Social Engineering is the art of obtaining confidential information by manipulating the people who hold it. The technique rests on the fact that human beings are the weakest link in a secure system: somebody always knows how to get in, and it is easier to manipulate that person than to break the system itself. Online banking is no exception. Here the most exposed people are the users themselves, the banks' end clients, and the objective is access to their accounts. Cybercriminals combine Social Engineering with HTML injections (content inserted into the bank's page by a trojan running in the victim's browser) to deceive users and obtain their credentials. The presentation included a demo of detecting HTML injections in web browsers.
5-6. Social Engineering??
• …to Achieve an Objective
– Information gathering
– Building / room access
– Power
– Material possessions
– Others: flirting, favors (sexual or not)…
7. Social Engineering??
• How?
– Face to face
– Phone / SMS
– Mail
– …
• Used by
– Politicians
– Salesmen
– Delinquents / Fraudsters
– You and me
9-12. Social Engineering??
• Take advantage of human nature
– Feelings / emotions / state of mind
• Sadness
• Fear
• Rancor
• Embarrassment
• Happiness
• Love
• Hope
– Behavior / personality
• Curiosity
• Innocence
• Honesty
• Generosity
• Gratitude
• Avarice
• Tendency to trust
30. Injections – How they work (I)
• Trojan
– Binary
• Generic
– Keylogging, form-grabbing, etc.
– Stealing data silently
– Configuration file
• Targeted behaviour
– Custom attacks against specific entities (banks)
– Requires user interaction
31. Injections - How they work (II)
• Configuration
– Injecting where? (which URI)
– Injecting what? (the HTML to insert)
– Injecting when? (on which requests)
• Flags: G, P, L (as in ZeuS-style webinject files: G = apply to GET requests, P = apply to POST requests, L = log-only entry that grabs the content between the marks without modifying the page)
32. Injections - How they work (III)
1. URI found? (does the request match a configured pattern?)
2. Obtain the web page (the trojan sees it in the browser, after TLS decryption)
3. Find the starting mark
4. Inject the configured HTML
5. Copy the rest of the page from the ending mark
6. Capture the submitted data with the form-grabber (before TLS encrypts the POST)
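The six steps above, and the detection idea from the demo (compare the form the bank served with the form the browser actually renders), as a runnable simulation. This is an added example and not code from the presentation; the configuration syntax (set_url / data_before / data_inject / data_after / data_end with G, P, L flags) mimics ZeuS-style webinject files, and the bank URLs, page snippets and POST body are constructed for the demo.

```python
"""Simulated man-in-the-browser web-inject engine plus a detector.

Added example, not from the original presentation. The config format is an
assumption modelled on ZeuS-style webinject files; pages and URLs are made up.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class Inject:
    url_pattern: str   # wildcard pattern, '*' matches anything  (injecting where?)
    flags: str         # G = GET, P = POST, L = log-only           (injecting when?)
    data_before: str   # starting mark
    data_inject: str   # HTML to insert                            (injecting what?)
    data_after: str    # ending mark; page content between the marks is dropped


SECTIONS = ("data_before", "data_inject", "data_after")


def parse_config(text):
    """Parse the minimal webinject-style configuration into Inject entries."""
    entries, header, parts, key, buf = [], None, {}, None, []

    def flush():
        if header is not None:
            entries.append(Inject(header[0], header[1], *(parts.get(s, "") for s in SECTIONS)))

    for raw in text.splitlines():
        line = raw.strip()
        if key is not None:                       # inside a data_* ... data_end section
            if line == "data_end":
                parts[key], key, buf = "\n".join(buf), None, []
            else:
                buf.append(line)
            continue
        if line.startswith("set_url "):
            flush()
            _, pattern, flags = line.split()
            header, parts = (pattern, flags), {}
        elif line in SECTIONS:
            key = line
    flush()
    return entries


def url_matches(pattern, url):
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def apply_injects(html, url, method, entries, grabbed):
    """Steps 1-5: match URI, take page, find start mark, inject, copy from end mark.

    Log-only entries (flag L) copy the text between the marks into `grabbed`
    instead of modifying the page (e.g. to harvest the account balance).
    """
    for e in entries:
        if method[0].upper() not in e.flags or not url_matches(e.url_pattern, url):
            continue                                      # 1. URI not found for this entry
        start = html.find(e.data_before)                  # 3. starting mark
        if start < 0:
            continue
        start += len(e.data_before)
        end = html.find(e.data_after, start)              # 5. ending mark (kept in the page)
        if end < 0:
            continue
        if "L" in e.flags:
            grabbed.append(html[start:end])
            continue
        html = html[:start] + e.data_inject + html[end:]  # 4. inject
    return html


def form_grab(post_body):
    """Step 6: the form-grabber reads the POST body before the browser encrypts it."""
    return dict(parse_qsl(post_body))


INPUT_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def unexpected_fields(served_html, rendered_html):
    """Detection: input fields shown by the browser that the bank never served."""
    return sorted(set(INPUT_RE.findall(rendered_html)) - set(INPUT_RE.findall(served_html)))


# Constructed sample data for the demo.
CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<br>Card PIN (security verification): <input type="password" name="pin">
data_end
data_after
<input type="submit"
data_end

set_url https://bank.example/balance* GL
data_before
<span id="balance">
data_end
data_inject
data_end
data_after
</span>
data_end
"""
LOGIN_PAGE = ('<form action="/login" method="post"><input type="text" name="user">'
              '<input type="password" name="password">'
              '<input type="submit" value="Sign in"></form>')
BALANCE_PAGE = '<span id="balance">1234.56 EUR</span>'


def demo():
    entries = parse_config(CONFIG)
    grabbed = []
    shown = apply_injects(LOGIN_PAGE, "https://bank.example/login?lang=en", "GET", entries, grabbed)
    apply_injects(BALANCE_PAGE, "https://bank.example/balance", "GET", entries, grabbed)
    posted = form_grab("user=alice&password=hunter2&pin=4321")   # victim fills in the extra field
    return {"unexpected": unexpected_fields(LOGIN_PAGE, shown), "grabbed": grabbed, "posted": posted}


if __name__ == "__main__":
    print(demo())
```

The detector only works if a trustworthy copy of the served page is available for comparison (for example, a baseline of the form's field names recorded server-side); from inside the infected browser alone, the injected field looks exactly like the bank's own.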
38. Bypassing Authentication
• 2FA: SMS
– Trick the user into infecting their own mobile phone
• Always after login (the victim is already authenticated and trusts the page)
• Pose as security software
• Pose as an activation step
• Profit from the user's ignorance of the threat
67-69. Solutions??
• Detection / Prevention
• Information / Training
• Common sense… is not so common
70. Conclusions
• If the user can make a transfer, you will always be able to deceive them and change the destination of the money
• How would you deceive the user by phone? Do it after login, use a fake web page, or even call them!