Social engineering is an attack tactic that targets human beings. In the following, we review social engineering attacks:
Phishing
In a phishing attack, the attacker sends emails to a large number of users, trying to trick them into revealing confidential information.
Spear phishing
Sometimes a phishing attack does not work because, for instance, the email asks the user to enter credentials that the user simply does not own (for instance, to access an account at a bank where the user is not a client). Spear phishing is a highly targeted phishing email, created ad hoc for a specific group of users.
Whaling
Whaling is a phishing attack that targets an organization's executives.
Vishing
Vishing is a phishing attack conducted over the telephone system (either regular phone calls or VoIP). It may use a spoofed telephone number to trick the victim.
Tailgating
Tailgating is a social engineering attack in which the attacker manages to physically enter a restricted area without authorization. The attacker may do so by closely following a victim who has just opened a door with her badge, or by persuading the victim to hold the door open and let her in. Countermeasure: mantrap.
Impersonation
In an impersonation attack, the attacker tries to impersonate another user to gain access to restricted areas or to steal data. Countermeasure: identity verification.
Dumpster diving
In a dumpster diving attack, the attacker looks for confidential information by searching the trash of an organization. Countermeasure: shred or burn the waste (most notably paper).
Shoulder surfing
In a shoulder surfing attack, the attacker looks at the victim's monitor to steal confidential information (like passwords). Countermeasure: place monitors in locations where they cannot be seen by attackers; use screen filters to reduce the viewing angle.
Hoax
In the context of security, a hoax is a false piece of information, often circulated as a chain message, that tells the user that her system has been infected by a virus and that some changes have to be made (like deleting files) to solve the issue. Obviously the message is fake. Countermeasure: user security training.
Watering hole attack
In a watering hole attack, the attacker gathers information on which websites a group of users usually visit, and then infects those websites. This way, the next time the users visit those websites, they download the malware.
Principles (reasons for effectiveness)
The following principles are at the foundation of social engineering:
Authority: an attacker using authority tries to trick the victim by impersonating an authoritative figure, like a superior of the victim or a law officer.
Intimidation: an attacker using intimidation tries to force the victim to satisfy its requests.
Consensus: an attacker using consensus tries to induce the victim to satisfy its requests by reaching a consensus about some topic.
Scarcity: an attacker may induce the victim to perform an action quickly, not thinking about consequences, telling her that otherwise a product will be sold out. Example: click on a malicious link to buy a TV at half price but only the first 10 buyers can get the discount.
Familiarity: an attacker using familiarity tries to induce the victim to satisfy its requests by empathizing with her.
Trust: an attacker using trust tries to induce the victim to satisfy its requests by building a trust relationship with the victim.
Urgency: an attacker may induce the victim to perform an action quickly by persuading her that she has to hurry up or there will be disastrous consequences. Example: pay a ransom before tomorrow or WannaCry ransomware will permanently delete all the files on the hard drive.
DoS (Denial of Service)
A DoS attack targets the availability of a system or a service. It is conducted by one attacker against one target and aims to disrupt the service provided by the target. Example: SYN flood attack. In a SYN flood attack, the attacker sends a lot of TCP SYN packets to the server without completing the 3-way handshake, while the server allocates resources for each of these half-open connections. If the attacker manages to open a sufficient number of half-open connections, it can saturate the server's memory, preventing it from accepting other, legitimate connections.
DDoS (Distributed Denial of Service)
A DDoS attack is conceptually the same as a DoS attack, the only difference being that it is carried out by many attackers. Example: the Mirai botnet was employed in 2016 to carry out a massive DNS DDoS attack.
Man-in-the-middle
In a Man-in-the-Middle attack, the attacker intercepts the traffic directed from the user to a third party. The attacker could simply steal the data in transit or modify it. Example: if the attacker and the user are on the same LAN, the attacker could launch an ARP poisoning attack to trick the user into believing that the attacker is the gateway. If the attack succeeds, the user sends its traffic to the attacker instead of to the legitimate gateway.
Buffer overflow
In a buffer overflow, the attacker sends either a different data type or a very large amount of data to the attacked application, which the application is not able to handle properly. This leads to the exposure of memory areas that should not be accessible to the user/attacker. The attacker typically inserts actual code in the delivered data, trying to force the attacked application to execute that code instead of returning to the normal control flow of the program. Buffer overflow attacks may be mitigated with input validation and error handling procedures.
Injection
Injection attacks are usually launched against web applications and consist of delivering a malicious payload to the destination service or application. This payload is meant to be run on the target device.
SQL injection is a kind of attack targeted at database servers. The attacker inserts a malicious (portion of a) SQL statement in an input form provided by the web application. If the application does not take proper countermeasures, the attacker's input modifies the semantics of the SQL statement sent to the database, thus allowing the attacker to perform actions it was not supposed to do (like reading unauthorized records of the database or deleting a table).
Example: inserting in a web application form asking for the user's username the SQL statement " OR '1'='1'; SELECT * FROM Users-- " to (hopefully) get the full content of the 'Users' table. Countermeasures: input validation and stored procedures (see 3.6).
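The following is an added example (Python with the standard-library sqlite3 module, not code from the original notes) that puts the vulnerable query beside its hardened form. The Users table, the account rows and the injection input are all constructed for the example; the function names are the example's own.

```python
import re
import sqlite3

# Constructed sample database (not from the original page): a Users table
# with two accounts, enough to show the difference between the two queries.
def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: whatever the user types
    becomes part of the SQL, so a quote and an OR change its semantics."""
    query = "SELECT username, email FROM Users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Sends the statement and the value separately; the driver treats the
    value as data only, so it can never alter the WHERE clause."""
    query = "SELECT username, email FROM Users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Allow-list input validation, the other countermeasure named above:
    reject anything that is not a short alphanumeric identifier."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_sample_db()
    # Constructed injection input: closes the quote and appends a tautology.
    hostile = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, hostile))     # every row
    print("parameterized:", lookup_parameterized(db, hostile))  # no rows
    print("validated    :", is_valid_username(hostile))         # False
```

Parameterized queries are the primary fix because they work regardless of what the input looks like; the allow-list check is defence in depth and also gives the application a clean place to log rejected input.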
Command injection is a kind of attack where the attacker inserts OS commands into a form or an HTTP(S) request with the goal of making the target device execute the OS command (for instance to list the folder structure or to delete files).
DLL injection is a kind of attack where the attacker injects malicious DLLs (Dynamic Link Libraries) into the target device with the goal of making the running processes use these malicious libraries at runtime instead of the legitimate ones.
LDAP injection: the injected data are LDAP commands, used to get information from the directory database.
Cross-site scripting (XSS)
In an XSS attack, the attacker inserts malicious code (typically JavaScript) into the input forms of legitimate websites. When the user visits the website, the browser downloads the page and runs the malicious JavaScript inserted by the attacker. This malicious code typically steals sensitive data, like session cookies, from the user's device. Countermeasures: input validation.
Cross-site request forgery
In an XSRF attack, the attacker crafts a malicious URL and sends it to the user, for example by email. This URL is generally built so that, if clicked, it performs an action on a website. As an example, an attacker can craft a URL such that whoever clicks it accesses a bank account and makes a money transfer to the attacker's account. Websites typically require authentication for this kind of sensitive action, but if the user was already logged into the website and had its credentials stored in a cookie, then the website automatically logs the user in and the malicious URL can actually perform the action it was created for. Countermeasures: the user should not click untrusted URLs; the web application can protect against XSRF attacks by employing tokens in its web forms.
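As an added example of the token countermeasure (Python, not code from the original notes), the following models the server side of a transfer form: a random token is bound to the session, embedded as a hidden field, and checked on every POST. The in-memory session store, the field name csrf_token and the function names are assumptions of the example.

```python
import hmac
import secrets

# Constructed in-memory session store (an assumption for the example):
# session id -> anti-forgery token bound to that session.
_sessions = {}


def start_session():
    """Create a session and bind a fresh random token to it."""
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = secrets.token_urlsafe(32)
    return session_id


def render_transfer_form(session_id):
    """The legitimate site embeds the session's token as a hidden field, so a
    browser that loaded this page can send it back with the form."""
    token = _sessions[session_id]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="to"><button>Send</button></form>'
    )


def handle_transfer(session_id, form):
    """Server-side check. A cross-site request still carries the session
    cookie (session_id), but the attacker's page cannot read the token, so the
    comparison fails and the transfer is refused."""
    expected = _sessions.get(session_id)
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "transferred": form["amount"], "to": form["to"]}


def token_from_form(html):
    """Extract the hidden token the way the user's own browser would submit it."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


if __name__ == "__main__":
    sid = start_session()
    tok = token_from_form(render_transfer_form(sid))
    print(handle_transfer(sid, {"csrf_token": tok, "amount": "10", "to": "bob"}))
    # A request forged from another site has the cookie but not the token:
    print(handle_transfer(sid, {"amount": "10", "to": "attacker"}))
```

The comparison uses hmac.compare_digest so that the check does not leak how many leading characters of the token were right through its timing.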
Privilege escalation
Privilege escalation is an attack tactic where the attacker accesses a system with few rights and, through subsequent attacks, manages to gain more and more rights on the attacked system.
ARP poisoning
ARP poisoning is an attack that exploits a weakness of the ARP protocol and works in LANs. The ARP protocol is used by a sender device to discover the MAC address of the destination device given its IP address. Once the sender knows the destination MAC address, it is able to send it the data. The sender broadcasts an ARP message inside the LAN asking all the devices in the LAN who has the requested IP address. The device holding the requested IP address answers the sender by providing its MAC address. Unfortunately, an attacker may be faster at providing a false response, claiming that it owns the requested IP address. If the sender accepts the attacker's response, the attacker will get the data addressed to the legitimate receiver. This is an example of a Man-in-the-Middle attack.
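From the defender's side, the observable symptom of the attack above is one IP address being claimed by two MAC addresses. The following added example (Python, not from the original notes) runs that check over a constructed log of ARP replies in an arpwatch-like format and also compares replies against pinned bindings for critical hosts such as the gateway; the log lines, the format and the pinned MAC are all made up for the example.

```python
from collections import defaultdict

# Constructed ARP replies as a passive monitor might log them:
# "<time> <sender IP> <sender MAC>". These lines are made up for the example.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1  aa:bb:cc:00:00:01
10:00:02 192.168.1.20 aa:bb:cc:00:00:20
10:00:05 192.168.1.1  aa:bb:cc:00:00:01
10:00:09 192.168.1.1  de:ad:be:ef:00:99
10:00:10 192.168.1.30 aa:bb:cc:00:00:30
"""

# Known-good bindings pinned by the administrator (assumption: the gateway's real MAC).
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def parse_arp_log(text):
    """Turn the log into (time, ip, mac) tuples; MACs are normalised to lowercase."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        records.append((ts, ip, mac.lower()))
    return records


def find_conflicts(records):
    """IPs that more than one MAC has claimed, with the time each MAC first
    claimed it. A second MAC suddenly answering for the gateway's IP is the
    signature of ARP poisoning."""
    first_seen = defaultdict(dict)
    for ts, ip, mac in records:
        first_seen[ip].setdefault(mac, ts)
    return {
        ip: sorted(macs.items(), key=lambda item: item[1])
        for ip, macs in first_seen.items()
        if len(macs) > 1
    }


def check_static_bindings(records, bindings):
    """Replies whose MAC contradicts a pinned IP -> MAC binding."""
    return [(ts, ip, mac) for ts, ip, mac in records
            if ip in bindings and bindings[ip] != mac]


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_REPLIES)
    for ip, claims in find_conflicts(recs).items():
        print(f"ALERT {ip} claimed by {len(claims)} MACs: {claims}")
    for ts, ip, mac in check_static_bindings(recs, STATIC_BINDINGS):
        print(f"ALERT {ts} {ip} answered by {mac}, expected {STATIC_BINDINGS[ip]}")
```

The conflict check works without any prior knowledge of the network; the static-binding check is stricter and is the right choice for the gateway, DNS servers and other hosts whose MAC addresses are known in advance (the same idea as a static ARP entry or dynamic ARP inspection on a switch).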
Amplification
An amplification attack is a DDoS attack where the attacker, instead of directly flooding the attacked system, floods third-party, legitimate services while impersonating the target of the attack. The requests made to these services are such that the responses are much bigger than the requests. Since the attacker spoofed the attacked system's address in the requests, the result is that the spoofed system is overwhelmed with traffic from these services. Example: smurf attack, where the attacker sends a broadcast ping inserting the target system's address as source address; DNS amplification, where the attacker triggers DNS servers to flood the attacked system with DNS data.
DNS poisoning
DNS is the protocol used to resolve hostnames to IP addresses. In a DNS poisoning attack, the DNS server is attacked and its DNS entries are modified, so that a hostname (as an example www.bing.com) now resolves to an IP address associated with a malicious website. Example: adding a malicious entry to the hosts file, present in both Windows and Linux systems, is a basic example of cache poisoning. Countermeasures: DNSSEC (Domain Name System Security Extensions) uses digital signatures to prevent this kind of attack.
Domain hijacking
In a domain hijacking attack, the attacker obtains the credentials of a domain name account (as an example, the credentials of a user on GoDaddy) and uses them to change the registration of the domain name.
Man-in-the-browser
Man-in-the-browser is a Trojan horse that attacks web browsers and sends the collected browser data to the attacker.
Zero day
A zero day vulnerability is a vulnerability which is present in a system but has not yet been disclosed to the public. In general, even the vendor is unaware of it. Its impact is high because an attacker may discover and exploit it while it is still unpatched. Countermeasures: defense in depth.
Replay
In a replay attack the attacker captures data in a communication session and uses it later on to impersonate the legitimate sender. Countermeasures: timestamps and sequence numbers. Example: Kerberos uses timestamps to prevent replay attacks.
Pass the hash
In a Pass the Hash attack, the attacker discovers the hash of the user's password and uses it to log in to the authentication service. All authentication protocols that send hashes in unencrypted form are vulnerable to this attack. Example: Microsoft LAN Manager (LM) and NT LAN Manager (NTLM) are vulnerable to pass-the-hash attacks. Countermeasures: use NTLMv2 (which uses a combination of nonces and a challenge/response scheme) or Kerberos instead.
Hijacking and related attacks
In a typo squatting (or URL hijacking) attack, the attacker creates a malicious website and registers it with a name which is close to a legitimate website name. If the user types the wrong name in the address bar of the browser, she is directed to the malicious website, which could download malware onto the user's device.
Clickjacking is an attack where the user is led to click on something different from what she believes she is clicking. It is an attack typical of websites, sometimes exploiting the iframe HTML element. Example: the user clicks on the red 'X' to close an advertisement, but is instead redirected to the advertiser's website.
In a session hijacking attack, the attacker manages to steal the user's cookie for a session on a given website, and then uses such cookie to impersonate the user on such website.
Driver manipulation
Shimming is the process through which a programmer writes an additional piece of code to extend the functionalities of an existing driver. The new software can be legitimate, like additional code written to make a new driver compatible with an older driver, or malicious.
Refactoring, in the context of drivers, is the process where the driver code is replaced with other code that changes the internals of the code but still accepts the same input and produces the same output. Refactoring may be legitimate, for instance to correct a bug, or malicious (in that case further, malicious output could be produced too). The latter case is made difficult by the fact that operating systems use driver signing. Note: in general, a shimming attack is more likely to succeed than a refactoring attack.
MAC spoofing
In a MAC spoofing attack, the attacker sends frames into the network using a false MAC address as MAC source address.
IP spoofing
In an IP spoofing attack, the attacker sends packets into the network using a false IP address as IP source address.
Replay
In a wireless replay attack, the attacker captures the packets sent over the air from a user to the access point and then uses them to try to impersonate the user. Example: WPA with TKIP is vulnerable to replay attacks, while WPA2 with CCMP and AES is not.
IV
An IV (Initialization Vector) is a number used in conjunction with a pre-shared key to encrypt data. An IV is used by some wireless protocols to avoid repetitions in the encryption process, thus thwarting dictionary attacks. An IV attack is an attack where the protocol reuses the same IV more than once, allowing the attacker to crack the password. Example: WEP uses 24-bit IVs. These IVs are too short and may be repeated during the same session.
Evil twin
An evil twin is a rogue access point set up by the attacker with the same SSID as a legitimate access point. Its goal is to induce users to connect to it instead of to the legitimate access point. Once the user is connected, the attacker can monitor the user's traffic, possibly stealing confidential information.
Rogue AP
A Rogue Access Point is an unauthorized access point.
Jamming
A jamming attack is a DoS attack which consists in transmitting a high-power signal on the same wireless channel used by an access point to make it unavailable.
WPS (Wi-Fi Protected Setup)
WPS is a fast way to connect a new device to a wireless access point. Usually the user presses a button on the access point: this makes the access point enter a mode, which may last a minute or even less, in which the user can connect the new device by simply entering an 8-digit numeric PIN (usually printed on the back of the access point) instead of the full passphrase. Unfortunately, this PIN is subject to brute force attacks. Example: Reaver is a tool able to crack WPS PINs in order to recover WPA/WPA2 passphrases.
Bluejacking
Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the user's device via Bluetooth.
Bluesnarfing
Bluesnarfing is a Bluetooth attack where the attacker manages to pair its device with the user's device via Bluetooth to steal data.
RFID (Radio Frequency Identification)
RFID is a communication technology that uses electromagnetic fields to transmit information from a tag to a reader. It may be vulnerable to eavesdropping, where an attacker uses an RFID reader to trigger the information leakage from the user's tag (a tag may be a card, like the ones used to enter hotel rooms); to replay attacks, where the attacker steals data from the user's tag and then programs another tag to provide the same, stolen information; and to DoS attacks, through jamming on the frequency used by the RFID reader.
NFC (Near Field Communication)
NFC is a communication technology that allows devices like smartphones to exchange data when they are close to each other. In an NFC attack, the attacker reads data from the user's device.
Disassociation
Disassociation is a wireless attack in which the attacker sends a deauthentication frame to the wireless access point using the user's MAC address as source address. When the access point receives the frame, it disconnects the user. If the user wishes to join the access point again, it has to authenticate again with the access point via the 4-way handshake. A disassociation attack can simply prevent a user from connecting to an access point, resulting in a DoS attack, or it could be the way for the attacker to force a new handshake, whose frames the attacker will capture to try to crack the password.
Birthday
In a birthday attack, also called collision attack, the attacker tries to find a string that produces the same hash as the user's password. Recall that systems are generally programmed to store the hashes of the passwords, and that a hash function is simply a function that takes a string as input and produces a fixed-size string of bytes as output. Since the number of possible output strings is limited, an attacker may perform several trials to discover a string whose hash is equal to the user's password hash. However, hash functions are designed to have a very large number of possible outputs, and this implies that finding two equal hashes (a collision) is infeasible. The birthday paradox is the name given to a statistical analysis that shows that, on average, discovering a collision takes an attacker a much smaller number of attempts than the total number of possible outputs.
Known plain text/cipher text
In a known plaintext attack, the attacker knows both a piece of encrypted text and the associated piece of plaintext, and uses this knowledge to derive the encrypting function;
in a known plaintext attack, the attacker knows only a piece of the plaintext;
in a ciphertext only attack, the attacker knows only the ciphertext.
Rainbow tables
A rainbow table is a big database table that stores a very big list of hashes together with the passwords that generated them. These hashes have been precomputed and then put into the database table, so if an attacker has stolen a hash and wants to recover the original password, it can look it up in the rainbow table. If it finds a matching entry, it has discovered the password! Countermeasures: add salt to the password before hashing, that is, add random bits to the password before computing the hash. This makes it unlikely that the precomputed rainbow table holds an entry for the salted password. Example: PBKDF2 and bcrypt use salt.
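An added example (Python, not code from the original notes) of why the salt defeats a precomputed table: a tiny constructed lookup table of unsalted SHA-256 digests stands in for the rainbow table, and PBKDF2 from the standard library (hashlib.pbkdf2_hmac, which is real) shows that the same password stored twice yields two different digests, neither of which the table can contain. The storage format, the iteration count and the function names are the example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: work factor chosen for this example

# Constructed "precomputed table" of unsalted SHA-256 digests for a few common
# passwords, standing in for a rainbow table (made up for the example).
_COMMON = ["123456", "password", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in _COMMON}


def unsalted_digest(password):
    """What a system that hashes without salt would store."""
    return hashlib.sha256(password.encode()).hexdigest()


def unsalted_lookup(digest_hex):
    """What an attacker does with a stolen unsalted hash: a table lookup."""
    return UNSALTED_TABLE.get(digest_hex)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. The random salt makes every stored digest unique
    even for identical passwords, so no precomputed table can cover it; the
    iteration count also makes each guess expensive for an offline attacker."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_part(stored):
    """The digest field of a stored record, i.e. what a table would have to match."""
    return stored.split("$")[3]


if __name__ == "__main__":
    stolen = unsalted_digest("password")
    print("unsalted lookup     :", unsalted_lookup(stolen))            # 'password'
    s1, s2 = hash_password("password"), hash_password("password")
    print("salted digests differ:", digest_part(s1) != digest_part(s2))  # True
    print("table hit on salted :", unsalted_lookup(digest_part(s1)))   # None
    print("verify              :", verify_password("password", s1),
          verify_password("wrong", s1))                                # True False
```

Storing the salt and iteration count next to the digest is what lets the work factor be raised later without breaking existing accounts: old records keep verifying with their own parameters and get re-hashed on the next successful login.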
Dictionary
In a dictionary attack, the attacker tries to discover the victim's password by providing to the authentication system the words in a dictionary of words. This dictionary may contain all the words in a given language (for instance all English words) plus the most commonly used passwords. Countermeasures: use strong passwords.
Brute force
In a brute force attack, the attacker tries all possible combinations of characters (including lowercase and uppercase letters, numbers and symbols). A brute force attack may be either performed online, that is providing 'live' passwords to the authentication system, or offline, like trying to decrypt an encrypted text which is stored in a file. Countermeasures: lockout policies (for online attacks).
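The lockout countermeasure named for the dictionary and brute force sections above, as an added example (Python, not code from the original notes): an authenticator wrapper that counts consecutive failures per account and refuses further attempts for a fixed period once the limit is hit, which caps the number of guesses an online attack can make. The credential check, the limits and the class name are assumptions of the example; the clock is injectable so the policy can be tested without waiting.

```python
import time

# Constructed credential check (an assumption for the example): a real system
# would compare against a salted hash, never a plaintext table.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(username, password):
    return _DEMO_USERS.get(username) == password


class LockoutAuthenticator:
    """Wraps a credential check with an account lockout policy: after
    `max_failures` consecutive wrong passwords the account is locked for
    `lockout_seconds`, during which even the right password is refused."""

    def __init__(self, verify, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self._verify = verify
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock            # injectable so the policy can be tested
        self._failures = {}            # username -> consecutive failures
        self._locked_until = {}        # username -> time the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        return until is not None and self._clock() < until

    def login(self, username, password):
        """Returns "ok", "denied" or "locked"."""
        if self.is_locked(username):
            return "locked"            # do not even evaluate the password
        if self._verify(username, password):
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self._max_failures:
            self._locked_until[username] = self._clock() + self._lockout_seconds
            self._failures[username] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = LockoutAuthenticator(demo_verify, max_failures=3, lockout_seconds=60)
    # Constructed guess sequence: three wrong passwords, then the right one.
    for guess in ["123456", "password", "qwerty", "correct horse battery staple"]:
        print(f"{guess!r} -> {auth.login('alice', guess)}")
```

A lockout policy trades one risk for another: an attacker who knows a username can lock the legitimate user out on purpose, so real deployments usually pair it with per-source rate limiting and a short lockout window rather than a permanent one.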
Online vs. offline
An online attack is an attack performed live on the working system, like guessing the Wi-Fi password of an access point and retrying if the password is wrong. An offline attack, instead, is not performed against a live system. An example of an offline attack is capturing the WPA2 4-way handshake, storing it in a file, and then cracking it using cowpatty or aircrack-ng. In general, offline attacks are much faster than online attacks.
Collision
We already talked about collisions in the birthday attack section. The basic idea of this kind of attack is not necessarily to guess the password used by the user, but to discover a string that, once hashed via a hash function, generates the same digest as the user's password. This is called a collision. If the two digests are the same, then the attacker can authenticate as the user, since in general authentication systems check the hash of the password.
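To make the birthday bound from the birthday attack section and the collision idea of this section concrete, here is an added example (Python, not code from the original notes). It computes the expected number of trials, sqrt(pi * N / 2) for N possible outputs, and then actually finds a collision for a toy hash built by truncating SHA-256 to a few bits, showing the count lands near the bound rather than near N. The truncation, the message format and the function names are the example's own.

```python
import hashlib
import itertools
import math


def truncated_hash(data, bits):
    """First `bits` bits of SHA-256 as an integer: a toy hash with only 2**bits
    possible outputs, so collisions can be found in a fraction of a second."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_trials(n_outputs):
    """Birthday bound: mean number of random samples before two share a value."""
    return math.sqrt(math.pi * n_outputs / 2)


def find_collision(bits):
    """Hash distinct messages until two give the same truncated digest.
    Returns (message_a, message_b, trials)."""
    seen = {}
    for i in itertools.count(1):
        msg = f"msg-{i}".encode()     # constructed, distinct candidate strings
        d = truncated_hash(msg, bits)
        if d in seen:
            return seen[d], msg, i
        seen[d] = msg


if __name__ == "__main__":
    bits = 20
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit hash: collision after {trials} trials "
          f"(expected about {expected_trials(2 ** bits):.0f}, "
          f"out of {2 ** bits} outputs)")
    # For a full 256-bit digest the same formula gives roughly 2**128 trials,
    # which is why a real collision attack on SHA-256 is infeasible.
    print(f"256-bit hash: expected trials about 2**"
          f"{math.log2(expected_trials(2 ** 256)):.1f}")
```

The classic 23-people figure is the same formula with N = 365; the usage note in the code shows why shrinking the output space is what makes the attack feasible, and why password digests are kept at 256 bits or more.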
Downgrade
In a downgrade attack, the attacker asks a server to lower its security requirements and, if the server accepts, the attacker uses the new, weaker security control to launch an attack. Example: TLS is the successor of SSL and it is used to send encrypted data between two parties. In general the server can negotiate different cipher suites with the client. Each cipher suite contains a list of supported protocols. The rationale is that not all clients may support all protocols, and older devices may only support older protocols. The server wants to give older clients the opportunity to connect too. However, an attacker could ask the server to use an old, vulnerable cipher suite, and exploit it to launch an attack. Countermeasures: deny old, vulnerable protocols on the server (for instance, disable SSL).
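The countermeasure above, as an added example (Python with the standard-library ssl module, not code from the original notes): a server context whose minimum protocol version is TLS 1.2, so SSL 3.0, TLS 1.0 and TLS 1.1 cannot be negotiated no matter what the peer asks for, beside a small audit function that reports the weak setting. ssl.SSLContext, ssl.TLSVersion and OP_NO_COMPRESSION are real; the function names and the audit wording are the example's own.

```python
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
LEGACY_TLS1 = ssl.TLSVersion.TLSv1   # the kind of value the audit should flag


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses to negotiate anything below TLS 1.2. A
    client, or an attacker in the middle, asking for an older protocol gets a
    handshake failure instead of a weaker session."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = MIN_VERSION          # SSL 3.0 / TLS 1.0 / 1.1 are gone
    ctx.options |= ssl.OP_NO_COMPRESSION        # TLS-level compression stays off
    if certfile:                                # certificate paths are deployment-specific
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_settings(minimum_version, options):
    """Pure check on the two settings that matter here, so weak values can be
    evaluated without having to build a weak context."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {minimum_version.name} "
                        "is below TLS 1.2")
    if not options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


def audit_context(ctx):
    return audit_settings(ctx.minimum_version, ctx.options)


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("hardened:", ctx.minimum_version.name, audit_context(ctx) or "no findings")
    print("legacy  :", audit_settings(LEGACY_TLS1, 0))
```

Setting minimum_version is preferable to the older OP_NO_SSLv3 / OP_NO_TLSv1 flags because it states the policy once instead of enumerating every version to forbid; the same idea applies to cipher suites, where a short explicit allow-list beats disabling suites one by one.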
Replay
In a replay attack, the attacker captures the packets sent by a client to a server and then sends the captured packets to the server with the aim of impersonating the victim. Countermeasures: sequence numbers and timestamps. Kerberos uses timestamped tickets to prevent replay attacks.
Weak implementations
Weak implementation attacks were described in the downgrade attack section. A weak implementation is an old, vulnerable version of a protocol that should be denied by the server.
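The timestamp and sequence number countermeasures named here and in the earlier Replay section, as an added example (Python, not code from the original notes) with both sides of the exchange: the sender stamps each message with its time, a random nonce and an increasing sequence number, all covered by an HMAC; the receiver rejects a tampered tag, a timestamp outside its freshness window, a nonce it has already accepted, or a sequence number that does not advance. The shared key, the message format, the window size and the class names are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-shared-key-for-the-example"  # assumption: agreed out of band


def _tag(key, body):
    """HMAC over the message body, so a captured message cannot be altered."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class Sender:
    """Client side: every message carries a timestamp, a fresh random nonce and
    an increasing sequence number, all protected by the tag."""

    def __init__(self, name, key, clock=time.time):
        self.name, self.key, self.clock, self.seq = name, key, clock, 0

    def send(self, payload):
        self.seq += 1
        body = json.dumps({"from": self.name, "seq": self.seq, "ts": self.clock(),
                           "nonce": secrets.token_hex(8), "payload": payload},
                          sort_keys=True).encode()
        return body + b"." + _tag(self.key, body)


class Receiver:
    """Server side: rejects bad tags, stale timestamps, reused nonces and
    non-advancing sequence numbers, in that order."""

    def __init__(self, key, window=30, clock=time.time):
        self.key, self.window, self.clock = key, window, clock
        self.seen_nonces = {}   # nonce -> time it was accepted
        self.last_seq = {}      # sender -> highest accepted sequence number

    def accept(self, wire):
        body, _, tag = wire.rpartition(b".")
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False, "bad tag"
        msg = json.loads(body)
        now = self.clock()
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        if msg["seq"] <= self.last_seq.get(msg["from"], 0):
            return False, "old sequence number"
        self.seen_nonces[msg["nonce"]] = now
        self.last_seq[msg["from"]] = msg["seq"]
        # Nonces older than twice the window can never pass the timestamp
        # check again, so forgetting them does not open a replay gap.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= 2 * self.window}
        return True, "accepted"


if __name__ == "__main__":
    sender, receiver = Sender("client", SHARED_KEY), Receiver(SHARED_KEY)
    wire = sender.send({"transfer": 10})
    print(receiver.accept(wire))   # (True, 'accepted')
    print(receiver.accept(wire))   # (False, 'replayed nonce'): the captured copy fails
```

The timestamp is what keeps the receiver's memory bounded; the nonce catches a copy replayed inside the window; the sequence number additionally catches reordering of messages that are each individually fresh. The tag is essential: without it an attacker could simply rewrite the timestamp on the captured message.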