In the last part of Social Engineering 101, we went on a ride and learn about what social engineering is, behaviors vulnerable to attacks, phases of social engineering, and lastly the types of social engineering. If you haven’t gone through Part 1, we highly recommend taking a peek before continuing here, Click here for Social Engineering 101 – Part 1.
Moving on, in this part, we will develop more on the types of social engineering section and take a deep dive into the techniques mentioned in that section. Till now, we know that there are mainly three types of social engineering:
- Human-based social engineering
- Computer-based social engineering
- Mobile-based social engineering
Human-based social engineering techniques
- Impersonation – Impersonation means posing as someone who you are not. The attacker pretends to be someone legitimate or an authorized person. The attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone, email, etc.
Ex – A man walks up to a receptionist in a classic suit and asks her to let him in an unauthorized area, by posing as someone important from the organization’s major client list.
- Vishing – Vishing is an impersonation technique in which the attacker tricks individuals to reveal personal and financial information using voice technology such as telephone systems, VOIP, etc.
Ex – An attacker can spoof an internal number and call the HR or finance department posing as someone from IT and makes the target log in on a rogue website.
- Eavesdropping – The unauthorized listening of conversations or reading of messages is known as eavesdropping. Eavesdropping also involves interception of audio, video, and written communication on channels like telephone lines, emails and instant messaging services, etc.
Ex – An attacker can physically be in the vicinity of the target like in a public bus and listens to the conversations of the victim with his/her peers to gather information about interest, routines, and likings and dislikings.
- Shoulder Surfing – Shoulder surfing is a direct observation technique such as looking over someone’s shoulder to get information such as passwords, PINs, account numbers, etc. It can also be performed from a distance using binoculars or cameras.
Ex – Befriending the target and looking over his/her phone while they are logging into their Facebook profile. When done properly, this technique is the easiest to pull off and doesn’t involve any technical knowledge but is really effective.
- Dumpster diving – Dumpster diving is the process of looking for treasure in someone else trash. You can get very critical information by looking at the trash like phone bills, contact information, financial information, operations-related information, etc. From the target company’s trash bins or printer bins, or user desks.
Ex – While looking at the target’s trash, you found out that he is a patient with diabetes. Well, this couldn’t be a big deal right, like what’s big you can do with that information? Actually no, if the stage of the target’s diabetes is high and critical, he will definitely visit his doctor quite often. What happens when he got a mail from his doctor’s laboratory mentioning his health report, he will more likely get it to download and open it. Bam! He just got pwned.
- Reverse Social Engineering – In this, the attacker presents him/herself as an authority and the target seeks his or her advice before or after offering the information that the attacker needs.
Ex – An attacker first creates a panic situation and then comes forward and offers to help the target. The target in the situation of rush and impulse with open arms welcomes the attacker inside the perimeter and lets him completely exploit the organization and its assets.
- Piggybacking – Piggybacking is when an authorized person intentionally or unintentionally allows an unauthorized person to pass through a secure door.
Ex – The attacker dresses up like a regular employee and asks the security guard to let him into a secured perimeter by saying him that he had forgotten his ID badge at home and he needs help.
- Tailgating – The attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through the door that requires key access.
- Diversion Theft – The attacker tricks a person responsible for making a genuine delivery into delivering the consignment to a location other than the intended location.
- Honey trap – Attackers target a person inside the company online, pretending to be an attractive person, they then begin a fake online relationship to obtain confidential information about the target company.
- Baiting – Attackers offer end users something alluring in exchange for important information such as login details and other sensitive data.
Ex – Attackers drop a bunch of malicious USB flash drives on the campus. One of the employees saw the flash drive with the sticker “Payroll 2022”. He/She went ahead and plug it into their work computer to see what was inside and there it is – Game Over.
- Quid Pro Quo – Quid Pro Quo involves going through a potential target list and trying to exploit the targets in order to gain access or gather sensitive information.
Ex – Attackers call numerous random numbers within the company, claiming to be from technical support. They offer their service to the end users in exchange for confidential data or login credentials.
- Elicitation – Attackers extract information from the victim by engaging him/her in normal and disarming conversations based on the victim’s interests and liking. It is an indirect way of gathering information, which doesn’t involve direct questions but rather a slow and composed approach to the collection of the information.
Computer-based social engineering techniques
- Hoax letters – Hoax letters are emails that issue warnings to the user about the new virus, trojans, or worms that may harm the user’s systems. These are usually done to create panic and chaos in the user’s mind.
- Chain letters – Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a specified number of people.
- Instant chat messenger – Attackers use instant chat messengers to gather personal information by chatting with selected targets on the web.
- Spam email – Irrelevant, unwanted, and unsolicited emails that attempt to collect financial information, social security numbers, and network information are called spam emails.
- Scareware – Malware that tricks computer users into visiting malware-infected websites or downloading/buying potentially malicious software.
- Phishing – Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information. Phishing emails and pop-ups redirect users to fake web pages that mimic trustworthy sites, which ask them to submit their personal information.
Mobile-based social engineering techniques
- Publishing Malicious apps – Attackers create malicious apps with attractive features and similar names to popular apps and publish them in major app stores. When the naive user downloads these apps, they got infected by malware that sends credentials and other sensitive information to the attackers. There are plenty of malicious apps in the Google play store posing as camera, beauty, and fitness apps.
- Repackaging legitimate apps – An app developer creates a gaming app and uploads it to the app store. After that, the attacker saw the popularity of the app and downloads the legitimate app and repackages the app with the malware, and uploads it to other third-party app stores. When the end user downloads this malicious app, the attacker got full access to the device and smuggles the users’ credentials.
- Fake security applications – In this technique, the attacker first infects the victim’s PC and uploads the malicious app to the app store. When the victim logs into his or her bank account, the malware is the system displays a pop-up message telling the victim to download an app onto his or her phone to receive security messages. When the victim downloads the malicious app on his or her phone, at this point attacker can beat the 2FA from the bank as he/she now holds access to the victim’s mobile phone. This is one of an advanced attack as it involves layers of deception and access to pull this off.
- SMSishing (SMS Phishing) – SMSishing is the act of using the SMS text messaging system of cellular phones or other mobile devices to lure users into instant action, such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. These messages are generally crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details.
Ex – A user gets an SMS from Google claiming suspicious activity in your google account and lures the user to log in to know more. The message could be crafted like this – “Dear User, We noticed a suspicious activity on your account firstname.lastname@example.org, if this wasn’t you, click here to know more.”
So, those were all the techniques we usually come across while discussing social engineering. There are other attackers like Insider attacks which usually involve insiders and disgruntled employees. The attackers exploit the frustrated and recently fired employees to gather confidential information or gain a backdoor entry into the organization using these people.
Social Engineering is truly an art of human hacking. We saw how manipulating certain human emotions can let us in the most secure organizations and systems because we can’t beat an automated system after 50 years but we will still be getting in with the help of unaware employees and people. People are the weakest link the security and we see this from time to time. Most of the high-profile attacks are carried out by social engineering only. So, this is one of the most crucial skill in the 21st century, which you needs to master. Well, those were my closing thoughts on this topic. If you have still not gone through Social Engineering 101 – Part 1, CLICK HERE. We are also working on a full social engineering course, so stay tuned, and till then “Happy Hacking”.