Social Engineering Research Paper

Pages: 18 (5828 words)  ·  Bibliography Sources: 12  ·  Level: College Junior  ·  Topic: Engineering

SAMPLE EXCERPT:

[. . .] Actual examples of social engineering are numerous, ranging from acts on the smallest scale to increasingly complex ones whose serious effects are still ongoing and even spreading (see the Francophoned case study presented below). As an everyday example, a social engineering attempt can be recognized in a call from an individual who claims to represent, for the sake of argument, a telephone company and wants to offer a new subscription model. Without any confirmation of the caller's identity, the person being called is asked to provide details. In such a situation, it is important to remember that it is the caller who needs to identify himself or herself in order to confirm that he or she represents the telephone company. Policies for such situations provide that the identification be done immediately or that contact be interrupted and assistance requested. In day-to-day life, however, people cannot be fully aware of these aspects and rely on the goodwill of others. Social engineers, in turn, rely on that same gullible nature of individuals.

Case study: Francophoned

An administrative assistant to a vice president received a phone call from another VP in the company regarding an invoice to be processed. This scenario, common as it may be, became the 'signature' of one of the most sophisticated cybercriminal attacks, one that combines phone-based social engineering with spear phishing and malware in order to steal money from organizations, particularly from French-speaking nationals.

The unusual attack, later called 'Francophoned', was first reported in April 2013, with traces of its presence leading back to February 2011. The investigation, conducted by Symantec, a company specialized in such investigations, showed thorough preparation that made use of previously obtained names, e-mail addresses and phone numbers of the victims and their peers. With purely financial motivations, the attackers targeted employees with the authority to facilitate transactions on behalf of their organization, aiming to gain access to confidential information such as bank accounts, invoices and contract agreements or secure certificates.

As a "modus operandi", an attacker impersonated the VP and, with authority, requested swift processing of an invoice received minutes earlier via e-mail. The supposed invoice, initially stored on a popular file sharing service, was a remote access trojan (RAT) configured to connect to a control server located in Ukraine. Once installed, the RAT provided a way in that facilitated keystroke logging and access to documents such as disaster recovery plans, the organization's bank accounts and telecom providers with their points of contact. Using this data, the attackers further impersonated the company representative and contacted the telecom provider with a request to redirect all the organization's phone numbers to attacker-controlled phones, claiming a physical disaster. With the phone redirection in place, the attacker faxed a request to the organization's bank, requesting multiple large-sum wire transfers to numerous off-shore accounts. Facing an unusual transaction, bank representatives obtained phone confirmation from the attackers by means of the redirected phones. Once successfully transferred, the money was subsequently laundered further through other off-shore accounts and monetary instruments.

The information obtained in previous attacks was used to plan the next ones, with an increased rate of success. As an example, the attackers came across a proprietary in-house system for transferring funds that employed a two-factor hardware dongle. Impersonating an IT staff member, the attackers called the victim and, under the pretext of fund transfer maintenance, convinced the victim (citing customer privacy reasons) to turn off the monitor during the maintenance task. With the monitor off, the attacker used the victim's credentials to access the in-house transfer system and transfer large sums of money to offshore accounts.

By examining the traffic, Symantec was able to determine that the attacker was located in, or routing the attack through, an Israeli mobile telecom company's IP address. Further investigation determined that the attacks were indeed originating from a mobile network and that the attacker used a mobile Wi-Fi hotspot with a prepaid data plan; as a result, the investigation was not able to lead to an individual. "Even more surprising, the traffic analysis indicates that the attacker was on the move when they were conducting the attacks. These operational security techniques make the attacker extremely difficult to trace. The use of such a technique for cybercrime illustrates the increasingly sophisticated techniques that attackers employ. Finding a moving mobile Wi-Fi hotspot requires active on-the-ground on-call personnel with special equipment and the telecom provider's assistance to triangulate its location." (Symantec, August 2013)

While the initial 2013 RAT used in the attacks, identified by Symantec as the W32.Shadesrat (Blackshade) remote access Trojan, was limited in operational power, the February 2014 phishing campaign took a new turn. The new version, identified by Symantec as Trojan.Rokamal, uses the same command-and-control server but is now obfuscated with a DotNet packer and can be configured to perform a series of compiled tasks, such as downloading and executing potentially malicious files; performing distributed denial-of-service (DDoS) attacks; stealing information; mining crypto currency; and opening a back door to the system. Technical details can be found in Appendix 1.

Operation Francophoned specifically targeted French-speaking victims. French is the second most widely spoken language in the world, being an official language in 29 countries. With 110 million speakers and 190 million who speak it as a second language (according to Symantec), this large pool of potential victims is not as heavily targeted as English speakers. This shift, together with the increased sophistication of the RAT tool, shows that 'those behind these attacks are eager to evolve their business and innovate new ways of making money'. (Symantec, April 2014)

Given that this case is an ongoing investigation, there are few resources available for analyzing it further (Appendix 1 contains the full Security Response from Symantec). However, given the magnitude of the case and the fact that the process is rather complex and well planned, it will be rather difficult to bring it to an end and apprehend the guilty parties. At the same time, this example points out that social engineering taken to an international level can cause severe repercussions from a financial point of view.

The next case study reviews the impact social engineering may have on the personal effects and belongings of an individual, and gives a sense of the magnitude of social engineering from the perspective of an individual. In 2012, the technology journalist Mat Honan, senior writer for Wired, witnessed his digital identity stripped and deleted by hackers who, using social engineering, managed to take over his iCloud account (Honan, 2012). Abusing the system, the hackers spared nothing: iPhone, iPad and even the hard drive of his MacBook -- full of irreplaceable family photos -- which was completely erased, all in order to prevent any retaliation over the attempt to hack his Twitter profile, @mat.

Without using brute force or other password guessing technologies, the hackers managed to gain access to his Gmail account and use it to compromise the Twitter account, which they then used as a platform to broadcast racist and homophobic messages. The attack used social engineering techniques to trick the customer service representatives of Apple and Amazon. The mechanism was striking in its simplicity: using the linkage between the Twitter account and a personal webpage, the hackers identified the publicly available Gmail address and correctly guessed that it was also used for the Twitter account. Using the account recovery options from Gmail, the hackers managed to identify an existing Apple ID (@me.com email address). A simple Whois on the domain provided the valuable information regarding the billing address. Using the billing address, the name on the account and an associated e-mail address, Amazon allowed the hackers to add a new fake credit card to the account. On a second support request, using the fake credit card information and the billing address, Amazon allowed them to add a new e-mail address to the account. Using Amazon's password reset system, the hackers gained access to the account information stored, such as all the credit cards on file for the account -- not the complete numbers, just the last four digits. With the billing address and the last four digits of a credit card, Apple customer services allowed an account reset for the iCloud services. With the iCloud account hijacked, the connected devices were easily wiped using Find My iPhone, while the Gmail and Twitter credentials were easily accessible, stored in the keychain among bank and other sensitive credentials. A 19-year-old teenager, using a MacBook and a phone, made the entire process possible.

Policies on social engineering

Policies on social engineering, and the means by which companies can train for and prevent such attacks, have been set in place by numerous entities; however, despite these actions, numerous cases have occurred that put employees at fault and in breach of company policies because training is not necessarily conducted properly or in a timely manner.

The phenomenon is widely spread and as mentioned… [END OF PREVIEW]


Cite This Research Paper:

APA Format

Social Engineering.  (2014, April 30).  Retrieved February 16, 2019, from https://www.essaytown.com/subjects/paper/social-engineering/3760459

MLA Format

"Social Engineering."  30 April 2014.  Web.  16 February 2019. <https://www.essaytown.com/subjects/paper/social-engineering/3760459>.

Chicago Format

"Social Engineering."  Essaytown.com.  April 30, 2014.  Accessed February 16, 2019.
https://www.essaytown.com/subjects/paper/social-engineering/3760459.