Social Engineering

PRETEXTING

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and manipulate victims. It takes good observational skills and empathy. The latter can be honed by considering the mindset of others. Who - internally - ask:

Who are you
What do you want
Are you a threat
How long will this take

Addressing these concerns before engaging with the mark, can weaponize the social engineer to pretext successfully.

BAITING

A good example of baiting is illustrated by Secure Network Technologies. This company were hired by a credit union to assess their vulnerabilities and security posture. The test involved dropping twenty flash drives, containing a Trojan virus, which were left in the car park and other areas nearby. Once plugged in, these portable thumb drives collected employee passwords. Fifteen of the twenty drives were found and plugged in by employees.

In another test a mobile coffee unit offered free coffee's to employee providing they enter their username and password

into a 'networked system' to verify they were genuine staff. As you can imagine, the ploy was equally as successful.

TAILGATING

Tailgating is used to gain access to a secure building by blending in and making you think that the hacker truly belongs there. Drop off points - used by deliveries - are often exploited by attackers because of the frequency of unfamiliar personnel coming and going. Side doors are also good entry points. They are often used by workers who smoke - some of whom enjoy talking to others and will happily hold the door open for you instead of following protocol. Even 'clocking' the name of the security guard on the front desk can be helpful - 'Oh, sorry, David said I was to come straight here'. . .

MITIGATION STRATEGIES

GET TRAINED: Knowing the techniques used by social engineers will help you identify them when employed by others. This knowledge is your best defence against the dark arts. A strong security program will take the time to explain how we are tricked, use illustrative examples and explain why security controls and protocols exist.

ALWAYS FOLLOW PROCEDURES: For example,
- Always challenge unfamiliar staff with a polite 'can I help you?' or contact your supervisor or security team when you are unsure. There is a reason why we wear ID badges, lock doors and do not hold them open for others.

Don't plug in unfamiliar USB drives or any other form of portable media - hand it over to IT where it can be investigated and returned to the rightful owner

Be wary of giving out personal data or sensitive data - whether the request is over the phone, by SMS or in the shape of an email. This might be as simple as asking
- Do I know you?
- How sensitive is the information you need?
- Why do you need this information?
- Is this request expected?
- Does the request conform to protocol?
- How can I confirm the authenticity of this request through the use of other means?
- Am I being caught up in a story being told (a typical red flag moment).

WATCH THOSE EMAILS: Always check the 'from' field and hover the mouse over any link to see it's true destination. If the email is sensitive, you can also ask
- Is the tone and grammar recognisable?
- Does the formatting look correct?

WATCH YOU DIGITAL FOOTPRINT: When was the last time you ran a search engine on your name? Have you yet to explore the privacy settings on your social media account? What about friends and relatives? Can I get to you via them? If your details appear on a website you are quite within your rights to request their removal under GDPR.

KEEP A CLEAN DESK: It's amazing what a scruffy desk can tell the social engineer. Is there an internal phone directory on display? Can I see what operating system you use, what browser and mail client? Are there personality clues, which I can exploit.

BE MINDFUL OF YOUR ENVIRONMENT: When I'm on the train, I mindful of who can overhear my phone calls or see my laptop screen or the password I enter. But we can apply these rules elsewhere too - even at our place of work.

BEFORE WE BEGIN

The reason for this article is not to teach you how to social engineer. Yes, it might, and you might be interested in learning too, however, conducting a pen-test along these lines requires the consent of the target organisation and clear - documented - rules of engagement. Polices and procedures must be air-tight from a legal standpoint.

We often hear about the attacker who uses technical expertise to infiltrate computer systems and compromise sensitive data, prompting organisations to invest in new technologies that will bolster network defences.

However, there is another type of attacker who uses different tactics; they are called “social engineers” because they exploit the one weakness that is found in every organisation: human psychology. Using phone calls and other media, these attackers fool people into handing over sensitive information.

YOU JUST NEED A BIT OF SPADEWORK

With a bit of research, cybercriminals turn a very obvious attack into a cunning ruse that is hard to spot. For example:

LinkedIn: Tells me your job history; where you were educated, what school you went to, your academic achievements, associations you are involved in and the people who endorse your skills

Facebook: Gives me your favourite movies; the clubs you belong to, your friends, your family vacations, your favourite foods, places you've lived and much more to boot

Twitter: Tells me what you are doing right now, your geolocation, your opinions and emotional state

Corporate Websites: Gives me your business objectives, address, name and title of personnel, email addresses or how emails are structured, corporate branding and formatting and in some cases, a means to access the IT infrastructure if the website used by the organisation is vulnerable to attack.

IS THAT ALL?

Well, since you asked - no it isn't. There are sites like Webmii and Piple, which, according to Christopher Hadnagy,

'is what would happen if the White Pages and social media scraped sites and had a baby. What is great about this site is that you can search for a name, a user name, a nickname, or any other detail you may have about someone' in order to unearth their personal data. You can also download tools like Maltego which gather information from disparate sources and automatically combines them into a comprehensive graphical representation - which you can visually explore to determine the relationships within the data.

PILLAGING DOCUMENTS

The web also gives us access to a plethora of documents; pdfs, Excel files, Word documents and pictures. Apart from the obvious reasons, these documents are useful because they have something known as 'metadata'. Metadata, for example, gives us the

Date and time the document was made
The author's name and title
How many revisions the file has been through, and so on

If we're talking about a picture, then the metadata might give me intel on the camera used as the location it was taken.

SO WHAT?

Just the name and the type of document can be a huge piece of intel for the social engineer. To use Hadnagy's example, what if I was to find a new HR policy from your company? The metadata reveals when the policy was last revised, who wrote it, and when it was released. A phishing email that seems to come from the author and appears to include an update would surely get more than a few clicks.

POPULAR TECHNIQUES

Here are a few of the most common social engineering techniques to be on the lookout for.

PHISHING: Uses a fake email to trick a user into giving away sensitive information or downloading harmful software. There are quite a few different forms of phishing.

WHALING: Emails purportedly sent from enterprise leaders requesting sensitive data or payments

SPEAR PHISHING: Bespoke emails carefully crafted to deceive the recipient. These are well written, well formatted and context aware. They will include 'insider' information because they are the product of considerable research on the target organisation.

MASS CAMPAIGNS: With generic information. These are easier to detect but successful because of the sheer number of people who receive them.

SOME THOUGHTS ON SPOOFING:

An effective phishing email will use 'spoofing'. Lets say our supplier is called trident and their emails usually look like this : someone'sname@trident.com

Step 1: I create a similar domain called tridant. To cut to the chase, businesses buy domains (for as little as a tenner) so they can set up a website and company email using that name.

Step 2: I research the supplier (probably by trawling their webpages) and find out that Robert Smith is the director. His social media account also gives me the load-down on his personal life

Step 3: I now send an email to the company from robertsmith@tridant.com. There is a good chance that the recipient won't notice the variation in spelling and will assume that the email comes from their actual supplier.

VISHING

Vishing uses the phone instead of email. Scammers ask for personal information such as date of birth, address, financial information, etc in order to exploit that data for personal gain. The social engineer will use one or more of the following:

The authority principle: they will claim an important job title to convince you to hand over data

The intimidation principle: they will act belligerently, telling you that there will be unpleasant financial or legal consequences. This prevents the target from thinking straight.

The familiarity principle: conversely, they may be very personable or seek common ground to create a bond between you and them

The trust principle: involves citing professional credentials or known organisation information to sound credible

The social proof principle: they may claim that you both know a trusted 3d party which implicitly suggests that they are also trustworthy - we all know each other!

The urgency principle: finally, the social engineer might claim that a situation is urgent or that he or she has very little time to verify their identity.

If you don't believe that these principles works then you should definitely check this YouTube video out: