book

Practical Social Engineering

Name: Practical Social Engineering
Author: Joe Gray
ISBN: 9781718500983

by Joe Gray

June 2022

Intermediate to advanced

430 pages

5h 46m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
Dedication
About the Author
Acknowledgments
Introduction
Who This Book Is ForWhat You’ll Find in This BookSummary
Part I: The Basics
Chapter 1: What Is Social Engineering?
Important Concepts in Social EngineeringPretextingOpen Source Intelligence PhishingSpear PhishingWhalingVishingBaitingDumpster DivingPsychological Concepts in Social EngineeringInfluenceManipulationRapportDr. Cialdini’s Six Principles of PersuasionSympathy vs. EmpathyConclusion
Chapter 2: Ethical Considerations in Social Engineering
Ethical Social EngineeringEstablishing BoundariesUnderstanding Legal ConsiderationsUnderstanding Service ConsiderationsDebriefing After the EngagementCase Study: Social Engineering Taken Too FarEthical OSINT Collection Protecting DataFollowing Laws and RegulationsCase Study: Ethical Limits of Social EngineeringConclusion
Part II: Offensive Social Engineering

Chapter 3: Preparing for an Attack
Coordinating with the ClientScopingDefining ObjectivesDefining MethodsBuilding Successful PretextsUsing Specialized Operating Systems for Social EngineeringFollowing the Attack PhasesCase Study: Why Scoping MattersConclusion
Chapter 4: Gathering Business OSINT
Case Study: Why OSINT MattersUnderstanding Types of OSINTBusiness OSINTGetting Basic Business Information from CrunchbaseIdentifying Website Owners with WHOISCollecting OSINT from the Command Line with Recon-ngUsing Other Tools: theHarvester and OSINT FrameworkFinding Email Addresses with HunterExploiting Mapping and Geolocation ToolsConclusion
Chapter 5: Social Media and Public Documents
Analyzing Social Media for OSINTLinkedInJob Boards and Career SitesFacebookInstagramLeveraging Shodan for OSINTUsing Shodan Search ParametersSearching IP Addresses Searching Domain Names Searching Hostnames and Subdomains Taking Automatic Screenshots with HunchlyPilfering SEC FormsConclusion
Chapter 6: Gathering OSINT About People
Using OSINT Tools for Analyzing Email AddressesFinding Out If a User Has Been Breached with Have I Been Pwned Enumerating Social Media Accounts with SherlockEnumerating Website Accounts with WhatsMyNameAnalyzing Passwords with PwdlogyAnalyzing a Target’s ImagesManually Analyzing EXIF DataAnalyzing Images by Using ExifToolAnalyzing Social Media Without ToolsLinkedInInstagramFacebookTwitterCase Study: The Dinner That Gave All the Gold AwayConclusion
Chapter 7: Phishing
Setting Up a Phishing AttackSetting Up a Secure VPS Instance for Phishing Landing PagesChoosing an Email Platform Purchasing Sending and Landing Page DomainsSetting Up the Phishing and Infrastructure Web ServerAdditional Steps for PhishingUsing Tracking Pixels to Measure How Often Your Email Is OpenedAutomating Phishing with GophishAdding HTTPS Support for Phishing Landing PagesUsing URL Shorteners in PhishingUsing SpoofCard for Call Spoofing Timing and Delivery ConsiderationsCase Study: The $25 Advanced Persistent PhishConclusion
Chapter 8: Cloning a Landing Page
An Example of a Cloned WebsiteThe Login PageThe Sensitive Questions PageThe Error PageHarvesting the InformationCloning a WebsiteFinding the Login and User Pages Cloning the Pages by Using HTTrackAltering the Login Field CodeAdding the Web Pages to the Apache ServerConclusion
Chapter 9: Detection, Measurement, and Reporting
DetectionMeasurementSelection of MetricsRatios, Medians, Means, and Standard DeviationsThe Number of Times an Email Is OpenedThe Number of ClicksInformation Input into FormsActions Taken by the VictimDetection TimeThe Timeliness of Corrective ActionsThe Success of Corrective ActionsRisk RatingsReportingKnowing When to Make a Phone CallWriting the ReportConclusion
Part III: Defending Against Social Engineering
Chapter 10: Proactive Defense Techniques
Awareness ProgramsHow and When to TrainNonpunitive PoliciesIncentives for Good BehaviorRunning Phishing CampaignsReputation and OSINT MonitoringImplementing a Monitoring ProgramOutsourcingIncident ResponseThe SANS Incident Response ProcessResponding to PhishingResponding to VishingResponding to OSINT CollectionHandling Media AttentionHow Users Should Report IncidentsTechnical Controls and ContainmentConclusion
Chapter 11: Technical Email Controls
Standards“From” FieldsDomain Keys Identified MailSender Policy FrameworkDomain-Based Message Authentication, Reporting, and ConformanceOpportunistic TLS MTA-STSTLS-RPTEmail Filtering TechnologiesOther ProtectionsConclusion
Chapter 12: Producing Threat Intelligence
Using Alien Labs OTXAnalyzing a Phishing Email in OTXCreating a PulseAnalyzing the Email SourceInputting IndicatorsTesting a Potentially Malicious Domain in BurpAnalyzing Downloadable FilesConducting OSINT for Threat IntelligenceSearching VirusTotalIdentifying Malicious Sites on WHOISDiscovering Phishes with PhishTankBrowsing ThreatCrowdConsolidating Information in ThreatMinerConclusion
Appendix A: Scoping Worksheet
Appendix B: Reporting Template
Appendix C: Information-Gathering Worksheet
Appendix D: Pretexting Sample
Confused EmployeeIT InventoryTransparency Survey
Appendix E: Exercises to Improve Your Social Engineering
Help a Random Stranger and Then Prompt for “Flags”ImprovStandup ComedyPublic Speaking/ToastmastersDo OSINT Operations on Family and FriendsCompete in Social Engineering and OSINT CTFs
Index

Content preview from Practical Social Engineering

Introduction

Social engineering is a lethal attack vector. It is often used as a means of delivering malware or other payloads, but sometimes it is the endgame, such as in attacks designed to trick victims into handing over their banking information. The beautiful disaster that comes from social engineering is that, aside from phishing, it is really hard to detect. Whether you’re just breaking into the information security industry, a seasoned penetration tester, or on the defensive side, you will likely be exposed to social engineering sooner rather than later.

Exploring the “why” before the “how” of social engineering can amplify your understanding, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098130213

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Social Engineering

by Joe Gray

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.