What is social engineering?
Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.
Criminals frequently use social engineering because it is usually easier to exploit a person’s natural inclination to trust than to find ways to hack infrastructure or software. In some cases, attackers use simpler forms of social engineering to gain access to a device, network or computer. A hacker might frequent the public food court of a large and popular office building and “shoulder surf” users working on their laptops or tablets.
Doing so can yield a large number of users’ credentials without sending an email or writing a line of malicious code. Other attacks rely on actual communication between attacker and victim; here, the attacker pressures the potential victim into granting network or computer access under the guise of, for example, a very serious problem that needs immediate attention.
What types of social engineering are most popular?
- Phishing: Phishing attacks are the most popular type of fraud in social engineering. The purpose of phishing is to illegally obtain confidential user data (username and password or some other useful information). To attack users, attackers use email, having previously collected addresses from a public source such as a list of company employees and their email addresses. After collecting the addresses, the attackers proceed to preparing the payload email.
- Pretexting: a set of actions carried out according to a specific, pre-compiled scenario, as a result of which the victim gives out information or performs a certain action. Most often, this type of attack involves voice tools such as Skype or the phone. To use this technique, an attacker must first have some information about the victim (the employee’s name, position, the names of the projects they work on, date of birth). The attacker starts with plausible real-world requests that mention the names of the company’s employees and, after gaining the victim’s confidence, obtains the information they need.
- Trojans: This technique exploits common traits of a potential victim, such as curiosity and greed. The social engineer sends an email with a free video or an anti-virus update in the attachment. The victim saves the attached files, which may in fact be Trojans or a set of scripts/macros. This technique will remain effective as long as users continue to mindlessly save or open any attachment in their email.
- Quid pro quo: In this type of attack, attackers promise the victim a benefit in exchange for information. For example, an attacker calls the company, pretends to be a technical support employee, and suggests installing the “necessary” software. Once consent to install the programs is received, the attacker gains access to the system and to all data stored in it.
- Tailgating: Tailgating or piggybacking is the unauthorized passage of an attacker through a checkpoint alongside a legitimate user. This method cannot be applied in companies where employees must use passes to enter the premises. Obviously, social engineering can do huge damage to any organization. That is why it is necessary to take all possible measures to prevent attacks on the human factor.
Recipes for successful social engineering
Social engineering is usually considered part of a targeted attack, but what happens when such schemes are deployed at scale? Let’s look at ten such scenarios to understand how people react to them and what the consequences may be.
1. Verified Sender
Sometimes site administrators, by oversight, do not filter the “Name” field in a registration form (for example, when signing up for a newsletter or when submitting an application). Instead of a name, you can insert text (sometimes kilobytes of text) and a link to a malicious site, and put the victim’s address in the email field. After registration, this person receives a letter from the service: “Hello, dear …”, followed by our text and link. The service’s own message appears only at the very bottom.
How to turn it into a weapon of mass destruction? Elementary! In December 2017, one search engine was found to allow messages to be sent through its backup-email binding form. It was possible to send 150 thousand messages per day; all it took was to automate the form filling a little.
This trick lets you send fraudulent emails from the site’s real technical support address, complete with digital signatures, encryption, and so on. The only difference is that the whole upper part is written by the attacker. I have received such letters myself, not only from large companies like booking.com or paypal.com, but also from lesser-known sites.
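The defence against this scenario is on the site operator’s side: whatever lands in the “Name” field must not be able to carry links or kilobytes of padding into a transactional email. The following Python check is an added example, not code from the original article; the length limit, the TLD list and the `build_welcome_email` template are assumptions made for illustration.

```python
import re
from typing import Optional

MAX_NAME_LEN = 64  # assumed policy: display names are short

# Anything that looks like a link or a bare domain has no place in a display name.
_URL_LIKE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.(?:com|net|org|ru|io)\b)", re.I)
# ASCII control characters, including line breaks and tabs.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_display_name(raw: Optional[str]) -> Optional[str]:
    """Return a safe display name, or None if the submitted value must be rejected."""
    if raw is None:
        return None
    # Replace control characters with spaces so line breaks cannot split words,
    # then collapse whitespace so padding cannot push the service's real text
    # below the fold.
    name = re.sub(r"\s+", " ", _CONTROL.sub(" ", raw)).strip()
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if _URL_LIKE.search(name):
        return None
    return name


def build_welcome_email(raw_name: str) -> str:
    """Compose the greeting; a rejected name degrades to a neutral salutation."""
    name = sanitize_display_name(raw_name)
    greeting = f"Hello, dear {name}," if name else "Hello,"
    return f"{greeting}\n\nThank you for registering with our service."
```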
This method of getting a person to follow a link requires some preparation. A fake company website is created with a unique name that immediately attracts attention, for example “DataMataPrata” LLC. Then we wait for the search engines to index it.
Now we come up with some reason to send congratulations on behalf of this company. Recipients will immediately google it and find our site. Of course, it is better to make the congratulation itself unusual so that recipients do not swipe the letter into the spam folder.
3. Fake newsletter subscription
Here is a very simple way to get a person to visit a site via a link in a letter. For example, we write: “Thank you for subscribing to our newsletter! Every day you will receive a price list of reinforced concrete products. Yours faithfully, …”.
Next, add an “Unsubscribe from the newsletter” link leading to our website. Of course, no one has subscribed to this newsletter, but you will be surprised by the number of unsubscribe attempts.
4. Email Mining
To compile your database, it is not even necessary to write your own crawler and trawl sites for carelessly exposed addresses. A good list of domains is enough. Prepend info@ to each, check the resulting addresses, and you end up with around 500 thousand work email addresses.
Similarly, you can use director, admin, accountant, HR and so on. We prepare a letter for each of these roles, send it out, and receive from hundreds to thousands of replies from employees in a particular field.
5. And what is it written there? Small text!
To lure users away from any forum or site with open comments, you do not need to invent tempting texts; just post a picture. Choose something eye-catching (some meme) and shrink it so much that the text on it is impossible to read. Curiosity always forces users to click on the picture.
6. Hi! What’s your name?
Getting a user to open a file, or even a document with a macro, is not so difficult, even though many have heard of the dangers hidden in such documents. In a mass mailing, merely knowing the recipient’s name seriously increases the chances of success.
For example, we can send an email with the text “Is this email still active?” or “Please write your website address.” In at least 10–20% of cases the reply will include the sender’s name (this is more common in large companies). After some time we write: “Darla, hello. What is the matter with your site (photo attached)?” or “Josh, good afternoon. I can’t figure out the price list. I need item 24. Price list attached.” And in the price list there is the banal phrase “Turn on macros to view contents …”, with all the ensuing consequences.
In general, personally addressed messages are opened and processed an order of magnitude more often.
7. Personalized evil
If you need to force a large number of organizations to respond to a letter, the first thing to do is look for weak points. For example, you can send a complaint about goods to stores and threaten litigation: “If you do not solve my problem, I will complain to the director! Is this what you delivered to me (photo attached)?! The password for the archive is 123”. Car repair shops can likewise be sent a photo of a breakdown and asked whether they can repair it; builders, a “house project”.
8. Mass intelligence gathering
This scenario is not so much an attack as preparation for one. Suppose we want to find out the name of an important employee, for example an accountant or security manager. This is not difficult if you send a letter of the following content to a staff member who may have this information: “Please tell me the director’s middle name and the office hours. We need to send a courier.”
The question about office hours is a distraction, and asking for the middle name is a trick that hides the fact that we do not know the first name and surname. Both, most likely, will appear in the victim’s reply: the full name is usually written out in full. In the course of the study, I managed to collect the names of more than two thousand directors this way.
If you need to know the boss’s email, you can safely write to the secretary: “Hello. I have not been in touch with Nick Bormann for a long time; is his address firstname.lastname@example.org still working? I have not received an answer from him. Alex Robinson.” The secretary sees an address made up from the director’s real name and the company’s domain, and gives out Nick Bormann’s real address.
9. The site is down
A database of sites together with their owners’ email addresses can easily be turned into visits to any other site. We send letters with the text “For some reason, the page on your site www.website.com/random.html does not work!”. A classic trick: in the link text the victim sees his own site, but the link itself leads to a different URL.
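The mismatch this trick relies on, address-like link text pointing at a different host, is mechanically checkable before a message reaches the inbox. The Python below is an added example, not code from the original article; the sample HTML is constructed, the attacker host `track.example-attacker.test` is a placeholder, and the rule “subdomains of the shown host are fine” is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the article): the first anchor shows the victim's
# own site in its text while the href leads elsewhere; the others are benign.
SAMPLE_EMAIL_HTML = """<p>For some reason, the page on your site
<a href="http://track.example-attacker.test/x?id=77">www.website.com/random.html</a>
does not work!</p>
<p>Contact us at <a href="https://www.website.com/contact">website.com/contact</a>.</p>
<p><a href="https://website.com/help">click here</a></p>"""

# Text a reader would take for an address: optional scheme and www., a host
# with a TLD, then an optional path.
_HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def _host_of(text):
    """Host the visible text appears to name, or None if it is not address-like."""
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_deceptive_links(html_body):
    """Return (text, href) pairs whose text names one host but whose href goes to another."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for text, href in parser.links:
        shown, real = _host_of(text), (urlsplit(href).hostname or "").lower()
        # Only judge anchors whose text looks like an address; a subdomain of the
        # shown host (www.website.com for website.com) is not a mismatch.
        if shown and real and real != shown and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged
```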
10. Multi landing website
This method requires preparation. We create a one-page website styled as a news resource and add a script that changes the text on the page depending on which link the visitor clicked. We then make a mailing based on a database of addresses and company names.
Each letter contains a unique link to our news resource, for example news.com/?1234. The parameter 1234 is tied to a specific company name. The script on the site determines which link the visitor came from and inserts into the text the company name corresponding to that address in the database.
On visiting the site, the employee sees the heading “Company … (the name of the victim’s company) is on the rampage again.” Next comes a short news item with some tall tales, and in it a link to an archive with the incriminating materials (a Trojan).
In conclusion, I would like to point out that not only psychological methods of influencing the victim can be used, but also technical ones that help mislead the potential victim and gradually steer him into the scenario we have prepared. As a result, we can obtain something useful from these attacks (personal data, money, access, etc.) to continue the attack on the company and its employees, or even gain access to the infrastructure.
Therefore, a very important aspect of security is not only the purchase of expensive security software, but also the constant education and training of employees on information security, the modelling of incidents (e.g. email phishing simulations), and keeping a finger on the pulse.