Social engineering attacks have been around since... well, since before the internet. Now in this episode, what I want to do is go through a lot of social engineering attacks. And if you get on the internet, you've probably seen a number of these personally. Now for personal organization, I like to separate them into two types. First, what I call physical attacks, which basically means two real people being either face to face or very close to being face to face. And then we have another group, which I call virtual attacks, which is usually emails, websites, stuff like that.
So this is my own personal separation. Don't look for this on the exam. Now to show you physical attacks, we actually shot a wonderful video a couple years back that covers it absolutely perfectly, and they had a lot of fun too. So these are all the guys at Total Seminars, including my buddy Scott Jernigan, and they shot this wonderful video on what I'm going to call physical attacks.

"Hello, this is Utila Tech, Dwight speaking."

"Hi Dwight, this is Jim from the IT department. We're doing a company-wide password reset, so we need to get everyone's old password in order to reset them. You'll get a password reset notification when you log in tomorrow."

"Sure thing, Jim. My old password is bears, beets, Battlestar Galactica. That's all lowercase with no spaces."

"Thanks so much, Dwight. We'll get that changed right away."

Bears, beets... A man tells his password to his company's IT department. Seems harmless enough. They say that a trusting nature is a virtue, but they also say that a sucker is born every minute.
We'd all like to think that pale hackers typing away in dank basements pose the greatest threat to our networks. It's an evil we can understand, a threat that feels contained. But we live in a world where evildoers prey on our virtues, turning them against us. Telephone scams like the one you just witnessed, or phishing attacks using email, pervert our willingness to be agreeable and trusting. Malicious elements pretend to be trusted authorities in the hopes that users will willingly hand over precious passwords, and users do. It turns out that we are the greatest threat to our networks.
It's just the sort of twist you'd expect in the social engineering zone. No one likes to be cooped up indoors all day, but the unwary may fall victim to the predations of devious tailgaters. These malicious malcontents follow legitimate employees through locked doors, pretending that they belong there. Make sure no one's following you through a locked door. If someone tries, make them show you some form of ID, or even produce a key for the door you're going through. You might feel comfortable leaving your office computer unattended and unlocked. After all, your co-workers are trustworthy, aren't they?
However, on gaining access to a secure building, all a tailgater has to do is wait for someone to take a bathroom break to gain complete access to an otherwise impenetrable network. Consider it vital to lock your computer when you walk away from it, even if it's just for a short time. Also, make sure your user account is password protected. If you think that locking your computer is a sure protection against wrongdoers, think again: why wait for you to get up for a break when it's just as easy to stand behind you and watch over your shoulder? They'll watch you as you type passwords, access secure documents, and communicate with other employees.
Always make sure there's not a stranger shoulder surfing behind you. If the prospect of looking over your shoulder all day sounds onerous, invest in a screen filter, which makes it impossible to see what's on your screen unless you're right in front of it. Even the most tightly controlled offices often have an Achilles heel: dumpster diving. Criminals are a shameless and stinky lot, not at all above digging through trash to find sensitive information.
Companies have toppled and individuals have had their identities stolen, all by being careless with their refuse. Make sure to shred any trash that you don't want prying eyes to see. After all, one man's trash is another man's treasure. We often find it comforting to ignore the dangers that surround us on all sides. The world we live in, however, will brook no such fictions. The unaware and the naive become victims of wily, ruthless criminals who forever stalk the social engineering zone.
Those guys had a lot of fun shooting that. And did you notice I starred in a part of it too? Anyway, the other thing I want to talk about now is what I organize into virtual attacks. Virtual attacks generally mean that some type of internet media, such as email, websites or something like that, comes into play. So let's go ahead and march through the different types of what I call virtual social engineering attacks that you're going to see on the exam. First is phishing.
Phishing attacks are emails that are used to steal personal information. They're incredibly common, so let's take a look at this example. First of all, notice that it's not addressed to me; it's more generally addressed. Secondly, it straight up asks for a username and password for me to type in right there. All legitimate sources now know that you never directly ask for usernames and passwords.
Next is spear phishing. In spear phishing, what we're talking about is phishing that is directed towards a specific person or organization. Here's an example that I recently got in my own personal email. Whaling is spear phishing specifically directed towards senior management and executives. A good spear phish works hard to look like something important to these folks, like a subpoena or maybe a critical memorandum. Vishing uses the telephone system to steal private information.
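To make the phishing traits just described concrete, here is an added example (it is not code from the video or from Total Seminars) that parses raw email messages with Python's standard library and flags the two giveaways called out above: the message is not addressed to a named recipient or opens with a generic salutation, and it asks the reader to type in a username and password. It also flags the subpoena/memorandum lures mentioned for whaling. The two sample messages are constructed for the demonstration, the domains are placeholders, and the keyword lists are an illustrative starting point rather than a complete phishing filter.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample messages (not real mail). The first shows the traits
# called out for the phishing example: a generic addressee and salutation,
# plus a direct request to enter a username and password.
PHISH_SAMPLE = """\
From: Account Services <support@example-bank.test>
To: undisclosed-recipients:;
Subject: Action required: verify your account

Dear Customer,

Your account has been limited. Please enter your username and password
at the link below to restore access within 24 hours.
"""

# A constructed ordinary message addressed to a named person, for contrast.
LEGIT_SAMPLE = """\
From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Lunch on Thursday

Hi Bob,

Are we still on for lunch Thursday? Let me know.
"""

# Illustrative patterns (assumptions, not an exhaustive list).
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|member|valued|account holder|sir|madam)",
    re.IGNORECASE | re.MULTILINE,
)
# A verb such as "enter"/"verify" followed within the same sentence by
# "username" or "password": the direct credential request from the example.
CREDENTIAL_REQUEST = re.compile(
    r"\b(enter|confirm|verify|provide|submit)\b[^.\n]{0,60}\b(user ?name|password)\b",
    re.IGNORECASE,
)
# Lures the transcript names for whaling messages aimed at executives.
EXEC_LURE = re.compile(r"\b(subpoena|memorandum)\b", re.IGNORECASE)


def body_text(msg: EmailMessage) -> str:
    """Return the plain-text body of a parsed message (empty string if none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return the list of phishing traits found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = body_text(msg)
    found: list[str] = []

    # Trait 1: not addressed to me. No To: header, or a bare group address
    # such as "undisclosed-recipients:;" that names nobody.
    to_header = str(msg.get("To") or "").strip()
    if not to_header or "undisclosed-recipients" in to_header.lower():
        found.append("not addressed to a named recipient")
    if GENERIC_SALUTATION.search(body):
        found.append("generic salutation")

    # Trait 2: asks outright for a username and password.
    if CREDENTIAL_REQUEST.search(body):
        found.append("asks for username/password")

    # Whaling-style lure in subject or body.
    if EXEC_LURE.search(str(msg.get("Subject", "")) + "\n" + body):
        found.append("executive lure (whaling-style)")
    return found


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run it and the constructed phishing sample trips the addressee, salutation and credential-request checks while the ordinary message trips none; in practice the same function can be pointed at a mailbox export to surface candidates for user-awareness training rather than to block mail on its own.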
We've probably all gotten one of these types of calls. They often use automated systems. Have you ever gotten a phone call that sounds something like this?

"And now we have an important message for you from the IRS. Your tax return has been audited and you owe $2,317 and 74 cents in back taxes. You need to make a payment immediately or your bank will receive a notice of levy on your account. Please enter the last four digits of your Social Security number to pay the full amount or speak with an IRS agent."

Next is a hoax. A hoax attack warns that something bad is happening that really isn't, most commonly virus warnings. Here's an example of a very common web-based hoax. I bet you've seen this one before.
A watering hole attack looks for places, usually websites, that a specific group of people frequent. It exploits the website, or tries to redirect visitors to another server, in order to infect the visiting computers. From there, the attackers can do just about anything they want. Make sure you're comfortable with the definition of each one of these social engineering attacks. The exam goes into great detail, challenging you to make sure you can recognize them.