Committing Fraud using Social Engineering
An assignment is requested as follows: Conduct a risk assessment using passive non-intrusive means and gain access to a Fortune 500 company in one week so as to address the risk posed by fraud in a corporate environment.
Deliverable: Use theoretical and technical non-intrusive means in your POC.
Sample of how the problem was solved
Fraud is defined as the multifarious means which human ingenuity can devise, which are resorted to by one individual, to get an advantage over another by false representations.
For fraud to happen, 3 elements have to be present:
1. Rationalization >> 2. Perceived opportunity >> 3. Perceived pressure
Fraudsters, aka hackers, will use systematic social engineering as per below.
ssvforensic labs: The toolkit for this operation is not limited to:
Use passive non-intrusive means to gain access and leave stones unturned
Case: Fortune 500 company
411 about the firm: Fortune worth in excess of 2 billion dollars
Mission: Charles_Ponzi
Objective: Impact of pseudo frauds with the advent of Fraud-As-A-Service (FAAS)
RV choice: Kali Linux [Maltego, rapportive, facebook, Total AV, rootkit, jigsaw, glassdoor]
POC: Below
Sample Theoretical principle on Fraud in relation to social Engineering

Sample of the Technical detail using phishing techniques
Finally, use the transporter [sendmail] to send the package and hope netcat listens to something nice from your multi-handler; 7/10 times it will, as shown below.
The payload is encrypted with shikata_ga_nai, obfuscated 100 times.
This did not work due to the latest signature-based proactive defence technologies. We later use PEScrambler and another undisclosed tool to encrypt it more so as to bypass vendor-based AV signatures. PEScrambler is a tool to obfuscate win32 binaries automatically. It can relocate portions of code and protect them with anti-disassembly code. It also defeats static program flow analysis by re-routing all function calls through a central dispatcher function. We finally use totalAV to perform a malware net scan which yields: {+} A detection ratio of 0:47 against major antivirus scanners is desirable. None of the top vendors' signatures is able to detect the malicious PDF.
In conclusion, information is the new money. Fraud-As-A-Service (FAAS) is an organised scheme used by techno-savvy fraudsters to embezzle billions from companies. The three affected elements of non-cash frauds are a) Inventory, b) Securities and c) Information.