Social engineering part 2 (human based attack)
Social engineering part 2 (human based attack)
ghost | 7401 Reads | - There are several types of Impersonation so I will list them and explain them.
- Think about this before you try anything.
- Real Life Example:You call random numbers at a company claiming to be calling back from technical support. Eventually you will hit someone with a legitimate problem. Them being grateful that someone is calling back to help them cooperates. You "help" solve the problem and in the process have the person type commands that give you access and/or launch malware.
Human based SE
Phishing:
I hope everyone knows what this is. but just in case you don't go to this link.
http://en.wikipedia.org/wiki/Phishing
You can use emails to gain information about a network or a person. Lets say you send an email to someone pretending to be Amazon.com saying their account is going to be deactivated unless they click on the link provided and update their credit card information. Once they click on the link they are sent to a fraudulent page where they unwittingly submit their credit card information.
This can be useful to gain information on the target such as SSN, DoB, Address, Full name, and Phone number.
Impersonation:
There are several types of Impersonation so I will list them and explain them.
Pre-Texting
Pre-texting definition:
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is typically done over the telephone. It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Example:
say you call a company and you want information about a person so you can use it against them. obviously the company is going to have security measures about to stop just anyone from accessing this information. if you have the persons SSN and their DoB you can do a lot as most companies in the US only require this. So if you call with this information you can most likely pretend to be them and gain further information about the person. this is not easy for some people to do as it require good bullshitting techniques.
Real Life Example:
A man calls a company help desk and says he's forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might even fire him. The help desk worker feels sorry for him and quickly resets the password unwittingly giving the person clear entrance into the corporate network.
This is a good example of using peoples good and caring nature against them.
In December 2006 the United States Congress approved a Senate sponsored bill making the pretexting of telephone records a Federal Felony with fines of up to $250,000 and 10 years in prison for individuals (or fines of up to $500,000 for companies).
Think about this before you try anything.
Quid pro quo:
aka something for something.
This is when you offer someone a service in order to gain what you want. Sometimes it is apparent and some time it is not.
apparent:
There a instances where you can come straight out and say "If you give me your password to your computer at work i will give you some chocolate" sorta like baiting them. This may be a dumb example but you can explore the possibilities of how to modify it to get what you want.
Not apparent:
Real Life Example: You call random numbers at a company claiming to be calling back from technical support. Eventually you will hit someone with a legitimate problem. Them being grateful that someone is calling back to help them cooperates. You "help" solve the problem and in the process have the person type commands that give you access and/or launch malware.
Reverse Social Engineering:
A more advanced method of gaining illicit information is know as reverse social engineering.
This is when a you create a persona that appears to be in a position of authority so that employees will ask you for information rather than the other way around
The three parts of reverse social engineering attacks are sabotage, advertising and assisting.
Just think of what you can do to a company if the people you are talking to think you are an administrator. you could tell them to do things that would be detrimental to the company and possibly make them lose money.
Curiosity:
You can take advantage of persons curiosity.
If you were to leave an infected disk or USB drive on the side walk, in an elevator, or in the bathroom and put a label on it that says something like Financial records 2007 or something creative. It is almost guaranteed that someone will be curious as to the contents of the disk or drive and put it on their computer not knowing they just ran a virus and now their computer is infected.
Example:You want to bring down this company. So you make a CD with malware on it and leave it in the bathroom on the floor. someone who works there picks it up and is curious as to the contents and puts the virus on their computer in the network. you now have a way in to doing what you want. But what if a good samaritan picks up the disk and turns it in to the front desk. Well if you have a creative label on the disk and perhaps some company logo the company might think it is their CD and it would be given to the appropriate employee or perhaps even an administrator of the company. In the end you win either way.
ghost 15 years ago
Curiosity killed the cat…. or network.
Aside from my poorly crafted joke, This was very good. I never knew that the people could be manipulated in such ways.
ynori7 15 years ago
pretty good. i get a lot of people from nigeria trying to use some of those techniques on me over yahoo, and south africans trying to phish me, but they're really bad at it. sometimes it's fun to turn it around and mess with them.
ghost 15 years ago
this was a pretty good read. I never thought about the curiosity one before but it's actually a pretty good idea.
ghost 15 years ago
Awesome article. I'd really like to see you produce more going into each of the topics you mentioned more in depth. :happy:
ghost 15 years ago
its hard to go into depth with SE becuase its so open. nothing is set so you can change everything.
ghost 15 years ago
But there are alot of elements to social engineering and psycological manipulation which can be applied over and over again. Even though the applications vary they come from the same roots. Good luck with future articles. :)
Uber0n 15 years ago
The last part (about curiosity) is an almost bulletproof method to infect other computers. If you want to target a special person, you can also send the disc to them in a mail (with a label like: your beta version of Doom 4, hot XXX videoz, company secrets etc)
ellipsis 11 years ago
About the last section. It's not really SE. It's an infection technique. And you don't even need to put an inviting label on the flash drive. An unlabeled flash drive is much more inviting than one with a label like "Financial records 2007." LOL! You leave it somewhere obvious in a place of business, like on the counter next to a computer. You could even give it to someone and tell them that somebody left it in the bathroom. A curious employee will check the contents and once that autoexec works its magic, your job is finished. You should also be aware of cameras if you are just going to drop and run. You can get away with the "somebody left this in the bathroom" thing only if somebody other than you and the employee used the bathroom before you presented your malware. So obviously, the best time to do this would be between afternoon and evening hours. Points being: use a normal flash drive without a label and be smart about your infection technique.