Introduction
You may have heard about phishing attacks, but what about social engineering? Don’t worry, they are essentially the same thing. Although people tend to use the two terms interchangeably, try not to get confused about what they are. Social engineering is the art of manipulating people into performing actions that benefit an attacker. In layman’s terms, it means tricking victims into doing something they did not intend to do, resulting in the attacker gaining some form of benefit. It is common for attackers to gain sensitive personal details, but in extreme cases this may even include financial information such as bank details.
Social engineering has always been a severe threat to the general public. This is probably the case because it requires human interaction. Some bad guys can be really good at it because of their confident and charismatic personality, and with accurate information at hand, they can make their case sound extremely convincing. This increases the chances of a victim falling for this kind of attack. I bet you have heard stories, or have experienced this yourselves in the past, where you get a call telling you that you were involved in a car accident and are eligible to make a claim. This is just a classic example; if I were a bad guy, I would tailor my approach to each individual depending on what kind of information I have on my target.
This does not stop at targeting individuals. In my experience, social engineering is very commonly used to gain a way into an organization’s internal network. In our industry, we call it an initial foothold. Once a bad guy gains an initial foothold on a corporation’s internal network, additional attacks can then be performed to further their campaign.
This blog post aims to shed light on the processes involved in a social engineering campaign, and on what you can do to help prevent this kind of attack.
Objectives Give Motivation
Let’s start with the objectives. Why would the bad guys do this? That’s a silly question Joseph, for financial benefit of course! It’s illegal, and a breach of the Computer Misuse Act. Nobody would want to put themselves at risk of being chased by law enforcement for no good reason, am I right?
For ease of explanation, I will split all my sections and examples into individuals and businesses. Although the motives and data reconnaissance methods are similar, the exploitation methods can be different.
Reasons for targeting individuals with this attack are pretty straightforward. Classic (but not exhaustive) examples are:
- Information an attacker has on you is enough to conduct a convincing campaign
- Someone has a massive grudge against you, and wants to cause you harm
- You are a high value target, either reputationally, or financially
- You are simply a stepping stone to get to someone or something else
As for motives in targeting businesses, they include everything mentioned above, with the addition of competitive advantage and the exfiltration of sensitive personal data. Competitors that have always been living in your shadow, or have always been following the trends you set, could try to gain an edge over you. They could aim for things like marketing plans, future business directions or even your latest product designs.
The other motive could be exfiltrating sensitive personal data: an attacker can look to leverage the information gained and subsequently perform phishing attacks against your customers. Your competitors could also try to steal your customers by offering them a better deal. They could sell the information off for a profit, or they could do a combination of everything mentioned so far. Who’s to stop them? We’ll never know, but either way, it would be a breach of the Personal Data Protection Act (PDPA), and it would cause your company a large financial impact via fines. My previous blog post has discussed this thoroughly.
Note that if an attacker is targeting your organization, this automatically puts every employee you have at risk. It only takes one single person to click on a phishing email, then download and run a program, to allow an attacker into your network. This could then allow the attacker to spread ransomware within your company network, encrypting all your files, crippling your business and demanding a large amount of money before they decrypt your files. Bear in mind that even if you pay the ransom, there is no guarantee that the bad guys will live up to their end of the bargain and give you the decryption key. SophosLabs did a press release in May 2020 detailing that the average cost of recovering from a ransomware attack for a company was $1.4 million USD if you paid the ransom demand, and $730 thousand USD if you didn’t pay. Hold on, why does it cost more if you paid the ransom demand? The press release also mentions that attackers normally encrypt your files with different keys. That way, you won’t be able to decrypt all the files with one single magic key. Taking this into consideration, decrypting your files will be a labor-intensive process that costs resources. Either way, your company will suffer financial impact, so there is no winning this, unless you have procedures and measures in place to ensure you don’t rely on paying ransoms in order to get your files back.
Scary, right? Even insurance companies are telling victims to pay the ransom demands. I promise I am not making this up; ProPublica published a report detailing this. This is all the more reason why you should do your very best to prevent this from happening to your organization. Additionally, you can even take the worst-case scenario approach, by making sure you are prepared when a ransomware attack does happen. How? We’ll discuss this in the recommendations section, so read on!
Reconnaissance Phase
I’m done with storytelling about how much harm a successful social engineering campaign can do, so let’s move on to some of the more interesting things. Reconnaissance has been, and always will be, the first thing to do in a social engineering campaign. The bad guys will turn over every stone they can find about their targets, mapping out their habits, interests, daily routines, who their friends and family are, personal details and contact information, and keeping it all well documented. After they have all the information they need, they will be in a position to launch the campaign.
How do the bad guys gather your information? This is obvious: it’s the Internet! This will include any accounts you have, from personal social media accounts such as Facebook, Instagram and LinkedIn to your email boxes like Gmail or Outlook accounts. For high-value targets, they may even look for news releases to learn about your involvement within the community. But Joseph, all of this just sounds like something a jealous boyfriend or girlfriend would know how to do, it’s nothing special! Great, you know how to Google search, but the websites you see and surf every day are what we call the surface web. This only covers approximately 4% of the Internet. The remaining ~96% is made up of the deep and dark web, where illegal marketplaces are hosted to sell drugs, guns, credit card details and anything else illegal that you can think of. Note that these websites are not indexed by well-known search engines such as Google, Yahoo or Bing, so you’ll never find them that way! It’s the whole Titanic iceberg situation here, illustrated in the image below.
A skillful and determined attacker will include searching the deep and dark web in their reconnaissance phase. Well, at least this is what I would do if one of our clients commissioned us to perform a social engineering campaign for them. I won’t be diving into this topic any further, otherwise I’ll be writing a bible. I might write another blog post to go through deep and dark net stuff, so keep an eye on our blog page if you’re interested.
Performing reconnaissance on businesses does typically include everything discussed above. However, it gets complicated, as we will need to draw a bigger roadmap to get into your organization, documenting more things, since every single employee within your company becomes a target. It is similar to what our Threat Intelligence service includes, with extra sections covering high-value targets in your company as well. These typically include members of the board and C-level employees.
I’ll let you in on a little secret we have in this industry. If you don’t already know, there are databases on the Internet that store leaked credentials. Some of them are available to the public so anyone can access them, and some require a subscription. So, for a small price you pay per month, you get access to collections of credentials that have been compromised in the past. Obviously, I am not going to tell you how to find them, because they are trade secrets, but you can always speak to us about our social engineering service if you are interested. That said, you could always Google it, and you’ll come across the haveibeenpwned website. This is a good website to find out if your account has been compromised; I would strongly suggest checking your staff’s email addresses and changing their passwords if the search result comes back as “Pwned”.
With all of that information in mind, imagine the damage an attacker could do if you became the target of a social engineering campaign.
Common Exploitation Paths
So, what happens after the bad guys collect your information? They’ll use it to their advantage and make their case sound so convincing that you think they are the official authorities. They know your siblings, your uncle or aunt, which area you live in, which gym you go to, and what kind of things you do during your free time. Here are some examples of social engineering:
Phone Calls
To date, the only data leak in Malaysia that made headlines worldwide is the one that happened in 2017. I have also discussed at length what kind of risks Malaysians could be facing in my previous blog post.
I am not going to point fingers here, but this goes out to the people who have bought property in the past. How do you explain the sudden rise in telemarketing phone calls you received from alleged lenders offering you loans at a “better price” after your success in purchasing a property? I’ll leave it to your imagination, but here’s a suggestion. If you think your personal data has been leaked or sold without your consent, feel free to report this to the official government portal. An investigation will be launched by the authorities and fines will be issued if the culprit is found guilty.
Emails
Performing social engineering via email typically involves sending you a link asking you to either log in at a portal, or install a program on your computer. The portal will be a fake one that looks legitimate, and the program will just be malware. As for the content of the emails, they are normally customized for each individual target, depending on what kind of information the bad guy has on you.
Email addresses are really easy to find nowadays. Every email you send and every action you take on the Internet leaves a digital footprint. These will be at risk, and the bad guys will be there to harvest them. This is even more so for businesses. There are numerous websites out there that offer services to find the email addresses of employees belonging to specific companies. Plus, the cyber security community has free and automated tools to collect this for us anyway, so any slightly technical bad guy could harvest these as well.
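As an added illustration of the email lure described above (this is not code from the original post), here is a small Python check a mail gateway or awareness tool could run over a message body: it flags links whose visible text names a different domain than the real destination, lookalikes of a trusted domain, and direct executable downloads. The trusted domain `example-bank.com` and the sample message are constructed for the demonstration.

```python
"""Flag phishing-style links in an HTML email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}   # assumed: domains the organisation really uses
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".js", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for links that look like social engineering lures."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Visible text that looks like a URL/domain must agree with the real destination.
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and not _under(href_host, text_host):
            findings.append((href, "text shows %s but link goes to %s" % (text_host, href_host)))
        elif urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, "direct executable download"))
        elif any(d.split(".")[0] in href_host and not _under(href_host, d) for d in trusted):
            findings.append((href, "lookalike of a trusted domain"))
    return findings


# Constructed sample body: one disguised portal link, one executable, one legitimate link.
SAMPLE = ('<p>Your account is locked. <a href="http://example-bank.com.login-verify.net/">'
          'https://example-bank.com/login</a></p>'
          '<p>Install <a href="http://cdn.example-bank.com/update.exe">the update</a>.</p>'
          '<p>Help: <a href="https://example-bank.com/help">help centre</a></p>')
```

Run `suspicious_links(SAMPLE)` to see the two flagged links; only the third, genuine link passes.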
Physical penetration tests
As mentioned in my previous blog post, cyber security does not end with technology. A physical penetration test is also a form of social engineering. It involves testing the physical security of your assets. If the bad guys wanted to get into your offices, their reconnaissance phase would include information gathering on your office layout. Offices in a shared building tend to be more at risk, since your landlord will publish blueprints of the office layouts to try to attract further tenants. It doesn’t have to be the blueprints of the floor your office is on; even information like where the corridors or stairwells are could be beneficial to them.
I don’t know about other penetration testers, but I tend to find this type of penetration test more exciting. It is probably because I’m more athletic than the typical computer geek you know, and I prefer being physically active rather than staring at my computer the whole day. I once applied for a job interview as a firefighter with a client of ours just so I had a legitimate reason to be in the building. Once the bad guys get into your office environment, they can do loads of things to further their campaign. For example, they can plug a network device into an ethernet socket. All they need to do is find one that no one is using and plug a network device in so they can connect back into your internal network after they leave the building. This is a classic way to get the initial foothold we were talking about earlier, but it is not the only thing an attacker can do. They could plant a listening device in conference rooms so they can listen in on confidential meetings, or drop USB keys everywhere and hope that somebody picks them up and plugs them into their workstations. That way, they can try to install malware or spread ransomware within your network. The conclusion is, if an attacker gets into your office building, they are already halfway to a successful physical penetration test. As for how they further their campaign, their creativity is the limit.
Some Recommendations
There is nothing wrong with being sociable and active on the Internet. It can get addictive, and I personally understand. However, be mindful of what kind of information you make available to your followers. The bad guys can use your social media presence to profile you. This includes learning about your habits, hobbies, where you live, where you normally go for meals, who your friends and family are, and the list goes on and on. This doesn’t stop at social media accounts; it includes email accounts too. Be aware of your surroundings when you check your emails. If someone is standing behind you in a coffee shop or on a busy bus or train ride, they can read all your confidential emails. Other than that, an obvious suggestion I’m going to give you is security awareness. Start questioning things if your daily routine looks different. Does your computer normally open a command prompt every time you log in? Does this email you received look suspicious? Is it asking you to install a program? What kind of information is some random guy who called you, claiming to be working for the authorities, asking for?
As for businesses, I mentioned in earlier sections of this blog post that you should always try your best to prevent your organization from falling victim to such attacks. How? Attack simulations and staff training can go a long way, which, by the way, we here at JJO Pentester can provide. These are our social engineering campaign and workshop services to help you improve your staff’s cybersecurity awareness. Alternatively, you could do a Threat Intelligence service with us to figure out what kind of information is floating around about you or your organization. We scour the Internet covering the surface, deep and dark web. If you are taking the worst-case scenario approach, assuming you have been hit by a ransomware attack, we have solutions for you as well. Get in touch with us and let’s start talking!
As a start, you could run your email addresses through the haveibeenpwned website mentioned earlier. It will tell you if your email accounts have been compromised in the past. If the search results come back as “Pwned”, I would highly suggest changing your passwords to make sure your accounts are safe.
Conclusion
Well, this is me trying not to give away too much, and it is time for me to wrap this up. There are too many elements that could affect the outcome of a social engineering campaign, all the more so because human interaction is a major part of it. I have mentioned this before, but I must stress it again: social engineering has always played a big part in the full compromise of even a well-established organization. Hacking doesn’t have to be an extremely technical thing. If you have done enough homework, you’ll know enough about your target to run a social engineering campaign. Now that you know more about social engineering and its risks, you must ask yourself some questions. How prepared are you to prevent social engineering attacks? Are your employees security-aware enough not to put your organization at risk?
If you are interested in finding this out, feel free to get in touch with us!
3 Responses
Hi there! Someone in my Facebook group shared this website with us so I came to give it a look. Alicia Gibb Denie
Absolutely pent content material, Really enjoyed examining. Gabrila Emery Thorma
After looking into a number of the blog articles on your web site, I seriously like your technique of blogging. Carolina Mychal Barbur