Credit to Alex Curtiss, from whom I lovingly stole some of these slides ❤️
Social engineering: mean ways of tricking people into doing things they probably don't want to do.
From: elf12rzv@virginia.network <elf12rzv@virginia.network>
To: wss2ec@virginia.edu
Cc:
Bcc:
Subject: In case you missed it...
Reply-To:
Good morning!
Last week I sent you 3 files, 2.9 MB in total. Did you get them? If not,
you can access them by clicking here.
If you can look them over and get back to me as soon as possible that
would be great!
Best,
Evelyn L. Fishbourne
Pictured above: a very normal-looking email 🤔
Phishing: a social engineering attack where you receive a malicious message that tries to trick you into giving away your credentials.
Spear phishing: a more advanced version of phishing where you try to gather information about your target and use it to craft a more convincing story.
Attackers will usually try to gain specific information about the target:
Spear phishing often features a much more extensive reconnaissance stage where an attacker will try to gather OSINT and other information to inform their attempts.
Easy! You just have to make sure that you only go to websites you know for sure are legit.
We'll look at this handy UVA phishing training page for help!
You can craft a link that looks like it links to a good website, but which actually links elsewhere:
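Mail clients catch this kind of link by comparing what the anchor *shows* with where it *goes*. The following is an added example (not part of these slides) of that check in plain Node.js: a small regex pulls anchors out of an email body, and any anchor whose visible text looks like a domain that differs from the href's domain is flagged. The hostnames and the sample HTML are constructed for illustration, and the two-label "base domain" shortcut stands in for a proper Public Suffix List lookup.

```javascript
// Added example, not from the slides: flag anchors whose visible text looks like
// one site but whose href actually points to a different registrable domain.
// A regex over the HTML keeps this runnable in plain Node.js without a DOM.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;

// Host of the real destination, or null when the href is not an absolute http(s) URL.
function hrefHost(href) {
  try {
    const u = new URL(href);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // relative or malformed href: nothing to compare against
  }
}

// If the visible link text itself looks like a URL or bare domain, return that host.
function textHost(text) {
  const plain = text.replace(/<[^>]+>/g, '').trim();
  const m = plain.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Crude registrable-domain approximation (last two labels). Good enough for the
// demo; a real mail filter would consult the Public Suffix List instead.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns one finding per anchor whose displayed domain and real domain disagree.
function findDeceptiveLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const [, href, inner] = m;
    const shown = textHost(inner);
    const real = hrefHost(href);
    if (shown && real && baseDomain(shown) !== baseDomain(real)) {
      findings.push({ shown, real, href });
    }
  }
  return findings;
}

// Constructed sample: the first link is deceptive, the other two are fine.
const SAMPLE_EMAIL = `
<p>Please review the files <a href="https://login.example-files.net/x">https://collab.virginia.edu/files</a></p>
<p>Also see <a href="https://www.virginia.edu/help">www.virginia.edu/help</a> and
<a href="https://docs.example.org/a">click here</a>.</p>`;

console.log(JSON.stringify(findDeceptiveLinks(SAMPLE_EMAIL), null, 2));
```

Note that "click here" style links (the one in the email at the top of these slides) are not flagged, because the text makes no claim about the destination; a client can only warn about those by showing the real href on hover.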
As we saw during our discussion on CSRF, just clicking on a link can lead to security issues.
<!-- https://evil.com : the page the victim is lured to by the link -->
<form id="evil-form" action="http://www.example.com/logout" method="POST">
<input type="submit" name="logout" value="Logout">
</form>
<!-- No click needed: the form is submitted as soon as the page loads,
     and the browser attaches the victim's example.com cookies to the POST -->
<script>
document.getElementById("evil-form").submit();
</script>
Try to figure out if the domain is legitimate, I guess.
Use (strong and phishing-resistant) multi-factor authentication (e.g. WebAuthn, FIDO2)
Password managers
Separation of privilege
Source: O'Reilly, "Secure Programming Cookbook"
In general, it's safer to assume that you (or a friend or coworker) will be phished, and work from there.
The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 👉 1/N
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
Writeup from DC30 vishing competition's second-place winner