Introduction to Social Engineering


Welcome to the social engineering phase. Ever wanted to hack humans, but don’t have the biological knowledge to do so? Well, social engineering is for you!


Introduction

Social engineering is the art of persuading someone to give you the information you need. It is usually easier and less risky than other forms of attacks and is often successful.

Social engineering comes in different forms, but all are based on the principle of posing as someone who needs or deserves the information.

The two principal forms of social engineering are:

  • Human-based

  • Computer-based

HUMAN-BASED

This functions at a personal level. It preys on qualities of human nature such as:

  • being helpful

  • trust

  • fear of getting into trouble

Any medium that provides one-to-one communications between people can be exploited - all it takes is a good actor/liar.

COMPUTER-BASED

Attacks employ software to retrieve data, but still require human input. They can function through a variety of media including:

  • Pop-up windows that ask victims for data or to sign up to a deal

  • Emails with links or attachments


Social Engineering Techniques

There are a variety of techniques that can be employed including:

  • Impersonating a valid user - may allow the attacker to gain physical access to a building and, once inside, gather information from devices

  • Posing as an important user - intimidating lower-level employees

  • Calling tech support - support staff are trained to help

  • Using a third person - pretending to have permission from an authorized source to use a system

  • Eavesdropping - unauthorized listening to conversations or reading of messages

Some of these techniques are described below with examples.

Phishing

Phishing often involves acquiring data fraudulently over the internet by masquerading as a trustworthy business. It employs spoofed emails to lead users to counterfeit websites designed to obtain data via trickery.

What makes it so successful is the ease with which seemingly authentic websites and legit-looking email can be reconstructed.

Spear Phishing

Spear Phishing is a targeted form of phishing.

Here, the attacker sends a message to a target making it look as if it was sent by a person the target trusts (e.g. family or co-worker).

It requires some research on the victim.

Whaling

Whaling is nothing else but spear phishing targeted at a BIG user - generally a senior manager, CEO, etc... who has all the information required by the social engineer.

The attack is slow and methodical and requires the attacker to profile the target in order to attack at the right moment.

Vishing

Vishing is a type of phishing attack that targets VoIP or mobile phones.

A criminal configures a war dialer to call phone numbers in a given region. When a call is answered, an automated recording is played to alert the consumer that their credit card has had fraudulent activity.

The message instructs the consumer to call a number. When called, automated instructions ask the caller to enter their credit card number on the keypad.

Reverse Social Engineering

Reverse SE involves attackers creating an assumed air of authority or knowledge such that potential victims actually approach them.

A typical reverse social engineering attack consists of three major parts:

  • Sabotage

  • Advertising

  • Assisting

Due to the nature of reverse attacks, and the development of trust, the hacker can receive much more information.

Impersonation

This is the act of pretending to be someone you are not - could be a manager, delivery driver, support technician, etc...

Impersonation can be done in person, over the phone or via email, chat, etc..

Dumpster Diving

What is going out in the trash? Was that shredded document completely shredded? What happens to the stuff in the waste paper bin?

Who might have access to it? Will it end up in a skip out the back of the building?

These are all questions you should ask yourself before throwing important stuff away. Dumpster diving involves scavenging through this kind of stuff to find any important documents, printed papers, contracts, emails, etc...

Shoulder Surfing

Who has not come across someone on a train or bus using their device to do some work?

Malicious social engineers can use this to their advantage to obtain passwords or other information by simply looking over the user's shoulder at their device.

Tailgating

Tailgating allows an attacker to gain physical access to buildings or other locations. Attackers rely on the kindness of someone entering a building to hold the door open for them.

It is especially effective when used in conjunction with impersonation.


Attack Steps

The basic steps of a social engineering attack are:

  • Research the company - get the lingo and inside knowledge on operational procedures, groups and individuals

  • Identify victim or victims possibly by their positions in the company (e.g. guard, secretary, manager)

  • Develop a relationship with the victim

  • Exploit the relationship for knowledge gain

  • Utilize the knowledge to move closer to a goal

It's important to note that EVERYONE is at risk. Even if we are aware of the problems, there is always a moment in time when we are vulnerable.

This is due to being busy, distracted, acting routinely and many other reasons.

Social engineers can be potentially anyone. Some typical examples include ex-employees, competitors, and hackers claiming to be employees, support staff or vendors.

They can be very patient, slowly building trust, moving contacts between departments collecting small pieces of information.

Why are they so effective? Well, because of some of the basic principles of social engineering, including:

  • Authority

  • Intimidation

  • Social Validation

  • Scarcity

  • Urgency

  • Familiarity/Liking/Trust

  • Reciprocity


Useful Countermeasures

Some of the most useful countermeasures against these techniques are as follows:

  • Training - increase awareness on social engineering

  • Operational guidelines - sensitive information, use of resources, etc.

  • Physical security policies - ID of employees

  • Classification of Information - categorize the information

  • Access privileges - accounts with proper authorization

  • Password policies - periodic password changes, account blocking after failed attempts, length and complexity of passwords
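The last countermeasure in the list (length and complexity rules, periodic changes, and blocking an account after repeated failures) is the one most directly expressible as code. The following Python is an added example, not material from the course: the thresholds (12 characters, 90 days, 5 failures within 15 minutes, 30-minute block) are assumed values that an organisation would set in its own policy, and the lockout uses a sliding window so that a handful of genuine typos spread over a day do not block the user.

```python
"""Password policy checks and failed-login lockout.

Added example (not from the course page). All thresholds below are assumptions
standing in for an organisation's own policy values.
"""
import re
from collections import deque

MIN_LENGTH = 12             # assumed minimum length
MAX_AGE_DAYS = 90           # assumed maximum password age (periodic change)
MAX_FAILURES = 5            # block the account after this many failures...
FAILURE_WINDOW = 15 * 60    # ...occurring within this many seconds
LOCKOUT_SECONDS = 30 * 60   # how long the block lasts

# Complexity rule: at least one character from each class.
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"\d",
    "symbol": r"[^\w\s]",
}


def password_problems(password):
    """Return the list of policy rules the password breaks ([] means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name} character")
    return problems


def password_expired(set_at, now):
    """True when the password is older than the policy allows (both in seconds)."""
    return now - set_at > MAX_AGE_DAYS * 86400


class AccountGuard:
    """Counts failed logins per account inside a sliding window and blocks
    accounts that reach the limit. Time is passed in explicitly so the
    behaviour is deterministic and testable."""

    def __init__(self):
        self._failures = {}      # user -> deque of failure timestamps in the window
        self._locked_until = {}  # user -> timestamp at which the block expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Log one failed attempt; returns True if this attempt locked the account."""
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Drop failures that fell out of the window before counting.
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure count for that account."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    print(password_problems("correct horse battery staple"))
    guard = AccountGuard()
    for t in range(5):
        print("locked on attempt", t + 1, ":", guard.record_failure("alice", t))
```

The sliding window matters in practice: a fixed counter that only resets on success will eventually block a legitimate user who occasionally mistypes, while an attacker who spaces guesses out still gets counted within the window. The lockout duration and window are deliberately separate so each can be tuned without touching the other.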

As an example, here are some key concepts you can use to identify a phishing email:

You can also look at the URL:
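To make the "look at the sender, the links and the URL" advice concrete, here is an added Python example (not part of the original course material) that runs a few common phishing heuristics over a raw e-mail: a display name that claims a brand while the sender domain does not belong to it, a Reply-To that diverts replies elsewhere, link text showing one address while the href points to another, hosts that imitate the trusted domain, bare IP addresses in links, and pressure language. The trusted domain `examplebank.com`, the phrase list, the similarity threshold and both sample messages are constructed assumptions.

```python
"""Heuristic phishing-email checks.

Added example, not from the course page. TRUSTED_DOMAIN, URGENCY_PHRASES and the
two sample messages are constructed for illustration; a defender would replace
them with their own organisation's values.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "examplebank.com"   # assumed: where genuine mail and links come from
URGENCY_PHRASES = ("urgent", "immediately", "suspended",
                   "within 24 hours", "verify your account")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True for hosts that imitate `trusted` without being it or a subdomain of it:
    the brand label embedded in a longer host (examplebank-secure.com) or a
    near-miss spelling (examp1ebank.com)."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    if trusted.split(".")[0] in domain:
        return True
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def analyse_email(raw):
    """Return a list of findings for one single-part message string.
    An empty list means no heuristic fired, not that the mail is safe."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    label = TRUSTED_DOMAIN.split(".")[0]

    # Sender checks: brand in the display name but not in the domain; lookalike domain.
    if label in from_name.lower() and not (
            from_domain == TRUSTED_DOMAIN or from_domain.endswith("." + TRUSTED_DOMAIN)):
        findings.append(f"display name claims {label} but sender domain is {from_domain}")
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates {TRUSTED_DOMAIN}")

    # Replies silently routed to a different domain than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Link checks: visible text vs. real target, lookalike hosts, raw IP hosts.
    for href, text in LINK_RE.findall(body):
        target = host_of(href)
        clean = re.sub(r"<[^>]+>", "", text).strip()
        shown = host_of(clean) if URL_TEXT_RE.fullmatch(clean) else ""
        if shown and shown != target:
            findings.append(f"link shows {shown} but points to {target}")
        if is_lookalike(target):
            findings.append(f"link host {target} imitates {TRUSTED_DOMAIN}")
        if IP_HOST_RE.match(target):
            findings.append(f"link uses a raw IP address {target}")

    # Pressure language (the urgency/intimidation principles) in subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


def is_suspicious(raw, threshold=2):
    """Simple decision rule: two or more independent findings."""
    return len(analyse_email(raw)) >= threshold


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
Reply-To: recovery@mail-examp1ebank.net
To: jane@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Verify your account within 24 hours or it will be suspended.</p>
<p><a href="http://192.0.2.10/login">https://www.examplebank.com/login</a></p>
"""

LEGITIMATE_SAMPLE = """\
From: "ExampleBank" <noreply@examplebank.com>
To: jane@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, "->", is_suspicious(sample), analyse_email(sample))
```

Each finding maps to one of the manual checks a user is taught to make, so the output doubles as an explanation when a message is quarantined. The checks are intentionally simple text heuristics; a real mail gateway would add sender authentication results (SPF, DKIM, DMARC) and URL reputation, which the script does not attempt.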
