Chapter 4

The Role of People in Security

Lab Exercises

4.01   The Social-Engineer Toolkit

4.02   Phishing Tests

4.03   Reconnaissance Through Open-Source Intelligence

Lab Analysis

Key Term Quiz

Humans are, have been, and will always be the weakest link in any security implementation. Any hardware or software security control can be undone in seconds by a gullible or naive person.

Social engineering is an art and science that is used by cybercriminals to convince people to grant the attackers’ requests—often things they normally wouldn’t and shouldn’t do. Social engineering cybercriminals use psychological tricks to get people to reveal information the criminals need regarding systems, networks, and infrastructures. It’s much easier to ask someone for a password than it is to break into a system and get it.

You can patch a computer, but you can’t patch people. You can teach them to be vigilant, but they forget and make mistakes. As computer vulnerabilities become harder for criminals to exploit, people become their most obvious targets. Skilled social engineers fool victims with body language, posture, gestures, facial expressions, eye movements, tone and inflection of voice, physical presence, word choice, context, and framing.

The digital form of social engineering is phishing. Phishing involves sending out “bait” to a large number of people, mostly through e-mail but also through SMS (Short Message Service) text messages (smishing) and through live phone calls, recorded messages, and voicemail (vishing, short for voice phishing), in the hope that some recipients will take the bait by revealing usernames, passwords, and other items, such as credit card information. When a user clicks a link in a phishing e-mail, for example, a web page opens that looks and feels like a real banking site, the real PayPal site, the real eBay site, the real Facebook site, the real LinkedIn site, and so on. The user therefore feels safe entering sensitive information, which goes directly to the attacker.

Furthermore, simply visiting such a site can install malware on the victim’s machine. After the user clicks the link, the page can hand the browser to a drive-by download exploit kit, which fingerprints the victim’s machine; finds vulnerabilities in the operating system, the browser, and other software such as video players; selects the matching exploit; delivers it; and executes malware. All of this happens automatically, just by the victim visiting the attacker’s site.

Exploit kits depend on unpatched software: if you fail to apply operating system or application security updates, you’re very vulnerable to them. The kits are usually hosted on a legitimate website that has been compromised or are delivered through a legitimate website’s third-party advertisements (malvertising).

In another scenario, users are asked to click a link to view content or to install a program that will let them view it; clicking installs malware instead. A common variant is scareware: pop-up windows from the visited site urging users to click to remove a virus or to scan for one, where the click itself installs the malware. The pop-ups may include a phone number for users to call, continuing the social engineering attack over the phone. Victims then give the attackers their credit card numbers and let the attackers control their machines remotely to “fix” the supposed problems.

Phishing also involves e-mail attachments that users are asked to open, such as a ZIP file. This offers the attacker three advantages: it bundles multiple files into one, compresses them, and can slip past malware scanners, especially when the archive is password-protected so that the scanner cannot inspect its contents. Alternatively, an e-mail attachment may be a Microsoft Word document or an Excel spreadsheet with a macro. Users are told that the file is “protected” and that they can only view it by enabling macros. Of course, when a user clicks the button to enable macros, that triggers the installation of malware. In fact, that’s exactly how the 2015 Ukraine power grid cyberattack started.

Phishing often involves sending e-mails to random e-mail addresses that may or may not be valid—for example, [email protected], [email protected], [email protected], and so on. Spear phishing takes phishing to a whole new level by targeting specific users in a specific company—for example, [email protected], [email protected], [email protected], and so on. When attackers go after the “big fish” of a company, such as a senior executive, they’re taking spear phishing to an even higher level; this is called whaling— for example, [email protected], [email protected], [email protected], and so on.

A 2016 study by PhishMe (acquired by and incorporated into Cofense in 2018) found that 97 percent of phishing e-mails were designed to deliver ransomware, which locks and encrypts a device until the user pays a ransom. Scare tactics include threatening the user or company that if they don’t pay within a certain amount of time, files will start to be deleted. The general recommendation is not to pay, because paying encourages the adversaries to continue this type of extortion, funds their future activities, and doesn’t guarantee that you will receive a decryption key, or that a key you do receive will actually work. The best way for users to stay safe is to refrain from clicking unknown links and to keep a good set of backups, stored offline or otherwise out of reach of the infected system and tested for restoration, that can be used to rebuild a damaged system. That is far better than paying a ransom.

There are many ways to spot phishing e-mails and fake sites. When you hover over a link before you click it, you can see the real web address you’ll be sent to. This is much harder on mobile devices (a long-press usually reveals the destination, but it is easy to tap the link by mistake), so make it a practice never to click such links; instead, open a new browser window or tab and go to the site manually. A generic greeting instead of your actual name is another sign of something amiss. The sender’s e-mail address can be spoofed to appear legitimate, or it can be noticeably off. URLs in which the expected brand name appears, but not as the registered domain (for example, as a subdomain or in the path of an unrelated domain), are also malicious. Seeing “http” instead of “https” in the URL can be another indicator, though the reverse is no guarantee: phishing sites routinely obtain valid certificates, so a padlock proves only that the connection is encrypted, not that the site is genuine. Being asked to fill in far more information than the task should require is another red flag.

Phishing e-mails often include a desperate story that asks the user to act urgently, and in some cases they actually threaten the user. The formatting and appearance of the e-mail or website, including the quality of images, is another giveaway. Users should look for poor spelling and grammar. A phishing e-mail often includes a generic signature without contact information. Unexpected attachments, or instructions to enable macros or run a script, are the icing on the cake.
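Several of the indicators above can be checked mechanically, which is how mail gateways and phishing-report triage scripts do it. The script below is an added example written for this chapter, not code from the lab manual or from any product: it parses a raw e-mail, extracts every hyperlink from the HTML body, and flags plain-http links, links whose host is a bare IP address, anchor text that names one domain while the href points at another, a brand name buried in a URL that is not the registered domain, a display name that claims a brand the sender’s domain does not match, generic greetings, urgency language, and risky attachment types. The two sample messages are constructed for illustration (the sender domains, names, and the 192.168.1.129 address are made up), the brand and extension lists are my own choices, and the “last two labels” domain comparison is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Heuristic phishing-indicator scanner for a raw RFC 822 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Brands and file types singled out in the chapter; extend as needed (my choice).
BRANDS = ("facebook.com", "paypal.com", "ebay.com", "linkedin.com")
RISKY_EXT = (".zip", ".docm", ".xlsm", ".js", ".exe", ".iso")
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|suspended|verify now|within 24 hours|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return indicator strings for one hyperlink (empty list if nothing looks odd)."""
    findings, host = [], urlparse(href).hostname or ""
    if urlparse(href).scheme == "http":
        findings.append(f"plain http link: {href}")
    if is_ip_literal(host):
        findings.append(f"link host is an IP literal: {host}")
    # Anchor text that looks like a URL or domain but points at a different host
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"anchor text '{text}' does not match link host '{host}'")
    # A real brand name inside the URL, but not as the registered domain
    for brand in BRANDS:
        if brand in href.lower() and registrable_domain(host) != brand:
            findings.append(f"'{brand}' appears in the URL but the host is '{host}'")
    return findings


def scan(raw_message):
    """Scan one raw message and return a list of phishing indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    for brand in BRANDS:
        if brand.split(".")[0] in name.lower() and sender_domain != brand:
            findings.append(f"display name '{name}' mentions {brand} but sender domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if GENERIC_GREETING.search(content):
        findings.append("generic greeting")
    if URGENCY.search(content):
        findings.append("urgency or threat language")
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        for href, text in extractor.links:
            findings.extend(check_link(href, text))
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {filename}")
    return findings


# Constructed sample modelled on an "account suspended" lure; sender and IP are made up.
SUSPICIOUS = """\
From: "Facebook Security" <alerts@mail-notify.example>
To: victim@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<p>Dear user,</p>
<p>Your Facebook account has been <strong>suspended</strong>!
Go to <a href="http://192.168.1.129">https://www.facebook.com</a>
to log in within 24 hours and restore access.</p>
"""

# Constructed benign mail for comparison (hypothetical company and portal).
BENIGN = """\
From: "Acme Payroll" <payroll@acme.example>
To: dana@example.org
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<p>Hi Dana,</p>
<p>Your payslip is on <a href="https://payroll.acme.example/payslips">the payroll portal</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan(raw) or ["no indicators"])
```

Run it against a saved `.eml` file by passing the file’s contents to `scan()`. Note that every check here is a heuristic: a legitimate mail can trip one of them, and a careful attacker can avoid all of them, which is why the lab exercises that follow train your judgment rather than a filter.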

45 MINUTES

Lab Exercise 4.01: The Social-Engineer Toolkit

The following information comes from the Social-Engineer Toolkit (SET) website at www.trustedsec.com/tools/the-social-engineer-toolkit-set/:

The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering.

It has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, it is the standard for social-engineering penetration tests and supported heavily within the security community.

It has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, Metasploit: The Penetration Tester’s Guide, written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.

Learning Objectives

In this lab exercise, you’ll use an open-source penetration testing framework designed for social engineering. At the end of this lab exercise, you’ll be able to

•   Use a number of custom attack vectors that enable you to create a believable attack in a short amount of time

•   Understand phishing from the attacker’s side

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   A web browser with an Internet connection

•   A Gmail account

•   The Kali Linux VM you installed in Chapter 1

Let’s Do This!

This lab exercise requires you to use a Gmail account. Even if you have an existing Gmail account, you should create a new, disposable account at https://google.com/gmail because you’re going to need to decrease the account’s security to perform this lab activity. Create and sign in to your Gmail account now.

To configure the account without 2-Step Verification enabled (this setting is near the top of the screen), go to https://myaccount.google.com/security. Scroll down to Less Secure App Access, click Turn On Access (Not Recommended), and change the Allow Less Secure Apps setting from OFF to ON. Be aware that Google removed the Less Secure App Access option in 2022; on a current account you will not find it, and you must instead enable 2-Step Verification and create an app password, as described next.

To configure the account with 2-Step Verification enabled, click App Passwords and verify your password. Click the Select App dropdown, select Other (Custom Name), type SET in the textbox, and click the blue GENERATE button. You’ll see a 16-character password (the spaces don’t count and are there for display purposes). Keep that password in a handy spot because you’re going to need it later in this lab exercise.

Kali Linux comes with SET already installed. However, there could be issues with the version installed. To ensure stability of this lab exercise, open a terminal and enter the following:

sudo apt install python3-pip
git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
cd setoolkit
sudo pip3 install -r requirements.txt
sudo python3 setup.py

Step 1 Launch SET.

a.   Type sudo setoolkit to launch the program. Provide your password if prompted.

b.   Agree to the terms of service by pressing Y and then ENTER.


Step 2 Configure the options for the phishing e-mail. Construct the e-mail with a “malicious” link, send it, and play the victim role by clicking on the link.

a.   From the SET menu at the bottom of the screen, shown in Figure 4-1, select option 1) Social-Engineering Attacks and press ENTER.


FIGURE 4-1 The SET screen and menu

b.   For Mass Mailer Attack, type 5 and press ENTER.

c.   For E-Mail Attack Single Email Address, type 1 and press ENTER.

d.   At the Send Email To prompt, type an e-mail address for the phishing attempt to be sent to (this should be another account of yours so you can play the victim role as well). Then press ENTER.

e.   For Use a Gmail Account For Your Email Attack, type 1 and press ENTER.

f.   Enter your Gmail address and press ENTER.

g.   At the FROM NAME The User Will See prompt, enter a pseudonym.

h.   If you don’t have 2-Step Verification enabled, enter the Gmail password you used in Step 2f. If you have 2-Step Verification enabled, enter the 16-character app password you configured earlier in the “Let’s Do This” section.

i.   At the prompt Flag This Message/S As High Priority?, type yes.

j.   At the prompt Do You Want To Attach A File, type n and press ENTER.

k.   At the prompt Do You Want To Attach An Inline File, type n and press ENTER.

l.   Provide an e-mail subject and press ENTER.

m.   To send the e-mail as HTML, type h and then press ENTER.

n.   Enter the following for the body of the e-mail, including the HTML tags. When you’re done, press ENTER:
My name is Bob Smith, and I have some <strong>secret</strong> information you need. Click <a href="https://www.flcc.edu">here</a> to get the juicy info!

o.   Type END, using uppercase letters, and then press ENTER.

p.   Check your e-mail. Click the phishing link.
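SET’s menu hides what actually goes over the wire in Steps 2e through 2n. The script below is an added example for this lab, not part of SET or the manual: it builds the same HTML message in plain Python so you can read the headers a victim’s mail client receives (note how the From line carries a display name of your choosing in front of the real sending address), and it can submit the message through Gmail with an app password. The addresses in it are placeholders, the SET_APP_PASSWORD environment variable is my convention for keeping the password out of the source, and the two priority headers are the common ones; the page does not show which headers SET itself sets when you answer “yes” to the high-priority prompt.

```python
"""Build (and optionally send) the Step 2 phishing test mail in plain Python (added example)."""
import os
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formataddr, make_msgid


def build_phish(sender_addr, from_name, to_addr, subject, html_body, high_priority=True):
    """Return a multipart/alternative message with a plain-text fallback."""
    msg = EmailMessage()
    # The display name is what most clients show; the angle-bracket address is the
    # real sender (your Gmail account in the lab). That gap is the whole trick.
    msg["From"] = formataddr((from_name, sender_addr))
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid()
    if high_priority:
        # Widely honoured priority headers (assumed; not taken from SET's source)
        msg["X-Priority"] = "1"
        msg["Importance"] = "High"
    msg.set_content("This message is best viewed in an HTML-capable mail client.")
    msg.add_alternative(html_body, subtype="html")
    return msg


def html_part(msg):
    """Return the decoded HTML body of a message built by build_phish()."""
    return msg.get_body(preferencelist=("html",)).get_content()


def send_via_gmail(msg, gmail_user, app_password):
    """Submit via Gmail's SMTP submission port (587) with STARTTLS and an app password."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP("smtp.gmail.com", 587, timeout=30) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(gmail_user, app_password)
        smtp.send_message(msg)


# The body used in Step 2n; the link target is the one from the lab text.
BODY = ('My name is Bob Smith, and I have some <strong>secret</strong> information '
        'you need. Click <a href="https://www.flcc.edu">here</a> to get the juicy info!')

if __name__ == "__main__":
    # Placeholder addresses: replace with your disposable Gmail account and your victim account.
    message = build_phish("you@gmail.example", "Bob Smith", "victim@example.org",
                          "Secret information", BODY)
    print(message.as_string())  # exactly what the recipient's client will parse
    if os.environ.get("SET_APP_PASSWORD"):
        send_via_gmail(message, "you@gmail.example", os.environ["SET_APP_PASSWORD"])
```

Run it without the environment variable first and read the printed headers; then compare them with the headers of the message SET delivered to your victim account (most webmail clients have a “show original” option).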


Step 3 Clone a website and construct an e-mail with a “malicious” link to this fake site.

a.   From the initial SET menu shown in Figure 4-1, select option 1) Social-Engineering Attacks and press ENTER.

b.   For Website Attack Vectors, type 2 and press ENTER.

c.   For Credential Harvester Attack Method, type 3 and press ENTER.

d.   For Site Cloner, type 2 and press ENTER.

e.   Press ENTER to accept the default IP address for the POST back, which is the IP address of your Kali Linux VM.

f.   At the Enter The URL To Clone prompt, type https://www.facebook.com (enter this exactly as shown).

You’ll see the following:

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

Then you’ll see this:

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

g.   Keep this terminal open, as is. Open a new terminal tab by choosing File from the top menu. Then select New Tab (or press CTRL-SHIFT-T). Then run another instance of SET in the new tab.

Using what you learned in Step 2, craft a “believable” e-mail in which the visible link text reads https://www.facebook.com but the href points to the IP address of your Kali Linux VM, where the credential harvester is listening on port 80.
For example, the body of the e-mail could be (using the address of your Kali Linux VM, not the one shown here): Your Facebook account has been <strong>suspended</strong>! Go to <a href="http://192.168.1.129">https://www.facebook.com</a> to log in and restore access!


Step 4 Now play the victim role again to see what can come from clicking on a link in an e-mail and providing information at a fake site.

a.   From the e-mail account you sent this phishing attempt to, click the phishing link.

b.   In your original terminal tab in Kali Linux, you’ll notice immediate output, including this:

[*] WE GOT A HIT! Printing the output:

c.   Provide fake credentials and log in to the fake Facebook site.
In Kali Linux you’ll see the following, in red type:

POSSIBLE USERNAME FIELD FOUND: email=
POSSIBLE PASSWORD FIELD FOUND: pass=

This will include the username and password you provided. There will be some false positives, but keep looking until you find the credentials you entered. Then screenshot the captured credentials that you entered.

d.   You’ll realize, in the browser, that you are automatically redirected to the legitimate Facebook site, where you are once again asked for your credentials. Do you think someone who clicked the phishing link would think twice at this point? Would they think that “something just happened,” and when they successfully log in now, not realize that the damage is already done and that the attackers have stolen their credentials?

e.   For future reference, follow this advice:

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

Press CTRL-C, and you’ll see something like the following message (this was generated on my machine at the specified date/time):

^C[*] File in XML format exported to /root/.set/reports/2020-07-05 14:58:12.124254.xml for your reading pleasure...

f.   Keep the terminal with SET as is, and open up a new terminal. Then type the following:
sudo cp '/root/.set/reports/2020-07-05 14:58:12.124254.xml' .
Make sure that you specify the path to your file as the first argument, and not the path as I have listed here. The single quotes are necessary because of the whitespace in the path. The dot at the end of the command (preceded by whitespace), as you’ll remember from Chapter 2, means to copy that file into the current directory.

g.   To see the XML file, type (using your filename instead of the filename listed here) the following:
cat '2020-07-05 14:58:12.124254.xml'

h.   To get right to the credential information, type the following two commands (using your filename):
cat '2020-07-05 14:58:12.124254.xml' | grep email=
cat '2020-07-05 14:58:12.124254.xml' | grep pass=

As you’ll remember from a lab exercise in Chapter 2, grep filters the output to match just the string specified. The first command shows the login e-mail and the second command shows the password.

30 MINUTES

Lab Exercise 4.02: Phishing Tests

Now it’s time to turn the tables and put you in the position of e-mail recipient! Will you be able to tell the good from bad? The real from fake? The legitimate e-mails from the phishing attempts?

Learning Objectives

In this lab exercise, you’ll take a few phishing tests. After this lab exercise, you’ll be able to

•   Know where you stand in terms of identifying phishing e-mails

•   Better identify phishing e-mails in the future

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   A web browser with an Internet connection

Let’s Do This!

Have you ever fallen for a phishing attempt? Have you ever seen right through one? Now’s the chance to see where you currently stand.


Step 1 Take the following phishing tests and submit screenshots showing your results for each.

a.   www.greathorn.com/to-catch-a-phish/ (At the end, you can just click the Done button without submitting any information.)

b.   www.sonicwall.com/phishing-iq-test/

c.   www.opendns.com/phishing-quiz/

d.   www.komando.com/tips/361345/can-you-spot-a-fake-email-take-our-phishing-iq-test


Step 2 Write a report, detailing how you did. Did you do better or worse than you expected? What tricked you? What did you see right through?

60 MINUTES

Lab Exercise 4.03: Reconnaissance Through Open-Source Intelligence

Before any social engineering attack comes reconnaissance, in which the attacker gathers intelligence on potential targets. With this intel, the attacker can appear credible to the target, which makes the target trust the attacker. The data collected from open and publicly available sources is collectively known as open-source intelligence (OSINT).

Information gathering can be as simple as using Google to learn information about a company or individual. On a company’s website, searching the employee directory is usually a good place to start. Then you can Google individuals to learn more about them. With each search, you learn about interests, hobbies, and keywords that you can use in subsequent searches. Small pieces of information acquired from different sources can come together to form a great picture of a potential target.

Open, publicly available, and legal sources, such as Google, are often the best repositories to start with. Social media sites such as LinkedIn, Twitter, and Facebook can also be treasure troves of information about individuals or companies. With the Wayback Machine at https://archive.org/, you can even “go back in time” and learn about former employees, corporate structure, and changes that can be used in a social engineering attack. Job searching sites can even be used to see current hardware and software used by a company, and more information. The knowledge gained from OSINT can be used by an attacker to make someone believe that their request is legitimate.

An attacker may also turn to nontraditional sources, such as rifling through garbage. Dumpster diving involves a potential attacker looking through discarded trash. It can yield great rewards, including company memos, directories, invoices that show relationships with other companies, and more, to help build a social engineering attack. Malware, theft, and impersonation are examples of illegal ways to collect information for a social engineering attack.

Learning Objectives

In this lab exercise, you’ll use OSINT to collect information on a target. After this lab exercise, you’ll be able to

•   Search open, publicly available, and legal sources for a wealth of information

•   Understand how public-facing information can seem innocent but can prove very damaging

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   A web browser with an Internet connection

Let’s Do This!

Did you ever think innocent Google searches would give you information to perform a social engineering attack? You’re about to see what attackers are doing before each social engineering attack is performed. You’re also going to use Paterva’s Maltego tool for OSINT that can be visualized with graphs of relationships. This tool is heavily used by security researchers, private investigators, and law enforcement.


Step 1 Using Google searches and the techniques described in this lab exercise’s introduction, gather a sequence of information that, when put together, could be used in a social engineering attack. Document each piece of information with a screenshot.


Step 2 Searching what’s out there in cyberspace and collecting information can be rewarding and eye-opening. It can also be very scary. You just saw it with Google, and now you’ll see it with Maltego.

a.   From Kali Linux, type maltego to launch the program. You may see a pop-up message: “Memory settings were optimized, but will require a restart to take effect.” If you see this, click the Restart Now button.

b.   On the Product Selection screen, click the maroon Run button in the Maltego CE (Free) section, as shown in Figure 4-2.


FIGURE 4-2 Click the maroon Run button on the Maltego Product Selection screen.

c.   Select the Terms and Conditions Accept checkbox and click Next.

d.   On the next screen, click Register Here.

e.   Fill out the information, prove that you’re not a robot, and click the REGISTER button. Feel free to use a disposable account, including the one you may have created earlier in this chapter.

f.   Check your e-mail for a link to confirm your account. Click the link. (Yeah, I know, after what you’ve learned so far in this chapter, something inside of you is not wanting to click it.)

g.   Back in Maltego in Kali Linux, enter your e-mail address and password, solve the CAPTCHA, and click Next.

h.   You’ll see a welcome message with your name, e-mail address, and validity period for your API key. Note: It could take a couple minutes for your account to be recognized after activation. Click Next three times—this takes you through this screen, the Install Transforms screen, and the Help Improve Maltego screen.

i.   Select Normal Privacy Mode and click Next.

j.   Select the radio button Open A Blank Graph And Let Me Play Around. Then click Finish.

k.   At the bottom of the Privacy Policy Change Notice screen, click the Acknowledge button. A new graph will open, as shown in Figure 4-3.


FIGURE 4-3 Maltego new graph


Step 3 Now it’s time for some action. Let’s see what we can do using an e-mail address to populate the Maltego blank graph with publicly available information that could be used in a social engineering attack.

a.   Scroll on the left side of the Maltego screen until you see Email Address. Drag-and-drop the heading to the New Graph tab, and you will see a circle with the @ symbol along with the e-mail address [email protected].

b.   Change that e-mail address to yours by double-clicking the paterva address and clicking OK.

c.   Right-click anywhere on the e-mail item (the circle with the @ symbol) to open the Run Transform(s) window.

d.   Click anywhere on the green All Transforms row to see a list of the transforms, and then click the orange back arrow in the pane on the left.

e.   Click anywhere on the gray Related Email Addresses row to see that list, and then click the orange back arrow in the pane on the left.

f.   On the green row, click the Run All Arrows on the right, and then click the Run! button at the bottom of the next window. Keep the default selection of FL. Click No on the Twitter OAuth pop-up, if it appears.

g.   If you don’t see a tree graph forming, enter a different e-mail address, which doesn’t have to be yours. When you see a tree graph forming, start right-clicking each of those items and run all transforms for each.

h.   You can use the toolbar at the top of the screen to create a new graph, save a graph, and perform other management tasks. The Investigate tab has a Clear Graph icon that can be helpful, too.


Step 4 In addition to pivoting from an e-mail address, you can use many other criteria to start the intelligence gathering in Maltego.

a.   In the pane on the left, start a new tree by performing all transforms originating from a domain instead of an e-mail address.

Note

Some trees created with a domain can be massive. Maltego will create color-coded categories of the subsequent items, with categories including website, e-mail address, phone number, company, netblock, MX record, domain, location, NS record, person, and DNS name.

b.   Perform a transform from a DNS Name.

c.   Perform a transform from a URL.

d.   Perform a transform from a website.

e.   Perform a final transform from a category of your choice that hasn’t yet been used.
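What Maltego does when you run all transforms, and why a tree started from a domain grows so large, is easier to see in code than in the GUI. The script below is an added example written for this lab, not Maltego’s code: it models typed entities, a set of transform functions keyed by entity type, and a breadth-first “run all transforms” loop with de-duplication and a depth limit. To keep it runnable offline, the DNS, WHOIS, and people-search lookups are replaced by constructed tables for a hypothetical domain, acme.example (every host, address, netblock, and person in them is made up); in real use each transform would call a resolver or API with the same “entity in, entities out” signature.

```python
"""Maltego-style pivoting in miniature: entities, transforms, breadth-first expansion (added example)."""
from collections import Counter, deque

# Constructed stand-ins for DNS, WHOIS and people-search results (all made up).
FAKE_DNS = {
    ("MX", "acme.example"): ["mail.acme.example"],
    ("NS", "acme.example"): ["ns1.acme.example", "ns2.hosting.example"],
    ("A", "www.acme.example"): ["203.0.113.10"],
    ("A", "mail.acme.example"): ["203.0.113.25"],
}
FAKE_SUBDOMAINS = {"acme.example": ["www.acme.example", "vpn.acme.example"]}
FAKE_NETBLOCKS = {"203.0.113.10": "203.0.113.0/24", "203.0.113.25": "203.0.113.0/24"}
FAKE_PEOPLE = {"acme.example": [("Dana Reyes", "dreyes@acme.example")]}

# An entity is a (type, value) pair, e.g. ("domain", "acme.example").


def email_to_domain(entity):
    return [("domain", entity[1].rpartition("@")[2])]


def domain_to_dns(entity):
    d = entity[1]
    return ([("mx", h) for h in FAKE_DNS.get(("MX", d), [])]
            + [("ns", h) for h in FAKE_DNS.get(("NS", d), [])]
            + [("dnsname", h) for h in FAKE_SUBDOMAINS.get(d, [])])


def domain_to_people(entity):
    people = FAKE_PEOPLE.get(entity[1], [])
    return [("person", n) for n, _ in people] + [("email", a) for _, a in people]


def host_to_ip(entity):
    return [("ip", ip) for ip in FAKE_DNS.get(("A", entity[1]), [])]


def ip_to_netblock(entity):
    block = FAKE_NETBLOCKS.get(entity[1])
    return [("netblock", block)] if block else []


# Which transforms apply to which entity type: the "Run All" menu, in effect.
TRANSFORMS = {
    "email": [email_to_domain],
    "domain": [domain_to_dns, domain_to_people],
    "mx": [host_to_ip], "ns": [host_to_ip], "dnsname": [host_to_ip],
    "ip": [ip_to_netblock],
}


def expand(seed, max_depth=4):
    """Run every applicable transform breadth-first from `seed`.

    Returns (nodes, edges): nodes maps entity -> depth at which it was first
    found; edges lists (parent, child, transform_name). An entity seen again
    (the seed e-mail rediscovered from its own domain, or one netblock reached
    from two IPs) gets an edge but is not expanded twice; without that, and
    without the depth cap, a domain-seeded graph never stops growing.
    """
    nodes, edges, queue = {seed: 0}, [], deque([seed])
    while queue:
        current = queue.popleft()
        if nodes[current] >= max_depth:
            continue
        for transform in TRANSFORMS.get(current[0], []):
            for child in transform(current):
                edges.append((current, child, transform.__name__))
                if child not in nodes:
                    nodes[child] = nodes[current] + 1
                    queue.append(child)
    return nodes, edges


def by_type(nodes):
    """Count entities per type, like Maltego's colour-coded categories."""
    return dict(Counter(t for t, _ in nodes))


if __name__ == "__main__":
    found, links = expand(("email", "dreyes@acme.example"))
    for parent, child, via in links:
        print(f"{parent[0]}:{parent[1]} --{via}--> {child[0]}:{child[1]}")
    print(by_type(found))
```

Try lowering `max_depth` to 2 and compare the node counts: the seed e-mail and its domain are expanded, but none of the hosts, people, and addresses found at depth 2 are, which is the same trade-off you make in Maltego when you run transforms on only some of the new items rather than all of them.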

Lab Analysis

1.   Why would a security specialist use a tool like SET?


2.   What are some ways you can identify a phishing e-mail?


3.   Why would a security specialist use a tool like Maltego?


Key Term Quiz

Use the terms from this list to complete the sentences that follow.

open-source intelligence (OSINT)

phishing

social engineering

1.   The digital form of ____________ is ____________.

2.   ____________ is used for reconnaissance.
