The business need for Social Engineering
Most businesses tend to focus on traditional security services and products such as firewalls, IPS, and anti-virus.
While each one of these technologies can help, they can all be taken of the equation by a skilled social engineer.
Many companies hire social engineers to test their security.
They mimic attacks and help companies prevent the danger of being hacked.
According to business insider, they make between $84,000 and $135,000 on average.
Information is king.
And here are the best tools that will help you learn more about your target:
The Corporate Website
When searching for information for any business, their web presence is a good place to start.
So, what kind of information can be useful for a social engineer?
Purpose: Knowing what a business does, and how it operates can give you ideas on impersonating a staff member or even make a guess about the systems they use.
It can also provide hints on how much resistance you will face during an on-site visit.
For example, if the company is dealing with government or military agencies then you will face highly trained individuals.
Clients: Often, organizations publish a list of clients on their website. And this might be a perfect pretext for a call.
Calling the help-desk while impersonating a client will probably help you get useful information.
Employees: Most of the websites have blogs or news articles written by employees. You can also search on LinkedIn to find exactly what they do.
Photos: A photo of ID badges can help you recreate a new one.
Websites and Tools
The Harvester: This tool finds email addresses, employee names, hosts, and sub-domains. It’s included in Kali Linux by default.
suip.biz: It generates domain variations for URL hijacking and phishing.
SpiderFoot: It is an open-source tool that provides a wide range of information such as web servers, netblocks, email addresses…
You can download the program from the official website for Windows or Linux.
To run a new scan, you need to provide a name, a target, check the modules and click “Run Scan”.
An example of the information you can find:
FOCA stands for Fingerprinting Organisations with Collected Archives.
A group of Brazilian hackers created FOCA in 2010 and it’s the best tool we have so far to find metadata and hidden information in the documents.
Now go to Elevenpaths.com and download it.
After extracting the file, go to the “bin Folder” and then open the FOCA application file.
Click “New Project” and fill in the details- name, domain, the folder where you want to save it, and click Update.
Now it will show you all the files and hidden information for that domain. You can also choose a file and download it on your computer. (Click on Image for a better view)
You can find more data that are stored and indexed by search engines. These methods are used by ethical hackers, security professionals, and black hats…
Let’s see if we can find phone numbers about the professors at MIT.
On the front page, we see this number- 617 is the area code and 253 is the phone exchange prefix used by the University.
Now we search, intext: 617253
Often you’ll find the phone numbers and email addresses.
You can also use Google Advanced Search
Google Search operators: Using these operators can help you find exact information.
Google Hacking Database
GHDB was started by Johnny Long, who also wrote many books on this topic. It is a compiled list of common mistakes web/server administrators make, which can be easily searched on Google.
It’s commonly used by social engineers to collect sensitive and non-sensitive information.
And it has two key elements:
1. Plausible situation
The SE designs a sequence of events to not raise suspicions.
The plausible situation includes the SE to play a role much like an actor.
You should consider:
– The body language
– What equipment would carry on?
– How well-spoken they can be?
– What sort of vocabulary they would use?
– What kind of accent? But you need to really be an expert on this one because a weak accent will raise suspicions and it’s also insulting.
– What skill sets would this person have?
If you don’t think about these basic elements, then you will fail.
The inconsistencies in the impersonation will probably draw attention. And it will lead to a validation check.
They can ask you to provide contact or photo identification. Of course, you need to have a backup plan if that happens.
This technique is easy to understand but very difficult to make it work.
You apply pressure to the target in the form of a negative emotional state then you present a clear solution that would remove the emotion.
We want to trick an employee into browsing to a malicious website.
Pressure: The receptionist is contacted by the IT department, who says “Hi Anne, unfortunately, we’ve detected that the computer you’re working on has been used to browse, well let’s say… indecent websites?”
Normally, Anne will say something like, “How dare you! It wasn’t me”.
Solution: We respond with “Hmm… well there are filters that should block any sites like that, perhaps your PC has been compromised? Could you browse a few company sites for me so I can check the traffic and find out what’s going wrong?”
Working at the target company
If you can get a job at the target company, then everything becomes easier for you.
Often social engineers apply for a cleaning role which has two advantages.
First, it doesn’t require any specific qualifications.
Second, it is very unlikely for a business to do thorough research on applicants due to the low privileges of that job.
The irony is that the cleaners have more access to the building than other employees.
I understand that it will take a great deal of time but the payoffs are high and the risk is low.
Experts say that most of the security breaches happen because of human error.
Often the breach won’t be intentional but sometimes it is.
An employee might hold grudges against the company and they might have no choice but to stay there. And the managers might not know this.
An unhappy employee can be a great help for the attacker.
They could establish network backdoors, provide legitimate passes or give business data to the attacker directly.
You can meet with employees in smoking areas, local cafes, or even on public transport they take.
Then you can start a conversation and focus on work-life in general.
It’s sending emails to someone with the purpose of seeking unauthorized access.
For example, you can target someone who deals with a large volume of e-mails daily, such as a recruitment consultant.
You can send an email having a malicious CV attachment.
They receive similar emails regularly and are more likely to open it.
You can state that you’re looking for a job and ask your CV to be kept on record in case a position becomes available.
Or if you need to send a phishing email to someone in the sales department, then your bait could be a promising lead.
I don’t have time to follow up this lead so do you want it? The client is very interested in our services. And it sounded like a great opportunity.
If the bait is good enough, the target won’t think about the legitimacy of the message as long as the rewards are too good.
It’s simply going through the target’s trash looking for information that might be useful:
Employee info: Any information that can help the attacker pretend like an employee such as name, department, and employee number.
Network Maps: Information about the structure of the internal network can be very valuable such as IP addresses and ranges, server names, operating system, distribution and vendor names.
Billing documents: It reveals the clients. And you can pretend to be a business partner or a client.
Signatures: Especially those of CEOs, department heads, accountants and office managers.
Shredded Paper: When the paper is fed into the machine and it wasn’t mixed then the paper strips stay in proximity to one another.
On the other hand, shredded papers from different documents can be more difficult to put together and it takes lots of time.
But you can use “The Unshredder” – A commercial document reconstruction tool.
Electronic Media: USB, DVDs, old Hard Drives, CD, Floppy disks.
In most places in the US and UK, you can go through the trash cans without worrying about breaking the law.
However, most corporate dumpsters are located in private land.
They might not have strong security but you should treat it seriously.
Your goal should be to get in and out as fast as possible.
Bring a couple of large bags, take what you can carry, and do the analysis somewhere else.
Tailgating is following an authorized person into a building.
Here’s a real-life example from the excellent book “No tech hacking” by Johnny Long.
Years ago, I was tasked with a physical assessment against a state government facility.
The facility was split into two areas: an open area for public and one restricted area for employees.
Both areas were connected but there was an armed guard. The front door of the restricted area had also one guard.
To make things worse for my team there were armed guards in marked vehicles patrolling the parking lots.
We’re discouraged by the heavy security until we saw a group of employees chatting while having a smoke.
I immediately knew we had found our way in.
We headed to the nearest gas station and bought a pack of cigarettes and a lighter.
I was prepared to come in as a phone technician. I wore a white T-shirt with a phone, wore cruddy jeans and work boots. And I had a company badge clipped at my collar.
Now approaching a group of smokers would have been a bad idea. If they watched me coming from the parking lot, they would consider me an outsider.
But, If they came out of the building and find me there, they would assume I had come out of the building for a break.
After the group of smokers headed back inside, I hurried to the side of the door and lit up a cigarette.
Then two employees came out and were conversing to each other.
I nodded casually and joined their small talk. They were talking about company politics and I was making sure to blow up the smoke to convince them I am a smoker.
I grunted about how the phone system had been acting out lately. They laughed and agreed.
As they put out the cigarettes, they swiped their badges to return inside.
I did the same thing and held the door open for them. They thanked me for the kind gesture and I filed right behind them.
4 famous social engineering attacks:
1. The RSA breach
In 2011 attackers were able to access highly restricted areas of RSA’s network.
They were able to hack RSA by combining social engineering and hacking techniques.
At first, they sent phishing emails to low-privileged staff members of RSA containing an MS Excel attachment labeled “2011 Recruitment Plan”.
Four employees opened the attachment. Obviously, it was malicious and also exploited a flaw in Adobe Flash.
And it created a backdoor onto the recipient’s computer.
This allowed the attackers to go farther into the network and gain access they needed.
2. Sony Pictures
In 2014, Sony Pictures was preparing to release The Interview, a comedy about two men trying to assassinate the leader of North Korea.
Then a group of hackers called The Guardians of Peace were able to hack the company network and were in possession of 100 terabytes of stolen data.
It began when several Sony executives got an email that requested they verify their Apple credentials.
The attackers had checked executives’ LinkedIn accounts and guessed that one of them used the same password for both Apple and Sony accounts.
It was probably the largest corporate hack in history.
3. Associated Press Twitter Account
In 2013, the Syrian Electronic Army hacked the AP Twitter account.
An email was sent to the employees of the AP that appeared to be coming from other employees of AP.
It included a link where they entered login information for the twitter account. Then the group posted a tweet stating:
The tweet was public for only 3 minutes but it had a big negative impact on the financial market.
DOJ dropped 150 points and Standard & Poor’s 500 Index lost more than $136 billion.
4. The Buckingham Palace breach
On 18 November 2003 President George W Bush visited Buckingham Palace.
The Royal Guard and the US agents believe they have taken every precaution to ensure the trip runs smoothly.
Every branch of British security is involved to protect the President.
Every rooftop that might help a sniper is checked.
They had told officers to look out for anyone acting suspiciously.
And inside the palace, there are armed guards.
In the evening, the Queen, the US president George W Bush, and PrimeMinister Tony Blair will eat dinner together.
The security is at the highest level, except for a minor detail…
Two months before, Ryan Perry a journalist from Mirror, was able to find a job as a footman after replying to an advert on the official Buckingham Palace website.
He provided fake references on his CV and didn’t mention he was a journalist.
During these two months, no one checked his background.
And he could walk freely around the Palace taking pictures and serving food.
Ryan commented that “Had I been a terrorist intent on assassinating the Queen or President George Bush, I could have done so with absolute ease.”
Obviously, this wasn’t an attack, but it’s an interesting story- how a journalist found a flaw in one of the most secured buildings in the world.
Social Engineering Penetration Testing by Gavin Watson, Andrew Mason and Richard Ackroyd
More helpful guides: