/soceng/sevillage_logo.webp" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>

<div class="text-center">
[Writeup](https://medium.com/@JasonPuglisi/vishing-competition-experiences-e4b72c738187) from DC30 vishing competition's second-place winner
</div>

notes:

https://www.se.community/events/vishing-competition/

Blog post from DC30's second-place winner in the vishing competition: https://medium.com/@JasonPuglisi/vishing-competition-experiences-e4b72c738187

---

## Physical entry

<iframe width="560" height="315" src="https://www.youtube.com/embed/pL9q2lOZ1Fw" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

---

## Physical entry

<figure>
<img src="../../img/soceng/physical_access.png" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>