Social Engineering Penetration Testing – Part II (Attack Vectors)
Social Engineering – Attack Vectors
The target is manipulated into believing that the attacker represents a legitimate source. The victim receives emails from a fraudulent sender that appears to be a prominent source, sent with the intention of obtaining personal or professional information. For example, an email attachment may execute malicious content such as malware, Trojans or RATs on the computer, or a mirrored website may deceive the victim into handing over personal information. Attackers have evolved and have identified numerous ways to approach the victim and lure them into traps.
URL and Email Manipulation
It is general human behaviour to trust emails or messages that appear to come from a trusted entity or that look like they come from a legitimate source. Attackers take advantage of this: they manipulate the victim by supplying an email or URL that appears to come from a reputable source and lure them into the trap. A normal user may not pay attention to the details of an email or URL apparently provided by a trusted entity, so the probability that they can tell what is safe from what is not is very thin. By registering domains that resemble the legitimate entity's, the intruder fakes the email or website and traps the victim by spoofing the legitimate one.
Familiar Phishing Vectors
Attackers maintain the image of a trusted entity; most often they pose as a representative of one of the following institutions, or of a common service consumed by end-users:
• Customer Support / Technical Support
• Financial Institutions
• Government Entity
Attackers also take advantage of force majeure events, public events, current affairs and charity foundations. By assuming these identities, or representing an entity, event or domain in which the victim has an interest, malicious intruders use the opportunity to exploit them.
A refined technique that aims at a specific group of victims, with custom email content intended only for those targets, is known as spear phishing. This focus group has something in common, or has access to specific content or information that the attacker is interested in. The attacker spends a considerable amount of time on OSINT (open-source intelligence) to mine and profile the victims down to the smallest piece of available information. They profile and dig deep into the victims' social media and make direct and indirect contact posing as a known ally, without raising any suspicion. Using the information collected, a carefully crafted email that articulates and favours the interests of the victim makes this method highly successful.
The target audience in whaling is mostly an organization or an institution. It is a targeted and focused attack engineered to "phish" a high-value individual, and if the phishing succeeds, the entire business is jeopardized. The victim is chosen specifically because of the access or authorization they hold within the system.
Whaling attacks are more complicated and exhausting because of their secrecy, the nature of the target, and the fact that there is only one attempt to phish. The attacker spends a serious amount of time researching and profiling the potential interests of the victim(s) in order to develop, cultivate and craft the right phish for the intended target. The attacker's ultimate goal is to phish the target and leverage the resulting information or access, and they are determined to stop at nothing, irrespective of the amount of heat they have to go through.
Vishing focuses on extracting information from, or persuading, the victim via the telephone. The purpose of vishing is to elicit valuable information that can compromise an organization by misusing someone's readiness to help. The attacker spoofs or forges their phone number to that of a trusted entity and pretends to be an authority, support staff (technical or customer support) or a fellow employee. Sometimes they even use voice modulation devices to build credibility and conceal their identity while eliciting delicate and sensitive information. Vishing is a commonly used technique in corporate espionage and has proven to be one of the most successful techniques for gaining the information required to penetrate an organization or institution.
Unlike all the other methods, in impersonation the intruder pretexts as another person with the intention of gaining valuable information or obtaining access to an individual, an organization or a computer network. A large amount of research, planning and reconnaissance is required to impersonate someone. The most common attack vectors are to impersonate a delivery person or a customer or technical support representative.
Someone dressed in the right uniform, carrying credentials identical to those of a reputable local or international parcel or postal service, is admitted to most areas of an organization with few questions asked. In the same way, an intruder posing as technical support staff can gain physical access to computer systems with no questions asked, which can have disastrous effects on an organization.
SMiShing traps the target through text messages (SMS) that push them to download and execute malware, open a malicious website or call a fraudulent phone number. The messages are worded in such a way that the victim acts without thinking twice and ends up supplying classified or personal information to the attacker. SMiShing leverages human fear or greed, for example a message from a legal or financial institution, a discounted holiday package, a lottery win or an award.
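Two of the vectors above, look-alike domains in emails or URLs (URL and Email Manipulation) and links delivered by text message (SMiShing), can be triaged with the same defensive check. The following Python script is an added example written for this page, not code from the original article: it compares the registered domain of a sender address or link against a trusted list after folding punycode (IDN) labels, accented characters and digit/letter confusables, and it flags a display name that carries a trusted address while the real sender sits elsewhere. The trusted-domain list, the confusable map, the edit-distance threshold, the last-two-labels rule for the registered domain and every sample message are constructed assumptions for the demo.

```python
"""Look-alike domain triage for e-mail senders and URLs found in SMS text.

Added example (not part of the original article). The trusted-domain list,
confusable map, thresholds and all sample messages are constructed.
"""
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: domains this organisation genuinely uses.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Constructed, deliberately small confusable map. A production filter would
# use the Unicode confusables table instead.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumption: edit distance at which a domain counts as a look-alike.
MAX_EDIT_DISTANCE = 2

# Matches URLs in free text; the scheme is optional because SMS links often omit it.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registered_domain(domain: str) -> str:
    """Naive registrable-domain extraction: keep the last two labels.
    Demo assumption; real code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def fold_domain(domain: str) -> str:
    """Collapse the tricks used to build look-alikes: punycode (IDN) labels,
    accented characters and common digit/letter confusables."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")   # xn--... -> Unicode form
    except (UnicodeError, ValueError):
        pass                                   # already Unicode, leave as is
    d = unicodedata.normalize("NFKD", d)       # 'ä' -> 'a' + combining mark
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for confusable, plain in CONFUSABLES.items():
        d = d.replace(confusable, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'trusted' only on an exact registered-domain match of the raw name;
    'lookalike' when the folded name matches a trusted domain, is within the
    edit-distance threshold, or embeds a trusted brand label
    (e.g. example-bank.com.evil.net); otherwise 'unknown'."""
    raw = domain.strip().rstrip(".").lower()
    if registered_domain(raw) in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold_domain(raw)
    folded_reg = registered_domain(folded)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (folded_reg == trusted
                or edit_distance(folded_reg, trusted) <= MAX_EDIT_DISTANCE
                or brand in folded):
            return "lookalike"
    return "unknown"


def check_sender(from_header: str) -> dict:
    """Triage a From: header: classify the address domain and flag a display
    name that shows a trusted address while the real address is untrusted."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    verdict = classify_domain(domain) if domain else "unknown"
    name_spoof = (verdict != "trusted"
                  and any(t in display_name.lower() for t in TRUSTED_DOMAINS))
    return {"address": address, "domain": domain, "verdict": verdict,
            "display_name_spoof": name_spoof}


def extract_hosts(text: str) -> list:
    """Pull hostnames out of free text such as an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url              # give urlsplit a scheme to parse
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def triage_sms(text: str) -> list:
    """Return (host, verdict) for every link found in an SMS body."""
    return [(host, classify_domain(host)) for host in extract_hosts(text)]


if __name__ == "__main__":
    # Constructed samples: a genuine sender, a spoofed display name, an SMS lure.
    for header in ("Example Bank <alerts@example-bank.com>",
                   '"support@example-bank.com" <attacker@evil.net>'):
        print(check_sender(header))
    print(triage_sms("Verify now at example-bank-secure.com/verify "
                     "or http://xn--exmple-cua.com/login"))
```

The raw address decides "trusted" and the folded form decides "lookalike" on purpose: folding first would turn `examp1e-bank.com` into the trusted name and wave it through. Tune the confusable map, the threshold and the registered-domain rule to your own domains before relying on the verdicts.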