Social engineering, as per Wikipedia, is the psychological manipulation of people into performing actions or divulging confidential information. In simpler terms, social engineering is taking advantage of a victim’s natural tendencies and emotional reactions. Social engineering is more interesting than it sounds! It involves various techniques including tricking the victim into sharing the OTP, Debit Card PIN, or their computer passwords. There have been attacks in the past where the attacker simply called up the data center, posing as a high-ranking official of the company, and manipulated the data center administrator into telling him the exact models of the servers residing in the data center.
Social engineering can be done at various steps of hacking, but typically, it is done at the time of information gathering or the reconnaissance phase. In the above example, the attacker may have likely got the server details like model number and maybe the operating system running on it. Once the attacker has this basic information, it is very easy to find the vulnerabilities in the OS and hardware using online sources like NVD (National Vulnerabilities Database) and CVE (Common Vulnerabilities and Exposures by Mitre).
In this article, we will briefly look at what is ethical hacking to set the context for social engineering, various steps of ethical hacking and then take a deep dive into various techniques of social engineering. We will have a look at some recent data breaches where social engineering was used and finally some tips to safeguard your organization and yourself from social engineering attacks.
Hacking is a word which raises eyebrows every time someone mentions it. A hacker is not a person with a hoodie, sitting in a dark room, with multiple screens in front of him. That is what we see in the movies, right? In real life, a hacker is an individual with deep domain expertise of the domain he works in. So a cyber hacker is a person with deep domain expertise on computers and related infrastructure like networks, servers, etc.
Hacking a cyber system would involve overcoming the security mechanisms deployed to protect the confidential data by exploiting various vulnerabilities present in the system or network and gaining unauthorized access to the confidential information.
To understand social engineering, we need to first understand the various steps of hacking. Any hacker would follow these steps in order to successfully penetrate a system.
Scanning – After the attacker has some basic details, he or she starts scanning the network and websites of the target much more intensively and gathers information like active hosts, OS running on them, open ports and others which could be used to launch an attack.
Gaining Access – Now the attacker has a lot of information like the IP ranges, key people of the organization, OS running on key servers, active hosts. The attacker will now use techniques to deliver a payload (the actual virus or a malicious code) to get into the network of the target. This is generally done by using some social engineering techniques like phishing.
Maintaining Access – This is the next step when the attacker has the access to the network and the system, and would now make sure that he has a persistent access to the resources. He would generally do this by creating a backdoor, which no one else is aware of. This backdoor will ensure that even if the main gate has been closed by the target, there is a back gate which he could use to maintain the access to the compromised system.
Covering tracks – Once the attacker is in the system and has access to all the data, his next step would be to remain undetected and anonymous. This would generally be done by deleting the logs and using a VPN or a Virtual Private Network to access the target network and systems.
Taking a deeper dive into Social Engineering
As we briefly discussed in the sections above, Social Engineering is getting information from the target by manipulating them. However, information gathering and social engineering goes hand in hand. Throughout this section, we will have a look at various techniques to gather information about an organization via online tools and social engineering methods.
With all this information, you will at least know the contact number and the address of company where the domain is registered.
Command Prompt (Terminal for Linux users) – You must be thinking why we are talking about a Windows utility. Try and do this on command prompt, “ping knowledgehut.com”. What do you see? 4 packets sent, 4 received, but you got the IP address of the website. This is a very useful information when you are targeting an organization.
You get an option to choose a name and email ID you want to send an email from. For demonstration purpose, you can use the name Alex Johnson, and the email ID firstname.lastname@example.org. You get advanced features like “reply to”, priority setting and even encrypting the email. What “reply to” will help us do, is, once the victim (whom we are sending this fake mail for a phishing attempt) replies, we get the mail in a legitimate email box (not a fake one!). This will ensure that the email sent looks like a legitimate mail even though it is a fake and you still get a reply.
This fake mailer is largely used by attackers to lure job candidates into sending fake offers from an email ID which looks authentic and seek money for jobs. Attackers can also send a legitimate looking mail from the company HR and ask the users to fill in sensitive information.
Temp Mailers – This is another tool on the internet widely used by attackers. This utility allows anyone to create a “temporary” email, which is valid for a very short duration (10 mins to 30 mins, depending on the website). You get an email address with a temporary inbox. People also use this to register on different websites where they do not want any promotional material landing in their personal mail boxes. Temp-mail.org is one such domain, you can find hundreds of such domains online.
What all information did you get to know about Anne from this image?
Possible security questions and answers (remember setting up a few security questions in your bank account or even FB account?)
Address: from the link!
When is the house vacant: 18th March 2016, Half term
Other miscellaneous information: changing house, marital status (divorced), two sons, etc.
Now you understand the humongous amount of information we have on our social media. Not to forget our regular social media updates, be it on Facebook, Instagram, Snapchat, Telegram or WhatsApp!
Fake Calling – Something very common these days, where you get a call from a person posing to be a bank official. They generally try to get the OTP or the One Time Password from you, Credit card or Debit card PIN or CVV. This is among the most common types of social engineering attacks and is commonly referred to as phishing attacks. They are categorized as frauds under law.
Phishing, as defined by Wikipedia, is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. It is generally done by using one or more techniques we discussed above. Let us take a few examples:
Cybersquatting is a fraudulent act of registering, selling or using a domain name which has resemblance to a known brand with an intent of profiting using the name of the already established brand. For example, creating a website goggle.com which is similar to google.com. This could have a serious impact if you register a website as annazon.com (notice the double n) instead of amazon.com. They look alike in the first glance. Now imagine 20% of the traffic of amazon.com going on annazon.com. It’s a huge loss for Amazon!
Sending SMS on mobiles with links to upgrade the PayTM app or entering a lucky draw or even changing your “expiring” bank account. These links will either ask the victim to enter some confidential information like banking details or OTP or install an app or a software in the background. Now the installed app or software is designed to spy on the victim’s mobile device and send confidential information like SMS, photos, bank credentials, etc. to the attacker.
Simple answer is, not much. Social engineer, as the title of the article says, talks about exploiting the weakest link in security, which is us or the user. Unless the user is vigilant and aware, no amount of investment in the security tools and technologies can save the organization or the individual data from hackers. Organizations generally run Information Security Awareness campaigns, mandate the user to attend trainings, and even carry out phishing assessments. This gives the organization a direction to enhance its security program and train users to be better protected against cyber threats. As a part of this article, let us have a look at how we can detect a fake email.
Email header analysis helps us identify whether the mail is authentic or not. It is very simple to analyze an email header in Gmail.
1. Open the email for which you want to analyze the header. Click on “Show Original” as shown below in the image.
2. Copy the header to clip board.
3. Open and paste the header.
4. Click on analyze header. You will get all the details like email domain, sender, who will get the replies, SPF values, etc. Now you can actually know whether a mail was sent by an authentic domain or by a fake mailer service like emkei.cz!
fThe Sony Pictures Hack – November 2014
Social engineering, coupled with information gathering is one of the easiest and efficient way of doing reconnaissance. Attackers make use of these techniques to make sure they are equipped with enough knowledge before they carry out any attack. User awareness and due diligence is the only way to prevent an organization or individual from a social engineering attack.
Your email address will not be published. Required fields are marked *