Introduction to Social Engineering
Welcome to the social engineering phase. Ever wanted to hack humans, but don’t have the biological knowledge to do so? Well, social engineering is for you!
Introduction
Social engineering is the art of persuading someone to give you the information you need. It is usually easier and less risky than other forms of attacks and is often successful.
Social Engineering comes in different forms, but all are based on the principle of disguising as someone who needs or deserves the information.
The two principal forms of social engineering are:
Human-based
Computer-based
HUMAN-BASED
This functions at a personal level. It preys on qualities of human nature such as:
being helpful
trust
fear of getting into trouble
Any medium that provides one-to-one communications between people can be exploited - all it takes is a good actor/liar.
COMPUTER-BASED
Attacks employ software to retrieve data, but still require human input. It can function through a variety of media including:
Pop-up windows that ask victims for data or to sign up to a deal
Emails with links or attachments
Social Engineering Techniques
There are a variety of techniques that can be employed including:
Impersonating a valid user - may lead to gaining physical access to a building and, once inside, gathering information from devices
Posing as an important user - intimidating lower-level employees
Calling tech support - support staff are trained to help
Using a third person - pretending to have permission from an authorized source to use a system
Eavesdropping - unauthorized listening to conversations or reading of messages
Some of these techniques are described below with examples.
Phishing
Phishing often involves acquiring data fraudulently over the internet by masquerading as a trustworthy business. It employs spoofed emails to lead users to counterfeit websites designed to obtain data via trickery.
What makes it so successful is the ease with which seemingly authentic web sites and legit-looking email can be reconstructed.
Spear Phishing
Spear Phishing is a targeted form of phishing.
Here, the attacker sends a message to a target making it look as if it was sent by a person the target trusts (e.g. family or co-worker).
It requires some form of research on the victim.
Whaling
Whaling is nothing else but spear phishing targeted at a BIG user - generally a senior manager, CEO, etc. who has all the information required by the social engineer.
The attack is slow and methodical and requires the attacker to profile the target in order to strike at the right moment.
Vishing
Vishing is a type of phishing attack that targets VoIP or mobile phones.
A criminal configures a war dialer to call phone numbers in a given region. When a call is answered, an automated recording is played to alert the consumer that their credit card has had fraudulent activity.
The message instructs the consumer to call a number. When called, automated instructions ask them to enter their credit card number on the keypad.
Reverse Social Engineering
Reverse SE involves attackers creating an assumed air of authority or knowledge such that potential victims actually approach them.
The typical reverse social engineering attack consists of three major parts:
Sabotage
Advertising
Assisting
Due to the nature of reverse attacks, and the development of trust, the hacker can receive much more information.
Impersonation
This is the act of pretending to be someone you are not - could be a manager, delivery driver, support technician, etc.
Impersonation can be done in person, over the phone or via email, chat, etc.
Dumpster Diving
What is going out in the trash? Was that shredded document completely shredded? What happens to the stuff in the waste paper bin?
Who might have access to it? Will it end up in a skip out the back of the building?
These are all questions you should ask yourself before throwing important stuff away. Dumpster diving involves scavenging through this kind of stuff to find any important documents, printed papers, contracts, emails, etc...
Shoulder Surfing
Who has not come across someone on a train or bus using their device to do some work?
Malicious social engineers can use this to their advantage to obtain passwords or other information by simply looking over the victim's shoulder at their device.
Tailgating
Tailgating allows an attacker to gain physical access to buildings or other locations. Attackers rely on the kindness of someone entering a building to hold the door open for them.
It is especially effective if used in conjunction with impersonation.
Attack Steps
The basic steps of a social engineering attack are:
Research the company - get the lingo and inside knowledge on operational procedures, groups and individuals
Identify victim or victims possibly by their positions in the company (e.g. guard, secretary, manager)
Develop a relationship with the victim
Exploit the relationship for knowledge gain
Utilize the knowledge to move closer to a goal
It's important to note that EVERYONE is at risk. Even if we are aware of the problems, there is always a moment in time when we are vulnerable.
This is due to being busy, distracted, acting routinely and many other reasons.
Social engineers can potentially be anyone. Some typical examples include ex-employees, competitors, and hackers claiming to be employees, support staff or vendors.
They can be very patient, slowly building trust and moving between contacts in different departments, collecting small pieces of information.
Why are they so effective? Well because of some of the basic principles of social engineering including:
Authority
Intimidation
Social Validation
Scarcity
Urgency
Familiarity/Liking/Trust
Reciprocity
Useful Countermeasures
Some of the most useful countermeasures against these techniques are as follows:
Training - increase awareness on social engineering
Operational guidelines - sensitive information, use of resources, etc.
Physical security policies - ID of employees
Classification of Information - categorize the information
Access privileges - accounts with proper authorization
Password policies - periodic password changes, account blocking after failed attempts, length and complexity of passwords
As an example, here are some key signs you can look for to identify a phishing email:
You can also look at the URL:
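As an added example (not part of the original course material), the following Python script applies the checks discussed above to a raw email: it compares the sender and Reply-To domains, inspects each link's real host against the domain its visible text claims, and looks for wording that matches the urgency, authority and scarcity principles listed earlier. The sample message, its domains and the cue-word lists are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Cue words mapped to the persuasion principles listed above (urgency, authority, scarcity).
CUES = {
    "urgency": ("immediately", "within 24 hours", "urgent", "suspended"),
    "authority": ("ceo", "it department", "security team", "compliance"),
    "scarcity": ("last chance", "limited time", "final notice"),
}
LINK_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})")  # domain a link's text claims


def _domain(header_value):  # domain part of an address header, '' if absent
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_email):
    """Return human-readable red flags found in a raw RFC 822 HTML email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    flags = []
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for href, text in LINK_RE.findall(body):  # regex suffices for this constructed HTML
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link host is a bare IP address: {host}")
        shown = next(iter(SHOWN_RE.findall(text.strip().lower())), "")
        if shown and shown != host and not host.endswith("." + shown):
            flags.append(f"link text shows {shown} but points to {host}")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    for principle, words in CUES.items():
        hits = [w for w in words if w in lowered]
        if hits:
            flags.append(f"{principle} cue(s): {', '.join(hits)}")
    return flags


# Constructed sample lure (not a real message) exercising several indicators at once.
PHISHING_EMAIL = """\
From: "IT Security Team" <helpdesk@corp-example.com>
Reply-To: verify@corp-example-support.net
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Our security team requires you to verify your password immediately.</p>
<a href="http://corp-example.com.login-portal.example/verify">https://corp-example.com/verify</a>
"""
```

Calling phishing_indicators(PHISHING_EMAIL) reports the mismatched Reply-To domain, the link whose text claims corp-example.com but points elsewhere, and the urgency and authority cues; a plain message with a link whose text and host agree returns an empty list.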