CCCU

Week-11 Social Engineering (SE)

Course Code: P19133

Course Name: Cybersecurity Fundamentals 

Credits: 20

Module Leader: Ali Jaddoa
CSF-19133

Lecture Objectives:

  • Understand what social engineering is and its role in cyberattacks.
  • Identify common social engineering tactics and techniques.
  • Analyse case studies of successful social engineering attacks.
  • Discuss countermeasures and organisational strategies to mitigate social engineering risks.
  • Lab

Introduction to Social Engineering

Social engineering is the art of manipulating human behaviour to breach security systems.

  • Significance in Cybersecurity
    • Over of cyberattacks involve a social engineering element.
    • Exploiting trust vs. exploiting technology.
  • Why It Works
    • Cognitive biases.
    • Limited cybersecurity awareness.
    • Over-reliance on technology.


SE Lifecycle

  1. Research:
    • Open-source intelligence (OSINT) gathering.
    • Identifying vulnerabilities (e.g., social media oversharing).
    • Dumpster Diving (Collecting discarded sensitive materials)
    • Technical Research (vendors)
    • Examples
      • Identifying a target’s email format to craft phishing emails.
      • Discovering personal hobbies or interests to build rapport during pretexting.
  2. Hook:
    • Establishing initial contact.
    • Phishing Emails
    • Vishing (Voice Phishing)
    • Smishing (SMS Phishing)
    • Baiting
    • Example:
      • A phishing email disguised as an urgent IT notice requesting password resets.
      • A phone call claiming to be from HR asking for verification of sensitive information.
  3. Play: Extract the desired information or achieve the attack's goal.
    • Execution of the attack to achieve the goal (e.g., obtaining credentials)
    • Credential Theft
    • Privilege Escalation
    • Data Extraction
    • Planting Malware
    • Example
      • Convincing an employee to wire money to a fraudulent account in a Business Email Compromise (BEC) attack.
      • Installing spyware via an email attachment.
  4. Exit: Avoid detection and either sustain access or sever the connection.
    • Covering Tracks: deleting logs or hiding malware.
    • Sustaining Access: backdoors; long-term infiltration.
    • Examples
      • After exfiltrating sensitive data, the attacker destroys evidence of the intrusion.
      • In phishing attacks, attackers often disable fake login pages immediately after collecting credentials.

Common Social Engineering Techniques

  1. Phishing: One of the most popular social engineering attacks. The attacker sends a fake email to steal personal data from victims.

  2. Pretexting:
    • Creating a convincing identity or scenario to extract information.
    • Creates a fictional backstory.

  3. Baiting:
    • Offering something enticing to lure victims (e.g., USB drops).
    • The tactic tricks the victim into:
      • unintentionally downloading malware onto their system
      • revealing confidential personal or organisational information.

  4. Tailgating/Piggybacking: Gaining physical access to restricted areas by exploiting trust.

  5. Impersonation: Acting as a trusted individual or authority figure.
    1. Pretending to Be Trusted
    2. Exploiting Authority and Trust
    3. Using Fake Credentials and Contextual Knowledge

Psychological Principles of Social Engineering


Authority

  • People tend to comply with instructions from perceived authority figures.

Example:

  • "I’m from IT support; I need your password to fix an issue"


Urgency

  • Creating a sense of immediate action to bypass critical thinking.

Example:

  • "Your account will be locked unless you reset your password now!"


Scarcity

  • Fear of losing a rare opportunity or resource.

Example:

  • "Limited-time offer! Click here to claim your reward."


Trust

  • Building rapport to gain confidence and cooperation.

Example:

  • "We’ve worked together before, right? Can you help me with this file?"

Fear and Reciprocity

Fear:

  • Using threats or fear to compel action.
  • Example: "Your data has been breached; pay to recover it."

Reciprocity:

  • Exploiting the human tendency to return favours.
  • Example: "I’ve helped you before; can you send me this file?"

Real-World Applications of Social Engineering

Case Studies

  1. Target Data Breach (2013):
    • Phishing an HVAC vendor to gain access.
  2. Twitter Hack (2020):
    • Social engineering employees for privileged access.
  3. Google & Facebook (2013–2015):
    • Invoice fraud through email impersonation.
  • Discussion
    • What enabled these attacks?
    • Could they have been prevented?

How can the algorithms that personalise social media content unintentionally make users more vulnerable to social engineering attacks? Can you think of any examples where personalisation could be exploited in this way?


6. Prevention and Mitigation Strategies

Technical Countermeasures

  • Spam filters and email verification tools.
  • Endpoint protection (e.g., USB restrictions).
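
Added example (not part of the original lecture): a minimal sketch of what an email verification tool checks, combining SPF/DKIM/DMARC verdicts, a Reply-To mismatch test, and the authority, urgency, scarcity and fear cues covered earlier. The cue lists, the `triage` function and the `.test` domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cue phrases per psychological principle from this lecture (illustrative, not exhaustive).
CUES = {
    "authority": [r"\bit support\b", r"\bhr\b"],
    "urgency": [r"\burgent\b", r"\bnow\b", r"\bwill be locked\b"],
    "scarcity": [r"\blimited[- ]time\b", r"\bclaim your reward\b"],
    "fear": [r"\bbreached\b", r"\bpay to recover\b"],
}

def domain(addr):  # lower-cased domain part of an address header, '' if absent
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # Assumption: the first Authentication-Results header was stamped by your own gateway.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                              msg.get("Authentication-Results", "").lower()))
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}:{verdict}")
    # Replies routed to a different domain than the visible sender.
    reply_dom = domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != domain(msg.get("From", "")):
        findings.append("reply-to-mismatch")
    # Manipulation cues in the display name, subject and plain-text body.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = " ".join([parseaddr(msg.get("From", ""))[0], msg.get("Subject", ""), body]).lower()
    for principle, patterns in CUES.items():
        if any(re.search(p, text) for p in patterns):
            findings.append(f"cue:{principle}")
    return findings

# Constructed sample message (not real traffic); .test domains are placeholders.
SAMPLE = """\
From: "IT Support" <helpdesk@examp1e-corp.test>
Reply-To: collector@mailbox.test
Subject: Urgent: password reset required
Authentication-Results: mx.example-corp.test; spf=fail;
 dkim=none; dmarc=fail header.from=examp1e-corp.test

Your account will be locked unless you reset your password now!
"""
print(triage(SAMPLE))
```

Keyword cues alone produce false positives on legitimate notices, so treat them as supporting evidence next to the authentication and Reply-To findings rather than as a verdict.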

Human Countermeasures

  • Security awareness training.
  • Regular phishing simulations.
  • Policies for verifying requests (e.g., verbal confirmation).

Organisational Measures

  • Clear incident response plans.
  • Zero Trust approach to access control.

Checklist

Steps individuals and organisations can take to minimise risks.


Lab

  1. Attacks Mapping and Exploring the Social Engineering Toolkit (SET), see lab here