Written by Stuart Peck
In the previous blog post we
covered the fundamentals of social engineering, from Cialdini’s 6 Principles of
Influence through to how attackers leverage social engineering. In this article
we will cover the techniques and tactics used to profile a target using Open
Source Intelligence, and how this information can be used to generate highly
effective pretexts. We will also briefly cover some of the other types of social
engineering attacks. In the final article we will cover how you can detect and,
more importantly, protect yourself from a range of attacks that use social engineering.
What is OSINT?
To understand how
attackers build profiles on their targets, we must first dive into the
wonderful world of open-source intelligence or OSINT.
“Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term ‘open’ refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or collective intelligence.” - Wikipedia
There’s a saying that goes, “if you have
nothing to hide, you have nothing to fear.” The reality is that everyone has
something they want to hide from the general public or, more aptly, an attacker.
The key is identifying what form this information is in, how well protected it
is, and if compromised, what the personal / professional impact would be.
Attackers are constantly profiling targets,
looking for potential weaknesses in security and, from personal experience, it
can take less than 1 hour of online recon using manual and automated OSINT techniques
to gather enough information on a target to learn their:
· Full Name
· Location
· SSN / NI number
· Date of Birth
· Email Accounts and Passwords
· Mother’s Maiden Name
· Online Digital Footprint
· Employment Information
· Financial Information
· Mobile / Work Telephone Numbers
· Social Media Information / Posts
· Family / Friends / Colleagues
· Interests
· Work ID / Passes
· Online Usernames for Third Party Sites / Forums
Armed with the above information, a motivated attacker could do some serious damage – especially as many people reuse passwords, use the same email address as the login for multiple web apps, or use an email address / username that reveals something about them, such as their year of birth.
A lot of the aforementioned information can be gathered with ease using Google (or DuckDuckGo, Bing, etc.), but combined with a powerful set of open-source tools, the collection can be automated to run at scale, even where manual verification is still needed. Below is a diagram depicting the tools and methodology for performing recon on an organisation.
All this information is extremely useful in the hands of a skilled social
engineer, as it can be used to create a highly effective pretext or provide
context for building an ongoing campaign against an organisation and its key
employees / stakeholders.
What Is Pretexting?
Pretexting is a form of social engineering where the attacker uses
information already obtained through OSINT or other sources to build a
fabricated scenario to convince a target to disclose information or perform an
action that is not in their own best interest.
Capable social engineers will often convince their targets to perform
actions that enable the attacker to gain unauthorised access to information or
physical access to restricted areas of a building. There are many times where I
have gained unauthorised access to buildings in a range of industries such as
financial services, e-commerce, gambling, pharma, and retail by using very
simple pretexts and plenty of confidence. The key to good pretexting is in the
research conducted beforehand and looking / sounding the part; without this any
decent security guard or employee will easily see through the scenario and deny
access.
There are many case studies on pretexting, but the most notable is the cybergang
group Crackas With Attitude (CWA) who, in 2016, used social engineering to impersonate
their victims by calling their cell phone carrier using basic verification such
as the last 4 digits of the victim’s social security number. CWA were able to
gain access to sensitive information, including emails, using this to further
compromise their targets. In more than one case they accessed secret
information from the CIA and FBI, and even John Brennan’s (the then CIA
Director) personal email, and cell phone accounts. It was reported that the attackers
also leaked information about 20,000 LEA (Law Enforcement Agency) officers,
though this was never fully proven.
Although the attackers were caught and then subsequently prosecuted, it
shows how effective vishing using basic pretexting and OSINT can be, even in
the hands of high school kids.
Pretexting utilises most of the core principles of influence, but is weighted more towards Authority and Social Proof, which the attacker uses to build credibility with the target.
What is Baiting?
Baiting, as the name suggests, is used to exploit a target’s piqued curiosity; an attacker will offer something (usually free) to lure a victim into clicking a link or running a malicious application. Classic examples of baiting include USB drops or, more recently, competitions on social media where malicious apps are found to steal login tokens or cause information leakage. Memes are also used for baiting, as many popular memes found on the internet have been found to carry some form of adware or malware.
If it seems too good to be true, then it probably is.
Baiting is heavily weighted on the use of Social Proof and
Scarcity / Urgency to manipulate targets.
What is Quid Pro Quo?
In the simplest terms possible, quid pro quo means “something for something” in Latin; today this means the exchange of goods or services, or a favour for a favour, and it is the latter we will focus on in this article.
Today, quid pro quo is used in highly effective marketing campaigns,
especially at conferences, where exhibitors will offer free merchandise,
usually for the exchange of information (say, a business card or scanning a
badge - which will contain valuable contact information). The exchange is
definitely weighted in the favour of the exhibitor, but the attendee is still
getting what they want - the free t-shirt or some branded lightsaber (talking
from recent con experience here).
Social engineering scammers, especially Tech Support scammers, use quid pro quo to great effect. They call an unsuspecting victim and tell them they have a virus, but because they are “from Microsoft”, they can fix the issue. Usually this is either a free service, as the real objective is to drop a banking trojan, or there is a fee payable for ongoing “support” (because they “fixed” the non-existent issue). The victim (usually a vulnerable person) then feels obliged to pay for a service they never actually received.
I know of a close friend whose parents were scammed out of £25,000 using
a similar scam, but under the guise of a BT fraud department working with their
bank. They convinced the victims to transfer the money to a temporary holding,
so they could investigate the compromised router and to protect their bank
account which had been compromised; they felt obliged because the attacker
fixed an issue on the work laptop and router. It was a basic but convincing
scam; unfortunately, the money was lost and unrecoverable by the bank, even
when the victims finally realised the mistake and contacted the bank. The
scammers called for 2+ days even after they scammed the victims, still using
the same pretext.
Attackers using quid pro quo leverage the use of Reciprocity and Commitment in their attacks.
In Summary
There are many types
of social engineering attacks, such as phishing, spear phishing, whaling, and tailgating.
Each attack vector is highly effective given the right amount of research
conducted by the attacker. The attack surface for social engineering is huge
within most organisations. However, defending against these attacks relies upon
a fine balance between training, technology, and the correctly implemented
policies and procedures. This is a
subject that will be covered in detail in our final post in the series.