SOCIAL ENGINEERING CAMPAIGNS
- Phishing campaigns
- Physical penetration tests
Phishing Campaigns
This is a type of campaign in which malicious attackers continuously send scam emails to phish users. Depending on the outcome the attacker wants, this could range from creating a fake login portal to harvest credentials to asking victims to download malicious software such as ransomware. Harvested credentials could then allow attackers to log into the organization's intranet or mail portals, leading to an exposure of confidential information. Additionally, attackers who obtain valid credentials gain an initial foothold within the internal network and can perform attacks to further compromise the organization.
Phishing campaigns could also involve attackers making phone calls, posing as other employees within the organization and tricking victims for personal gain.
Physical penetration tests
This type of test involves human-to-human interaction, where our consultants will be sent onsite to the target organization. Our consultants will then perform an evaluation of the physical security of the company building. Attempts to break into the office area will be made. A successful compromise of the physical building will allow an attacker to install malicious appliances such as audio listeners in conference rooms.
In our many years of experience in this industry, most complete compromises of an organization started with social engineering campaigns. Because such a campaign provides attackers with an initial foothold within the internal network, lateral movement can then be performed to reach the ultimate goal of leaking the victim organization's information.
Defense mechanisms against social engineering campaigns have always been tough for organizations to implement. This is because social engineering campaigns rely on elements of human interaction to succeed. Although certain software configurations can be implemented to minimize the risk of this type of attack, the cyber security awareness of individual employees is the most important factor in fully mitigating the risks.