CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [21]
Computer-Based Social Engineering
Computer-based social engineering attacks can include the following:
■ E-mail attachments
■ Fake websites
■ Popup windows
Understand Insider Attacks
If a hacker can't find any other way to hack an organization, the next best option is to infiltrate the organization by getting hired as an employee or by finding a disgruntled employee to assist in the attack. Insider attacks can be powerful because employees have physical access and are able to move freely about the organization. An example might be posing as a delivery person by wearing a uniform and gaining access to a delivery room or loading dock. Another way to become an insider is to pose as a member of the cleaning crew, who has access to the inside of the building and is usually able to move about the offices. As a last resort, a hacker might bribe or otherwise coerce an employee to participate in the attack by providing information such as passwords.
Understand Identity Theft
A hacker can pose as an employee or steal the employee's identity to perpetrate an attack. Information gathered in dumpster diving or shoulder surfing in combination with creating fake ID badges can gain the hacker entry into an organization. Creating a persona that can enter the building unchallenged is the goal of identity theft.
We'll look at each of these later in the chapter.
Describe Phishing Attacks
Phishing involves sending an e-mail, usually posing as a bank, credit-card company, or other financial organization. The e-mail requests that the recipient confirm banking information or reset passwords or PINs. The user clicks the link in the e-mail and is redirected to a fake website. The hacker is then able to capture whatever the user enters on that site and use it for financial gain or to perpetrate other attacks. E-mails that claim the senders have a great amount of money but need your help getting it out of the country are also examples of phishing attacks. These attacks prey on the common person and are aimed at getting them to provide bank account access codes or other confidential information to the hacker.
Understand Online Scams
Some websites that make free offers or other special deals can lure a victim to enter a username and password that may be the same as those they use to access their work system. The hacker can use this valid username and password once the user enters the information in the website form.
Mail attachments can be used to send malicious code to a victim's system, which could automatically execute something like a software keylogger to capture passwords. Viruses, Trojans and worms can be included in cleverly crafted e-mails to entice a victim to open the attachment. Mail attachments are considered a computer-based social engineering attack.
Here is an example of an e-mail scam that tries to convince the recipient to open an unsafe attachment:
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Pop-up windows can also be used in computer-based social engineering attacks, in a similar manner to e-mail attachments. Pop-up windows with special offers or free stuff can encourage a user to unintentionally install malicious software.
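The two computer-based attacks described above, a link that leads to a fake website and an attachment that carries executable code, both leave visible traces in the message itself. The following Python script is an added example, not code from the review guide: it parses a raw e-mail with the standard library, flags attachments with executable or double extensions, and flags links whose visible text names one host while the href points to another. The sample messages, domain names and the list of risky extensions are constructed for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions that run code when opened. This list is an assumption
# chosen for the example, not a list taken from the review guide.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased host name of a URL; a bare 'www.x.test' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_message(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Attachments: executable types and "double extension" names such as
    #    report.pdf.exe, which hide the real type behind a harmless-looking one.
    if msg.is_multipart():
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            exts = ["." + p for p in name.split(".")[1:]]
            if exts and exts[-1] in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {name}")
            if len(exts) >= 2:
                findings.append(f"double extension: {name}")

    # 2. Links whose visible text names one host while the href goes elsewhere,
    #    the usual shape of a link that redirects the user to a fake website.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            looks_like_url = re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+", text)
            if looks_like_url and _host(text) != _host(href):
                findings.append(f"link text {_host(text)} -> {_host(href)}")
    return findings


# Constructed sample messages (not real mail): one lure and one ordinary notice.
PHISHING_EMAIL = b"""From: Security Team <alerts@example-bank.test>
To: victim@example.test
Subject: Confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please confirm your PIN at
<a href="http://login.example-bank.test.attacker.test/confirm">www.example-bank.test</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""

BENIGN_EMAIL = b"""From: HR <hr@example.test>
To: staff@example.test
Subject: Holiday schedule
Content-Type: text/plain; charset="us-ascii"

The office is closed on Monday.
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, check_message(raw) or ["no findings"])
```

Run as a script it prints three findings for the lure (the executable attachment, its double extension, and the mismatch between the displayed bank host and the attacker-controlled host in the href) and none for the benign notice. The checks are deliberately cheap string comparisons; a mail gateway would add sender-domain and reputation checks on top of them.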
Understand URL Obfuscation
URL stands for Uniform Resource Locator; it is what is typed into the address bar of a web browser to access a particular website. In lay terms it is the website address. URL obfuscation is