Certified Ethical Hacker - Part 8 - Social Engineering

by Riazul H. Rozen
Jan. 3, 2018

Social engineering

Social engineering is a method attackers use to gather valuable information from susceptible individuals. Personnel such as system administrators and help desk officers are the usual targets.


Attackers gain information in stages:

  • Reconnaissance. They discover everything they can about the company, especially whether it holds valuable information.
  • They select an individual target, typically a dissatisfied employee.
  • They gain the target's trust through impersonation.
  • They use that trust against the target.

Social engineering attacks are largely successful for a number of reasons:

  • These attacks are hard to detect because they exploit the human element. Security policies need to be strong to prevent information sharing, but people can undermine even the strongest policy.
  • The target is too trusting.
  • The target is ignorant of social engineering and the dangers it carries.
  • The target acts out of a sense of moral obligation towards the attacker.
  • The target is greedy and falls for the attacker's offer of a bountiful reward for doing nothing.
  • No software or hardware has been developed to tackle this problem.

Types of Social Engineering

There are numerous ways attackers could gather information. Communicating directly with the human target appears to be the most preferred, but other methods exist: mobile social engineering, which uses mobile applications to gain information, and computer-based social engineering, which uses computers.

Human Based Social Engineering Through Impersonation

This uses human interaction to gain information. The attackers impersonate someone with authority and legitimacy, after which they reach out to the target individual through communication channels such as phone calls and e-mail.


There are numerous ways in which the impersonation could work:

Impersonation Through Claiming Authorised Positions

Here the attacker could call help desk personnel and gain information from them. This works because the help desk personnel are required to help.

Claiming to be an authorised person also helps through a third party. Here the attacker obtains details about an authorised person, for instance a name, then calls the organisation to request information about the impersonated person on the grounds that this person authorised its release.

Impersonation Through Technical Support

The attacker impersonates the target company's software vendor and calls the organisation to request an employee's user ID and password.


Impersonation as a Repairman

The attacker could pretend to be a communications technician, gain entry to the company grounds and place a snooping device on the communications equipment. This is where the next type of human-based social engineering comes into play.

Human Based Social Engineering Through Eavesdropping

Here interactions between employees of the target company are intercepted and monitored over phone, e-mail or instant messaging.

Human Based Social Engineering by Looking Over The Shoulder

As the name implies, attackers watch employees while they work, in the hope of capturing information such as PINs, passwords, account numbers and so on.

Computer Based Social Engineering

Attackers gather information using pop-up windows that request login details, hoax letters that tell users on a site to download an anti-virus for a dangerous virus in their systems, chain letters that require the receiver to forward the message to a certain number of people for a reward, and spam mail (unwanted and unsolicited mail sent for the purpose of acquiring financial and other information).

Computer Based Social Engineering Through Phishing

An illegitimate mail impersonates a legitimate organisation to gain information from the target. This could be anything from an e-mail from a bank claiming the target's account has been hacked and requesting a password change, to a message from the target's social media account announcing a lockdown on the account and requesting account details to reopen it.

Attackers use these messages or pop-ups to redirect the user to a fake website to gain information.

Computer Based Social Engineering Through Spear Phishing

This is a concentrated phishing attempt aimed at one individual or a small group of individuals, as opposed to phishing, which sends hundreds of generic mails in the hope of a response. This attempt has a higher success rate.
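The two phishing signs the article describes, a sender posing as a legitimate organisation and a link that redirects to a fake website, can be checked mechanically on the receiving side. The following detector is an added example, not code from the article; the brand-to-domain map and the e-mail it scans are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand -> legitimate sender domains; a real deployment loads this from config.
TRUSTED_BRANDS = {"example bank": {"examplebank.com"}}
# Anchor regex is a simplification for this example; production code should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def _host(url):
    """Hostname of a URL or bare host name, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return indicator strings for a single-part HTML mail; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name claims a known brand but the address is not on that brand's domain.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in name.lower() and sender_domain not in domains:
            findings.append(f"display name '{name}' sent from foreign domain '{sender_domain}'")
    # 2. Visible link text names one host but the href leads elsewhere: the fake-website redirect.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR.findall(body):
        text = text.strip()
        if URL_LIKE.match(text) and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings

# Constructed sample in the shape the article describes: a "bank" claims the account was
# hacked and pushes the user to a look-alike site behind a disguised link.
SAMPLE = """From: Example Bank Security <alerts@examp1ebank-secure.net>
Subject: Your account has been hacked - change your password
Content-Type: text/html; charset=utf-8

<p>Reset your password now:
<a href="http://examp1ebank-secure.net/reset">https://www.examplebank.com/reset</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("FLAG:", finding)
```

Both checks are heuristics: a mail that passes them is not proven safe, and a legitimate mailer that uses a third-party sending domain will trip the first one, so results belong in a triage queue rather than an automatic block.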

Mobile Based Social Engineering Through Phishing With Malicious Applications

Attackers create apps with features similar to popular apps and place them on app stores. Once downloaded, these apps become a tool for gathering information.

Mobile Based Social Engineering Through Repackaging Legitimate Applications

The attacker downloads an app from an app store, installs malware in it and uploads it to a third-party app store. The user downloads the app, and the attacker is able to gain information.

Mobile Based Social Engineering Through SMS

The attacker sends a message pretending to be from an authorised party, for instance a financial institution. The message includes a phone number and asks the target to call it. When the target calls, the attacker extracts information.

Social Engineering Through Social Networks

Attackers can easily gain access to a target company through social media such as Facebook, Twitter and LinkedIn. On Facebook, the attacker could create a group for the employees of the target organisation, add a select few and begin interacting with them. It is important to put security policies in place to prevent employees from sharing company information on social media.

Identity Theft

This is the process of stealing a person's identity, i.e. name, credit cards, IDs and so on, for malicious purposes and without the knowledge of the target.

Social engineering can be carried out through identity theft by gaining access to the target's company ID. This enables the attacker to gain physical access to the target company.

The first step in identity theft is locating the target, then carrying out techniques such as dumpster diving and stealing mail to obtain items like electricity bills. The next step is creating a valid driver's license from the information gained in the previous step.

Once the attacker has the driver's license, other things such as credit cards can also be obtained. In a large company where security is lax, the attacker can also get a new company ID.

Preventing Social Engineering Attacks

A successful social engineering attack could cause a lot of damage to the target organisation, from economic losses to lawsuits, susceptibility to terrorism, loss of trust on the client's end and, most importantly, the closure of the company. The severity of successful social engineering attacks needs to be countered by preventive measures, and the methods to this madness include:

  • Ensuring the information accessible to employees is regulated and classified according to priority.
  • Training employees on the various attack techniques and how to prevent them.
  • Developing strong security policies.
  • Creating a guideline for how the company should respond in the case of a breach.

Published with the express permission of the author.