Social Engineering Continued....

10-22-2010, 01:05 PM
Computer Based Social Engineering:

Computer based social engineering is implemented by using software or programming applications like e-mails, viruses, trojans, chatting, etc. The following are the ways to perform computer based social engineering:

1. Pop-up Windows:
In this type of social engineering, a window appears on the screen informing the user that he/she has lost his/her network connection and needs to re-enter his/her username and password. A program that the intruder had previously installed will then email the information to a remote site. This type of attack is mainly done by using viruses and trojans. Spyware can also perform this type of attack. The spyware will pretend to be an antivirus and will pop up a message telling the user that his/her machine contains viruses and that, in order to remove them, it needs the username & password, etc. When the user enters that information, it will then give a fake reply like "virus removed" and in the backend it will send the information to the attacker.

2. Spam & e-Mail Attachments:
In this attack the attacker sends an email to the victim in order to get information. For example: the mail will declare that you have won a lottery of $20,000 and then it will ask you to go to some link, where it will then ask you for your confidential information like bank account details so that delivery can be made. The attacker can also send an attachment along with the email, and that attachment can be a virus or trojan, for example the “Anna Kournikova” worm. Social engineers try to hide the file extension by giving the attachment a long file name. In this case, the attachment is named AnnaKournikova.jpg.vbs. If the name is truncated, it will look like a jpeg file and the user may not notice the .vbs extension.

3. Chatting/Instant Messaging:
Nowadays it is quite a popular medium of communication. People of almost all ages chat online. It is especially popular among teenagers. Performing social engineering via chatting is quite easy.
The attacker just needs to chat with someone and then try to elicit the information. As chatting is an informal way of communication, the attacker is not directly communicating with the person. Due to this the attacker can even lie to the other person about his/her identity etc., because the victim can't see the attacker (without a webcam).
For instance:
Usually what the attacker does is, he/she chats with boys by behaving as a girl & vice-versa. By using a fascinating picture during chatting the attacker can lure anyone.
The display picture usually works like bait. Then slowly the attacker will ask certain questions by which he/she can elicit information about the victim. And believe me this method is very dangerous because you would not even know when you became a victim of social engineering.
Me and my friends tried this social engineering many times.
I tried this technique many times, & you may not believe me that I easily got the password of an e-mail id, by simply asking the victim "What is your password?"
But for this you first need to create deep trust with the victim, then make your final attack on the victim. I'll call this the Flirt & hack technique :p
Mainly it depends upon you how clever & smart you are and how good you are in communication & in manipulating the answers.

4. Malicious Websites:
This involves a trick to get an unwitting user to disclose potentially sensitive data, such as the password used at work. Some methods include using advertisements that promote and display messages offering free gifts and holiday trips, and then asking for a respondent’s contact email address, as well as asking the person to create a password. This password may be one that is similar, if not the same, as the one that the target user utilizes at work. Many employees enter the same password that they use at work, so the social engineer now has a valid username and password to enter into an organization’s network. Nowadays I have seen many websites ask you to use your e-mail id as username while registering a new account. Then it asks you to create a new password.
Now some people (newbies) get fooled: they enter the same password that they are using with that email account..!!
Beware of this, some attackers can fool you by phishing.

5. Insider Attack:
60% of attacks in organizations are done by insiders. Insiders are employees of a company or persons who have some trusted relation with that company. In this attack the attacker uses some other person to implement the attack. For example:
A competitor can inflict damages to an organization by stealing sensitive data, and may eventually bring down an organization by gaining access to a company through a job opening by sending a malicious person as a candidate to be interviewed, and—with luck—hired.
Other attacks may come from unhappy employees or contract workers. It takes just one disgruntled person to take revenge on a company by compromising its computer system.

How to defend against social engineering?
As I told you before, there is no software or hardware to halt social engineering.
The only way to avoid it is by using your own brain. Try to think twice before you give any answer or information to any person, because the word lie sits exactly between the word believe..!!

Hope you enjoyed this article.
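
The double-extension trick from item 2 (AnnaKournikova.jpg.vbs shown as a jpeg once the long name is cut off), illustrated from the defender's side with an added detection example that is not part of the original post. The extension sets and the display width are assumptions; the name AnnaKournikova.jpg.vbs comes from the post, the other sample names are constructed.

```python
"""Spot attachment names that hide a script extension behind a decoy one.

Added example for this thread (not the original poster's code). The name
AnnaKournikova.jpg.vbs comes from the post; all other sample names are
constructed. The extension sets are an assumption, not an official list.
"""
import os

# Extensions Windows will execute on double-click (assumed typical gateway set).
EXEC_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".bat",
             ".cmd", ".pif", ".com", ".hta", ".wsf"}
# Extensions a user expects to be harmless; these make convincing decoys.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".txt", ".xls", ".xlsx", ".zip"}


def split_exts(name: str) -> list:
    """All dotted suffixes, lowercased: 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def classify_attachment(name: str, width: int = 24) -> dict:
    """Describe how a mail client showing `width` characters presents the name.

    The real extension is the last one; a decoy is any earlier harmless-looking
    extension. 'disguised' means executable AND (decoy present OR the real
    extension falls outside the truncated display).
    """
    exts = split_exts(name)
    real_ext = exts[-1] if exts else ""
    decoy = next((e for e in exts[:-1] if e in DECOY_EXTS), None)
    shown = name[:width]                      # what a narrow column displays
    hidden = bool(real_ext) and not shown.lower().endswith(real_ext)
    executable = real_ext in EXEC_EXTS
    return {
        "name": name,
        "real_ext": real_ext,
        "executable": executable,
        "decoy_ext": decoy,
        "shown_as": shown,
        "hidden_by_truncation": hidden,
        "disguised": executable and (decoy is not None or hidden),
    }


def disguised_names(names, width: int = 24) -> list:
    """Return the names a mail gateway rule should hold for review."""
    return [n for n in names if classify_attachment(n, width)["disguised"]]


if __name__ == "__main__":
    samples = ["AnnaKournikova.jpg.vbs", "holiday.jpg",
               "quarterly report final version.pdf.exe", "setup.exe"]
    for n in samples:
        print(classify_attachment(n))
    print("hold:", disguised_names(samples))
```

A plain executable such as setup.exe is still reported as executable; the "disguised" flag only fires when the name is dressed up the way the post describes.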

10-24-2010, 02:59 AM