Engineering LibreTexts

10.2: Techniques of Social Engineering

  • Page ID
    91391

    In the vignettes above, did you notice that all but one of the examples required the attacker to get the target to install malicious software? One of the things that is so scary about social engineering is that you don’t necessarily need technical prowess; you just need to be good at getting people to trust you.

    That is not to say that social engineering does not rely on technical skills - indeed many attacks do. But social engineering is certainly a good way to start an attack. I have an affinity for social engineering because it is a bit of a cerebral attack. Any script kiddie can download software and launch an attack. But it takes a refined, sophisticated, clever mind to successfully perpetrate a social engineering attack.

    OSINT

    Typically an attacker will start with OSINT (open source intelligence). OSINT is information that is openly available. For instance, an attacker might electronically “case the joint” as their first step. Let’s say they want to compromise the CEO of a company. Well, a good first step would be to visit the CEO’s LinkedIn profile. Who are some of the employees at the company? Who else outside of the organization does the CEO communicate with? Next the attacker might look for an Instagram feed. Unlike Facebook (where you need to be friends), Instagram allows attackers to get a lot of information on the target. Does the victim go on vacation at the same time every year? Is there information in the photos that indicates where the victim spends time? What hobbies does the victim enjoy (hobbies are an easy way to artificially engage in conversation)? Check out Network Chuck’s quick demo on Osintgram!

    OSINT is not just social media. Most towns have public tax rolls that list home addresses and property tax information. Perhaps the target is on a board of directors or the school board - their name (and ideas) will appear in published minutes from meetings. Maybe the victim has been in the local newspaper. Maybe the victim has a criminal record. Maybe the victim hasn’t changed the default settings on some of the apps they use so things like their Venmo transactions, Strava runs, or Amazon Wish Lists are visible. Heck, there is even a book entitled “You Can Find Anybody!” by Joseph Culligan (licensed PI) that contains hundreds of resources where you can find information on people (an aggregation of thousands of public databases). There are plenty of OSINT tools that social engineers can use (like Maltego, Creepy, theHarvester, SpiderFoot, metagoofil, and TinEye) and we’ll be using Sherlock and Social Engineering Toolkit in this chapter. There are also some really neat OSINT Search Bookmarklets you can put into your browser.

    Techniques

    After gathering information on a target, there are plenty of techniques a social engineer can use to trick the target.

    Authority

    Attackers assume an authoritative position. This could be as simple as wearing an outfit (like when a thief stole an ATM disguised as a repairman) or appearing important, knowledgeable, and trustworthy.

    Baiting

    Luring marks into compromising situations. This can be done with USB drives (that’s how Stuxnet was brought into Iranian centrifuges) or clicking on malicious links.

    Dual reality

    A technique where two (or more) parties are experiencing the same thing but how they internalize the event is different.

    Dumpster diving

    Going through the trash of a person or organization in an effort to gain inside information. A social engineering firm went dumpster diving in the trash of a company they wanted to infiltrate - they were able to find the names of the tech support team for the company and used that to craft a successful infiltration.

    Phishing

    An attempt to lure a victim into a trap via a fraudulent email crafted to look like a legitimate opportunity. In 2016, $78 million was stolen from Crelan Bank in Belgium because of a phishing email.

    Pretexting

    This is a stage of social engineering that takes place before the attack; it lays the foundation by creating a plausible situation where the attacker earns the trust of the mark. For instance, in the iconic movie Home Alone, Harry and Marv convince everyone in the neighborhood that they are police officers and will keep an eye on all the houses as families travel for the holiday season.

    Quid pro quo

    Giving something to someone in return for something else. Brian Brushwood talks about the Coke study, but this technique is used as a vector of attack (for instance, Office Depot offered a PC Health Check, but would inform the customer that their computer was broken and charge them $180).

    Scareware

    “Your computer may be infected!” - you’ve probably seen this before. It’s a scare tactic intended to drive users to pay for software to protect their computer (though there is no actual issue). In 2021 reports of the Cryxos trojan increased; the software scares users with pop-ups declaring that a virus has been found - but you can remove it by calling a number and paying for tech support!

    Shoulder surfing

    Looking over the shoulder of a victim as they enter their keycode into a keypad on a door or their PIN at an ATM.

    Smishing

    Phishing via SMS (texting). Texts that evoke urgency, texts that suggest you’ve won a prize, and texts that suggest unusual account activity that needs corrective action are all suspect. The “Zelle Fraud Scam” is a great example of creating urgency and lending authority - and it tricks the victim into surrendering their six-digit 2FA code!

    Spear phishing

    Pointed phishing that usually requires reconnaissance on the target. One step of the reconnaissance is OSINT (open-source intelligence).

    Tailgating

    Unauthorized access into a facility perpetrated by following authorized people. Wearing a uniform (delivery, for instance) can help sell the tailgating endeavor. Standing outside a building and smoking/vaping where everyone else in the building goes to smoke is a good way to tailgate.

    Urgency

    A method of social engineering where the attacker pressures the victim by time-boxing them (“This offer is only good for 19 more minutes!” or “This is your bank and you need to confirm your personal information immediately!”).

    Vishing

    Phishing via voice. Recently a UK energy company was scammed out of $243,000 because of a vishing scheme (it happened to use a deepfake voice), but urgency was a key ingredient.

    Whaling

    Whaling is spear phishing high-profile or high-ranking personnel (like the CEO of a company).

    New attack methods

    Bad actors are constantly developing new tools to attack our systems. Not surprisingly, social engineering is always at the forefront of innovation because of two things - it’s cheap and it’s effective. Oftentimes emerging social engineering trends are low fidelity and easy to implement.

    Browser in the browser

    One of the more clever forms of social engineering and phishing has just emerged. Known as the browser-in-the-browser (BitB) attack, the website uses JavaScript to craft a Single Sign On (SSO) modal window that looks just like a bona fide SSO window. The catch is that the window that pops up will harvest your credentials if you enter them. This is almost impossible to detect, and most people are used to single sign-on, which makes them more likely to fall for it.

    A screenshot of an SSO modal box. Is it legitimate or fake?

    Consider this image - can you determine if the single sign-on modal is legitimate or an imposter?

    The easiest way to determine the validity of this modal is to test whether it is in fact a standalone browser window (which a genuine SSO prompt is) or a JavaScript-created box drawn inside the page. Try minimizing the browser tab (in this case, Canva). If the SSO box is still visible, then it is a real window and it is not a BitB attack. However, if the SSO box vanishes when you minimize the browser, then it is likely fake and you should be cautious.

    QR Codes

    Some might argue that QR codes are not a social engineering scam, but they do fit squarely into the social engineering space. People trust them (authority), they prey on our need for immediacy (urgency bias and convenience), and they are easy to distribute. However, unlike robbing a cryptovault, carrying out the attack typically requires boots on the ground.

    QR codes were introduced in 1994 but didn’t gain widespread adoption until 2011. During the pandemic, QR codes gained even more momentum as they were used as a mechanism to provide contactless services (such as downloading a menu at a restaurant). Evidence of the popularity of QR codes was given during the Super Bowl in 2022 when cryptocurrency company Coinbase aired a sixty-second ad that was nothing but a QR code. More than 20 million people used their phone to scan the code, breaking the Coinbase app! The scary thing is that 20 million people pointed their phones at a QR code without caring about the risks.

    In January 2022, the FBI warned that QR codes are the “perfect example of people exploiting a daily exercise.” The FBI released a public service announcement the same month:

    Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

    They also suggested a list of tips to protect yourself.

    • Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
    • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
    • If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
    • Do not download an app from a QR code. Use your phone's app store for a safer download.
    • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
    • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
    • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
    • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
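    The first tip above (check that the URL a QR code decodes to really is the intended site, watching for typos or a misplaced letter) can be automated. The following Python is an added example, not part of the chapter or the FBI announcement; it parses the decoded URL, reduces it to its registrable domain, and flags domains that are within a couple of edits of a trusted one. The trusted domain names and the sample URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real deployment would carry the
# organization's own list of login and payment domains.
TRUSTED_DOMAINS = {"cityparking.example", "mybank.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b.
    A transposed pair of letters costs 2, so max_dist=2 below still catches it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels, so 'login.mybank.example'
    and 'mybank.example.evil.test' are judged by what they actually resolve to."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_qr_url(url: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'insecure', 'lookalike', 'untrusted' or 'invalid'
    for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    # Anything that is not a web URL (tel:, javascript:, bare text) gets no benefit of the doubt.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    # urlsplit's hostname strips userinfo tricks such as 'mybank.example@evil.test'.
    domain = registrable_domain(parts.hostname)
    if domain in trusted:
        return "trusted" if parts.scheme == "https" else "insecure"
    # A domain a letter or two away from a trusted one is the classic typo-squat.
    if any(edit_distance(domain, t) <= max_dist for t in trusted):
        return "lookalike"
    return "untrusted"
```

Homoglyph and internationalized (punycode) hostnames are outside what this check covers; it handles the typo and misplaced-letter case the tip describes.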

    Even without malware, failing to be vigilant with QR codes can be disastrous. In some cities in Texas, parking meters have a QR code and instructions to pay with your phone. In February 2022, someone printed their own QR code stickers and slapped them over the existing one. When patrons scanned it with their phone, they were directed to a fake website that looked just like the real parking website. Patrons were instructed to enter their credit card information and then assured that the meter fare was paid.

    Not surprisingly, the credit card information was abused and many people probably wound up with parking tickets!

    In an even more flummoxing case, QR codes have started showing up in phishing emails and online ads. One rationale might be that QR codes can probably sneak through spam filters easily. But the reality that people who are in front of a computer will take out their phone and snap a QR code is troubling - that’s one critical reason why it’s important to train people about the hazards.

    Old and New Social Engineering

    CSO Online published an article laying out five old social engineering attacks that are still popular today - as well as four emerging trends.

    Five popular social engineering attacks

    Four new social engineering attacks

    • “Here are your legal documents from DocuSign”
    • The “aging accounts report” scam
      • Someone from accounting gets an email from (allegedly) a company executive curious about outstanding balances from customers. Once the attacker has this information, they craft emails to their targets with specific information on how much is owed and where to send it. Spoiler alert - they are not sending the money they owe to the company they owe it to.
    • “There’s a problem with your bank account. Click here to resolve the issue”
    • Phishing by phone

    10.2: Techniques of Social Engineering is shared under a CC BY-NC-SA license and was authored, remixed, and/or curated by LibreTexts.
