Social Engineering
A nontechnical type of attack in which the attacker tries to get the victim to reveal information or violate a normal security practice through some form of human interaction. To put it simply, instead of targeting the computer, target the user.
Social engineers study human behavior and learn about people's personality traits; they are able to read body language and can even listen for clues in a person's voice.
Social engineering can take many forms:
Phone, email, and SMS phishing for credentials or access
Impersonation of vendors, staff or other trusted individuals
Dumpster diving
USB thumb drive drop
Why does Social Engineering work?
Humans by nature are trusting and wish to help people in need. This issue cannot be fixed using technology, and depending on the skills of the social engineer it may not be easy to detect. Another reason social engineering can succeed is a lack of policies or a lack of employee training.
Phases of Social Engineering
Research
Gather details about the target:
Dumpster diving
Phishing
Websites
Employees/coworkers
Company tours
This relates back to OSINT (open-source intelligence).
Develop
Get closer to the desired target (a specific individual or a group).
Form a relationship with the intended victim; this helps to build trust.
Exploit
Exploit the relationship and get the desired information.
Complex
This seems like a complex process, but it doesn't always need to be. It could be as simple as crafting an email to an intended target or dropping a USB drive labeled "Employee Payroll Data." People are trusting and want to help, so they might open a well-crafted email that appears to come from a higher-up asking for help. They might just reset that password for you, or someone might want to know what their coworkers are earning and plug that USB drive into their computer, launching malware and giving you access.
Passwords
You can try to crack a password, but isn't it easier to just ask for it? This is where social engineering comes into play.
Preventing Social Engineering
Any of us can be a victim of social engineering, and we want to prevent this to help protect our data. The best way to avoid becoming a victim is to be aware and to know what information about you is already out there.
Be careful what you post on social media. People post all sorts of information:
Personal information
Photos
Location
Friends
Business Information
Likes/Dislikes
This information can help someone build a profile of you and understand who you are.
Social Engineering Tool Kit (SET)
SET is an open-source penetration testing framework created for social engineering attacks. SET provides a vast number of social engineering attacks that can be used to assess the security awareness and resilience of a company or organization. This is a tool you should become familiar with, and luckily we will gain some experience with it while performing a lab.