1
00:00:02,570 --> 00:00:09,230
Social engineering attacks by phone is also called phishing with a word is a combination of voice and

2
00:00:09,230 --> 00:00:09,740
phishing.

3
00:00:10,490 --> 00:00:12,670
Vicious attacks are highly effective.

4
00:00:12,680 --> 00:00:18,380
If you've done your homework and have all the relevant information and you already know where you get

5
00:00:18,380 --> 00:00:20,310
the information in the first place.

6
00:00:20,720 --> 00:00:24,720
This is where the information gathering phase comes into play.

7
00:00:25,550 --> 00:00:30,050
You need to have a realistic scenario first before you call the victim.

8
00:00:30,060 --> 00:00:32,120
You have to be very well prepared.

9
00:00:32,840 --> 00:00:33,680
Who are you?

10
00:00:33,890 --> 00:00:35,410
Where are you calling from?

11
00:00:35,720 --> 00:00:37,160
What's your expertise?

12
00:00:37,370 --> 00:00:38,540
What's the subject?

13
00:00:38,780 --> 00:00:40,730
What do you want from the victim?

14
00:00:41,120 --> 00:00:44,670
The more you prepare, the more the victim will trust you.

15
00:00:45,560 --> 00:00:47,660
There are some tricks to being more realistic.

16
00:00:47,810 --> 00:00:53,840
For example, if you're in the role of a call center staff, it's better to have a background voices.

17
00:00:53,840 --> 00:01:01,340
If some other staff are talking with other customers or clients, it's a very effective way to frighten

18
00:01:01,340 --> 00:01:01,940
the victim.

19
00:01:02,640 --> 00:01:05,720
Your computer is blocking a million dollar transaction to the company.

20
00:01:05,870 --> 00:01:07,490
We have to fix it immediately.

21
00:01:08,300 --> 00:01:11,420
Have you recently visited websites that you should not have visited?

22
00:01:13,540 --> 00:01:19,990
Here, then, is the real world social engineering test that we performed in one of our tests, according

23
00:01:19,990 --> 00:01:26,860
to the scenario, we are an IT department staff and want to make sure if all the employees got the critical

24
00:01:26,860 --> 00:01:32,410
security update of the corporate email service, the critical points of the attack are as follows.

25
00:01:33,010 --> 00:01:40,000
First, introduce yourself as one of the personnel from the IT department, now an information gathering

26
00:01:40,000 --> 00:01:40,960
and reconnaissance phase.

27
00:01:41,080 --> 00:01:46,660
If you found the real names working in the IT department, use one of these names.

28
00:01:46,960 --> 00:01:48,130
But prepare yourself.

29
00:01:48,310 --> 00:01:51,610
The victim may know the person whose name you're using.

30
00:01:52,510 --> 00:01:55,900
If you don't know anyone in the IT department, choose a common name.

31
00:01:56,380 --> 00:01:59,100
What's the most common name in that country?

32
00:02:00,130 --> 00:02:05,020
Second, make the victim nervous about his or her mistake.

33
00:02:05,830 --> 00:02:08,920
Words critical and security are important.

34
00:02:10,210 --> 00:02:12,750
You should have got the update up to now, but you haven't.

35
00:02:14,470 --> 00:02:17,770
Third, gain the trust of the victim.

36
00:02:19,000 --> 00:02:21,450
Don't share any information with me or anyone else.

37
00:02:21,460 --> 00:02:22,720
Security is important.

38
00:02:24,310 --> 00:02:31,270
Give the IP address of your malicious website, because you share the you are on the phone, don't try

39
00:02:31,270 --> 00:02:34,720
to find a Eurail similar to the company's Web mail service.

40
00:02:35,230 --> 00:02:42,190
IP is good, but it's not understandable since the victim manages the steps, him or herself, he or

41
00:02:42,190 --> 00:02:44,680
she has no doubt that the operation is secure.

42
00:02:46,060 --> 00:02:52,990
The victim visits our Web site, which looks like the Web mail service of the company and downloads

43
00:02:52,990 --> 00:02:55,420
our back door as the security patch.

44
00:02:56,560 --> 00:02:58,810
The success rate of this test was.

45
00:03:00,490 --> 00:03:01,930
Ninety percent.

46
00:03:04,660 --> 00:03:06,130
In this course, you learned.

47
00:03:07,160 --> 00:03:09,830
The terminologies and definitions of social engineering.

48
00:03:10,920 --> 00:03:12,900
Basic social engineering techniques.

49
00:03:13,920 --> 00:03:17,610
Social engineering types in the steps of the social engineering tests.

50
00:03:18,790 --> 00:03:20,710
How to bypass security measures.

51
00:03:22,070 --> 00:03:23,450
How to create malware.

52
00:03:25,730 --> 00:03:32,590
How to create custom payloads to use inside the malware, how to embed the malicious code into the documents.

53
00:03:33,760 --> 00:03:35,410
The social engineering toolkit.

54
00:03:36,340 --> 00:03:39,760
And social engineering via phone, also known as phishing.