Social engineering is an important and timely topic in cybersecurity and information protection. The term covers a wide range of methods and techniques used to manipulate people into giving up sensitive information, confidential data, or access to protected systems. Its essence is to exploit human nature and human inconsistency: to lead people away from safe behaviour and into unsafe actions. It works through manipulative techniques that play on trust, carelessness, or unfamiliarity. Its most widespread application is phishing, in which scammers try to extract confidential data such as passwords and credit card numbers, spy on victims, or pressure them over the phone.
A second form is social engineering in the physical world, where attackers exploit social situations to gain access to premises or systems through cunning, persuasiveness, or borrowed access. Preventing social engineering requires a combination of technical and human measures. The main ones are educating people about potential threats and manipulation techniques, strengthening information security, using strong passwords and secure authentication, updating software regularly, and running up-to-date anti-virus tools. Organizations should also take their own measures against social engineering, including deploying security systems, restricting access to confidential data, running awareness campaigns in the workplace, and adopting policies that govern the handling of confidential and other information. These measures offer only partial protection against social engineering, but they play an important role in preventing attacks and protecting valuable data. Understanding the principles of social engineering and implementing security controls helps protect information from unauthorized access and guard against potential threats.
Social engineering is any attack that exploits human psychology to influence a target, making them either perform an action or give up confidential information. These attacks are prevalent in the information security industry and the hacking community, but we also encounter such behaviour regularly in everyday life. For example, sales and marketing teams often use social engineering tactics.
A salesperson cold-calling potential customers may try to influence the person on the other end of the line by offering a solution to their problems. Children often appeal to what the "cool kids" are doing to get what they want from their parents, while parents, in turn, may exaggerate the negative consequences of a child's misbehaviour (remember being told what would happen if you ate too many sweets?).
What is social engineering?
Some readers of this book may have received a call from the "bank security department" or an email from a "Nigerian prince". Many people, myself included, have received phishing emails threatening to leak embarrassing screenshots, or inviting them to change a social media password on a "new" site. This book teaches the basics of social engineering from the perspective of a pentester¹.
The concepts presented here will help you understand how to use social engineering ethically, copying an attacker's tactics so that you can reveal weaknesses in a security program and fix them. You will be authorized to carry out social engineering attacks, but you cannot control how your targets respond.
The chapters describe the components of social engineering, including the most common types of attacks. As a pentester you may use any of them, but I adhere to strict ethical limits and avoid targeting employees' personal resources, including their mobile devices, social media accounts, and home computers. The bad guys rarely limit themselves on moral grounds, but that does not mean you have to follow their lead in everything when testing. We discuss this point in Chapter 2.
Pretexting
In social engineering, pretexting is the act of impersonating someone. You may wear someone else's uniform, tell a fictional backstory, or invent a fictitious reason for making contact. I use the term for any pretext for speaking to the target. If, for example, you tell the guard at the entrance that you work for the trash collection company, while holding a clipboard and wearing that company's uniform, that is a pretext.
Open source intelligence
Open source intelligence (OSINT) is the collection of information about your target from publicly available resources. Sources of OSINT include newspapers, search engines, documents filed with regulatory agencies, social media, advertisements, and review sites, and this is not an exhaustive list. OSINT helps you invent a pretext for contact.
¹ Pentest is short for penetration test, that is, a test of intrusion into a protected area (for example, a corporate network). A pentester is an information security specialist hired to test how reliably a system resists intrusion. – Translator's note.
OSINT can make or break your social engineering efforts, because to succeed you often need to know important details about the target company and its employees. What virtual private network (VPN) do they use? What other technologies do they use in their work? What is the physical layout of the organization's building? Knowing such details greatly simplifies the interaction. Several leading penetration testers have told me that the optimal ratio of time spent collecting OSINT to time spent actually penetrating ranges from 30/70 to 70/30.
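To make the "what technologies do they use?" question concrete, here is an added example (it is not from Gray's book) that fingerprints third-party mail providers from a domain's public SPF record, the DNS TXT record listing the services authorized to send mail on the domain's behalf. The target domain example-corp.test, its records, and the resolver table are constructed so the code runs offline; the provider table maps well-known include targets to the products they indicate, and the walk honours the ten-lookup limit of RFC 7208 so it behaves like a receiving mail server would.

```python
import re

# Constructed DNS TXT data for a hypothetical target, example-corp.test.
# Third-party records are abbreviated stand-ins for what those providers publish.
CONSTRUCTED_TXT = {
    "example-corp.test": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com "
        "include:spf.example-corp.test -all"
    ],
    "spf.example-corp.test": ["v=spf1 include:sendgrid.net ip4:203.0.113.0/24 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:40.92.0.0/15 -all"],
    "_spf.salesforce.com": ["v=spf1 ip4:13.108.0.0/14 -all"],
    "sendgrid.net": ["v=spf1 ip4:167.89.0.0/17 -all"],
}

# Well-known SPF include targets and the product each one reveals.
PROVIDER_HINTS = {
    "spf.protection.outlook.com": "Microsoft 365 (Exchange Online)",
    "_spf.google.com": "Google Workspace",
    "_spf.salesforce.com": "Salesforce",
    "sendgrid.net": "Twilio SendGrid",
    "amazonses.com": "Amazon SES",
    "mailgun.org": "Mailgun",
    "servers.mcsv.net": "Mailchimp",
    "mail.zendesk.com": "Zendesk",
}


def lookup_txt(name, table=CONSTRUCTED_TXT):
    """Offline stand-in for a DNS TXT query; swap in a real resolver for live use."""
    return table.get(name.lower(), [])


def spf_record(name, resolver=lookup_txt):
    """Return the v=spf1 TXT record for name, or None if it publishes none."""
    for txt in resolver(name):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def fingerprint_spf(domain, resolver=lookup_txt, max_lookups=10):
    """Follow include:/redirect= terms from domain's SPF record and report what they reveal.

    RFC 7208 limits a record to 10 DNS-querying terms; receivers treat more as a
    permanent error, so the walk stops there and flags the result as truncated.
    """
    found = {"providers": {}, "includes": [], "ip4": [], "truncated": False}
    queue, visited, lookups = [domain.lower()], set(), 0
    while queue:
        name = queue.pop(0)
        if name in visited:
            continue
        visited.add(name)
        record = spf_record(name, resolver)
        if record is None:
            continue
        for term in record.split()[1:]:          # skip the v=spf1 version tag
            low = term.lower().lstrip("+-~?")    # drop the pass/fail qualifier
            if low.startswith("include:") or low.startswith("redirect="):
                if lookups >= max_lookups:
                    found["truncated"] = True
                    continue
                lookups += 1
                target = re.split(r"[:=]", low, maxsplit=1)[1]
                found["includes"].append(target)
                if target in PROVIDER_HINTS:
                    found["providers"][target] = PROVIDER_HINTS[target]
                queue.append(target)             # recurse: a vendor's record may name more vendors
            elif low.startswith("ip4:"):
                found["ip4"].append(low[4:])     # the org's own or directly delegated ranges
    return found


if __name__ == "__main__":
    result = fingerprint_spf("example-corp.test")
    for include, product in result["providers"].items():
        print(f"{include:30} -> {product}")
    print("ip4 ranges:", result["ip4"], "truncated:", result["truncated"])
```

The recursion matters: the SendGrid dependency in the constructed data only appears inside the organization's own spf.example-corp.test sub-record, so a one-level look at the apex record would miss it. Each provider found is a candidate pretext (a "notification from your Salesforce administrator", for instance) and, for defenders, a reminder that SPF is public and enumerable.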
Phishing
Phishing is perhaps the most common form of social engineering. It is the sending of fraudulent emails with the aim of influencing or coercing the target into providing information, opening files, or clicking links. Later in this book I describe the various methods you can use to do this.
Generic phishing emails are usually not addressed to any specific recipient. Instead, they are sent to huge lists of email addresses bought by scammers and criminals, which means you can email a large number of people without collecting OSINT about them. With virtually no knowledge of the target's context, you might send a generic email that tries to trick the user into visiting a fraudulent website or downloading a file. When the victim opens the file, a remote command shell may be opened on their computer, or malware may be installed. Once attackers have a remote shell or malware running, they can interact with the system and run exploits and privilege escalation attacks to compromise the system and the network further.
Sometimes exploit kits (software used to carry out further attacks and download malware) use phishing to spread malware. According to Symantec's 2018 Internet Security Threat Report (ISTR), 0.5 percent of all URL traffic is phishing and 5.8 percent of that traffic is malicious. That is 1 in 224 of all URLs!
However, simple phishing attacks like the one just described are uncommon in ethical hacking and penetration testing. If a client hires you to perform a penetration test, it is safe to assume they are competent enough in security to avoid a simple phishing attack.
Spear phishing
Spear phishing is a variant of conventional phishing in which the social engineer focuses on a specific target. If you were fishing with a spear instead of a net, you would need to know how each kind of fish behaves and how to approach it. Likewise, as a pentester you need to collect, aggregate, and use OSINT about your target company or individual in order to set up the approach properly.
The ISTR names spear phishing as the number one vector in targeted attacks. The 2018 report estimated that 71 percent of organized groups, including nation-state intelligence services, cybercriminals, and hacktivists, use spear phishing to achieve their goals. In 2019 this figure dropped to 65 percent.
If you are a pentester focused on social engineering (or a consultant at a firm that other companies pay to act as attackers), you will probably spend most of your working time developing phishing campaigns. They are the most common attacks companies face and require the least direct interaction, which makes them the most affordable for potential clients.
You would start with an OSINT investigation of the target company or a specific person. For example, you might learn which service providers they use. Then you craft a phishing email claiming to be a representative of their insurance company who wants to clarify some details. You insert the insurance company's logo along with the wording that company actually uses, and send the victim to a clone of the company's real website to harvest their credentials or get them to download a file.
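The defensive counterpart of the scenario above, as an added example that is not from the book: a triage script that parses a raw email and flags the tells of exactly this kind of lure, namely a brand in the display name on an unrelated sending domain, a Reply-To that diverts answers elsewhere, failed or absent SPF/DKIM/DMARC results in the receiving server's Authentication-Results header, and link text that shows one host while the href points at the clone. The two messages, the brand table, and the .test domains are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand and its legitimate domain, as a defender would configure them.
KNOWN_BRANDS = {"acme insurance": "acme-insurance.test"}

# Constructed lure modelled on the insurance scenario; .test is a reserved TLD.
PHISH_MESSAGE = """\
From: "Acme Insurance Claims" <claims@acme-insurance-portal.test>
Reply-To: intake@acme-claims-secure.test
To: jane.doe@example-corp.test
Subject: Action required: verify your policy details
Authentication-Results: mx.example-corp.test; spf=softfail smtp.mailfrom=acme-insurance-portal.test; dkim=none; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane, we need to confirm a few details about your policy.</p>
<p>Please sign in at <a href="https://acme-insurance-portal.test/login">https://www.acme-insurance.test/login</a>
within 24 hours to avoid suspension of cover.</p>
</body></html>
"""

# Constructed benign message from the real brand, for the negative case.
LEGIT_MESSAGE = """\
From: "Acme Insurance" <claims@acme-insurance.test>
To: jane.doe@example-corp.test
Subject: Your renewal documents
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=acme-insurance.test; dkim=pass header.d=acme-insurance.test; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Your renewal documents are ready at
<a href="https://www.acme-insurance.test/account">www.acme-insurance.test/account</a>.</p></body></html>
"""

HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def host_of(text):
    """Hostname named by a URL or bare domain in text, or '' if it is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    try:
        host = (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""
    return host if HOST_RE.fullmatch(host) else ""


def triage(raw_message, brands=KNOWN_BRANDS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)

    # 1. A brand in the display name, but the address is not on the brand's domain.
    for brand, legit in brands.items():
        if brand in from_name.lower() and from_domain != legit \
                and not from_domain.endswith("." + legit):
            findings.append(f"display name '{from_name}' but sender domain is {from_domain}")

    # 2. Reply-To silently routes answers to a different domain.
    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(str(msg["Reply-To"]))[1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Anything other than pass from the receiving MTA's authentication checks.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 4. Visible link text names one host while the href points to another (cloned site).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                findings.append(f"link shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, triage(raw) or ["no findings"])
```

None of these checks is conclusive on its own (marketing platforms legitimately set a foreign Reply-To, and DKIM is often absent), which is why the script reports findings rather than a verdict; the constructed lure trips all four, the benign message none.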
Whaling
Whaling is phishing aimed at the "big fish", usually a company's senior executives. In my social engineering penetration tests I have found these people to be more trusting than many others. They also usually have more access rights than a normal user; for example, they may be local administrators on company systems. Attacks on them must be approached differently from generic phishing or spear phishing, because their motivations and interests differ from those of, say, typical support or sales staff.
Imagine your target is the company's CFO. You could write an email on behalf of the human resources department to build rapport with the potential victim. You can personalize it by mentioning their name and title, or touch on other key details about the company that only the recipient or HR should know. Or you may need to run an entirely different scenario involving a trade organization or professional group your target belongs to. OSINT is a source of the professional jargon you can pass off as your own.
Vishing
In vishing, the attacker calls the victim and talks to them on the phone. Vishing is often harder than phishing because it requires improvisation. Phishing gives you time to think about what to say before you send the email; vishing requires you to compose the conversation as you go and remember it down to the last detail. You may also run into a bunch of problems: the victim does not answer the phone; you misunderstood who reports to whom in the company; you accidentally called on behalf of someone who sits in the same office as the victim; or you used the wrong accent or gender.
The advantage of vishing is that you see the result of your attack immediately. When you send an email, you have to wait for the recipient to open the message, click the link, and enter the information. Although vishing takes more time per target than phishing (especially when there are many potential victims), a successful vishing campaign can do much more damage in a shorter period.
During these engagements you will most likely spoof a phone number using a dedicated app or other software and call someone under some pretext. During the call you build a connection with your target and then try to get them to perform an action or provide information.
You might say you are conducting a survey, or that you are a customer, a supplier, or a buyer. You ask for information relevant to your pretext and then document it in your report.
Be careful when recording these calls. Try to obtain and record only the minimum of business information necessary, and nothing covered by legislation on personal data, medical confidentiality, or banking secrecy. Before conducting any testing in this manner, a prudent tester or firm should consult legal counsel to make sure that everything planned is lawful.
Baiting
Sometimes you can use bait to get the victim to take the desired action. Traditionally USB drives have served this purpose, but a more modern option, a QR code, can also be used to trick the victim into downloading malicious code.
You can load fake documents onto a USB stick or onto a special device hackers call a Rubber Ducky, and then put the device in a package with an attractive label such as "layoff/promotion list", "bonus payments", "report for the CEO", and so on. Then drop the bait in the parking lot, at the office entrance, or in a corridor of the target company.
Using a Rubber Ducky has its advantages. With this device you can deliver malicious scripts to the target machine along with the legitimate files. Plugging a Ducky into a computer bypasses data loss prevention (DLP) controls (software or hardware that stops files leaving the computer via a USB drive, email, or a protocol such as FTP or SCP), because the Ducky presents itself as a USB keyboard rather than as a storage device. A regular USB drive can be blocked by DLP software installed on the victim's computer; a Ducky instead types the keystrokes that open a file and deploy a payload (a script or tool that helps you get the desired result). Note that endpoint controls which allowlist USB devices by interface class or vendor and product ID are a different matter and can still block an unrecognized keyboard.
You can use bait to obtain a remote command shell on the system, which then lets you interact directly with the host. But succeeding with bait is not easy, because it is hard to guarantee that it reaches the intended victim and that the shell, callback, or data actually reaches your attack machine. Users may take the drive home and plug it into a home computer that you have no authorization to attack.
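As an added example (not from the book) of the control that does catch a keystroke-injection device: a parser for the kernel's USB enumeration messages that reports any HID keyboard whose vendor:product ID is not on an allowlist of issued hardware, and any single device that exposes both a keyboard and a mass-storage interface, the signature of a "drive" that also types. The log lines, the IDs, and the allowlist are constructed for the example; on a real Linux host you would feed it the output of journalctl -k, and USBGuard enforces the same kind of policy at the kernel boundary rather than after the fact.

```python
import re

# Constructed kernel messages (journalctl -k style) for a hypothetical workstation:
# the issued keyboard on port 1-1, a plain USB stick on 1-4, and on 1-3 a device that
# enumerates as both a keyboard and mass storage. Vendor/product IDs are illustrative.
SAMPLE_KERNEL_LOG = """\
Mar 14 09:12:03 ws-042 kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 14 09:12:03 ws-042 kernel: usb 1-1: Product: USB Keyboard
Mar 14 09:12:03 ws-042 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input12
Mar 14 09:12:03 ws-042 kernel: hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
Mar 14 11:47:51 ws-042 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 14 11:47:51 ws-042 kernel: usb 1-4: Product: Ultra Fit
Mar 14 11:47:51 ws-042 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
Mar 14 11:52:18 ws-042 kernel: usb 1-3: New USB device found, idVendor=f000, idProduct=ff01, bcdDevice= 1.00
Mar 14 11:52:18 ws-042 kernel: usb 1-3: Product: USB Keyboard
Mar 14 11:52:18 ws-042 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Mar 14 11:52:18 ws-042 kernel: input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:F000:FF01.0002/input/input13
Mar 14 11:52:18 ws-042 kernel: hid-generic 0003:F000:FF01.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Keyboard] on usb-0000:00:14.0-3/input1
"""

# Keyboards the organization actually issues (hypothetical allowlist), as vendor:product.
KEYBOARD_ALLOWLIST = {"046d:c31c"}

NEW_DEVICE = re.compile(r"usb (?P<port>\d[\d.-]*): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
PRODUCT = re.compile(r"usb (?P<port>\d[\d.-]*): Product: (?P<name>.+)$")
HID_IFACE = re.compile(r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
                       r".*USB HID v[\d.]+ (?P<kind>\w+) \[")
STORAGE = re.compile(r"usb-storage (?P<port>\d[\d.-]*):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group kernel USB messages into one record per port: IDs, product string, interface kinds."""
    devices = {}      # port -> {"vid_pid", "product", "kinds"}
    port_by_id = {}   # hid-generic lines carry only IDs, so map IDs back to the port
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            vid_pid = f"{m['vid']}:{m['pid']}".lower()
            devices[m["port"]] = {"vid_pid": vid_pid, "product": "", "kinds": set()}
            port_by_id[vid_pid] = m["port"]
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]]["product"] = m["name"].strip()
        elif (m := STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]]["kinds"].add("storage")
        elif m := HID_IFACE.search(line):
            vid_pid = f"{m['vid']}:{m['pid']}".lower()
            if vid_pid in port_by_id:
                devices[port_by_id[vid_pid]]["kinds"].add(m["kind"].lower())
    return devices


def audit_keyboards(devices, allowlist=KEYBOARD_ALLOWLIST):
    """Flag keyboards that are not issued hardware, and keyboard+storage composites."""
    alerts = []
    for port, dev in sorted(devices.items()):
        kinds = dev["kinds"]
        if "keyboard" in kinds and dev["vid_pid"] not in allowlist:
            alerts.append({"port": port, "vid_pid": dev["vid_pid"], "product": dev["product"],
                           "reason": "HID keyboard not on allowlist"})
        if "keyboard" in kinds and "storage" in kinds:
            alerts.append({"port": port, "vid_pid": dev["vid_pid"], "product": dev["product"],
                           "reason": "device presents both keyboard and mass storage"})
    return alerts


if __name__ == "__main__":
    for alert in audit_keyboards(parse_usb_events(SAMPLE_KERNEL_LOG)):
        print(f"ALERT port {alert['port']} {alert['vid_pid']} ({alert['product']}): {alert['reason']}")
```

The product string is deliberately not trusted: the device on port 1-3 calls itself "USB Keyboard" just like the issued one, and only the ID check and the composite-interface check tell them apart. The plain USB stick on 1-4 raises nothing here, which is the DLP layer's job, not this one's.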
Dumpster diving
Probably the least glamorous social engineering technique is digging through the garbage cans or trash bags collected from the target company's office, then taking them away for analysis and information gathering. You can learn a lot about an organization this way and sometimes find exactly what you were looking for. Think about what you throw away; some of it is extremely personal. Garbage bags, however, may also be full of leftovers from the office cafeteria that have nothing to do with company secrets.
For this kind of reconnaissance you will most likely have to pose as an employee of the waste collection company and make up a story to get into the area where the dumpsters are kept. Once there, the first thing to do is collect a few garbage bags, take them away from the office, and examine the contents at leisure.
When rummaging through dumpsters you will probably want gloves and a respirator. You could even boost the local economy by hiring high school or college students to do the dirty work. Make notes of what you find, read any written material, and piece together torn documents. What you find may be the ultimate goal of the engagement, or a stepping stone to something bigger.
Psychological concepts in social engineering
Unlike traditional information security, which borrows concepts from computer science, systems administration, programming, and database administration, social engineering borrows most of its concepts from psychology. For this reason, social engineering professionals must have a good understanding of human psychology and behavior.
While working on my PhD (which I never finished), I spent more time reading psychology and sociology journals than computer science journals. I still occasionally go through a thick folder full of scientific papers and use access to academic journals to get new information. In this chapter, I review some basic psychological concepts useful for social engineering.
A note on the Rubber Ducky mentioned in the baiting section: the Hak5 USB Rubber Ducky is a device with a small computer inside, enclosed in a case identical to a regular USB drive, that acts as a keyboard and can type into the system as if the user were typing.
Influence
Influence is a neutral term for the activity of a person who motivates others toward a certain outcome. Influence can be positive or negative. An example is a doctor talking to a patient about their health, the lifestyle changes they need to make, and the risks they face, in order to inspire the patient to live more healthily.
Manipulation
Outside psychology, people usually do not distinguish between manipulation and influence. Among specialists, however, the terms have quite different meanings. Manipulation is harmful influence, usually aimed at causing harm. In social engineering, both attackers and well-intentioned pentesters often resort to manipulation instead of influence, out of poor preparation or recklessness.
Rapport
In short, rapport is mutual trust. Most dictionaries define rapport as "a friendly, harmonious relationship" and add that such a relationship is usually "characterized by agreement, mutual understanding, or empathy that makes communication possible or easy." The American Psychological Association (APA) builds on this definition, noting that establishing rapport with the client in psychotherapy is often considered an important intermediate goal for the therapist, in order to facilitate and deepen the therapeutic experience and promote optimal progress and improvement.
Like psychotherapists, social engineers try to establish rapport with their subjects in order to gain their trust. To build rapport they often rely on shared experiences (real or invented), play on the target's interests, and emphasize their own character traits. You can use OSINT to learn a target's likes and dislikes.
In his book Influence: The Psychology of Persuasion, psychologist Robert Cialdini describes in detail the relationship between influence and manipulation. Dr. Cialdini identifies six main principles of influence: authority, liking, urgency and scarcity, commitment and consistency, social proof, and reciprocity.
Let's take a closer look at these principles and how they are applied.
Authority
People tend to comply when someone in authority asks them to, or when they are led to believe (truthfully or under false pretenses) that an authority figure is performing the same action. I like to invoke authority in vishing. For example, I might call and say that I am acting on behalf of the CEO or the CISO, or in accordance with a particular law.
Invoking authority can be very effective. Keep in mind, however, that you should never impersonate law enforcement, tax, customs, or other government agencies that have special powers to collect confidential or other information. That is illegal!
Liking
People tend to want to help those they find likable and attractive. Have you ever met a salesperson who did not at least try to seem like a nice person? Most likely they will compliment your clothes, looks, and intelligence to win your favour.
Scarcity and urgency
If there is a risk of missing out on something, people start to want it much more. I recently took advantage of a promotion at a local gym. During sign-up, a timer appeared on the web page warning me that I had one minute left to finish, or I would be dropped from the list of preferred customers. As an experiment, I went through the sign-up three times. The first two times I completed it within the minute from the same IP address. The third time I took about five minutes, and every time the minute ran out the timer simply reset with no consequence.
Moral of the story: the gym was pressuring me into signing up for something that may or may not benefit me. The timer gives potential customers an artificial deadline and the feeling that they will miss out on something important if they do not act quickly.
In phishing, many scammers claim to be selling or giving away something that exists only in limited quantities. To entice the victim to act, whether by clicking a link or entering information, they offer something of value in a deal too good to be true, on the condition that the victim acts immediately.
In other cases the criminal may try to force payment of a ransom for their ransomware, giving the victim only a few hours to pay before the data is deleted, stolen, or published, regardless of whether they intend to follow through on the threat. Either way, the criminal hopes to frighten the victim into acting before they have time to think things through.
Commitment and consistency
People value consistency and generally dislike change. Social engineers sometimes maintain consistency and sometimes break it to influence the target. A salesperson may claim to be more interested in the client's success than in commissions, saying something like: "I have always cared about my clients. I have understood your needs from the first day we worked together. With you, I always keep my word." This technique is common among salespeople whose success depends on strong, long-term relationships.
Social proof
Society demands that we "keep up with the Joneses". In other words, we often do things solely because others consider them normal, appropriate, or the status quo. You can try to convince your target that a certain behaviour or action raises their social status, or that all the other effective employees are already doing what you want them to do. A person's belief that something is desirable because others endorse it is called social proof. A car salesman may try to convince you to buy a luxury car by saying, for example, that successful people your age drive it.
An attacker can fabricate social proof using information obtained from OSINT. For example, they can determine who in the company is an influencer, then email you claiming to have spoken with that respected person, who spoke highly of you and passed on your contact details so you could help "fix a problem". I have had two or three not-so-clever recruiters email me claiming that a friend of mine gave them my contact information but asked them not to use his name. The jobs they offered involved Java development, which I do not mention on my résumé or LinkedIn. Of course, I immediately blacklisted them.
Reciprocity
We are more willing to help people who have helped us. Social engineering pentesters often help someone and then ask for something in return (not always in the interest of the person helping). One such case happened to me when I attended Layer 8, a social engineering conference in Newport, Rhode Island. Near the pier I saw a couple trying to take a photo in front of a sailboat. I offered to take their picture.
"Sure, it's no trouble for you?" they asked.
"Not at all. And by the way, hold my phone so you know I won't run off with yours," I replied, to establish closer contact with them.
I took the shot. At that moment another beautiful yacht sailed right behind the couple, and I asked them not to leave yet. "Let me take one more of you in front of that yacht," I said.
They agreed: "That would be great."
I took a few more shots. When I finished, I handed them my phone so they could look through the photos, and my new acquaintances thanked me.
"Not at all. Would you be willing to help me a little with some anthropological research I'm doing this summer?"
"Sure, what's the research about?" they asked in return.
Because I had helped them with the photos, they felt obliged to reciprocate, even though answering my questions promised them nothing good.
"I'm studying patterns of human migration and how different ethnic groups mix. I collect information about names, where people travel, patterns of behaviour, and so on. Unfortunately I have very little information about the parents of the family members I've spoken with. For example, what was your mother's name before she married?"
Note that I did not ask "What is your mother's maiden name?", because that question immediately raises suspicion. It is a common password-recovery question, and people guard that information.
They both answered my question and then told me where they were from. I said I had friends in that town. That was a lie; in fact I was only vaguely familiar with the area. I said my friends had gone to a certain high school there. They replied that that school was a rival of the one they had attended. "And what was on your school's crest?" I asked.
My companions readily answered that question too. I could have kept questioning them for a very long time...
Sympathy and empathy
A great way to build rapport is to show sympathy: concern for someone who is feeling down or stressed, for example after losing a loved one or a pet. Empathy, by contrast, is the ability to feel what other people feel, as if you were in their shoes. Empathy means shared emotions or viewpoints, while sympathy expresses compassion and concern on your part.
Both matter for building rapport in certain circumstances. You need to be able to express your feelings and read the target's, so that you can influence them and know when you are pushing too far. When interacting with the target, you can share a story (fact, fiction, or some embellished mix of the two) about a similar situation you were in and how you handled it. That lets them show empathy for your situation and deepens the rapport. Alternatively, if someone is describing a situation you have no experience with, simply ask clarifying questions and then say you are sorry it happened, expressing sympathy that way. Be careful, though: if you have a response or a story ready for absolutely everything the person says, they may become suspicious, so use this approach sparingly.
Material in this article is drawn from Joe Gray's book Practical Social Engineering: A Primer for the Ethical Hacker.