Mitnick Talks Social Engineering and Attack Tactics

Breaches get worse and attacks keep happening, as threat actors have all of the capability thanks to users’ habits.

Speaking at Infosecurity North America in New York City, author, speaker and chief hacking officer of KnowBe4 Kevin Mitnick said that threat actors are able to collect information on their victims all too easily. When evaluating a company, it is also straightforward to determine its suppliers, customers, partners, vendors and employees to enable a social engineering exercise.

In his opening keynote 'How to fight back against hacker attacks', Mitnick cited several examples of how to socially engineer a company and bypass traditionally strong security tools like anti-virus and two-factor authentication.

In one example, he said he had been hired by a Canadian retailer for an assessment. He was able to determine who an HR provider was, so he set up a cloned website using the Canadian .ca domain, called a member of the company and told them they were “standardizing top level domains” and to try .ca first. This gave him access to all payroll data and all salary history.

He said: “The attack was not so interesting to me, but the longest part of it was waiting for the DNS to propagate on the .ca domain, which took about half an hour.”

Mitnick also demonstrated how to bypass two-factor authentication, as “most companies offer one type of authentication.” His example was a PayPal invoice that asked for credentials; once these were intercepted, so were the victim’s session cookies. To prevent this, he recommended using U2F protocol tokens, but said that these can also be stolen.

Overall, Mitnick demonstrated how simple it is to hijack a victim with a small amount of personal data when doing testing. To defend against such attacks, he advised trying tactics that “the threat actors use” and creating tools that the employees want to use.


Source: infosecurity
