00:00:13,950 --> 00:00:22,710 In the last lecture, we saw how social engineering is the art of convincing people to reveal confidential information.
00:00:23,240 --> 00:00:27,520 In this lecture, we are going to see three main types of social engineering that we should be aware of.
00:00:28,110 --> 00:00:40,590 So there are three types of social engineering: human based, computer based and mobile based. Starting with the human based social engineering, also called impersonation.
00:00:41,640 --> 00:00:48,120 It is the most common technique, where the attacker pretends to be someone legitimate or an authorized person.
00:00:48,610 --> 00:01:03,180 Attackers impersonate a legitimate or authorized person, either in person or using a communication medium such as phone or email. Impersonation attackers trick a target into revealing sensitive information.
00:01:04,140 --> 00:01:17,760 Vishing, or voice over IP phishing, is an impersonation technique, also called electronic fraud, in which the attacker tricks individuals into revealing personal and financial information using voice technology.
00:01:17,970 --> 00:01:21,730 This is done over the telephone system, or by simply calling the targets.
00:01:22,020 --> 00:01:28,710 There are three main types of human based social engineering: eavesdropping, shoulder surfing and dumpster diving.
00:01:29,430 --> 00:01:33,780 Eavesdropping is the interception of audio, video or written communication.
00:01:34,420 --> 00:01:40,530 It can be done using communication channels such as telephone lines, emails or even instant messaging.
00:01:41,580 --> 00:02:02,010 Shoulder surfing uses direct observation techniques, such as looking over someone's shoulder, to get information such as passwords, PINs and account numbers. Shoulder surfing can also be done from a longer distance with the aid of vision enhancing devices, such as binoculars, that are equipped with the capability of capturing long distance information.
00:02:03,210 --> 00:02:07,330 Dumpster diving is looking for treasure in someone else's trash.
00:02:08,100 --> 00:02:21,960 It involves the collection of phone bills, contact information, financial information, operations related information and many other items. Computer based social engineering is social engineering which is carried out with the help of computers.
00:02:22,320 --> 00:02:23,310 Pop-up windows.
00:02:23,820 --> 00:02:30,380 These are windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign up.
00:02:30,720 --> 00:02:34,580 You might have encountered pop-up windows. Hoax letters.
00:02:35,070 --> 00:02:53,580 Hoax letters are emails that issue warnings to the user on new viruses, Trojans or worms that may harm the user's system. Chain letters are emails that offer free gifts such as money and software on the condition that the user has to forward the mail to a certain number of persons.
00:02:54,240 --> 00:02:55,710 Instant messenger.
00:02:56,490 --> 00:03:16,890 It is getting personal information by chatting with a selected online user to get information such as birth dates and maiden names. Spam emails are irrelevant, unwanted and unsolicited emails sent to collect financial information, Social Security numbers and network information, as in some types of fraud emails.
00:03:17,670 --> 00:03:27,390 Phishing is the practice of sending an illegitimate email, falsely claiming to be from a legitimate site, in an attempt to acquire the user's personal or account information.
00:03:28,650 --> 00:03:37,290 Phishing emails or pop-ups redirect users to fake web pages mimicking trustworthy sites and ask them to submit their personal information.
00:03:37,950 --> 00:03:43,410 In mobile based social engineering, information is obtained with the help of mobile apps.
00:03:44,250 --> 00:04:00,720 Attackers create malicious apps with attractive features and names similar to those of popular apps and publish them on major app stores. Unaware users download these apps and get infected by the malware, which sends credentials to the attackers.
00:04:00,990 --> 00:04:29,520 This is how mobile based social engineering takes place. First, the attacker infects the victim's PC. Next, the attacker uploads a malicious application to an app store. When the victim logs on to his or her bank account, the malware in the system shows a pop-up message telling the victim to download an application onto his or her cell phone to receive security messages. The victim downloads the malicious application on his or her phone.
00:04:29,880 --> 00:04:41,650 At this point, the attacker can access the second authentication factor sent to the victim from the bank, and all the money in the account is hence stolen by the attacker.
00:04:42,300 --> 00:04:46,380 Let us discuss countermeasures to social engineering attacks.
00:04:46,960 --> 00:04:52,860 Good policies and procedures are ineffective if they are not taught to and reinforced by the employees.
00:04:53,490 --> 00:04:59,580 After receiving training, employees should sign a statement acknowledging that they have understood the policies.
00:05:00,600 --> 00:05:10,750 The main objectives of social engineering defense strategies are to create user awareness, robust internal networks and secure policies, plans and processes.
00:05:11,370 --> 00:05:38,460 Therefore, the company should train individuals on security policies to generate awareness about such attacks, restrict access of outsiders to restricted areas, prepare a proper incident response team, scrutinize information, implement two-factor authentication, archive critical data, perform regular risk assessments and verify the background of the employees.
00:05:38,820 --> 00:05:39,570 What's next?
00:05:40,050 --> 00:05:42,930 We will have a practical on social engineering.