Extremely Easy Security — Learn Social Engineering in Plain English (1.1 Part 2)
One time I bought a jumbo carton of milk at the dollar store, and I had to drink it in the checkout line because I was too thirsty to wait, and everybody stared.
Sorry, that was supposed to be for my personal diary, not my technical blog, but my backspace button isn’t working right now, and I can’t stop typing this sentence or everything I write will delete itself, so just pretend you didn’t read that.
(If you haven’t started this ridiculous series yet on the CompTIA Security+ exam, head over to the beginning.)
We have a lot of stuff to cover, and you’re probably overwhelmed, which is why I’ll be posting every day to overwhelm you even further. (Just kidding. I’ll be releasing chapters pretty often, but from now on I’ll be notifying followers Mondays and Thursdays, so check in when you can.)
The Security+ SY0-601 objectives are a ton to go through. Although the certification is good for three years before SY0-701 comes out, it’ll probably take me seven unless I spam you just a little bit.
So, let’s get to it.
Last time we talked about social engineering, and today we’re continuing on the same subject. Here is one of my highly professional drawings for this chapter.
If you’re following along with the CompTIA objectives list, then you know we left off at spear phishing. I’m going to jump ahead really quickly so I can explain the difference between that and whaling, which will be on the exam.
Whaling
Whaling is social engineering that targets highly ranked people, usually executives.
The “highly ranked people, usually executives” part is where it’s different than spear phishing.
These attacks are highly personalized. Whaling is carried out by using a lot of research about that executive’s business or personal life, and this way the attack email (or text, or interaction, or what have you) seems super realistic.
But spear phishing, as I mentioned, targets specific people at lower levels, like Martha from accounting.
(Disclaimer: If you are Martha from accounting, please do not message me. I do not think anything badly of you, and you are really very high level, not lower.)
So, if I’m whaling, I can pretend to be from the financial office inside of your company. I can send an email to your top executive with a fake bill telling her to pay me for something, and then hope that it slips by in the middle of the thousands of other bills that she receives from the actual, real financial office (also see: Invoice Scams). If she doesn’t notice it’s fake, then I’m rich, and I can go buy a Bugatti.
Okay, now you can cross whaling off of your list.
Dumpster Diving
My dog used to steal my tossed journal entries out of my trash, but she can’t read, so I still felt safe.
With people, however …
“Dumpster diving” is when an attacker purposely tries to get sensitive information out of your corporate bin, or your $550 automatic trash can with odor control. Sometimes this is done by actually digging through food waste. (Believe it or not, despite being disgusting, this kind of thing actually happens.) It’s not even unheard of for people who are supposed to get rid of your company’s trash to be the ones actually digging through it and selling that information.
No offense to janitors though, you guys are underappreciated and awesome.
But that looming possibility is why you’ll find all these fun techniques that companies use to completely rid themselves of their hard drives and paperwork before people get their hands on it (shredding, burning, crushing, etc — all things you wouldn’t do to a Beanie Baby.)
One dude’s trash is another criminal’s treasure.
Shoulder Surfing
Ah yes, more paranoia.
Have you ever been interested in what someone is doing on their computer screen at the other side of a cafe? Did you know it was wrong, but you just had to look? Then you’ve engaged in shoulder surfing.
Congratulations, you are now a spy.
Pharming
One day, you went online. You went to your banking website, typed in your username and password, and checked your account balance.
Uh oh. Then, suddenly, you got hacked. Now a criminal is spending $5000, your $5000, buying hundreds of boxes of sugar cereal for himself.
You’re not sure how because you think you typed the name of the website in correctly, Bank of Awesome, and you didn’t download any weird software recently or click on any strange ads.
This could have been a pharming attack. It’s when a hacker makes a version of your banking website that looks exactly like the real thing. Then, when you make a legitimate request to go there, the attacker redirects you to a different path and sends you to their evil clone website instead. There, they can read everything you typed into the username and password field.
Pharming uses something called “DNS redirects.” A DNS server is just a computer on the internet that your computer reaches out to whenever it needs to go to a website. A DNS server understands the names of websites that you type in (like google.com) and tells your computer the address of the machine that has the actual webpage on it. An attacker can break into a DNS server and change its answers to send you anywhere they want.
Always check website certificates to make sure what you’re seeing is legitimate — check that little lock up there in the left corner of your browser, right next to where it says medium.com. We’ll talk more about certificates later.
Tailgating
This is when you physically follow a person into an area you’re not supposed to be in. Maybe there was a fire drill, and you followed all the employees back inside, even though you don’t work there.
Eliciting Information
Huh? Big words hurt small brain. This just means getting someone to talk about stuff they shouldn’t. It happens without the victim realizing it’s happening, because they’re busy enjoying the conversation, or they’re being manipulated or tricked, or they’re drunk. Or several combinations of the above.
Prepending
This is what happened to me when I almost clicked on that phishing link in my inbox the other day. An attacker created their own website that was only one letter away from the actual website name. So even if I checked where they were sending me, there was a good chance I’d click it anyway.
See? Criminals are smart. That is why we must become smarter.
Prepending, specifically, refers to adding or subtracting a letter in the front of a website name. For example, google.com becomes ggoogle.com. Who hasn’t typed that in at least once in their lives? Then, when you go there, bad stuff ends up on your computer.
Honestly, though, I have no idea what it’s called when you do the same thing in the back of the website name. The CompTIA exam doesn’t cover this.
Also see: “Typosquatting” — these are similar.
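As an added example (not from the post), here is a small Python check a defender could run over the links in an email before anyone clicks: it flags any domain that is only one edit away from a domain you trust, which catches prepending like ggoogle.com as well as ordinary typosquats. The trusted list is a constructed assumption.

```python
from urllib.parse import urlparse

# Constructed list of domains the reader trusts (an assumption for this example).
TRUSTED_DOMAINS = {"google.com", "bankofawesome.com", "medium.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or
    substitutions turn a into b. One prepended letter costs exactly one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(url: str) -> str:
    """Reduce a URL to its last two host labels (www.google.com -> google.com).
    Good enough for .com-style names; real code would use a public-suffix list."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's domain."""
    domain = registered_domain(url)
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, the kind you might find in a phishing email.
    for link in ["https://www.google.com/search", "http://ggoogle.com/login",
                 "https://bankofawesome.co/", "https://example.org/"]:
        print(f"{link:35} -> {classify_link(link)}")
```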
Identity Fraud
We hear about this one a lot. Your “identity” is stolen, usually your picture, your address, birthday, your social security number, other stuff like that. Then a criminal pretends to be you and opens up five new credit cards, takes out a $10,000 loan, finds your address, raids your fridge, wears your favorite fluffy socks, travels to the Bahamas, and then signs up for government benefits in your name.
Ok, it feels like it’s time for a break.
Breathe in again.
Breathe in some more, you didn’t do it all the way.
That’s good. Now lower the volume on your headphones.
Contemplate the clouds and think about the sunrise.
Think about how you’re awesome and basically a genius.
Now open your eyes.
Alright, we’re back.
Just a few more things about social engineering, and then we’re done with part two, so bear with me.
Invoice Scams
This is like what we discussed earlier when we talked about whaling. It’s specifically when you send a fake bill for something to a company, hoping that they’ll believe you and actually pay you.
Wow, you know, this sounds like a great idea to get money. I should try it.
Credential Harvesting
There are a lot of ways that attackers can steal your “credentials.” In other words, these are basically just usernames and passwords. But not always. A credential, in information technology, can also be a token of some kind, an email address, a bunch of scribbly movements that you make up on your phone to connect dots, or a picture of your eyeball.
It’s just anything you might use to tell a computer, person, or other system that you are who you really are.
Oftentimes credential harvesting is done before a hacker even starts attacking your systems. You can use things like search engines to find credentials leaked around the internet. It can also happen during an attack, because there are ways that computers store credentials on them insecurely, and certain tools and software can force computers to spit them out.
Reconnaissance
You’ve probably heard this word before if you’ve ever been in the military, but in case you’re like me and are easily intimidated by yelling, it just means gathering information on your attack “target.”
Social engineering is a good way to do “recon” before you actually go in the field and hack someone. Maybe you engage in friendly chatter with your arch-nemesis Herbert, and then learn he has a deep passion for clarinet. Then you can assume Herbert’s password might have something to do with clarinets.
Another way you can do recon would be flying a small drone around the outside of a building. Or going online and browsing your target’s website and seeing what kind of programming language they’re using to make their website work.
Hoax
Congrats on almost finishing the entire article. Guess what? I just stole your password.
Not really, I’m nice. So that was a hoax.
Impersonation
Pretending to be someone you aren’t. This happens a lot with scams, and it usually results in bad dates.
See: “Identity Fraud” and “Catfish” the TV show.
Watering Hole Attack
Imagine you’re a lawyer. There’s a website you always go to, and it’s about, obviously, law. You go there because you can’t possibly remember all that legal stuff in your head, and you often have to re-read it.
Now, imagine there’s a hacker that hates lawyers. They think that lawyers are the evil arm of the government, and they want to ruin the lives of as many lawyers as possible by hacking them.
One way to do this is by hacking that law website, because they know that only lawyers will go there. (If you are not a lawyer and you frequently visit legal websites, I worry about you.)
The metaphor is that you have a common “watering hole” that a certain type of animal or human has the tendency to go to, so you digitally poison it.
A watering hole website can be held in common between employees in the same company, or people in the same social category.
So, if you want to hack grandpas, where would grandpas usually go? Trick question: the newspaper. Grandpas are invulnerable to watering hole attacks.