Network Intelligence India Pvt. Ltd. is an ISO 27001-certified company that provides IT governance, risk management, and compliance services. Wasim Halani of Network Intelligence gave a presentation on exploiting human weakness through social engineering. Social engineering manipulates people into divulging confidential information rather than using technical hacking methods. Halani described conducting a social engineering penetration test against a client company that involved gaining physical access to their office by posing as a security auditor and convincing employees to disclose sensitive information under false pretenses. The test revealed vulnerabilities that could be exploited through social engineering attacks like phishing and fake profiles on social media.
Exploiting human weakness: Social Engineering techniques
1. Exploiting the human weakness
www.niiconsulting.com
Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
2. Network Intelligence, incorporated in 2001, is a
committed and well-recognized provider of services,
solutions and products in the IT Governance, Risk
Management, and Compliance space. Our
professionals have made a mark for themselves with
highly satisfied clients all across the globe supported
by our offices in India and the Middle East. As an ISO
27001-certified company ourselves, we are strongly
positioned to understand your needs and deliver the
right answers to your security and compliance
requirements. We have won accolades at numerous
national and international forums and conferences.
Our work truly speaks for itself and our clients are
the strongest testimony to the quality of our services!
3. Information security at every organization is one of the most important aspects!
It is people who handle this information
Social Engineering is exploiting the weakest link – the employees
4. “Social Engineering is the act of manipulating
people into performing actions or divulging
confidential information, rather than by
breaking in or using technical hacking
techniques; essentially a fancier, more
technical way of lying.”
[Source: Wikipedia]
9. WordPress vulnerability on the blogs of their websites
Kevin ‘don’t call me a security expert’ Mitnick
Dan ‘I smile when I am hacked’ Kaminsky
11. Phishing
Baiting
Identity Theft
Dumpster Diving
Email Scams
Use of Authority
Request for Help
Indulging Curiosity
Exploiting Greed
= Abuse of Trust
12. IT/ITES Company
Two offices
About 400 – 500 employees
We had previously conducted other security projects for them
Guards were familiar with us
We also knew a few people from our previous projects
14. Only 3 people in the organization aware of the exercise
Obtain ‘get-out-of-jail-free’ card!
Bought a spy pen-cam
Create fake authorization letters
◦ Fake letterhead (thank you, Photoshop)
◦ Fake signatures
◦ Fake content
Understand the organization’s process flow
Obtain employee list
Define ‘targets’
15. Security Auditor
◦ Surprise audit on behalf of a Government Agency
◦ Chinese attacks on Indian institutions (same-day newspaper headlines)
College Student
◦ Research project
Customer
◦ Call-center
Phishing
Social Networking
17. Visit the office
Convince the guard to let me in for the surprise security audit
◦ “It won’t be a surprise if you tell anyone”
Once again we interviewed people
◦ Some suspicious
◦ Reading is not verifying
Dumpster diving
18. Gain unauthorized access
Stay back late, after almost all employees left
◦ Photograph the office
‘Steal’ sensitive documents
◦ From open drawers
Check personal folders kept on desks
20. Sensitive information on technologies used
Network architecture revealed
A lot of technical information revealed to a “college student” doing a project, as well as to a journalist
Found a bundle of official letterheads in the store-room
Gained access to the Server Rooms
22. We registered a domain with a single-letter difference from the company’s
◦ Registered email accounts on it
Prepared an ‘Employee Complaint/Feedback Form’
◦ Company header, styling etc.
Sent out mails on behalf of an HR person
Employees were asked to enter their ‘credentials’ to log in to the system
The final page has a PDF to be downloaded as a ‘unique token number’
24. About 10 users entered their credentials, which we captured
No one downloaded the PDF
Took about 10-15 mins. for the HR dept. to be alerted
◦ They sent out an email disowning the fake one
One employee had a discussion with HR and then replied to our (fake) email address
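The phishing run above worked because nobody noticed a sender domain one letter away from the real one. The following is an added example, not code from the presentation or from Network Intelligence: a mail-filter check that flags a From: domain as a lookalike when it is one edit (insertion, deletion, substitution or adjacent transposition) away from a legitimate domain, and, going beyond the single-letter case in the talk, when it differs only by a visually confusable sequence such as “rn” for “m”. The legitimate domain, the confusable map and the sample headers are all constructed for the example.

```python
"""Lookalike-sender check for an inbound mail filter (added example)."""
from email.utils import parseaddr

# Domain(s) the organisation actually sends from (constructed for the example).
LEGIT_DOMAINS = frozenset({"example-corp.com"})

# Sequences that look alike in common fonts (constructed, deliberately short).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: Levenshtein plus adjacent transpositions."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def normalise(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' compares equal to 'example'."""
    out = domain.lower()
    for look, real in CONFUSABLES.items():
        out = out.replace(look, real)
    return out


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header value, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Return 'legit', 'lookalike' or 'external' for one From: header value."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in legit_domains:
        return "legit"
    for legit in legit_domains:
        if osa_distance(domain, legit) <= 1:
            return "lookalike"  # one typo away, e.g. exmple-corp.com
        if normalise(domain) == normalise(legit):
            return "lookalike"  # homoglyph swap, e.g. exarnple-corp.com
    return "external"


# Constructed sample headers, one per case the filter should separate.
SAMPLE_HEADERS = [
    "HR Team <hr@example-corp.com>",        # genuine
    "HR Team <hr@exmple-corp.com>",         # one letter dropped
    "HR Team <hr@exarnple-corp.com>",       # 'rn' in place of 'm'
    "HR Team <hr@examlpe-corp.com>",        # adjacent letters swapped
    "Vendor <billing@partner-inc.example>", # unrelated third party
]


def triage(headers):
    """Map each header to its verdict; 'lookalike' is what should be quarantined."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:9s} {header}")
```

The distance check alone misses the “rn”/“m” case (two edits apart), and the confusable check alone misses a dropped letter, so the filter needs both. In a real deployment the legitimate set would also cover partner and vendor domains, and a lookalike verdict should quarantine or banner the message rather than reject it outright, since a mistyped reply address from a genuine partner produces the same signal.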
25. Linkedin
◦ Fake employee profile
Searched for people not listed in the network
◦ Joined the company ‘network’
◦ Sent out invites
Facebook
◦ Multiple fake profiles
Added each other as friends
28. Turns out they had a new employee
Everyone thought his was the ‘fake’ profile
Very difficult to identify the real profile
‘Attractive’ profiles receive friend requests