Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Defenses against Scams, Social Engineering and (Spear) Phishing

Introduction[edit]

Kicksecure does not protect against social engineering attacks. These attacks rely on human cognitive biases and trick people into revealing passwords or other sensitive information that allows the compromise of a target system's security. ^[1]

Other examples of social engineering include convincing someone to send a copy of logs or other information from the Kicksecure. In all cases, after trust has been established between the attacker and the victim, and sufficient information has been gathered, an exploit will be executed to perform harmful actions such as stealing personal or financial information, sabotaging the target's system, installing malware on target systems and so on. ^[1]

Phishing is specifically highlighted in this chapter because it is one of the most common social engineering vectors used to fraudulently obtain private information. In all cases, the phisher's modus operandi is impersonation of a genuine business or staff member in order to obtain sensitive personal or financial information from contacted people.

It is notable that social engineering attacks prey on human biases and utilize psychological manipulation techniques. In other words, successful exploitation does not rely solely upon technical measures to subvert the user's platform to achieve the same aim. Attacks using low-technology means are perhaps the greatest risk normal Internet users will face and successful defense requires both awareness and a cautious mindset that can identify how to respond to potential impersonation, lies, bribes, blackmail and threats. There are a host of possible motives for a social engineering attack, but the most common are for financial gain, revenge, self-interest ^[2] and responding to external pressure from friends, family or organized crime for the aforementioned aims. ^[1]

In the specific case of Kicksecure, the best tools for maintaining security are the knowledge that comes from research and experience, and healthy skepticism towards scenarios that pose potential security threats.

Attack Methodology[edit]

Social Engineering Cycle[edit]

Although each social engineering attack has unique elements, researchers have identified four primary phases in the lifecycle: ^[1]

• Information gathering: The attacker will gather information about the intended target(s) and related persons to build a relationship and increase the likelihood of a successful attack; for example, gathering birth dates, phone lists, personal interests, and organizational charts. Examples include:
  • Shoulder surfing to observe access codes or password/PINs entered on a keypad.
  • "Dumpster diving" to retrieve potentially useful information that has not been disposed of securely in waste systems.
  • Conducting mail-outs to gather information about individuals or organizations; for example surveys that offer prizes for completion.
  • Forensic analysis of old computer equipment like SSDs, HDDs, USBs, DVD/CDS or other removable media to extract relevant information about individuals or organizations.
• Relationship development: Targets with a trusting nature are exploited so a rapport is developed with the attacker. Conversations are initiated that seem appropriate for the context.
• Exploitation: After engaging with the target(s) for a sufficient period, trusted attackers use manipulation techniques to reveal sensitive information (like passwords) or have targets perform other actions that are abnormal, such as creating an account. This might be the end of the attack cycle or the completion of a preliminary stage.
• Execution and disengagement: Once targets have completed tasks requested by the attacker, the cycle is complete. Attackers slowly disengage from communications to not arouse any suspicion -- many victims are unaware that an attack has taken place.

Psychological Techniques[edit]

In order to achieve exploitation, attackers rely upon one or more of the following cognitive biases related to influence: ^[3]

• Authority: People will generally follow the instructions of perceived authority figures, even when the act is objectionable.
• Intimidation: Attackers state or imply there will be negative consequences if instructions are not followed. ^[4]
• Consensus: People will most often do things they see other people performing. ^[5]
• Scarcity: Demand is generated by perceived scarcity; for example when an offer is stated as being for a limited time only.
• Urgency: Similar to scarcity, attackers impress upon the target(s) that certain actions must be completed quickly.
• Familiarity / liking: It is easier for attackers who are familiar or liked to persuade others to take certain actions.
• Trust: Targets are more likely to perform actions if they believe the attacker is a trusted source such as "someone from IT" or a well-known company (like Microsoft).

Artificial Intelligence[edit]

It is notable that appealing and convincing (spear-)phishing emails can be supercharged by artificial intelligence methods. Consider the following research presented at the 2021 Black Hat and Defcon security conferences: ^[6]

...a team from Singapore's Government Technology Agency presented a recent experiment in which they sent targeted phishing emails they crafted themselves and others generated by an AI-as-a-service platform to 200 of their colleagues. Both messages contained links that were not actually malicious but simply reported back clickthrough rates to the researchers. They were surprised to find that more people clicked the links in the AI-generated messages than the human-written ones—by a significant margin. “Researchers have pointed out that AI requires some level of expertise. It takes millions of dollars to train a really good model,” says Eugene Lim, a Government Technology Agency cybersecurity specialist. “But once you put it on AI-as-a-service it costs a couple of cents and it’s really easy to use—just text in, text out. You don’t even have to run code, you just give it a prompt and it will give you output. So that lowers the barrier of entry to a much bigger audience and increases the potential targets for spearphishing. Suddenly every single email on a mass scale can be personalized for each recipient.”

Researchers emphasized it is easy for malicious actors to get access to OpenAI APIs that provide free trials and which do not verify personal information. This makes it more likely that AI methods will be regularly used for harmful phishing activities in the future, increasing the likelihood of success.

Exploitation Vectors[edit]

Common Phishing Attacks[edit]

The most common social engineering vectors relate to phishing attacks which are summarized below, as well as related exploitation vectors.

Table: Social Engineering Exploitation Vectors ^{[7] [1] [8]}

IDN Homograph Attacks[edit]

Video Could a SCAMMER fake apple.com? - URL impersonation, homoglyphs and homographs

Wikipedia provides a concise summary of this phishing attack vector: ^{[18] [19]}

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character "a" is replaced with the Cyrillic character "а". This kind of spoofing attack is also known as script spoofing. Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. Their incorrect or malicious usage is a possibility for security attacks.

IDNs exist because it allows non-English speakers to use domains in their local language. Unfortunately, depending on the font in use supported characters can be visually similar or identical to others. In certain browsers it is possible to construct phishing sites that are indistinguishable from the real, legitimate ones unless IDN is manually disabled and domains are shown in their raw "punycode" format. ^[20] Punycode encodings allow for various different types of input, including ASCII characters, non-ASCII characters, mixed strings/scripts and foreign languages. ^{[21] [22]} Internationalized domain names are prepended with the xn-- prefix, meaning the example domain name "bücher.tld" would be represented in ASCII as "xn--bcher-kva.tld". ^[23]

At the time of writing the default Firefox and Tor Browser settings remain vulnerable to this attack, while other browsers like Chrome, Chromium, Opera and Safari are protected. ^[24] To date, Mozilla has decided to rely upon domain registries, standards bodies and browser vendors developing an agreed plan to prevent IDN domain phishing scams. This is arguably a naive approach considering how long this attack vector has remained unfixed (over five years).

Quote Tor developer ^[25] Matthew Finkel @sysrqb:

And Mozilla's FAQ is/was https://wiki.mozilla.org/index.php?title=Gerv%27s_IDN_Display_Algorithm_FAQ&direction=prev&oldid=1169184

This situation is clearly unsatisfactory because malicious, spoofed websites can potentially record sensitive information like account details and passwords, among other harmful activities.

Security researcher Xudong Zheng provided a proof-of-concept homograph attack in this 2017 article: Phishing with Unicode Domains. By utilizing punycode he was able to register a domain name with foreign characters; in this example the domain "xn–pple-43d.com", which is visually equivalent to "аpple.com" due to the font used by Firefox and Tor Browser. The homograph attack is possible because the registered domain is using the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0061).

Figure: Fake apple.com Website

Figure: Real apple.com Website

This example illustrates that if the punycode form does not appear by default when multiple different languages are in use (hiding the unicode form), user confusion and spoofing attacks remain a distinct possibility unless a site's URL or SSL certificate is carefully examined.

It is possible to change Firefox and Tor Browser settings to enforce IDN domains in punycode form to detect malicious websites. Note: This may break some website domains utilizing languages other than English because everything will display either as ASCII or ASCII-encoded text.

• about:config → search for: network.IDN_show_punycode → toggle to "true"

When navigating to the same fake apple.com website in Tor Browser, the punycode allows identification that it is an illegitimate website.

Figure: Fake apple.com Website in Punycode Format

As the fingerprinting risk of this configuration change is unknown, it is currently unrecommended. To mitigate against this threat, avoid clicking on links to popular websites via emails or on social networking or other sites. Instead, manually type the website address into the URL bar or navigate to sites via reputable search engines. Browser extensions do exist to detect whether visited websites are homographs of another domain from user-defined lists, but this action is unrecommended in Tor Browser due to the fingerprinting risk.

If you run a personal website, it is also possible to check if phishers might have used IDNs to abuse the existing domain name via the IDN checker website. kicksecure.com is used in the example below and presently there are no existing, registered impersonations utilizing letters from different alphabets/languages. ^[26]

Figure: IDN Check for kicksecure.com

For further reading on this topic, see:

• Look-Alike Domains and Visual Confusion
• Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites
• IDN Checker: Domains Integrity Service
• Forum: Very hard to notice Phishing Scam - Firefox / Tor Browser URL not showing real Domain Name - Homograph attack (Punycode)
• Should torbrowser enable network.IDN_show_punycode by default?

Countermeasures[edit]

It is difficult to fully protect against social engineering attacks because no system is immune to human elements that can undermine the security of even the most robust systems. This is evidenced by the previous success of attacks that have targeted high-level government institutions, in addition to well-known corporations and business identities.

For Kicksecure users seeking to protect their security, the simplest solution is greater education and awareness of common methods used by attackers, as well as adopting a skeptical mindset. That means in virtually all cases, users should never provide any personal or other information that can reduce their security set, regardless of the forum. This includes all interactions with fellow Kicksecure users and developers on the available infrastructure, including forums, developer portals and so on. Similarly, technical advice that is provided should be carefully scrutinized and not followed unless the user is absolutely sure that it will not harm their security.

Outside of the Kicksecure context, virtually all social engineering attacks rely on an individual's trust in the claims and assumed authority that are invented by the attacker. Unless absolutely certain, potentially sensitive information should never be disclosed and suggested actions should not be performed as they can lead to a breakdown in security systems and theft of personal or financial information.

Organizational Measures[edit]

Organizations also need to employ robust measures that can reduce the likelihood of successful social engineering attacks, as well as limiting the potential harm if/when it does occur. This requires: ^[1]

• managers implementing protective measures and understanding their role
• security policies defining staff expectations, particularly regarding assistance offered by support teams and staff
• strong controls that restrict physical access to facilities for any staff, contractors or visitors
• security architecture that carefully controls outbound and inbound firewall access
• limiting the amount of data that is available on public websites, databases, internet registries, phone lists and so on -- generic information should be preferred to limit research opportunities for attackers
• implementing incident response strategies that ensure users have clear guidelines on procedures to be followed for different requests -- particularly methods of confirming authenticity before acting
• educating users about security issues and providing them with tools to react appropriately
• secure waste management procedures
• performing periodic tests of the security framework that are unannounced

Anti-phishing[edit]

With regards to phishing, anti-phishing training can be paired with additional technical measures for protection, including: ^[27]

• spam filters that reduce the number of phishing emails that reach inboxes ^[28]
• taking note of browser warnings regarding possible fraudulent websites
• adopting two-factor authentication (2FA) / multi-factor authentication (MFA) so stolen passwords cannot be used on their own to breach a specific system
• redacting URLs in email messages so it is impossible to click on embedded links
• using a smartphone as a second verification channel for all authorized banking transactions

Examples[edit]

Help Welcome[edit]

Please add screenshots, texts, examples of actual social engineering / phishing attempts with explanations of how it could have been detected as one.

See Also[edit]

• Mental Model
• Mobile Phone Security

Footnotes[edit]

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!