This Article will dive deep into Social Engineering, How it is done and how we can protect ourselves from Social Engineering Attacks and Social Engineering Frauds.Social Engineering is a real life Hack but mostly now a days it’s referred to as a computer related Hack. Social Engineering hacking is the most dangerous and effect type of hacking and we will say this for the longest.
Table of Contents of Social Engineering Article
- What is Social Engineering
- Social Engineering Definition
- Social Engineering Examples
- Social Engineering Techniques
- Social Engineering Attacks
- Social Engineering Toolkit (SET)
- Social Engineering Tools
- Social Engineering Books
- Safety from Social Engineering Frauds
- In-depth Social Engineering Guidance
What is Social Engineering
To continue you will need to enter your Facebook Password < This line is a Social Engineering attempt had I built on to that line to obtain your password by involuntarily making you enter your own password is how Social Engineering (SE) is done.Hacker creates such a situation that leads the victim into sharing confidential Information.
social engineering tactics are used by criminals because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your account. It is much easier to fool a person into sharing their password than it is for you to try hacking it. This concept is what social engineering is all about.
Social Engineering Definition
Social Engineering Definition as per Wikipedia :
Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
Although the term “social engineering” as an act of psychological manipulation is also associated with social sciences, but since social engineering pertains to computers it is referred by information security professionals as a field of computer science. In my definition Social Engineering is an Art, Hacker is the artist and victim is the painting.” Social Engineering the art of human hacking is a great read which will show all aspects of SE based on the same logic I presented above.
Social Engineering meaning must be very much clear by now , as it is important to understand what SE is all about before you read any further, I have tried to keep the start very simple.
Social Engineering Examples
Before we go into the mechanics and explain how social engineering is carried out, I will share some real life examples of social engineering.Although social engineering started taking place even before computers were invented , my favorite real life example is of 1960s when Frank Abagnale made a living faking identities and passing bad checks. Catch Me If You Can was based on the same story
- Mark Rifkin used a series of social engineering attacks to pull off a large bank heist in the 1970’s. He is responsible for stealing $10.2 million through wire transfer via telephone in the autumn of 1978.At that time, it was the largest bank robbery in U.S. history. Read Detailed Hack
- The Blind Badir Brothers is an amazing story of 3 brothers blind born who became notorious phone phreakers and social engineers. It is said at one point they could even tell you the number you dialed by the tones without being able to see you dial. Read their Story
- Notorious Fluffi Bunny was an extreme group of underground hackers that combined social engineering and hacking skills to wreak havoc on companies. They appeared after the incidents in New York, USA on September 11th vandalizing websites with a message “Fluffi Bunni Goes Jihad.” That landed them a spot on the FBI’s radar.Read More about their story
- AOL Hack is a prime social engineering example. AOL tech support member was called and the attacker spoke with him for 1 hour. During the call the attacker mentioned that he had a car and it was for sale. Using rapport building skills and a friendly voice he gained trust with the AOL employee instantly. The AOL employee showed interest in the attacker’s car. The attacker sent the support rep an email with a photo. Instead of sending a photo though, he sent a back-door exploit that busted through the AOL firewall giving the attacker access to AOL’s internal network. Before he was stopped he had accessed over 200 accounts gaining all their personal information.
- SecurID RSA Breach was carried out when the attacker sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees.These employees were not users with particularly level access. The email subject read ‘2011 Recruitment Plan. The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls‘ . The attachment contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). The company spent $66 million recovering from the attack, and information about RSA’s popular SecurID two-factor authentication mechanism was compromised.
- Hidden Lynx Watering Hole on Bit9 – In 2013, the “Hidden Lynx” cyberespionage group in China used water-holing attacks to compromise security firm Bit9’s digital code-signing certificates, which later were used to target some Bit9 customers.Watering holes are more subtle than phishing attacks. Malware is injected into a legitimate website that organizations in the target industry are already likely to visit.They accessed Bit9’s file-signing infrastructure, so that they could sign malware and make it seem legitimate. They then used it to attacked Bit9 itself, at least three of its customers, and three defense industrial base organizations that were customers of Symantec.
- AP Twitter Hijack – In 2013, the Twitter account of the Associated Press news wire service reported “Breaking: Two Explosions in the White House and Barack Obama is injured.” AP’s Twitter account had been hijacked by the Syrian Electronic Army. The Impact ? US stock exchange crashed, the tweet was sent at 1:07 p.m. At 1:08 the Dow started the nosedive. It dropped by 150 points before 1:10, when news began to spread that the tweet was erroneous.This was yet another attack that started with phishing, and even a security-savvy user might fall for it.
Social Engineering Techniques
Social Engineering Techniques can not be defined as it will change and adapt as per the current time, It could look like an email that has been designed to seem like it is from an authentic firm, like your message service, Courier or even your bank. But if you open it and click on any attachment , you could be installing malware.At times It could be disguised to look like it comes from someone inside your own organization but if you respond to that email with your user name and password, your computer is easily compromised. SE Techniques are unlimited, excise caution.
Social Engineering Attacks
Social Engineering Attacks are not targeting vulnerabilities in operating systems but in users , they are the weakest link in the security chain. Human factor is the biggest vulnerability to any secure system. Few types of Social Engineering Attacks are :
- Phishing – Phishing or spear phishing refer to that SE Attack where the hacker pretends to be someone else and gets the victim to respond on the fake claims. Such attack can vary as per current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.Even the latest FBI blame game on Russia with their “Hacked Elections” report showed “Phishing” as the type of SE attack. Check out Most Famous Phishing Attack email subjects of 2016/2017
- PreTexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building. Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
- Baiting is also similar to Phishing. However, what distinguishes them from other attacks of social engineering is the luring tendency of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain online website.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
- TailGating is another social engineering attack type is known as tailgating or “piggybacking” .This Attack involve someone who lacks the proper authentication following an employee into a restricted area.Following common courtesy, the legitimate person will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.
- Water Holing – Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, such as, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website he or she often visits. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.Its a very effective technique and during all my pentesting on authorized organizations I have found water holing giving out most results.
- Quid pro quo is a type of SE attack in which the victim is given something in returns in terms of information. I call my victim and make them believe I am from tech support and might help them fix their computer , doing so I might ask them to install my custom FUD Trojan.It is important to note, however, that attackers can use much less advanced quid pro quo offers than IT fixes. As real world examples have shown, office workers do not mind sharing their passwords with an exchange of a bar of chocolate.
Social Engineering Toolkit
Social Engineering Toolkit or commonly known as SET in hackers community is a set of open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly. Success of SET is totally dependent on your Social Engineering Skills. SET offers a vast variety of attack vectors, few of them are :
- Spear-Phishing Attack Vectors
This tool allows you to send e-mails with a malicious file as payload.
- Website Attack Vectors
This tool allows you to create a malicious website link.
- Infectious Media Generator
This tool creates a payload and a .ini file for a usb,cd or dvd injection.
- Create a Payload and Listener
Straightforward just creates a .exe file and opens a listener.
- Mass Mailer Attack
This tool will send e-mails to the target.
- Arduino-Based Attack Vector
For use with a “teensy usb.”
- SMS Spoofing Attack Vector
With this tool you’ll be able to craft sms messages and send them.
- Wireless Access Point Attack Vector
Should be straightforward.
- QRCode Generator Attack Vector
Generates a QRCode to a specific URL.
- Powershell Attack Vectors
This will allow you to use Powershell exploits (powershell is available on windows vista and above.)
- Third Party Modules
Will allow you to browse for more add-ons.
Social Engineering Tools
[sociallocker]Apart from SET another great tool which hackers use to carry out Social Engineering is Maltego. Maltego allows for gathering information based on set of rules you define for a user and it gives out all detailed Social Patterns found on the internet. Maltego and SET go hand in hand.
Social Engineering Books
I have tried my best to explain about SE Attacks and Techniques , this will enable you to understand how SE is done and once you understand you will be able to prevent social engineering attacks on you or your organization. But books are always the best way to fully understand, as it is beyond the scope of this blog post to elaborate old SE examples.I am sharing the best Social Engineering Books and Social Engineering PDF so you may read and fully understand
- The Art of Deception: Controlling the Human Element of Security
- Social Engineering : The Art of Human Hacking
- Social Engineers Playbook : A Pratical guide to PreTexting
Safety from Social Engineering Frauds
To keep yourself safe from social engineering frauds and such activities , as a guideline always follow these steps :
- Hold On – Hackers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics be skeptical; Do no let their urgency influence your careful review and better judgment.
- Research Facts – Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site. Social media verified accounts of companies are a good place to start.
- Financial Information or Passwords – If you get asked to reply a message with personal information, it’s a scam.
- Reject requests for help or offers of help – Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
- DO NOT let a Link Control You – Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land.
- DO NOT open emails in the spam folder or emails whose recipients you do not know.
- DO NOT open attachments in emails of unknown origin.
- Use a reputable antivirus software.
- Perform a regular backup to an external medium (external hard drive or the cloud).
- After backing up, disconnect your drive. Modern ransomware is known to encrypt your backup drive as well.
- DO NOT pay the ransom. Reason why criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional.
In-depth Social Engineering Guidance
This article covers alot about Social Engineering and how Hackers go about it and how end users can keep safe , but SE is such a versatile technique that it can not be explained in one post, if you want to learn more about SE or get more technical know-how, you may Ask Techie! .