The article is intended for white hats, professional pentesters, and heads of information security departments (CISO). Today, I want to share several methods of social engineering that can be used in targeted attacks, that is, in cases where a specific victim (person or company) is selected.
Targeted attacks take a lot of preparation time. In a mass attack it is easier to get several people to click your link, but mass attacks are poorly suited to penetration tests. A pentester cannot afford to rely on probability and scatter mousetraps across all employees of the organization in the hope that someone gets caught. One or two vigilant users will certainly notify the security manager, and the pentest will fail. Careful preparation is needed for each new company and infrastructure, and the social engineer's methods have to be non-standard.
Security rules are always written after the fact, so they are inert and offer weak protection against new threats. There is no longer any need to rob banks at gunpoint: today an email is enough to penetrate most organizations. Yet in many companies, even large ones, old stereotypes persist. They place great emphasis on physical security and consider digital security less important.
IT professionals never tire of repeating that social engineering is the biggest evil in the world of information security. At the same time, many “security guards” continue to believe that certain security software and a set of instructions written once for employees are enough to withstand hacker attacks.
This method of social engineering will not work on attentive employees, but if all users were attentive, social engineering would not exist at all.
For those who are used to checking what comes right after https:// when deciding whether a URL is safe, a link like this one will not lead anywhere good: https://firstname.lastname@example.org
All characters valid in URLs are documented in RFC 1738. The @ character is a special separator used when credentials for accessing the page are supplied directly in the URL. The intended form is https://<login>:<password>@<host>. So you can put anything before the @, and the browser will still send the user to the host specified after it.
Let's add to our URL several Arabic or Hebrew characters, percent-encoded from their UTF-8 bytes, so that it begins to look incomprehensible to a human and seems safe at first glance:
When you hover the mouse over the encoded URL, desktop browsers decode the characters and show the real link, but the Outlook email client and browsers on mobile devices do not.
You probably already know that the real file extension can be hidden by exploiting the Windows built-in limit on the displayed length of a file name. Something similar works with URLs. Malicious links, for example, may look like this:
Instead of eeee and nnnn, you can put keywords that are usually used on the original site.
In Firefox, such long strings are shortened in the middle, so the part containing hacksite.com is not visible; you see only the many characters that do not look suspicious:
Different browsers treat long URLs in different ways, and there are similar tricks for Edge and Chrome. The exact method is chosen once the victim's browser is known.
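A defender-side link inspection helper for the URL tricks above (the @ userinfo decoy, percent-encoded right-to-left characters, and over-long URLs), added here as an example and not code from the article. The length threshold and the sample links are constructed for the illustration.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

LONG_URL_THRESHOLD = 80            # constructed value; tune to the mail client's display width
RTL_CLASSES = {"R", "AL", "RLE", "RLO", "RLI"}   # Hebrew/Arabic letters and bidi overrides


def inspect_link(url: str) -> dict:
    """Return the host a browser would really connect to plus warnings about the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    # RFC 1738 userinfo: <login>:<password>@<host>. Everything before '@' is
    # never used for routing, so a trusted-looking name there is a decoy.
    if parts.username is not None:
        warnings.append(f"userinfo '{parts.username}' precedes the real host {host}")

    # Decode %XX sequences the way the browser does, then look for right-to-left
    # letters or bidi controls that make the decoded URL unreadable or reordered.
    decoded = unquote(url)
    rtl = sum(1 for ch in decoded if unicodedata.bidirectional(ch) in RTL_CLASSES)
    if rtl:
        warnings.append(f"{rtl} right-to-left characters in the decoded URL")

    # Long links get elided in the middle by some clients, hiding the real domain.
    if len(url) > LONG_URL_THRESHOLD:
        warnings.append(f"length {len(url)} exceeds {LONG_URL_THRESHOLD}; may be truncated in display")

    # Naive registrable domain (last two labels); no public-suffix list is used,
    # so treat it as a hint only.
    apex = ".".join(host.split(".")[-2:])
    return {"host": host, "apex": apex, "warnings": warnings}


# Constructed sample links illustrating the three tricks the article describes.
SAMPLE_LINKS = [
    "https://www.example-bank.test@hacksite.com/login",
    "https://hacksite.com/%D7%A9%D7%9C%D7%95%D7%9D/verify",
    "https://www.example-bank.test." + "eeee-nnnn." * 8 + "hacksite.com/account",
]


def triage(urls):
    """Inspect every link and return the results keyed by URL."""
    return {u: inspect_link(u) for u in urls}


if __name__ == "__main__":
    for url, result in triage(SAMPLE_LINKS).items():
        print(f"{result['host']:<55} {'; '.join(result['warnings']) or 'no warnings'}")
```

Run it over the links extracted from an incoming message; any entry with a non-empty warnings list deserves a second look before the user is allowed to click.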
If the victim holds an executive position in the target company, you can try to play on his sense of self-importance. A fake site is created and designed to look like a conference, business event, business forum, etc. Now you need to get the victim to visit that site. Why not send a paper letter? This way you bypass all the digital protection mechanisms, and even the neural-network firewall in the form of a secretary, because, in her opinion, her boss will not be happy if she throws such a letter in the trash.
The envelope and letter have a professional design. The content sounds very attractive: an invitation to take part in a high-profile event as a speaker or jury member, to receive a prestigious award, and so on. At the end of the letter, the recipient is asked to fill out the participant registration form, reached via a printed QR code or website URL.
The next several methods of social engineering are attacks on the organization that use information about the personal life of a particular employee. When it comes to protection against social engineering, everyone should follow the safety rules not only for the sake of the organization they work for but first of all for their own security.
If you are looking through a user's accounts on social networks, pay attention to where he has been on holiday recently. If you spot a hotel name, write on behalf of the hotel administration and demand a surcharge for a service. In the letter, add a note that the message was generated automatically and that replies must go through the form on the official website in the customer support section. After giving a fake link, invite the victim to sign in. Who knows, maybe he uses the same login/password on other sites.
If a potential victim prefers to fly Southwest Airlines, write that he urgently needs to activate an additional bonus-miles program to double his total number of miles.
Has the victim recently attended an event? You may ask him to sign in (via your link) to get additional important conference materials and a discount on participation in the next event.
So that the victim does not suspect anything after signing in, he can be redirected to a 404 page saying that something went wrong, or to the homepage of the real website.
Several phishing methods have been described here, and often this is enough. A real attacker, however, will not stop there and will use browser vulnerabilities and malicious files to infect the victim's device, but that is the technical part, not the social one.
Let's see how phishing can be used to gain access to an employee's online services protected by multi-factor authentication.
The employee is sent an SMS asking him to do something in his mobile carrier's self-service account. It is better to choose a frightening reason (or play on greed) so that the victim goes there right away and has no time to call technical support. You only need to know which carrier the phone number belongs to and supply a suitable phishing link. After gaining access to the mobile account, the attacker sets his own phone to receive SMS in the “Message Forwarding” section. Most mobile service providers offer flexible rules for setting up forwarding; for example, you can specify the time frames during which it applies.
Finally, I will provide some more tips:
1) Send a letter to a corporate email address of the target company, get a response, and see how the message is formatted. Then copy this design for your phishing messages sent on behalf of the company.
2) Having heard an answering-machine message saying that an employee is on vacation, you can write letters on his behalf to other employees (supposedly from a personal, non-corporate email) and make posts on social networks from his “secondary account.”
3) A new trend in social engineering is called Find Trap. The victim is given a piece of bait information and starts searching for additional details using search engines. The victim finds your website, since everything is designed so that your site appears at the top of the search results.
You probably know a lot about technical protection mechanisms against hacker attacks. Unfortunately, they are not enough. No matter what security technologies you use, they become meaningless if employees open suspicious attachments, click on phishing links, or use weak passwords. So it is crucial to train your employees systematically not to fall for the tricks of social engineers.
About the Author:
David Balaban is a cybersecurity professional writing for TechShielder.com. His key competencies include malware analysis, online privacy, and software testing. Additionally, he does his best to stay current with the e-threat landscape and keep tabs on the evolution of computer viruses.
With 15 years of experience under his belt, David knows how security works and how important it is to maintain privacy on the Internet.