Like many of you, i feel like i could detect a social engineering attack. I know what to look for. I know the signs, and a lot of it is common sense to us, like you know, hey make sure that when you visit a website they’re using ssl tls, i hate seeing this and other things like don’t click. Officially, links in your email don’t give away information about yourself, don’t download stuff from websites you’re not familiar with, like i got that i got that locked down and i’m sure you do too. But what about when you’re feeling safe like when you visit a website that you always visit, that you know and love let’s, say: it’s networkchuck.com let’s go there networkchuck.com this site checks all the boxes. Right it’s got ssl um it’s from me. Networkcheck.Com, i mean you trust me right. This is a site that i hope you commonly visit and when you go there, you feel safe and, of course, that’s not just one website. There are a ton of websites that when you go there, you feel pretty safe facebook. Twitter, youtube i’m, like you feel pretty safe right now, right watching me on youtube, i don’t know. Hopefully you do, but let me run this past you what, if that website, you feel safe on what, if that was compromised, what if that website was hacked? If your favorite website got hacked, which of course is networkchuck.com right, i’m gon na make some assumptions one you wouldn’t know.
If a website gets hacked it’s, not gon na. Have this big red symbol, flashing we’re, hacked we’re hacked no it’s gon na feel like it. Normally, does you won’t know about it now, this type of attack is actually pretty common. It’S called a watering hole attack, watering hole, attacks are typically more targeted, and this is what makes them more dangerous. Let’S say they want to attack you a network chuck youtube subscriber. I mean you’ve subscribed right if you haven’t subscribe right now and hit that, like button, anyways, let’s, say they’re targeting my audience. They would assume that if you like my videos on youtube, you might go visit networkchuck.com my website. So, instead of the hacker trying to attack each and every one of you, they’ll set up an attack or a hack on a place that you might all visit the watering hole it comes from. You know an animal analogy and like a desert sahara situation, all the animals will come to one central place for water right and if you can poison that watering hole well, then you got everyone who visits so that’s. What they’ll do they’ll scan my website using some hacking techniques to find vulnerabilities and then they’ll exploit those vulnerabilities and set up their attack? It might look like this we’ll go to networkchuck.com forward, slash watering dash hole. This page looks totally legit right, like nothing fishy, going on here, totally safe now in real life. It won’t look like this.
Obviously they’re gon na make it seem like it’s a normal website, a normal page that you would normally visit and in a lot of cases they might try to get you to download something like this super safe download right here. In fact, if you want to do this, this is a live. Web page go visit it right now. Now i do need to say this: i’m not actually hacking anyone. This is totally a joke, so relax. But if you click on this and you try to download this man, you just got hacked you. Don’T have a virus on your computer to remove the virus. You need to uh, buy my coffee or become a member of my youtube channel either. One it’ll work just like magic now this is harmless right, but in real life this happens every day, so think about it. If you visited your favorite website, would you even know that you’re about to get hacked – and there are some scary examples i found of this? In some cases you didn’t have to do a thing you didn’t have to download anything. You just visited the website and boom. You were hacked, they got forbes ever heard of forbes kind of a big deal right. They had this thing and i think they still have it called thought of the day, which you could imagine attracting millions of users each day, here’s what it looks like now. They have their – i guess it’s called quote of the day now, but forbes a website that a lot of people trust they got hacked.
The hackers actually did two things: they uh used two zero day vulnerabilities, which zero day vulnerabilities it’s the worst kind of vulnerability. It’S vulnerabilities that no one knows about yet one attacked microsoft, internet explorer, which i mean if you’re using that you deserve to be hacked no i’m just kidding kind of, and then one was adobe flash player which see point number one what’s scary about this. Is that you just had to visit the website, you have to download anything didn’t have to sign up for things or put your credentials in no. No, you just visited the website and you were infected just like that. Anyone would fall for that. I would fall for that. I wouldn’t even know if i was falling for anything that’s. A scary attack. It just is watering hole. Attacks are scary because they take advantage of places that we feel safe, and the lesson learned here is that on the internet there really is no safe place. You got ta, be vigilant. You really can’t trust anything eventually. There will always be a vulnerability that you don’t know about now: watering hole, attacks, they’re common but they’re hard, because you have to actually hack the website to find a vulnerability, and these big profile websites are kind of hard to hack right. I would hope that facebook and twitter and linkedin all have crazy security teams that do all kinds of things so difficult to hack, but hackers don’t have to even hack the website to fool you have you ever uh started typing in the address bar and start typing.
Your favorite website and you had a little fat finger. A little typo like maybe you’re gon na go visit facebook.com, but instead of typing in facebook, you type in let’s, say facemook.com. This kind of mistakes happen all the time, not a big deal, but watch what happens when we do do that facemook.com. I i don’t like this. What just happened that see like it’ll redirect me to google, sometimes sometimes it’ll. Take me somewhere, weird yeah. I don’t know what just happened. Let me try it again. Let’S try face gook.com, just common things. You might just mistype bam. It just takes me like two random places. Look at that trying to fool me to do something classic fishing website. This type of attack is called a typo, squat or typo squatting, and it simply involves hackers going hey, um, there’s facebook.com, but what if people mistyped it little typo and let’s just go to face mooc or face. Remember hacking. Social engineering involves hacking, the human mind and human mind makes mistakes. The human fingers make mistakes, so these hackers will snatch up all these domain names that are similar to the existing ones. Now the big websites do try to mitigate that. Like google you’ve heard of google right uh, there was a notorious phishing website called goggle.com. You could imagine that’s pretty easy to type in as you’re typing right now. If you go to that let’s, try it out actually never mind it. Uh seems to be still kind of a thing yeah i don’t know, but typically bad example.
Right typically, these big websites will try to buy out these domains or sue these domains sue the people who own these to stop these phishing attacks. Now, sticking with a theme of hackers attacking you when you feel safe and secure it, doesn’t just apply to websites, it can apply the emails as well now we’ve already covered phishing emails in the series emails that we get, that we don’t want, but try to fool Us into doing something putting our passwords in clicking on links, things like that and they’ve gotten sophisticated. They can full even the best of us. They fooled my wife and the best way for companies to combat these phishing emails is to use a solid spam filter. This is normally an appliance or even a cloud service, and all of your email will go through this filter kind of like a brita filter or something it removes all the stuff you don’t want, but it can’t catch everything and it knows that hackers are getting smarter. Every day so here’s what they do now, as well there’s a thing called pre pending so let’s say in your company, you receive emails and they have a subject like all emails. Do so, for example, if you’re working for network chuck any email you receive from the domain, networkchuck.com so let’s say bob at networkchuck.comsuzy networkchuck.com. The spamfist is going to mark that as a trusted email because it’s coming from inside your company, it might even prepend something like this internal now, most of the time they don’t prepend anything they just leave it alone and that’s.
How you know you can trust that email. Then, of course, you’ll have your subject right after that coffee, but if you receive an email from an outside organization like maybe just a regular gmail account or another company, well, then your spam filter will by default flag that as external now, this is helpful because you Know hackers try to make emails seem like they’re safe, so hackers might craft an email that makes it look like it’s coming from someone inside your company, so it might say it’s from bob networkchuck.com and if you look in the from field and saw that you might Go oh well, that’s from bob. I know bob. I trust bob, but the spam filter’s smart enough to go whoa, wait that didn’t come from inside the company. They came from outside the company and it’ll flag that as an external email in the subject. So your employee should go hey, it says it’s from bob, but it’s marked as external something’s fishy here now. This is all good and great. This helps a lot, but hackers man – they don’t sleep. They get on this. What do they do? They take things that are meant for good and use them for evil, so hackers will often prepend their own stuff in the subject to make it seem like it’s, a trusted email. Maybe you um at your office are used to receiving uh, prepended emails that say internal and then maybe the hacker sends an email to your personal inbox, that’s prepended with internal just by daily conditioning of looking at that and trusting it.
You might click on that link in the email, because you trust internal prepended emails, so this is a primary example of how something we’re using for defense pre pending hackers, can turn around and use as offense right now, you are not safe if you’re on the internet. If you’re using the internet you’re not safe, you have to assume that hackers aren’t trying to attack you when you’re alert and vigilant and looking out no, no. No, they want to attack you when you feel safe when you’re at places that you let your guard down, but that should never happen. Your favorite websites, man, they can target those watering hole, attacks. You and your buddies. You and your buddies. Your company might go to one website if you’re a network check subscriber they might hack networkchuck.com. Please don’t do that, but they might do that. Knowing that my audience members go there and then suddenly bam you get hacked and they don’t have to hack a website. They can use something called typo squatting where they just buy up domains that thing your domains, networkchucks.com, goggle.com facemook and they put up a website that might seem legitimate and before you know it, you got hacked because you just typod and then even with emails systems that We use to make our emails better. Make us feel more protected. Pre pending flagging emails that are external internal, can be used against us. Hackers who will pre penned emails to make us feel safe when they’re, actually not so moral of the story again, you’re not safe.
Right now so be vigilant, anyways guys that’s. All i have today i’m at the beach house. Right now. I don’t have a beach house i’m, just at a beach house that’s, why you see the different scenery here, but hackers never sleep, and neither will i i’m gon na keep making videos even when i’m on vacation. So if you like this, video hit that like button, if you like what i’m doing here in general, subscribe hit that notification bell, so you get notified when i post stuff and if you like this course so far. This is part of my security plus course uh for free here on youtube i’m doing with david bomble and jeremy charra uh check out the playlist, and we also are releasing content as we release it or record it day by day at thisisit.io, so check that out.