Social Engineering: Greed, Fear, Phishing
Source: https://www.youtube.com/watch?v=uMkOphesrqI
Duration: 00:14:53
Key Points
- Humans are the weakest link in security, so attackers often use social engineering—exploiting greed or fear—to compromise targets.
- Successful attacks start with extensive intelligence gathering from sources like social media, LinkedIn, and company websites to personalize the lure.
- In a spear‑phishing scenario, attackers fabricate a targeted email (e.g., promising a laptop upgrade) that appears to come from a trusted domain and uses tricks such as typo‑squatting to deceive the victim.
- By tailoring the message to the victim’s role, desires, and known contacts, attackers increase the likelihood of credential theft, system takeover, or theft of intellectual property.
- The presentation outlines three attack goals—stealing credentials, gaining system control, and exfiltrating intellectual property—demonstrating how each can be achieved through tailored social‑engineering tactics.
Sections
- 00:00:00 (https://www.youtube.com/watch?v=uMkOphesrqI&t=0s) Social Engineering: Exploiting Human Weakness - The speaker explains how attackers target humans via social engineering—using greed or fear—to compromise credentials, system control, and intellectual property, beginning with a spear‑phishing scenario.
- 00:03:07 (https://www.youtube.com/watch?v=uMkOphesrqI&t=187s) Typo Squatting Phishing Prevention - The speaker explains how typo‑squatting attacks lure users to a fake login page to steal credentials and recommends using a secure DNS service such as Quad9 (9.9.9.9) to block access to known malicious sites.
- 00:06:16 (https://www.youtube.com/watch?v=uMkOphesrqI&t=376s) Phishing Leads to Remote Access Trojan - The speaker explains how a deceptive “free disinfection tool” download tricks users into installing a Remote Access Trojan, giving attackers full control, and stresses prevention through secure DNS filtering and user education.
- 00:09:21 (https://www.youtube.com/watch?v=uMkOphesrqI&t=561s) Deepfake Voice Scam Preparation - The speaker details extracting a conference video of a target, training a deep‑fake voice model from it, and using the resulting synthetic audio to call the target’s administrative assistant while impersonating the victim.
- 00:12:27 (https://www.youtube.com/watch?v=uMkOphesrqI&t=747s) Voice Deepfake Leads to $35M Loss - The passage recounts a real bank breach where AI‑generated voice impersonation fooled an employee into sending confidential data, and it outlines preventive steps such as user education, multi‑factor verification, and strict policies against sharing sensitive information via personal channels.
Full Transcript
Humans are the weakest link in any security system.
So if I'm a bad guy, why wouldn't I go ahead and hack the human instead of trying to figure out some technically complex way of breaking in?
Well, in fact, we call that social engineering, this hacking of humans.
And it many times relies on two different underlying motivations that we're going to exploit in human psychology.
And that is that people are largely driven by greed or the desire to get something, or they're motivated by fear.
And in some of these cases, we'll use both, but in some cases only one or the other.
I'm going to take you through three different scenarios where we are going to compromise credentials.
We're going to compromise control of the system, and we're going to compromise intellectual property of an organization.
Three different social engineering attacks.
Let's get into the details.
Okay, in our first scenario, we're going to compromise credentials.
That is the user ID and password you use to log into a system.
And something that makes for a successful human hack, or social engineering attack, is if you've done your homework in advance.
That is, you've gathered intelligence and done research on your victim.
So where would you do that?
Well, you might look at places like social media, like Facebook, like LinkedIn, like Google, and things like that to find out as much as you can about your intended victim.
In this example, we're going to do what's known as a spear phishing attack
where we're going to send a phishing email, but it's very, very targeted because I've done this intel.
And that's why it's more successful, because the generic stuff, people will kind of ignore.
So I go to these sources and out of that I'm able to ascertain the organization that my victim works for,
their email address. I'm going to get the title that they have within the organization.
I might find out other things like who their administrative assistant is--other things like that.
A lot of information is online and it's all going to come in useful.
Now, what I'm going to do from that is harvest some of that information and take advantage of it.
So let's say our victim has had a laptop issued to them by the company that's really old, and they're really looking forward to an upgrade.
So they're looking for it.
Maybe not greed, but something they're hoping to get out of this.
They want a laptop upgrade.
So what I'm going to do is if I'm the attacker, I'm going to craft an email to them.
And in the email I'm going to send it to this information that I got.
I'm going to make it from an address based upon the organization's domain name, and I might even address it to their title and so forth.
I'm going to put it in here as a subject that it's for your new laptop.
And all you have to do is click on the link in here for some website; let's say this is the website, example.com.
But notice I left the "e" out.
This is typo squatting.
This is where I get something that close and maybe no one notices a difference.
But it's close enough.
And I tell the victim, click on this link to log in and confirm your order.
And when they do that, they click on the link and they end up at the hacker's website.
And there it asks for their user ID and their password and click "Yes" to confirm your order.
They enter the information.
They think they're getting a new laptop.
What in fact happened was, we just stole their user ID and password
and added it to the hacker's database, where then they can come back in and log in and export all kinds of information from them.
Now, what could we have done to prevent this?
What would be a solution?
So you're going to find that there are some common solutions in these cases when we're talking about social engineering.
In this case, one of the things that would have helped is if we could have blocked him going to that website in the first place.
And the solution we have for that is a secure DNS.
And the capability I'm going to refer to is called Quad9.
Quad9 is a capability that's free.
All you have to do is change your DNS, that is your domain name setting in your browser,
or in your IP stack on your system, and set it to four 9s (9.9.9.9).
And when you do that, it has a blacklist, and it looks for some of these known bad sites and will keep you from going there in the first place.
So that could have prevented the person from getting there in the first place.
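As an added example (not code from the video), the check below models the two controls just described from the defender's side: a resolver blocklist, which is what a secure DNS service's list of known bad sites does, and a lookalike check that catches a domain one typo away from a trusted one, such as example.com with the "e" dropped. The trusted domains, the blocklist and the sample links are constructed for illustration.

```python
# Added example, not from the video. A blocklist only stops hosts already known
# to be bad; the lookalike check also flags an unknown domain that is one edit
# (or one swapped pair of letters) away from a domain the organization trusts.
# TRUSTED_DOMAINS, BLOCKLIST and every URL below are constructed for illustration.

from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumed: the organization's own domains
BLOCKLIST = {"xample.com"}          # constructed stand-in for a secure-DNS blocklist

def host_of(url: str) -> str:
    """Hostname of a URL, lowercased, ignoring userinfo, port, path and a leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (not merely a string containing it)."""
    return host == domain or host.endswith("." + domain)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by two adjacent characters swapped (exmaple vs example)."""
    if len(a) != len(b):
        return False
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]

def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, related_domain):
    'trusted'   host is a trusted domain or a subdomain of one
    'blocked'   host is on the resolver blocklist (a known bad site)
    'lookalike' host is one edit or one transposition away from a trusted domain
    'unknown'   none of the above; other controls and the user's judgement apply
    """
    host = host_of(url)
    for t in TRUSTED_DOMAINS:
        if under(host, t):
            return "trusted", t
    for b in BLOCKLIST:
        if under(host, b):
            return "blocked", b
    for t in TRUSTED_DOMAINS:
        if edit_distance(host, t) == 1 or is_transposition(host, t):
            return "lookalike", t
    return "unknown", ""

if __name__ == "__main__":
    for link in ["https://example.com/orders", "https://xample.com/login",
                 "https://example.com@examp1e.com/login", "http://exmaple.com"]:
        print(link, "->", classify_link(link))
```

Note that the third sample link puts the trusted name before an "@", so a user skimming the link sees example.com while the browser connects to the host after it; taking the hostname from the parsed URL, not from the displayed text, is what makes the check see the real destination.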
What's something else we could do?
Well, we really need to, if you think about this, this is an attack on the human, on their psychology, on their mind.
So there's where we need to put a lot of our defenses.
We need to do better user education.
We need to let them know that this kind of scenario can happen so that they're expecting it.
And ultimately, we've got to enforce these critical thinking skills.
Make people think, not just act.
In the first attack, we took advantage of the notion of greed or trying to offer them something.
And this next one, we're going to go with fear.
And sometimes fear is an even more powerful motivator.
In this case,
I'm going to ultimately try to get control over the user system.
So the bad guy over here is going to again do his research.
Again, gather the intel, find out the person's phone number, the victim's phone number.
And here's our victim here.
And he's going to get all of this information.
The more he has on the individual, the more convincing he will be when he calls them up.
And that's what he's going to do next.
He's going to call the victim and say, "I'm from a particular computer software company.
And we have detected that there is malware on your system and it's going to do great damage to you.
It's going to wipe out all your files.
It's going to, you know, do harm to generations yet unborn." And this is the motivation.
And there's a sense of urgency that we also add to this. Urgency with fear or greed becomes a multiplier.
So we want to put that urgency in if we're a social engineer.
So he's going to say, "What I want you to do is I need you to go to your computer."
So here's the guy's computer and he's going to go in here, and this guy is telling him, the attacker is telling the victim, you need to go download special software.
"I've got some software for your system.
Come over here to my site.
Download this free disinfection tool.
This will get rid of all your problems and it won't cost you anything.
Life will get better for you."
He downloads the software and puts it on his system.
Now what happens is it turns out what he was downloading was not making things better, it was making it worse.
In fact, what he downloaded is what we refer to as a RAT: a Remote Access Trojan.
Now, the bad guy has complete control over this user system.
They can log in to that system and do anything as if they were right on the system.
They can steal all of the information of theirs, all of the files, erase all of the files, get into the email, all of this kind of stuff.
So very damaging.
And in fact, this is a very, very common scenario.
A lot of people have fallen for it because of fear and because of the sense of urgency.
What can we do to prevent this?
Well, some of the things that would help are the same things I mentioned before.
If we had a way to block a bad site like this, and we knew about it in advance, the secure DNS would keep this user from accidentally downloading the bad software.
If we train the user, this is a scenario everyone should know about.
And that's what we're doing right now, is making you aware of that.
Then they're less likely to fall for that.
It turns out software companies don't call you up and tell you you've got malware on your system.
It doesn't happen.
If someone calls, hang up.
And the other thing is, again, develop those critical thinking skills.
We need people to question things and not just react, even if it seems like the sense of urgency is trying to get us away from that.
It's trying to remove any thought that we put in and just get us to operate at the brainstem level, sheer reaction.
And then another thing that we could add in here that might help is a technical measure called multi-factor authentication.
Multifactor authentication would make it so that not just entering a user ID and password would get this guy into the system,
but maybe it would require another form of authentication.
Something that you have, something that you are.
Now depending on the nature of the way this RAT works, that may or may not help, but it certainly can help in preventing other types of attacks.
In our final scenario, we're going to really amp it up on the fear side and the urgency side.
And we're going to really use some technology to enhance all of that and make it even seem more real.
In this case, what we're going to do is we're going to steal some corporate IP.
That's what we're after, intellectual property.
So how are we going to do that?
We'll start off with our bad guy down here, and one of the things he's done is, again, the intel phase.
He's gone out and searched all of this.
But, you know, one of the things he found in all of this was that this individual, our victim,
is going to be presenting at a conference, or attending a conference, that is at a specific date and time.
So he knows the person's going to be out of the office.
Another thing that this guy did in the meantime was he did some search on the web and found an instance
where there was a video of our victim doing a presentation at a conference, similar type of event.
He's going to take that and feed it into a form of artificial intelligence, AI, known as a deepfake generator.
The deepfake will take the information out of this video.
In this case, we're going to strip out the audio and train its language model
so that it can then produce an audio file that sounds like this individual, our victim.
It will sound almost exactly like them.
To the extent that someone might not be able to tell the difference.
And with that, then we can put words in that person's mouth.
So I can type up text and say, run that through this particular voice simulator.
And what comes out will sound like that person said something that, in fact, they never said.
So there's the big setup.
Now, what are we going to do?
What we're going to do is we're going to set this up so that we can make a call to this individual's administrative assistant,
which was also some information I got out of intel.
I found out their phone number, and now I'm going to place a call.
Except the call I'm going to place is going to go straight to their voicemail.
Now, how would you do this?
Well, you could do it by calling after hours, or you could do it if you know when they normally go to lunch,
or there are actually tools you can use that will allow you to bypass the ringing and have it go straight to voicemail.
Those tools already exist.
So what I'm going to do as the bad guy, is generate this message and I'm going to have it go off and call this person's voicemail.
And in the voicemail, I'm going to put a very urgent message.
I'm going to say, "Look, this is me", and whoever me is and say "I'm at the conference, as you know, and something really terrible happened.
I lost my phone.
That's why you see this call coming in from another number I had to use.
I had to borrow someone else's phone.
But I'm in real trouble right now.
And I need your help.
I need you, since I also don't have my laptop with me,
I need you to give me access to a file." Those sales figures, those product plans, whatever the intellectual property is that the attacker is after,
"I need you to send that to my personal email account, because if I don't get that within the hour, I lose my job. If I lose my job, guess what?
You lose your job too.
So this is to save our jobs.
You've got to act on this right now.
Don't even stop to think." That's the urgency.
And in that message on the voicemail, I'm going to also tell them the name of a personal email account.
But it's going to be the hacker's email account.
It's not going to be the other person.
This person, if they're sufficiently motivated and convinced because it sounds like their boss, they know the boss is at the conference.
So this all sounds very plausible.
And it sounds plausible because this guy did his research,
and then aided by some AI technology, is able to simulate the voice of the ultimate victim.
And this person then complies, sends the information, the confidential company information off to the bad guy.
And now the information has been leaked.
This is not just hypothetical, it actually happened.
There was a bank that lost $35 million where someone was exploiting this exact kind of scenario and imitating the voice of an executive.
Now, what could we do to prevent this, because we're about solutions?
Well, in this case, the secure DNS wouldn't help because it wasn't a website we were going to.
But certainly user education would help.
People need to know just because you heard something doesn't mean it's necessarily real.
You have to have the critical thinking skills to verify this.
Maybe call the person back.
Verify through another means so that you know that in fact the story is true.
And ultimately be trained: under no circumstances,
I don't care who is asking me to, I'm not sending confidential information to a personal email account.
I don't care what the justification is because that will get me fired for sure.
So these are the kinds of technologies that can help.
In many cases, though, if you think about it, it's not just about technology, it's about the user.
Unfortunately, no one has invented a firewall for a human mind.
If there was one, we could get it installed,
and then all we'd have to do is update the policy in everyone's head every time we found out about a new social engineering attack.
It's not that simple, obviously.
But hopefully you understand now, a social engineering attack is really not so much an attack on the system.
It's an attack on the individual.
And human psychology has certain weaknesses to it.
So what do we need to do?
In some cases, we can use technological means in order to thwart the attack.
But in most cases, it's going to be things like this where we're getting into the human mind
and trying to train them against this, make them strong against what otherwise would be this sort of vulnerability.
Thanks for watching.
If you found this video interesting and would like to learn more about cybersecurity, please remember to hit like and subscribe to this channel.