How Social Engineering Attack Done by Pro Social Engineers
Today we're gonna find out what is a social engineer. So let's get right into it, So what is social engineering? And How Pro Social Engineers do that.
Who are Social Engineers and what is social engineering attack?
A Social engineer is someone who persuades another person to either disclose confidential information or perhaps provide access to restricted areas, such as a company server room by pretending to be someone they're not. And this act called Social engineering.
This is how social engineering defines or social engineering Definition.
Well, a social engineer might pretend to be from a maintenance company, or here to deliver a package, or they may pretend to be the CEO's new assistant, so they're pretending to be someone who would normally have access to the information or locations that they're looking for.
There are many different ways to conduct different types of social engineering. Let's imagine an attacker who wants to gain physical access to a server that's located in a corporate office building, the attacker might pretend to be from the company's internet provider, and tell the receptionist at the front desk that they need access to the server room to replace the modem.
They could also pose as the maintenance manager of an office and request access to a restricted area under the disguise that something like the heating or cooling system needs to be repaired. But social engineering doesn't always have to be in person.
Sometimes social engineers will call employees pretending to be from the help desk and request remote access, or call someone pretending to be a bank employee asking for account information.
But probably the most common type of social engineering that we see is email phishing or sending an email pretending to be from a trusted source.
You can see examples of social engineering For instance, in the popular television show, Mr. Robot in season one, Episode Five the main character Elliott uses social engineering tactics to gain unauthorized access to the steal backup facility.
- Social engineering attacks rely on which of the following?
Let's look at a few reasons why social engineering works as well as it does
- Trusting to anyone
The first reason is simple. We as humans tend to have a trusting nature. We don't want to believe that everyone is out to harm us. If someone calls or approaches us claiming that they want to help, our instinct is to take them at face value. This doesn't always mean we will fall for these tricks. But when paired with other tactics on this list, it certainly makes social engineering more effective.
we have urgency. humans tend to throw caution to the wind when faced with urgency. This is probably the number one reason why phishing campaigns from so-called executives are effective. When a high-level executive in the company tells you they need something done immediately. You tend to just do it. And this is because you don't want to let them down. Even if the request seems odd.
I can't tell you how many times in my career, I've seen financial teams set up wire transfers, because the CFO told them to do it immediately, only to later find out it wasn't the CFO at all.
Along with urgency comes fear. When you're afraid of failing someone important or losing your data, you may not think your actions all the way through fear affects our mind in an interesting way, and we're more likely to make a mistake.
fear of having the company find out that they got a virus to impair judgment, embarrassed and feared being reprimanded for it. This lowered people's judgment and in the end, they ended up allowing themself and the company's computer to become a victim to a social engineering attack.
Finally, and in my opinion, the most obvious reason is simply ignorance. A lack of understanding is the most dangerous thing. Perhaps you aren't someone who would fall for a scam. But what about your elderly grandparents? If someone who isn't extremely familiar with how the technology works, or familiar with these types of scams receives a call like this, they might not even think twice before doing whatever they're asked.
Now that we've discussed the human elements that make social engineering so successful, let's look at some of the factors that leave companies vulnerable to social engineering attacks.
- lacked security policies
First up, we have lacked security policies, or in some cases, no security policies at all. There should always be some policy in place that makes users aware of what information they're allowed to share via email or over the phone. If there's a policy in place that states that the help desk will never ask for your password via phone or email, then the end-user might think twice when they get this request from a social engineer.
- Poor permission regulation
Another factor is poor permission regulation. The more information a user has access to the more information that the company risks losing if that user is a target of a breach. Not all users in the company should have access to sensitive data. It's best to practice the concept of least privilege and only have access to a resource to those users who will absolutely need it.
- Minimal to no security Awareness Training.
Last but certainly not least, minimal to no security awareness training. How can a company get upset with their employees for clicking on a phishing email when they've never been told what one looks like? We discussed that ignorance and a lack of understanding is a huge reason why show social engineering attacks are so successful.
If companies are able to roll out a successful security awareness training program, their employees are much more likely to spot a scam before those who have never attended a security training at all. security awareness training can vary from company to company, but it's usually a combination of online learning modules and phishing tests in which a company will send phishing emails on purpose to gauge their employee's awareness.
- Social Engineering Phases
I should point out that not all social engineering attacks will go through all of these phases. Sometimes social engineering attacks aren't targeted. They just send a bunch of phishing emails to a lot of people. But this article is going to cover the phases of a targeted and focused social engineering attack.
There are four main phases of targeted social engineering attacks. So we'll look at each one of them.
- Recon and Information Gathering
So the first thing that an attacker will need to do when carrying out a social engineering attack is to research their target company. This is just like the first step of the cyber kill Chain you need to do your recon. The more information that you have about the company, the better prepared, you'll be to fool them into giving you the information that you need. There are many different ways to do recon on a target company.
The first and easiest way is to look through the company's website. The website will provide an overview of the company and if they have any blogs, they might have posted about recent events, promotions, or things of that nature. And this can all be really helpful information to a social engineer. by searching for the company's name online, you might be able to find them mentioned on local news sites or in press releases.
Sometimes when companies have large events or a new CEO or president is starting it ends up in the media. Employment websites and job postings can also be a treasure trove of information to a social engineer. organizations may not always send out emails to the entire staff when a new hire is starting.
So a social engineer could potentially go into a company pretending to be a new employee there, and the company's receptionist might be none the wiser and let them right in through the front door.
like dumpster diving, Dumpster diving is exactly what it sounds like. Organizations there are a lot of documents away and if there isn't a shredding policy in place, you'd be surprised at the type of information you can find just due to what people will carelessly throw away.
- Choosing an employee at the target organization
Once the research aspect is complete, the social engineer will choose an employee to target specifically, while it is possible to simply target the entire organization and send out emails to the full mailing list. Any experienced social engineer knows that they'll be much more successful if they choose one or two people to target.
When it comes to cybersecurity humans are always the weakest link. Sometimes targeting a new employee of the company can be helpful. They may not know every single person in the company so it might not faze them when they don't recognize your name or face.
Another target could be a disgruntled employee, they are already at the end of the road with their company and they just simply don't care what happens. careless employees are social engineer's best friend. These types of employees are not going to do extra work to follow protocol, they will always choose the easiest solution.
Whenever possible, social engineers will choose a target that either has access to what they want or has direct access to someone who does. Social engineers don't want to try to go through 10 people to get to their goal, the least amount of people they have to trick the easier their job is.
- Gaining the trust of that person
Once the social engineer has chosen an employee to target the next step is to gain the trust of that person and build a relationship with them. social engineering really depends on the victim trusting the social engineer completely. If there is a hint of doubt, the attack might not be successful.
In order to gain the trust of the employee, the social engineer might provide fake credentials. Through research done in phase one, they might have been able to see what an employee badge looks like and forge a recreation of one themselves.
knowing a lot about the company and recent events or functions helps to clear any doubt that the target might have about whether or not the social engineer can be trusted. This is why it's really important for social engineers to do extremely thorough research on the organization as a whole.
Before beginning their attack, the more that the social engineer knows the higher likelihood of them succeeding in gaining people's trust. Finally, social engineers will always have to be confident. When people sound like they know what they're talking about. Others tend to believe them.
Even if it goes against their better judgment. The moment a social engineer starts to sound unsure of themselves, the trust they built will be completely shattered. Once the social engineer builds trust or a relationship with the target employee,
- Exploit the weakest link
This is the final step for the social engineer as this is when they are going to try and gain access to what they were looking for. One thing a social engineer could be looking to gain is access to a particular restricted area. They could exploit their target by telling them that they normally have access there but they left their keys at home. If the target trusts the social engineer enough, they might help them out.
Some Social Engineering Attack Example
Another scenario is someone posing as an employee who just started the company. Perhaps they're trying to access a door With a key code, they could pretend they forgot the passcode since their first day and the target might actually be willing to give it to them.
Perhaps the social engineer's goal is to get a piece of malware installed on the network, they could tell the target they are trying to get a file off of the USB drive to open but it's not showing up when they plug it in, they'll ask the target to plug it into their machine and see if they can open it. However, when the trusting target clicks on the file from the USB, they are unknowingly infected with malware.
Another scenario could be that the social engineers' one and only goal is to simply gather Intel that isn't publicly available. It could be a case of corporate espionage, the social engineer could be trying to steal intellectual property or trade secrets. If they befriend the right target in the organization, that person might tell them all about how the company is run and how the products are, and how the products are produced.
Just a quick recap, the four phases of social engineering that we discussed in this Article are phase one researching your target organization. Phase Two, choosing an employee at the target organization, phase three, gaining the trust of that employee, and phase four exploiting that employee's trust.
- Social Engineering Techniques
social engineering techniques, there are tons of techniques that social engineers use, and we're going to cover a lot of them in this article. So in order to make things a little bit easier, I've broken them up into different categories, social engineering attacks that occur in person, social engineering attacks that occur via computer, and finally social engineering attacks that occur over the phone.
- In-person social engineering
Let's begin with in-person social engineering. When I talk about in-person social engineering attacks, I'm referring to any attack that isn't done over the phone or using a computer. This type of social engineering can't be done by an attacker who is sitting in their home, they have to go out and actively attempt their techniques on a person. Here are some techniques I consider to be in-person social engineering, eavesdropping, shoulder surfing, dumpster diving, tailgating, piggybacking, and finally impersonation.
Eavesdropping is a social engineering technique in which the attacker will attempt to listen in on private conversations to gain information.
An example of eavesdropping would be listening in while a helpdesk technician reads off a password to a user that had forgotten it.
Well, Eavesdropping can be as simple as being in the right place at the right time to listen to a conversation. Some attackers will take it one step further by creating their own listening devices.
- Shoulder Surfing
Shoulder Surfing is similar to eavesdropping, but instead of gathering information with their ears, attackers try to gather information with their eyes.
Shoulder Surfing is the act of spying on an unknowing user while they're entering private information.
One example of shoulder surfing would be an attacker watching a user type their username and password into their computer. While Another example would be watching a person type in their pin number into a banking system or ATM.
- Dumpster Diving
Dumpster diving is a social engineering technique in which the attacker will find personal information about an individual or organization in their trash.
People are often careless in terms of what they throw away and even junk mail could be potentially useful to an attacker.
Imagine an office worker who throws away an old list of user phone numbers because they received an updated list. Although the list they threw away might not be entirely accurate anymore, it's found has some phone numbers that are still relevant. If a social engineer finds us in the trash, they now have a semi-complete list of users and their phone numbers. This can be very useful to a social engineer.
When you hear the word piggyback, you might think of someone riding on another person's back. However, in terms of cybersecurity piggybacking means something else.
piggybacking is a social engineering technique in which the social engineer has tricked their target into allowing them to use or piggyback so to use or speak onto their credentials.
In this example
imagine a social engineer trying to gain access to a locked building. When a person comes over Along with a valid badge that grants them access to the building. The social engineer might say something along the lines of
' I forgot my badge. Do you mind letting me in '
and they're speaking to the good nature and people and a lot of folks will help them out.
tailgating is somewhat similar to piggybacking, so it's easy to confuse the two. But in a tailgating situation, the social engineer follows after the target without speaking to them.
Let's imagine a scenario in which a social engineer is carrying a large box. There may or may not be anything in the box, but to everyone else, it looks like they have their hands full. In order to be polite, the target may hold the door open for them. Or perhaps they don't even hold the door open for them, but they're probably not going to pay any mind if the social engineer sticks his foot out and keeps it open.
The main difference between piggybacking and tailgating is that in piggybacking, the social engineer has the person's consent to follow them in or use their credentials. In a tailgating scenario, the user did not give the social engineer explicit consent to enter the building.
If it's hard to remember, just think of it this way. When more than one person tailgates a car, it's done without consent. When a person gives another person a piggyback ride, though, it's something that's typically agreed on by both parties.
And the last in-person social engineering technique that I'm going to cover also happens to be the most common in-person social engineering attack.
Impersonation is exactly what it sounds like the social engineer is pretending to be someone they are not in order to gain access to something they should not have access to.
The person may pretend to be from the company's telecommunication provider requesting access to the server room, or the social engineer might pretend to be a potential client asking for a tour of the facility.
Either way, impersonation is a very popular and very effective technique used by social engineers. And impersonation isn't technically just an in-person technique. impersonation is used in all of the categories it's used in person. over the phone on the computer by email, impersonation is really the bread and butter of social engineers.
- Phone and Mobile Social Engineering
So that brings us into our next category, which is phone and mobile. These are attacks that are done either with a landline or through a cell phone. This category includes things like vishing, and smishing.
Vishing stands for voice phishing, and it's the process of trying to trick a user into disclosing personal information over the phone.
You hear this all the time on the news channels regularly talk about individuals who have received a phone call from people claiming to be with the IRS. Those people end up sharing all their information. And next thing you know, they have their identity stolen or elderly people who receive a phone call saying that their grandson is in jail and they have to send bond money.
These are all examples of vishing attacks. vishing attacks occur when a social engineer calls a user and pretends to be someone else in order to steal their private information or to steal their money.
Smishing, on the other hand, is very similar except that it occurs using text messages. Have you ever received a text message that you just didn't think was legitimate?
I once received a text message asking me to log into my Amazon account using a link in the text message to check the status of an order. Lucky for me, I was able to spot the fake message right away. I knew I didn't have any packages coming from Amazon at the time. And even if I had I probably would have checked it by logging into my account from the computer and not using that text message link.
But let's say for the sake of examples that I did click on that link in the text message. Most likely it would have taken me to a site that looked like Amazon was actually a fake created by the attacker. After I enter my login credentials, I might be redirected to Amazon but it would be too late. The attacker would already have my username and password. This is an example of SMS phishing, also known as smishing.
- Computer-based social engineering attacks
And the last category of social engineering attacks that we're going to talk about in this Article, are computer-based social engineering attacks. Obviously, computer-based social engineering attacks are going to be any of those social engineering attacks that initiate from a computer.
So this includes things such as pop-up messages, spam, spamming, and phishing. Pop Up messages from the web browser are a really easy and common way for social engineers to trick users into calling them and giving them personal information.
I honestly cannot tell you the number of times in my career, I have received a frantic call from an end-user panicking because they believe they've gotten infected with malware. I'll log into their computer remotely to see a giant frightening message plastered across the web browser, you have a virus, it will say the exact wording of the pop up might vary every time but the core of it stays the same.
This computer has been infected with malware, and the only way to resolve it is to call this number. Now 99.9% of the time messages like this are not actual viruses. Instead, when a user accidentally navigates to the wrong URL or allowed to get notifications from an untrusted source, they get that scary popup.
The purpose isn't to infect the user with malware at all. It's to get the user scared enough to call the number listed. Once the user calls the number, then the attacker on the other end works to take advantage of them.
However, in every case that I've personally seen a pop-up like that, go into the task manager and ending the task fixes it immediately or disable the notification in the browser that causing that popups can work also. But it's not always meant to be frightening.
Sometimes users will receive a message saying they won something like an iPad. And they'll have to call a number email or click something that fits into the pop-up social engineering category as well
as instant messaging scams are messages that are received through some type of instant messaging platform. This could be Gmail, chat service, Skype, or even Facebook Messenger.
Have you ever received one of those Facebook messages from a friend that says "hey man, I saw this video of you, I can't believe this is you" with a link video from some weird source If you don't click on it, you may find out later that your friend's account was compromised and started out sending out all these spam messages.
If you do click on it, well, then you might be the one sending out spam next. This is also considered a type of social engineering attack. So it's always best that if something looks suspicious, just don't click on it, and maybe call that friend and double-check with them actually meant to send that to you.
And that brings us to our final type of social engineering attack that we're going to talk about, and that is phishing. And I know that you all already know what phishing is.
It's the act of sending emails that appear to come from a trusted source in order to convince a user to disclose information.
Phishing is becoming such a huge problem in our world today, it seems like every single day, thousands of getting sent phishing emails.
So I will Cover How to do Phishing Attacks and Prevention in another Article.