A man called a cellphone manufacturer and said, “Hey! This is Rick over in Arlington Heights, and I am looking for the project manager of the MicroTAC UltraLite.” The person on the phone said, “Yeah! That's Pam, she works for me.” The caller was put through to Pam but reached her voicemail; she was on vacation. The voicemail instructed the caller to contact Aleesha in her absence. The caller connected with Aleesha and the conversation went like this:
Caller: “Hey, did Pam go on vacation yet?”
Aleesha: “Oh! She has.”
Caller: “Oh! Before she left, she was supposed to send me the source code of the MicroTAC Ultralite, and she said you could help me out in her absence.”
Aleesha: “Okay. Which version no. do you want?”
Caller: “How about the latest and the greatest!”
After a while, the man had the source code for the Motorola MicroTAC Ultralite. The man behind the telephone call was the world’s most famous hacker, Kevin Mitnick, and this was one of the hacks he pulled off using social engineering alone.
What is social engineering?
Social Engineering is the art of convincing people to reveal confidential information, and the people who perform it are called Social Engineers. There is some science to it, but it leans more towards art, since it draws on influence, charm, trickery, and deception. It relies on the fact that people are often unaware of how valuable the information they have access to is, and are careless about protecting it.
In the art of exploitation (hacking), almost every major breach involves some level of social engineering to get that initial access. Most of the time, you don’t have fancy zero days in your arsenal. Companies around the world spend millions on intrusion detection and prevention systems but forget that a dedicated threat actor will always go for the weakest link, which is usually people.
In this series, we will dip our feet into the area of social engineering; for more write-ups and the full curriculum, click on Curriculum. The following are the topics we are going to cover today:
- Behavior Vulnerable to attacks
- Phases of Social Engineering attack
- Types of Social Engineering
Behavior vulnerable to attacks
- Authority – Authority implies the right to exercise power in an organization. An attacker can abuse this by posing as someone important in the organization and getting the target to divulge confidential information or do something they would otherwise refuse.
Ex – An attacker can call the front desk posing as the Head of Security and ask them to click on a malicious link in order to “update the system.”
- Intimidation – Intimidation refers to an attempt to intimidate a victim into taking several actions by using bullying tactics.
Ex – An attacker can again impersonate an important figure like the CTO and pressure the target into doing something he/she does not intend to do.
- Consensus or Social proof – Consensus or social proof refers to the fact that people are usually willing to like things or do things that other people like or do.
Ex – Attackers can indirectly convince the target to download and install malicious software by posting fake reviews about it. People usually believe that if a majority of the public is saying something is good, it has to be good. But here is the thing: opinions can be wrong, or in this case fake, which leads to the exploitation of the mind first, then the system.
- Scarcity – Scarcity implies that something is in short supply. Attackers use it to create a feeling of urgency in the decision-making process.
Ex – Imagine Apple rolls out a special limited edition of the AirPods that will sell out within 24 hours. That creates urgency, and the clock starts ticking faster. In these rush situations, a user can click on a malicious link, ignoring the regular security procedures.
- Urgency – Urgency implies encouraging people to take immediate action. Attackers can take advantage of this by tricking victims into performing unintended tasks.
Ex – A user gets an SMS message like this, “Dear User, An amount of $10000 has been debited from your account XXXX2345. Please click here to log in to know more.”
Well, that’s one of the techniques known as SMSishing, which we will discuss later in detail, but the point here is that when you get this type of message, you are more likely to click on the link out of fear and curiosity, and that rushed decision leads to your credentials being stolen.
- Familiarity or Liking – It implies that people are more likely to be persuaded to do something when they are asked by someone whom they like.
Ex – An attacker befriends you online and you develop an interest in and liking for the person. This leads to trust, and you will make sure you won’t hurt them by telling them a straight “no” when they ask you to do something. Most of the time this works just fine, because the target is not expecting anything shady.
- Trust – Attackers often attempt to build a trusting relationship with victims. The example above applies to this trait as well; trust and liking go hand in hand.
- Greed – Greed is one of the oldest weaknesses of mankind. In this technique, attackers try to lure the target with something valuable in return for the desired information.
Ex – The attacker may do thorough OSINT on the company’s employees and find the ones who have questionable morals or are involved in things like theft, fights with colleagues, or who hold a grudge against the company. The attacker then gets confidential information from the target by bribing them.
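To make the cues above useful from a defender’s side, here is an added example (not code from the original post) that scores a message for the manipulation cues listed in this section. The cue patterns and the sample messages are constructed for illustration and are not exhaustive.

```python
import re

# Manipulation cues taken from the behaviours listed above. The phrases are
# constructed for this example; a real awareness filter would use a much
# larger, tuned list.
CUE_PATTERNS = {
    "authority": [r"\b(head of security|cto|ceo|it department|security team)\b",
                  r"\bon behalf of\b"],
    "urgency": [r"\b(immediately|right now|within \d+ (hours|minutes)|as soon as possible)\b",
                r"\bhas been debited\b",
                r"\bclick (here|the link)\b"],
    "scarcity": [r"\b(limited edition|only \d+ left|sold out|last chance)\b"],
    "intimidation": [r"\b(suspended|terminated|legal action|disciplinary)\b"],
    "greed": [r"\b(reward|prize|bonus|free (gift|money))\b"],
}


def score_message(text):
    """Return {cue: [matched phrases]} for every cue found in the message."""
    lowered = text.lower()
    hits = {}
    for cue, patterns in CUE_PATTERNS.items():
        found = [m.group(0) for pat in patterns for m in re.finditer(pat, lowered)]
        if found:
            hits[cue] = found
    return hits


def triage(text, min_hits=2):
    """Flag a message for awareness review when it stacks two or more cue
    phrases (e.g. authority plus urgency, or a debit alert plus a link)."""
    hits = score_message(text)
    total = sum(len(v) for v in hits.values())
    return total >= min_hits, hits


if __name__ == "__main__":
    # Constructed samples: the SMS from this post, a pretext call script, and
    # a benign message that should not be flagged.
    samples = [
        "Dear User, An amount of $10000 has been debited from your account "
        "XXXX2345. Please click here to log in to know more.",
        "This is the Head of Security, please click the link to update your "
        "system immediately.",
        "Hi, lunch at noon tomorrow?",
    ]
    for s in samples:
        flagged, hits = triage(s)
        print(f"flagged={flagged} cues={hits}")
```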
Phases of Social Engineering Attack
- Research the target company – The first phase involves research. You cannot perform a good social engineering engagement without data. Start by doing OSINT on the company, its websites, employees, etc. Find out what dress code they have, perform physical on-site recon by dumpster diving, and look out for possible entries, exits, security systems, and cameras. Remember, this is one of the most important phases, and all the later phases depend on the depth and comprehensiveness of the recon you do.
- Select a Target – After the research phase, you have to sort out the data and select a worthy target. This depends on the type of access you want, on the target itself, and on the requirement. We also have to watch for potential risks, because selecting the wrong target could jeopardize the whole engagement and alert the target organization. So, keeping it simple: find the frustrated and disgruntled individuals, who are easy to exploit.
- Develop a relationship – The next phase involves developing a relationship with the selected target. The techniques explained above are used in this phase, which may involve either one of them or a mix of them, depending on the situation.
- Exploit the Relationship – The final step. Influence the target into divulging sensitive information, or into clicking on the malicious link or installing the malicious software, giving you that initial access and a foothold in the company’s network.
Types of Social Engineering
1. Human-based Social Engineering – Human-based social engineering involves interacting with people to gather sensitive information. The techniques include:
   - Shoulder Surfing
   - Dumpster Diving
   - Reverse Social Engineering
   - Diversion Theft
   - Honey Trap
   - Baiting and Quid Pro Quo
2. Computer-based Social Engineering – Computer-based social engineering involves gathering information with the help of computers. The techniques include:
   - Pop-up window attacks
   - Spam Mail
   - Instant chat messengers
3. Mobile-based Social Engineering – Mobile-based social engineering involves gathering information with the help of mobile apps. The techniques include:
   - Publishing malicious apps
   - Using security apps
   - Repackaging legitimate apps
   - SMSishing (SMS Phishing)
Social Engineering is really an art to learn. It takes practice and relies on extensive recon on the target. Today we took a tour and saw what social engineering is, the behaviors that are vulnerable to attack, the phases of a social engineering attack, and its types. In the next part of this series, we will dive into the techniques mentioned under the types of social engineering. So, stay tuned for the next part; till then, “Happy Hacking.”