Hello everyone, dear friends!
Social engineering is a field that every self-respecting hacker must understand. Today we will examine the most important concepts of social engineering.
If this topic is interesting to you, then write to me in the bot "I want a continuation on SE" and we will make a continuation.
What is social engineering?
Social engineering is any attack that uses human psychology to influence a target into either performing a desired action or providing sensitive information. These attacks play a major role in the information security industry and the hacker community, but we regularly encounter examples of similar behavior in our daily lives.
For example, sales and marketing departments often use social engineering tactics. A salesperson calling potential customers may try to influence the people on the other end of the line by offering solutions to their problems. Children often invoke the “cool kids” to get what they want from their parents, while parents may exaggerate the negative impact of a child’s misbehavior (remember the consequences adults used to scare you about if you ate too many sweets).
Important Concepts of Social Engineering
Pretext
In the social engineering world, pretexting is the act of pretending to be someone else. You might wear someone else's uniform, tell a fictitious backstory, or create a fictitious reason to contact them. I use the term to refer to any pretext you have for talking to your target. For example, if you told the security guard at the gate that you worked for a trash company, were holding a notepad, and were wearing the company uniform, that was a pretext.
Open source intelligence
Open source intelligence (OSINT) is the gathering of information about your target from publicly available resources. OSINT sources include newspapers, search engines, documents from various regulatory agencies, social media, advertising, and review sites, to name a few. OSINT can help you come up with a reason to contact.
OSINT can make or break your social engineering efforts because you often need to know important details about the target company and its employees to be successful.
- What virtual private network (VPN) do they use?
- What other technologies do they use in their work?
- What is the physical layout of the organization's building?
The optimal ratio of time spent collecting OSINT data to time spent on actual penetration ranges from 30/70 to 70/30.
Phishing
Phishing is the sending of fraudulent emails with the aim of influencing or tricking the victim into providing information, opening files or clicking on links. This is the most common form of social engineering.
Typical phishing emails are not targeted at a specific recipient. Instead, they are sent to large lists of email addresses purchased from dark forums or obtained independently. This means that you can send an email to a large number of people without collecting any information about them. For example, with little knowledge of the victim’s context, you can send out a one-size-fits-all email that attempts to trick the user into either logging into a fraudulent website or downloading a file. When victims open the file, it can open a remote command shell on their computer or install malware. Once the hackers have launched a remote shell or installed malware, they can interact with the system interactively and perform attacks, launch exploits, and escalate privileges to further compromise the system and network.
According to the Symantec Internet Security Threat Report (ISTR), 0.5% of all URL traffic is phishing, and 5.8% of that traffic is malicious. That's 1 in 224 URLs!
Spear phishing
Spear phishing is a variation of regular phishing where the social engineer focuses on a specific target. If you were a fisherman using a spear rather than a net, you would likely need to know how each type of fish behaves and how to approach them. Likewise, as a hacker, you will need to gather, combine, and use OSINT about your target company or person to properly lure them into a trap.
Spear phishing is the number one vector in targeted attacks. 71% of organized groups, including national intelligence agencies, cybercriminals, and hacktivists, use spear phishing to achieve their goals.
The best way to start such an attack is with OSINT investigations into the target company or individual. For example, you could get information about the service providers they use. Then, create a phishing email that says you are an insurance company and want to get some details. You would insert the insurance company logo into the email along with language that is typical for such companies, and then send the victim to a clone of the real company website to try to get their credentials or get them to download a file.
Whaling
Whaling is phishing that targets the “big fish” – typically the top managers of a company. These people are more trustworthy than their subordinates. They also usually have more access rights than the average user. For example, they may be local administrators on a company’s system. You need to approach attacks on these people differently than you would phishing or spear phishing, because these people have different motives and interests than, say, the rank-and-file support or sales staff.
Imagine your target is the CFO of a company. You might try crafting a whistleblower letter from HR to establish additional rapport with your potential target. You might personalize the letter by mentioning their name and title, or by touching on other key details about the target company that only the recipient or HR would know. Or you might need to use an entirely different scenario, involving a trade organization or professional group to which your target belongs. OSINT can be a source of jargon to help you get the word out.
Vishing
Vishing involves the hacker calling the victim and talking to them over the phone. Vishing is often more difficult than phishing because it requires improvisation. While phishing gives you time to think about what you want to say before sending an email, vishing requires you to compose the conversation on the fly and constantly keep it in your head, down to the smallest detail. You can also run into a lot of problems: the victim doesn’t answer the phone; you misunderstood who reports to whom at the company; you accidentally called on behalf of the person who sits in the same office as the victim, or you used the wrong accent or gender. The advantage of vishing is that you see the results of your attack right away. With email, you have to wait for the recipient to open the message, click on the link, and enter their details. While this takes longer than phishing (especially when there are many potential victims), you can do much more damage in a shorter period of time with a successful vishing campaign.
Bait
Sometimes, to get the victim to perform the desired action, you can use a bait. Traditionally, USB drives were used for this purpose, but now you can use a more modern option in the form of a QR code to get the victim to download the malicious code.
You can load fake documents onto a USB drive or a special device that hackers call a Rubber Ducky, then put the device in a package with an attractive inscription like “layoff/promotion list,” “bonus payment,” “report to the CEO,” and drop the bait in the parking lot of the target company’s office or in the hallway.
There are advantages to using the Rubber Ducky. With this device, you can download malicious scripts to the device along with legitimate files. When someone plugs the Rubber Ducky into a computer, it bypasses any data loss prevention tools (software or hardware solutions that prevent files from being moved off the computer via a USB drive, email, or a protocol such as FTP or SCP) because it impersonates a USB keyboard. If you use a regular USB drive, you may be stopped by the data loss prevention software installed on the victim’s computer. In contrast, the Rubber Ducky will open the file and deploy the payload (a script or tool that helps you achieve the desired result).
The Rubber Ducky Hak5 is a device with a microcomputer inside, housed in a case identical to a regular USB drive, that acts as a keyboard and can enter data into the system as if the user were typing it themselves.
Trash bins
Perhaps the least sexy social engineering technique is to rummage through trash cans or bags of trash collected from the target company's office, then take them off-site for analysis and information gathering. You can learn a lot about the organization and find exactly what you were looking for. Think about the things you throw away. Some of them are extremely personal. However, the trash bags may be filled with scraps from the office cafeteria that have no connection to company secrets.
For this type of reconnaissance, you will likely have to pretend to work for a trash company and make up a story to get to the local dumpster. Once there, the first step is to gather up a few bags of trash, take them outside the office, and quietly examine the contents.
You will probably want to wear gloves and a respirator when going through the dumpsters. You can even boost the local economy and hire high school or college students to do the dirty work. Take notes on what you find, read any written materials, and glue back together any torn up documents. What you find could be the final target for your infiltration, or it could be a stepping stone to something bigger.
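The Bait section notes that a Rubber Ducky gets past data loss prevention tools because it presents itself as a USB keyboard, which means an endpoint can inventory keyboard-class devices and flag the unexpected ones. The following is an added example, not part of the original post: it reads Linux sysfs interface descriptors and reports keyboards that are not on an approved list or that share one device with mass storage. The function names, the sample tree and every vendor/product ID in it are constructed for illustration.

```python
import os

HID, MASS_STORAGE = "03", "08"   # USB interface class codes
BOOT_KEYBOARD = ("01", "01")     # assumption: only boot-protocol keyboards are matched
ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return ""

def scan_usb(root="/sys/bus/usb/devices", approved=frozenset()):
    """Return sorted (device, reason) findings; `approved` holds (idVendor, idProduct) pairs."""
    seen = {}
    for entry in os.listdir(root):
        if ":" not in entry:     # interface entries look like "1-2:1.0"
            continue
        cls, sub, proto = (_read(os.path.join(root, entry, a)) for a in ATTRS)
        info = seen.setdefault(entry.split(":")[0], {"kbd": False, "storage": False})
        info["kbd"] |= cls == HID and (sub, proto) == BOOT_KEYBOARD
        info["storage"] |= cls == MASS_STORAGE
    findings = []
    for dev, info in seen.items():
        ident = tuple(_read(os.path.join(root, dev, f)) for f in ("idVendor", "idProduct"))
        if info["kbd"] and info["storage"]:
            findings.append((dev, "keyboard and mass-storage interfaces on one device"))
        elif info["kbd"] and ident not in approved:
            findings.append((dev, "keyboard not on the approved list"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sysfs-like tree under `root`; all IDs below are made up."""
    devices = {  # device -> (idVendor, idProduct, [(class, subclass, protocol), ...])
        "1-1": ("aaaa", "0001", [("03", "01", "01")]),                      # issued keyboard
        "1-2": ("bbbb", "0002", [("08", "06", "50")]),                      # plain flash drive
        "1-3": ("cccc", "0003", [("03", "01", "01")]),                      # unknown keyboard
        "1-4": ("dddd", "0004", [("08", "06", "50"), ("03", "01", "01")]),  # drive + keyboard
    }
    for dev, (vid, pid, ifaces) in devices.items():
        files = {f"{dev}/idVendor": vid, f"{dev}/idProduct": pid}
        for n, triple in enumerate(ifaces):
            files.update({f"{dev}:1.{n}/{a}": v for a, v in zip(ATTRS, triple)})
        for rel, val in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(val + "\n")
```

Vendor and product IDs are reported by the device itself, so the approved list is a triage signal rather than proof of identity.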