
Social Engineering and Physical Security

Giorgi Akhalaia (გიორგი ახალაია)
Caucasus School of Technology

Tbilisi, 2022
Overview

• Concept of Social-Engineering

• Types of SE

• Examples

• Tools for SE

• Intro to Physical Security


What is Social Engineering?

• It is the art of manipulating a person, or a group of people, into providing information or a service they otherwise would never have given.

• Social engineering is a nontechnical method of attacking systems: it targets the people who operate them rather than the software.

• All social-engineering attacks fall into one of three categories: human-based, computer-based, or mobile-based.
Human-Based Social Engineering

Dumpster diving
It requires you to get down and dirty, digging through the trash for useful information. Rifling through dumpsters, paper-recycling bins, and office trash cans can provide a wealth of information.

Impersonation
In this attack, a social engineer pretends to be an employee, a valid user, or even an executive (or other VIP). By doing so, an attacker can gain physical access to restricted areas, thus providing further opportunities for attacks.

Technical support
A form of impersonation, this attack is aimed at the technical support staff themselves. An attacker can call up posing as a user and request a password reset. The help desk person, believing they're helping a stranded customer, unwittingly resets the password to something the attacker knows, thus granting him access the easy way.
Human-Based Social Engineering

Shoulder surfing
An attacker taking part in shoulder surfing simply looks over the shoulder of a user and watches them log in, access sensitive data, or provide valuable steps in authentication. Shoulder surfing can also be done "long distance."

Tailgating and piggybacking
Tailgating occurs when an attacker has a fake badge and simply follows an authorized person through the opened security door. Piggybacking is a little different in that the attacker doesn't have a badge but asks someone to let her in anyway. She may say she's left her badge on her desk or at home.

Reverse social engineering
First, the attacker advertises or markets his position as "technical support". In the second step, the attacker performs some sort of sabotage, whether a sophisticated DoS attack or simply pulling cables. In the third step the victim, now facing a problem and knowing whom to call, contacts the attacker, who "helps" by asking for login credentials and thereby gains access to the system. The attack is "reverse" because the victim initiates the contact.
Social-Engineering Phases

1. Use footprinting and gather details about a target through research and observation.

2. Select a specific individual or group who may have the access or information you need to get closer to the desired target.

3. Forge a relationship with the intended victim through conversations, discussions, emails, or other means.

4. Exploit the relationship with the victim, and extract the desired information.
Common Targets of Social Engineering

Receptionists
Receptionists are meant to be helpful and therefore are not security focused.

Help desk personnel
Filing fake support requests or asking these personnel leading questions can yield valuable information.

System administrators
System administrators can also be valuable targets of opportunity, again because of the information they possess.

Executives
Individuals in these types of positions are not focused on security. In fact, many of the people in these positions focus on business processes, sales, finance, and other areas.

Users
Users are probably one of the biggest sources of leaks because they are the ones who handle, process, and manage information day to day.
Email Phishing

• Phishing uses a legitimate-looking email that entices you to click a link or visit a website where your information will be collected.

• This is a common attack and is very effective, even though this technique has been around for more than a decade.

• The e-mail can appear to come from a bank, credit card company, utility company, or any number of legitimate business interests a person might work with.

• The best way to defend against phishing is to educate users on methods to spot a bad e-mail.
Anatomy of a Phishing Email

- What are phishers doing differently?
- Everything, from the sender's address to the footer.

Sender's address
Phishers use email spoofing to create fake email addresses that look like they were sent from legitimate ones. With email address spoofing, the sender's display name is visible, but the actual email address is often hidden by the mail client, so a familiar name can sit in front of an unrelated address.

Subject line and tone
To get users to open the emails, subject lines often raise alarms or pique curiosity, such as "New sign-on to your account," "Suspicious activity detected," or "Invitation waiting."

Attachments
Most email filters scan for known phishing URLs only in the body of the email. To get around this, phishers often bury the URL in an attachment.
Anatomy of a Phishing Email

Phishing links
A phishing link is a URL that directs a user to a phishing page that impersonates a popular brand. Phishing links are hidden behind anchor text with calls to action such as "Sign in," "View here," "Click here," "Preview document," and "Update account settings."

To avoid detection, phishers obfuscate the URL using these techniques:
- URL shorteners;
- URL redirects (an open redirect on a legitimate domain whose query parameter carries the real, phishing destination);
- Text-based image obfuscation (the call to action is an image rather than text, so a text filter has nothing to match).
Anatomy of a Phishing Email

Legitimate links
The more links the email includes, the less likely the user is to check each and every link. Additionally, when an email includes links to helpful resources, such as a support email address, the email appears even more legitimate in the eyes of a user.
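The link tricks listed on the preceding slides (shorteners, redirect parameters, lookalike hosts, and a generic call to action in front of a suspicious URL, padded with genuine links) can be checked mechanically. The following is an added example, not code from the lecture or from any tool it mentions; the HTML body, the brand domain `example.com`, every host in it, and the small shortener and redirect-parameter lists are constructed for this illustration.

```python
"""Added example for the "Anatomy of a Phishing Email" slides (not code from
the lecture): pull every link out of an HTML email body and flag the tricks
the slides list: URL shorteners, redirect parameters, lookalike domains, and
a call-to-action anchor sitting in front of a suspicious link.
The HTML below is constructed for this example; every host in it is made up."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample body: a shortened link, a genuine support link, an open
# redirect on the brand's own domain, and a mailto: that makes it look legitimate.
SAMPLE_HTML = """
<p>New sign-on to your account. <a href="https://bit.ly/3xAmpl">Sign in</a> to review.</p>
<p>Need help? <a href="https://support.example.com/contact">Contact support</a> or
<a href="https://example.com/redirect?url=http://example-login.evil.test/verify">View here</a>.</p>
<p><a href="mailto:support@example.com">support@example.com</a></p>
"""

# Small illustrative lists; a real filter would use maintained ones.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "target", "goto", "u"}
CTA_PHRASES = ("sign in", "view here", "click here", "preview document",
               "update account settings")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def analyse_link(href, text, brand_domain):
    """Return the reasons (possibly none) that one link looks like a phishing link."""
    reasons = []
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        return reasons                      # mailto:, tel: etc. do not navigate anywhere
    hosts = [(url.hostname or "").lower()]
    if hosts[0] in SHORTENERS:
        reasons.append("url-shortener")
    # Open redirect: a query parameter whose value is itself an absolute URL.
    # The real destination is the parameter, so check that host as well.
    for name, values in parse_qs(url.query).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                if value.startswith(("http://", "https://")):
                    reasons.append("redirect-parameter")
                    hosts.append((urlparse(value).hostname or "").lower())
    # Lookalike: the brand name appears in a host that is not the brand's domain.
    brand = brand_domain.split(".")[0]
    if any(brand in h and h != brand_domain and not h.endswith("." + brand_domain)
           for h in hosts):
        reasons.append("lookalike-domain")
    # The slides' tell: a generic call to action hiding an already-suspicious URL.
    if reasons and text.lower() in CTA_PHRASES:
        reasons.append("call-to-action-anchor")
    return reasons


def analyse_body(html, brand_domain="example.com"):
    """Map every link in the body to its list of reasons ([] = nothing flagged)."""
    return {href: analyse_link(href, text, brand_domain)
            for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in analyse_body(SAMPLE_HTML).items():
        print(f"{'FLAG' if reasons else 'ok  '} {href} {reasons}")
```

Run on the sample, the support link and the mailto: come back clean, the shortened "Sign in" link is flagged, and the "View here" link is flagged three times: it lives on the brand's own domain, but its `url=` parameter carries the real destination, whose host merely contains the brand name. That is exactly why a filter that only looks at the visible host of each link misses the redirect case.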
Email Phishing: Fake Email

[Slide: screenshot of a fake (spoofed) email sent with https://emkei.cz]

The topics covered in this lecture are for educational purposes only, and their use is permitted only on your own computer systems.
Email Phishing: "Show Original"

[Slide: the same fake email opened with the mail client's "Show Original" view, which exposes the raw headers]
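What "Show Original" exposes is the part of the message the forger does not control: the envelope sender, the relay that actually handed the mail over, and the receiving server's SPF/DKIM/DMARC verdicts. The following is an added example, not code from the lecture or from emkei.cz, that reads those headers and lists the reasons the visible From: line should not be trusted. The raw message, all hosts, addresses, the IP address and the Authentication-Results line are constructed for this illustration.

```python
"""Added example for the "Show Original" slide (not code from the lecture):
read the raw headers a mail client exposes with "Show Original" and list the
signs that the visible From: line was spoofed. The message below is
constructed for this example; every host, address and IP in it is made up."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: looks like it is from bank.example.org, but the envelope
# sender, the Reply-To and the submitting relay all point elsewhere, and the
# receiving server recorded SPF/DKIM/DMARC failures.
RAW = b"""Delivered-To: victim@example.com
Received: from mail.sender-relay.test (mail.sender-relay.test [203.0.113.10])
        by mx.example.com with ESMTP id abc123
        for <victim@example.com>; Tue, 15 Mar 2022 10:00:00 +0000
Authentication-Results: mx.example.com;
        spf=fail smtp.mailfrom=sender-relay.test;
        dkim=none;
        dmarc=fail header.from=bank.example.org
Return-Path: <bounce@sender-relay.test>
From: "Example Bank Security" <security@bank.example.org>
Reply-To: support-desk@mail-reset.test
To: victim@example.com
Subject: Suspicious activity detected
Content-Type: text/plain

Please sign in to review the activity.
"""


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Parse an Authentication-Results header into {'spf': 'fail', 'dkim': 'none', ...}."""
    results = {}
    header = str(msg.get("Authentication-Results", ""))
    for clause in header.split(";")[1:]:      # clause 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, _, result = tokens[0].partition("=")
            results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw):
    """Return human-readable reasons the From: address should not be trusted."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # Envelope sender (Return-Path) and Reply-To that do not match the visible From.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name, ""))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # The topmost Received: line was written by our own server and names the
    # host that actually handed the mail over.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"\s*from\s+(\S+)", str(received[0]))
        if m and not m.group(1).lower().endswith(from_dom):
            findings.append(f"relay {m.group(1)} is not under {from_dom}")
    # Anything but pass on SPF/DKIM/DMARC means the receiving server could not
    # tie the message to the From domain.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(RAW):
        print("-", finding)
```

On the constructed message this reports six findings: the Return-Path and Reply-To domains differ from the From domain, the submitting relay is not under the bank's domain, and SPF, DKIM and DMARC all fail. A forger can type any From: line into a tool like emkei.cz; these headers are what the mail client's "Show Original" lets you compare it against.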
Detecting Phishing Web Pages

• NetCraft Extension for Internet Browsers

• https://phishtank.com/
Phishing Tools: ShellPhish

Phishing tool for Facebook, Instagram, Google, Microsoft, Netflix, PayPal, Steam, Twitter, PlayStation, GitHub, Twitch, Pinterest, Snapchat, LinkedIn, eBay, Dropbox, ProtonMail, Spotify, Reddit, Adobe, DeviantArt, Badoo, Origin, CryptoCoin, Yahoo, WordPress, Yandex, StackOverflow & VK.

Installation:
$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt install git wget php unzip curl -y
$ git clone https://github.com/AbirHasan2005/ShellPhish
$ cd ShellPhish
$ sudo chmod +x *.sh
$ bash ./shellphish.sh

[Slide: ShellPhish download link, link to the video, and link to the issue about external connections]
Zphisher

$ git clone https://github.com/htr-tech/zphisher.git
$ cd zphisher
$ bash zphisher.sh

(The original slide cloned over git://; GitHub no longer serves the unauthenticated git:// protocol, so clone over HTTPS as shown.)
SET (Social-Engineer Toolkit)

Open a terminal and type:
$ sudo setoolkit

[Slide: SET demo, video link]

Scareware Trojans

Scareware frightens the user with fake warnings (for example, "your computer is infected") into installing or paying for a program that is itself the malware.

"There is no patch for human stupidity."

To stay protected against social engineering attacks, it's important to recognize the power of ego.
Physical Security

• Physical security involves the protection of such assets as personnel, hardware, applications, data, and facilities from fire, natural disasters, robbery, theft, and insider threats.

• In many cases, if an attacker does not have a clear or easy way of using technology to breach a target, they may move over to a physical attack to gain information or access.

• Furthermore, physical security measures come down to three major components: physical, technical, and operational.
Physical security measures come down to three major components:

Physical measures
Include all the things you can touch, taste, smell, or get shocked by. For example, lighting, locks, fences, and guards with Tasers are all physical measures.

Technical measures
Authentication and permissions may not come across as physical measures, but in the context of smart cards and biometrics controlling access to doors and rooms, they become technical measures for physical security.

Operational measures
These are the policies and procedures you set up to enforce a security-minded operation. For example, background checks on employees, risk assessments on devices, and policies regarding key management and storage would all be considered operational measures.
Thank you for your attention!

Contact: email: gakhalaia@cu.edu.ge
mob: 598 590158
