NII Social Engineering Case Study
Case study of a Social Engineering exercise conducted by the Network Intelligence India Pvt. Ltd. (http://www.niiconsulting.com/) team.
![Page 1: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/1.jpg)
Exploiting the human weakness
www.niiconsulting.com
Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
![Page 2: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/2.jpg)
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!
![Page 3: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/3.jpg)
Information security is one of the most important aspects of every organization!
It is people who handle this information
Social Engineering is exploiting the weakest link – the employees
![Page 4: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/4.jpg)
“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”
[Source: Wikipedia]
![Page 5: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/5.jpg)
![Page 6: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/6.jpg)
![Page 7: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/7.jpg)
![Page 8: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/8.jpg)
![Page 9: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/9.jpg)
Wordpress vulnerability on the blogs of their websites
Kevin ‘don’t call me a security expert’ Mitnick
Dan ‘I smile when I am hacked’ Kaminsky
![Page 10: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/10.jpg)
![Page 11: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/11.jpg)
Phishing
Baiting
Identity Theft
Dumpster Diving
Email Scams
Use of Authority
Request for Help
Indulging Curiosity
Exploiting Greed
= Abuse of Trust
![Page 12: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/12.jpg)
IT/ITES Company
Two offices
About 400 – 500 employees
We had previously conducted other security projects for them
Guards were familiar with us
We also knew a few people from our previous projects
![Page 13: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/13.jpg)
![Page 14: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/14.jpg)
Only 3 people in the organization aware of the exercise
Obtain ‘get-out-of-jail-free’ card!
Bought a spy pen-cam
Create fake authorization letters
◦ Fake letterhead (thank-you Photoshop)
◦ Fake signatures
◦ Fake content
Understand the organization’s process flow
Obtain employee list
Define ‘targets’
![Page 15: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/15.jpg)
Security Auditor
◦ Surprise audit on behalf of Government Agency
◦ Chinese attacks on Indian institution (same-day newspaper headlines)
College Student
◦ Research project
Customer
◦ Call-center
Phishing
Social Networking
![Page 16: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/16.jpg)
![Page 17: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/17.jpg)
Visit the office
Convince the guard to let me in for the surprise security audit
◦ “It won’t be a surprise if you tell anyone”
Once again we interviewed people
◦ Some suspicious
◦ Reading is not verifying
Dumpster diving
![Page 18: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/18.jpg)
Gain unauthorized access
Stay back late, after almost all employees left
◦ Photograph the office
‘Steal’ sensitive documents
◦ From open drawers
Check personal folders kept on desks
![Page 19: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/19.jpg)
![Page 20: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/20.jpg)
Sensitive information on technologies used
Network architecture revealed
Lot of technical information revealed to “college student” doing a project, as well as journalist
Found bundle of official letterheads in store-room
Gained access to the Server Rooms
![Page 21: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/21.jpg)
![Page 22: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/22.jpg)
We registered a domain with a single letter difference
◦ Registered email accounts
Prepared an ‘Employee Complaint/Feedback Form’
◦ Company header, styling etc.
Sent out mails on behalf of an HR person
Employees are asked to enter their ‘credentials’ to log in to the system
The final page has a PDF that is to be downloaded as a ‘unique token number’
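The phishing mails above came from a domain one letter away from the real one. As an added defensive example (not part of the NII deck), the following flags sender domains within edit distance 1 of the organization's domain in mail-queue logs; the domain `example-corp.com` and the Postfix-style log lines are constructed.

```python
# Added example (not from the NII deck): flag sender domains that are one
# edit away from the organization's real domain, the kind of lookalike the
# exercise registered. LEGIT_DOMAIN and SAMPLE_LOG are constructed.
import re

LEGIT_DOMAIN = "example-corp.com"  # assumed organization domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN, max_dist: int = 1) -> bool:
    """True when domain differs from legit but by at most max_dist edits."""
    d = domain.lower().rstrip(".")
    return d != legit and edit_distance(d, legit) <= max_dist


SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_lookalike_senders(log_lines, legit=LEGIT_DOMAIN):
    """Return (line_no, domain) for every log line whose sender domain is a lookalike."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = SENDER_RE.search(line)
        if m and is_lookalike(m.group(1), legit):
            hits.append((n, m.group(1).lower()))
    return hits


SAMPLE_LOG = [  # constructed Postfix-style queue-manager lines
    "Jun 3 09:14:02 mx postfix/qmgr[211]: 4F1A2: from=<hr@example-corp.com>, size=2100",
    "Jun 3 09:15:40 mx postfix/qmgr[211]: 4F1A3: from=<hr@exampIe-corp.com>, size=2300",
    "Jun 3 09:16:11 mx postfix/qmgr[211]: 4F1A4: from=<news@vendor.example>, size=900",
    "Jun 3 09:17:55 mx postfix/qmgr[211]: 4F1A5: from=<hr-team@example-corp.co>, size=2200",
]

if __name__ == "__main__":
    for n, dom in flag_lookalike_senders(SAMPLE_LOG):
        print(f"line {n}: lookalike sender domain {dom!r}")
```

A distance of 1 catches the capital-I-for-l and dropped-letter variants shown; raise `max_dist` cautiously, since short legitimate domains will start to collide.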
![Page 23: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/23.jpg)
![Page 24: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/24.jpg)
About 10 users entered their credentials, which we captured
No one downloaded the PDF
Took about 10-15 mins. for HR dept. to be alerted
◦ They sent out an email denying the fake email
One employee had a discussion with HR and responded back to our email address
![Page 25: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/25.jpg)
LinkedIn
◦ Fake employee profile
Searched for people not listed in the network
◦ Joined the company ‘network’
◦ Sent out invites
Facebook
◦ Multiple fake profiles
Added each other as friends
![Page 26: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/26.jpg)
![Page 27: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/27.jpg)
![Page 28: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/28.jpg)
Turns out they had a new employee
Everyone thought his was the ‘fake’ profile
Very difficult to identify the real profile
‘Attractive’ profiles receive friend requests
![Page 29: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/29.jpg)
![Page 30: NII Social Engineering Case Study](https://reader037.vdocuments.net/reader037/viewer/2022103016/55625d3fd8b42a1b4b8b5897/html5/thumbnails/30.jpg)
Confidential…