Assignment: For this component, you will write a report or critique on the paper you chose from Assignment 1. Your report should be limited to approx. 1500 words (not including references).
Use 1.5 spacing with a 12 point Times New Roman font. Though your paper will largely be based on the chosen article, you should use other sources to support your discussion or the chosen paper's premises.
Citation of sources is mandatory and must be in the IEEE style.
TOPIC: Social Engineering and phishing attacks
Your report or critique must include: Introduction: Identification of the paper you are critiquing/reviewing, a statement of the purpose for your report and a brief outline of how you will discuss the selected article (one or two paragraphs).
Body of Report: Describe the intention and content of the article. If it is a research report, discuss the research method (survey, case study, observation, experiment, or other method) and findings. Comment on problems or issues highlighted by the authors. Report on results discussed and discuss the conclusions of the article and how they are relevant to the topics of this Unit of Study.
Conclusion: A summary of the points you have made in the body of the paper. The conclusion should not introduce any ‘new’ material that was not discussed in the body of the paper. (One or two paragraphs)
References: A list of sources used in your text. They should be listed alphabetically by (first) author’s family name. Follow the IEEE style.
ABSTRACT:
As the digital era matures, cybersecurity evolves and software vulnerabilities diminish; people, however, are more exposed today than ever before. Presently, one of the most practiced and effective penetration attacks is social rather than technical, so efficient in fact that these exploits play a crucial role in supporting the great majority of cyber assaults. Social engineering is the art of exploiting human flaws to achieve a malicious objective. In the context of information security, practitioners breach defenses to access sensitive data, preying particularly upon the human tendency towards trust. Cybercriminals induce their victims to break security protocol, forfeiting confidential information that is propitious for a more targeted attack.
INTRODUCTION:
Social engineering attacks are not only becoming more common against enterprises and SMBs, but they are also increasingly sophisticated. Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.
The basis of a social engineering attack is to bypass cyber security systems through deceit, exploiting the weakest link: the people involved. Throughout the interaction, victims are unaware of the destructive nature of their actions. The social engineer exploits innocent instincts, not criminal ones. Explicit methods such as threats or bribery do not fall within the scope of social engineering. A talented practitioner of this discipline understands and perceives social interaction patterns in order to manipulate the psychological aspects of the human mind.
2.1 Categories
A social engineering attack can be classified into one of two possible categories: hunting and farming.
2.1.1 Hunting
This approach seeks to execute the social engineering attack through minimal interaction with the target. Once the specified objective is achieved and the security breach is established, communication is likely to be terminated. This is the most frequently used methodology to support cyber attacks and, as a rule, the modus operandi involves a single encounter.
2.1.2 Farming
Social engineering farming is not often practiced; nevertheless, this technique may be used for situational purposes. The attacker aims to establish a relationship with the victim in order to extract information over a longer period of time.
2.2 Phases
In order to achieve a specified objective, social engineering attacks can range from a single encounter to a series of operations, possibly involving several threat actors, intended to gather fragments of related information from different sources. Attacks of this nature, even if dependent on a sole interaction, typically consist of four distinct phases: research, hook, play and exit.
2.2.1 Research
A well known sentence from Sun Tzu in The Art of War is "Know your enemy". Knowledge is power and, in the context of cyber security, the investment in this stage can be invaluable for unveiling possible vulnerabilities. Nevertheless, rather than executing a targeted attack, an experienced social engineer is capable of exploiting chance encounters, thus opening further opportunities with no research prior to that point.
2.2.2 Hook
In this phase, the threat actor initiates the communication with the potential victim. He engages the target, spins the story, builds a level of intimacy and takes control of the interaction.
2.2.3 Play
The play aims to accomplish the purpose of the attack, which can be to extract information or to manipulate the target in order to compromise the system.
2.2.4 Exit
Lastly, the social engineer finalizes the interaction with the victim, preferably without arousing any suspicion. After this last phase, the attacker is typically very difficult to track down.
2.3 Attack Spiral Model
This model indicates that as the process develops, the risks, although present throughout the entire operation, increase both to the target and to the threat actor, and so does the complexity of the attack. Consequently, social engineers often maintain a comprehensive consideration of risk assessment throughout each phase.
3 ATTACK VECTORS
An attack vector is a path or means by which the attacker can gain access to exploit system vulnerabilities, including the human element.
3.1 Social Approach
The attack vectors in the social approach can arise through different acts: tailgating, impersonating, eavesdropping, shoulder surfing, dumpster diving, reverse social engineering and others.
3.1.1 Tailgating
Tailgating is the act of following an oblivious human target with legitimate access through a secure door into a restricted space. The attacker may ask the victim to hold the door, or can simply reach for it and enter before it closes.
3.1.2 Impersonating
As the name implies, the threat actor assumes a false identity to gain credibility as a basis for carrying out subsequent malicious actions, such as piggybacking and pretexting. In piggybacking, similarly to tailgating, the attacker aims to gain physical entry to secured areas. In this case, however, the attacker acquires permission from the person with legitimate access by impersonating business entities, such as personnel that require temporary admittance.
3.1.3 Eavesdropping
Within a company, the personnel may simply discuss classified matters out loud if they expect only authorized employees to be present. Just by being at the right place at the right time, threat actors can exploit security breaches of this nature.
3.1.4 Shoulder surfing
Shoulder surfing refers to the act of direct observation, looking over the victim's shoulder to collect personal information; it is typically used for extracting authentication data.
3.1.5 Dumpster diving
A classical practice among attackers for acquiring sensitive information is to simply look for it in the garbage. Often, individuals and organizations do not adequately dispose of documents, papers and even hardware from which confidential data can be retrieved.
3.1.6 Reverse social engineering
The threat actor entices the target to be the one to initiate the interaction and lies in wait, reducing the risk of arousing any suspicion. The attacker creates and plays a persona that appears to be trusted, fabricates a problem for the victim and, indirectly, presents a viable solution.
3.1.7 A Recurrent Social Attack Example
A recurrent social attack unfolds in six steps. First, an attacker extracts the target's email address and phone number through research, often with ease. Second, the threat actor initiates the attack by sending a message to the potential victim. Third, the attacker, impersonating the victim, requests a legitimate password reset from Google. Fourth, Google sends the password reset verification code to the actual victim. Fifth, the victim, expecting the message from Google, follows the previous instructions and forwards the code to the attacker. Sixth, with the code freely given by the victim, the attacker simply resets the password and gains complete access to the account.
3.2 Socio-Technical Approach
The socio-technical approach can arise through different situations: phishing, baiting, watering hole and others.
3.2.1 Phishing
Phishing attacks attempt to extract personally identifiable information through digital means, such as malicious emails and websites that appear to be from legitimate sources.
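As an added, defender-side example that is not part of the original report, the following Python check classifies a From: header according to the ways a phishing email imitates a legitimate source described above: a brand domain hidden in the subdomain part, a homoglyph or typo-squatted domain, or a display name that claims a brand its domain does not belong to. The trusted-domain list, the confusable-character table and the sample headers are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of the brands this check protects (not from the report).
TRUSTED_DOMAINS = {"google.com", "paypal.com", "example-bank.com"}

def _normalize(domain: str) -> str:
    """Fold Unicode to ASCII and undo common look-alike substitutions
    (0->o, 1->l, 3->e, 5->s, rn->m, vv->w) so both sides compare equally."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    folded = folded.translate(str.maketrans("0135", "oles"))
    return folded.replace("rn", "m").replace("vv", "w")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _registrable(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.strip(".").split(".")[-2:])

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Classify the value of an RFC 5322 From: header.
    Returns (verdict, detail) with verdict in trusted/suspicious/unknown/reject."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "reject", "unparseable address"
    host = addr.rsplit("@", 1)[1].lower()
    reg = _registrable(host)
    if reg in trusted:
        return "trusted", reg
    for good in sorted(trusted):
        # Brand domain buried in the subdomain part: google.com.reset-verify.net
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "suspicious", f"{good} appears as a subdomain of {reg}"
        # Homoglyph or typo-squatted registrable domain: paypa1.com, g00gle.com
        if _edit_distance(_normalize(good), _normalize(reg)) <= 2:
            return "suspicious", f"{reg} looks like {good}"
        # Display name claims the brand while the domain is unrelated
        if good.split(".")[0] in display.lower():
            return "suspicious", f"display name claims {good} but domain is {reg}"
    return "unknown", reg
```

The check is a heuristic for a mail gateway or triage script; a "suspicious" verdict is a reason to quarantine or warn, not proof of phishing, and genuine partner domains within edit distance 2 of a protected brand must be added to the allow-list.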
3.2.2 Baiting
The attacker can use this physical attack vector by infecting a storage medium with malware and leaving it to be found by the targeted victim, who may naively plug it into the system.
3.2.3 Watering hole
After researching, the attacker identifies one or more legitimate websites regularly visited by the target, searches them for vulnerabilities, infects the most propitious website for the attack and lies in wait.
3.2.4 A Socio-Technical Attack Example
Kali is a Debian Linux based operating system for penetration testing purposes, providing an arsenal of tools designed for analysing and exploiting system vulnerabilities. Funded and maintained by Offensive Security, Kali Linux is a renowned open source project used by cyber security professionals and enthusiasts.
The Social-Engineer Toolkit (SET), with over two million downloads, is heavily supported within the cyber security community. Created by the founder of TrustedSec as an open source, menu driven penetration testing tool, SET is now the standard framework for assisting advanced technological attacks in social engineering environments. To start it in Kali Linux, all that is necessary is to type "setoolkit" in the terminal; it is also accessible through the applications menu.
Once the software executes, users are presented with a simple main menu that provides six options, and another one to exit the program. Given the subject of this paper, this attack demonstration is naturally focused on the first option, social engineering attacks. This attack example is a rudimentary phishing attempt of the website vector kind, and thus, in the social engineering attacks menu that follows, “Website Attack Vectors” is selected.
By applying social engineering techniques, the attacker induces the victim to commit the mistake of submitting the targeted credentials. Once the victim visits the link and enters the username and password, the login credentials are redirected to the Kali Linux server.
CONCLUSION
The Information Age is maturing, accompanied by a vastly increased usage of the Internet; humanity evolves rapidly as the growth of publicly accessible knowledge has been greatly nurtured and facilitated. Consequently, an unmistakable dependence on the World Wide Web has been established in civilization. Recent studies have shown that people are at the core of the infection chain in the great majority of cyber attacks. Social engineering is increasing both in sophistication and in ruthless efficiency, because people make the best exploits.