SCT Topic 7: Social Engineering

Strategies and Principles

“The easiest way to get the information you want is always by asking the victims themselves:)”

Definition: Social engineering
Social engineering is the practice of manipulating people into revealing confidential or sensitive information about the organisation, or to perform certain actions, such as:
  • open an infected attachment via email
  • click on a URL of a compromised website
  • divulge information over the phone

Instead of utilising the vulnerabilities we have seen previously, social engineering relies on non-technical strategies to exploit the weaknesses of human psychology.

It is very similar to some marketing practices, which often involve ‘acting skills’: it requires social engineers to be confident in themselves, and this confidence then naturally transfers psychologically to the victim as well.

“Pretending not to be afraid is as good as actually not being afraid.” — David Letterman

Key principles

There are six key principles of influence, identified by Professor Robert Cialdini, Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University, that correspond to human behaviours heavily exploited by social engineering. They originally come from marketing.

Principle 1: Reciprocity
People tend to return a favour.

People usually do not trust a free lunch; they are more willing to accept the benefit if they can also do the attacker a favour in return.

Principle 2: Commitment and consistency
People are willing to honour the ideas and goals they have committed to that fit their self-image, e.g., particular charity activities, recycling, vegetarianism.

This is a mental shortcut we use to simplify our decision-making: we use a past decision as a reference for subsequent related choices. Consequently, we act in ways that are consistent with our initial action or thought, so that when we commit to something or someone, we stick to it.

Principle 3: Social proof/consensus
People tend to follow the crowd.

For example, if attackers can convince the victim that their colleagues, friends or family have already done it, the victim will be more willing to click the malicious link.

Principle 4: Authority/intimidation
People tend to obey authority figures, even if they are asked to perform objectionable acts.

The attacker can try to impersonate a senior member of the victim’s organisation, or someone from a government organisation, whom the victim may not know personally.

Principle 5: Liking/familiarity
People are more easily persuaded by people who seem familiar to them.

The attacker could establish a link with the victim by using their first name or nickname, or by bringing up topics the victim may be interested in (e.g., hobbies, sports).

Principle 6: Scarcity/urgency
Perceived scarcity will generate demand, and it may induce urgency in the victim.

In this kind of scenario, the victim can more easily lose their judgement, for example under a time-limited demand of work from the boss.

Attack Phases

Reconnaissance Phase

Aims to
Appear credible and lure the victims into revealing sensitive information or performing dangerous actions.
Goals
Learn about roles or key figures in the organisation, find organisation contact details, and finally choose victims.

Passive and active reconnaissance can be used to identify hosts, networks, and users of interest; see the previous post about reconnaissance for more details.

Victim Approach Phase

  • Goals?

    Establish a confidential relationship/feeling between the attacker and the victim, by exploiting:

    • The victim’s exact position in the company
    • Nicknames known only inside the company
    • Praise for the victim’s role (e.g., knowing what they do)
    • Membership of some mailing list
    • The victim’s personal interests
  • Who?

    Usually not senior members, but people closely tied to them (e.g., secretaries, collaborators)

  • Where?

    Phone, e-mail, social network (rarely done in person or face to face)

  • How?

    Spear phishing : ‘Spear’ distinguishes it from traditional phishing, because the message is crafted for a specific victim. Send a targeted email to the victim to lure them into clicking a link, opening an attachment, or revealing some sensitive information.

    Vishing : Make a voice phone call to lure the victim into believing there is a demand to reveal sensitive information or perform attacker-desired actions. The attacker could impersonate a manager/senior member of the organisation, or pretend to be a colleague in need, relying on Principle 4: Authority/intimidation.

    Smishing : The attacker chooses the most trusted communication method and sends a text message to the victim.

    Tailgating : Instead of getting information from the victim as in the previous strategies, tailgating aims to enter a restricted area. It can be achieved by following people who have access, or by pretending to be someone with access, for instance a courier.

    Quid pro quo : The attacker offers something in exchange for following his orders.

    For example, the attacker may call the victim and pretend to be a technician, then convince the victim to follow commands that grant him access or lead to malware installation.

    Occasionally, the attacker may already have pre-installed malware that slows down the PC, then contact the victim offering to help.

Watering hole attacks

https://www.ncsc.gov.uk/collection/supply-chain-security/watering-hole-attacks

A watering hole attack is a social engineering attack that aims to compromise websites frequently visited by the target organisation in order to distribute malware.

The name comes from predators that wait at a watering hole for the prey that will come there to drink.

  1. Find a target organisation or group
  2. Find the websites they frequently visit or view
  3. Find weaknesses in these websites
  4. Inject scripts that trigger a drive-by download attack
  5. Victims visit the website and trigger the download
  6. The malware could be a Remote Access Trojan that gives remote access to the target’s system

Countermeasures

The core of social engineering is people, so companies need to run regular security training for employees in all roles, to make them aware of the strategies attackers use.

Some checks to detect whether you are being targeted by social engineering include:

  • asking for the correct spelling of their name
  • asking for a number where you can return the call
  • asking them why they need this information
  • asking them who has authorised the request and let them know that you will verify the authorisation.

In general, if you suspect a social engineering attempt, report incidents immediately to the company’s security teams. Be skeptical and aware of risks.

Look out for emails with urgent requests for sensitive information or delicate actions, and for typosquatted e-mail addresses.
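Two of the warning signs above (urgent requests for sensitive information, and typosquatted sender addresses) are easy to turn into a first-pass triage script. The following is an added example, not code from the original post: it folds homoglyphs and accents out of the sender domain, compares it against a constructed list of trusted domains by edit distance and substring, and scans the subject and body for urgency and sensitive-request phrases. The trusted domains, the term lists and the three sample messages are all constructed for the demo.

```python
"""Triage helper for two e-mail warning signs from the notes:
urgent requests for sensitive information, and typosquatted sender domains.

Added example, not from the original post. TRUSTED_DOMAINS, the term lists
and SAMPLES are constructed for the demo; tune them to your organisation.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
import unicodedata

# Constructed: domains the organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Phrases that signal Principle 6 (urgency) and a request for something sensitive.
URGENCY_TERMS = ("urgent", "immediately", "within the hour", "asap", "final notice")
SENSITIVE_TERMS = ("password", "wire transfer", "gift card", "bank details", "verify your account")

# Look-alike substitutions a typosquatter commonly relies on (rn -> m, 0 -> o, ...).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Fold accents, case and homoglyphs so look-alike domains compare equal."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for src, dst in HOMOGLYPHS:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typos such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike of <trusted>' or 'unknown'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Trusted name buried inside a longer attacker-controlled name
        # (example.com-secure.net), or within edit distance 2 after folding.
        if trusted in domain or levenshtein(norm, normalise(trusted)) <= 2:
            return f"lookalike of {trusted}"
    return "unknown"


@dataclass
class Verdict:
    sender_domain: str
    domain_status: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def triage(message: dict) -> Verdict:
    """Score one message (keys: from, subject, body) against the warning signs."""
    _, address = parseaddr(message["from"])
    domain = address.rpartition("@")[2]
    verdict = Verdict(domain, classify_domain(domain))
    if verdict.domain_status.startswith("lookalike"):
        verdict.flags.append("lookalike-sender")
    text = f"{message['subject']} {message['body']}".lower()
    if any(term in text for term in URGENCY_TERMS):
        verdict.flags.append("urgency")
    if any(term in text for term in SENSITIVE_TERMS):
        verdict.flags.append("sensitive-request")
    return verdict


# Constructed sample messages: two lures and one ordinary internal mail.
SAMPLES = [
    {"from": "IT Helpdesk <helpdesk@exarnple.com>",
     "subject": "URGENT: verify your account",
     "body": "Your password expires within the hour. Reply with it to keep access."},
    {"from": "Alice <alice@example.com>",
     "subject": "Lunch on Friday?",
     "body": "Shall we try the new place by the station?"},
    {"from": "The CEO <ceo@example.com-secure.net>",
     "subject": "Need this done immediately",
     "body": "Buy five gift cards and send me the codes, I am in a meeting."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = triage(sample)
        state = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.sender_domain:25} {v.domain_status:25} {state:10} {v.flags}")
```

Keyword matching like this is only a prompt for the human checks listed above (call back on a known number, ask who authorised the request); a message from a trusted domain can still be a lure if that account has been compromised, so a clean verdict is not a guarantee.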
