Social Engineering Attacks Preview

Dear readers,

2021 is finally here! To brighten this month up, we prepared something completely new! This issue is dedicated to Social Engineering Attacks. Let’s dive into the content!

We start off with A Practical Introduction to Social Engineering Attacks, in which the author is going to show you how hackers can take advantage of human error and what are the most popular social engineering attack techniques.  

Then we’re going to drift off to Social Engineering Attacks Techniques Using Malicious Documents and APT Tactics. The title speaks for itself – this article will guide you through various attack techniques with an APT scenario. Later we’re going to take a look at How Social Networks are Directly Connected With the Improper Application of Social Engineering that’ll help you understand how to use social engineering attacks in social networks, who may be the target of such attacks, and how to protect yourself against them. 

We also prepared two absolute gems for you! First is an interview with Christopher Hadnagy – the world’s leading social engineer and an author of Human Hacking, an amazing book about using social engineering techniques in everyday life. Second one is Login to Hell, a history of Alberto Daniel Hill – first hacker sent to Uruguay prison for a cybersecurity-related crime. Both articles are very different, but extremely interesting and we hope they’re gonna excite you as much as they excited us!

You may also want to take a look at Intricacies of Delivering Effective Social Engineering Attack Simulations, a detailed analysis of social engineering attack simulations. 

Later on we have Social Engineering – Frenemy or Foe, in which Syed Peer will introduce you to the topic of social engineering techniques in social media and will teach you how to stay safe during your activities in the depths of the internet. 

For those of you who haven’t had enough of malware, we prepared Analyze Malware Using Open Source Tools – a very detailed guide to malware analysis with examples and presentation of open source tools’ usage – and ARP Cache Poisoning with Ettercap. 

Last but not least we have Why do I Want to be a Blockchain Developer?, a Part 1 of the introduction to blockchain development with examples of useful apps.

Once again, we wish you all the best for the upcoming year. We hope that with this edition your start in 2021 will be more bright and enjoyable. We would also like to send gratitude to our contributors, reviewers and proofreaders. 

Thank you and see you next month!

Hakin9 Editorial Team

>>If you want to buy this magazine click here <<

>>If you are a subscriber, download your magazine here<<

TABLE OF CONTENTS

An Introduction to Social Engineering Attacks

Dr Varin Khera

Social engineering (SE), in the information security context, is a kind of cyber-attack that uses psychological tricks in person, over the phone, or via the internet (e.g., email messages, social media messages, internet messaging applications such as WhatsApp and Viber) to convince unaware users to reveal sensitive information about themselves (e.g., online accounts credentials, personal information, social security number, banking, and other financial information) or about the organization they work for (e.g., IT infrastructure, implemented security solutions such as antivirus and firewalls, types of access controls, key employees holding access to sensitive resources). Some SE attacks aim to deceive a victim into installing malicious programs on his device to gain full control over it and to use it to spread the infection to other places within the network.

Social Engineering Techniques Using Malicious Documents and APT Tactics

Joas Antonio dos Santos

Let's create a VBA Macro that will download our backdoor and execute it, we can use ready-made tools, because the objective is to demonstrate the way the attack is structured. But with good skills in C, C # or another higher-level language, you can develop your own attack vector as a backdoor, RAT, or even an exploit, and of course, using assembly to go to the lowest level to work in obfuscation and in the development of shellcodes that hinder detection by means of antivirus or EDR. In addition, your knowledge of VBA can be used to develop a Macro and decrease the chances of security control detecting abnormal behavior.

How Social Networks Are Directly Connected With The Improper Application of Social Engineering

Felipe Hifram

It is usually to be expected that people who hold important positions will be targeted by malicious social engineers more often, but nowadays, we even have cases of botnets responsible for sending tens of thousands of phishing emails – for the purpose of stealing personal data – and even if the email is not the best, victims always fall, yielding data that may be sold or used to carry out other crimes in the future.  With social networks it is also much easier to recognize the target. People usually post their entire personal lives on their networks, and even worse, they do not control who can access this information, a public profile in which intimate details of the information are stored about someone's life. It's a full plate for criminals.

"People are more aware of social engineering now, which is helping in security awareness."

An interview with Christopher Hadnagy, author of Human Hacking

Social Engineering is easier today due to how we take in and release information. Social media becomes the news source for many people and a main communication source to the outside world. This allows a malicious SE to get endless troves of information to use in their attacks.

Intricacies of Delivering Effective Social Engineering Attack Simulations

Terence Teo, Miguel Tan

Although organizations invest a large amount of resources implementing technical security defenses to protect their systems, they forget that their employees – who are the trusted users to access these systems – are just as important a link to protect within the cybersecurity chain. That is why it is important that organizations also invest in protecting this human link by implementing an effective cybersecurity training program. This usually entails conducting regular cybersecurity awareness training sessions and social engineering attack simulations.

Social Engineering - Frenemy or Foe

Syed Peer

The modern web and social platforms in particular provide the perfect window into our lives, but are only effective so far as we allow them to be. A fun weekend exercise for young and old alike is just to type your name into the Google Search field and watch all the references that come back to you in an instant. It can be an eye-opening experience that so much information about ourselves (both the good and the bad) is actually out there for the general public to see.

Analyze Malware Using Open Source Tools

Adrian Rodriguez Garcia

First we’re going to talk about the different methodologies that exist to analyze a malware sample and requirements or tools each one requires. Then, we will study the different kinds of tools that we can use to extract data about malware behaviour. The next stage will be to understand the analysis of malware processes with a real example to know all the details about a sample.

Login To HELL: The Nightmares of an Information Security Professional in South America

Alberto Daniel Hill

Until 2017, I kept an exceptionally low profile. I did not have any real account on social networks, I never talked about things related to hacking. I was trying to be completely unknown in the field and do my job totally keeping confidentiality of the information I had to handle. My name did not appear on Google except for information about the work contracts I had with the government, which were public for transparenc In 2017, I hacked one of the largest information security realizations in the world and I reported the problem they had to them. The names of those companies and organizations are irrelevant and I do not want to damage their image, so I have no intention to disclose that information.

ARP Cache Poisoning With Ettercap

Zakaria Brahimi 

An ARP Poisoning attack consists of flooding a router with ARP requests while making it believe that you are someone else. After a while, this will cause the ARP cache to be updated and you will then be placed in the Man In The Middle (MITM) position. All the traffic between the target machine and the router will then pass through you and you will be able to capture all the information in transit in this way. Some existing tools assist you in conducting such attacks as the well-known Ettercap. The latter is free software for computer network analysis. It is capable of intercepting traffic on a network segment, capturing passwords, and performing so - called Man In The Middle attacks against a number of common communication protocols such as HTTP, FTP and some encrypted protocols. Ettercap is available in command line and GUI (with graphical interface).

Why Do I Want To Be a Blockchain Developer? Part 1

Richie Guzman

With blockchain networks we have an alternative. Peer-to-peer networks are very hard to stop. Blockchain ledgers are immutable. Smart contracts are highly trustable sources of computation. Blockchain returns power to the people. The power of free speech. Free, unstoppable, global and decentralized apps. Are you a developer? Do you wanna be one? Ethereum needs developers. I will show you two examples of dApps. I'm a software developer and I prepared two dapps to show you how this works. Are you ready? I warn you, you are gonna learn a lot about cryptocurrencies today.