Even as organizations harden their network security, hackers are using social engineering to exploit softer targets, such as employees and management, to gain access via insider threats. With insider threat incidents on the rise, and with an uptick in remote working due to the COVID-19 pandemic, social engineering attacks could become even more prevalent.
Ben Goodman, Offensive Security Certified Professional at Avertium, helps assess the vulnerability of customers through social engineering services. We sat down with Ben to talk about the most important lessons he has learned during these assessments.
Ben Goodman: I’ve been most successful with email phishing and telephone pretexting. I’ve also had success with USB drops, although not as often.
The type of phishing we use most frequently would technically be identified as spear phishing, as we target the specific organization in our engagements. I like to do a lot of research on the target organization and get as much information as I can on the most trusted individuals such as human resources, procurement, or IT personnel. A lot of this information is readily available on social media sites, such as LinkedIn or Facebook.
I also try to get as much information as I can on any third-party vendors that an organization uses such as benefit providers or office supply companies. From there I will craft a message, posing as one of the trusted individuals, to specific employees with the organization. The message will state that unless action is taken, such as clicking a link or filling out a form online, the recipient will lose out on payroll, benefits, or recently ordered supplies. The sense of urgency coupled with the spoofed identity of the trusted individual usually leads to clicked links.
This is a valuable exercise since this type of phishing is how most ransomware is spread.
Telephone pretexting engagements typically start out the same way. I try to get as much information as I can on the target organization, but this time I also need to do more intensive research on the target individuals and departments. Social media is also a big help here because I can get an idea of a target’s hobbies and interests to drum up small talk and build trust. I used to work in helpdesk/IT support so it’s easy for me to pose as a member of an IT team and get that person to visit a fake web page and enter login information.
One engagement comes to mind when I posed as an outsourced web developer testing a new webmail portal. I informed the IT employee that the IT director wanted me to call and have the login form tested. The login form was a website I created that captured the person’s username and password. When questioned, I pressured the employee by saying I would report directly to the director (I had the director’s name from LinkedIn). The employee quickly asked for the URL of the website and provided network credentials.
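The phishing pattern described above (a trusted internal role impersonated from an outside domain, a mismatched Reply-To, urgency language, and a link whose visible text does not match its real destination) can be screened for mechanically before a message reaches the inbox. The following is an added example, not code from Avertium or the interviewee; the internal domain, role keywords, urgency terms and the two sample messages are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for this example: the domain the organization legitimately sends from.
INTERNAL_DOMAINS = {"example-corp.com"}
# Role names employees are conditioned to trust (HR, payroll, IT, procurement).
TRUSTED_ROLE_RE = re.compile(
    r"\b(hr|human resources|payroll|benefits|it support|helpdesk|procurement)\b", re.I
)
URGENCY_TERMS = ("unless action", "immediately", "within 24 hours", "will lose", "suspended", "urgent")


def _host(url: str) -> str:
    """Hostname of a URL; bare domains in link text are given a scheme so urlparse works."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def link_mismatches(html_body: str) -> list:
    """Return (shown_text, real_href) pairs where the visible URL points somewhere else."""
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.I | re.S):
        shown = re.search(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I)
        if shown and _host(shown.group(0)) != _host(href):
            found.append((shown.group(0), href))
    return found


def score_message(raw: str) -> dict:
    """Collect spear-phishing indicators from a raw RFC 5322 message (non-multipart for brevity)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = []

    # 1. A trusted role name in the display name, but the address is not ours.
    if TRUSTED_ROLE_RE.search(display) and from_domain not in INTERNAL_DOMAINS:
        indicators.append("trusted_role_from_external_domain")
    # 2. Replies silently routed to a different domain than the visible sender.
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("reply_to_domain_mismatch")
    # 3. Pressure language of the "act now or lose payroll/benefits" kind.
    if any(term in body.lower() for term in URGENCY_TERMS):
        indicators.append("urgency_language")
    # 4. Link text shows one host, the href goes to another.
    if link_mismatches(body):
        indicators.append("link_text_host_mismatch")

    return {"indicators": indicators, "verdict": "suspicious" if len(indicators) >= 2 else "ok"}


# Constructed sample: impersonates HR from a look-alike domain with a pressured deadline.
PHISHING_SAMPLE = (
    "From: HR Benefits Team <hr-benefits@example-corp-payroll.net>\n"
    "Reply-To: enrollment@mail-relay.example\n"
    "To: employee@example-corp.com\n"
    "Subject: Action required: benefits enrollment\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Unless action is taken by Friday you will lose your benefits enrollment.</p>\n"
    '<p>Confirm here: <a href="http://enroll.example-corp-payroll.net/login">'
    "https://hr.example-corp.com/benefits</a></p>\n"
)

# Constructed sample: ordinary internal mail with none of the indicators.
BENIGN_SAMPLE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: employee@example-corp.com\n"
    "Subject: Lunch menu\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Attached is next week's lunch menu. Let me know about any allergies.</p>\n"
)

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample))
```

The thresholds and keyword lists are deliberately small; in practice they would be fed from the organization's own sending domains and vendor list, and a hit would route the message to the verification step Ben describes (contact the supposed sender out of band) rather than block it outright.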
BG: Developing a better security culture through user awareness and training is the most critical factor in defending against social engineering. If you receive a suspicious email from a trusted individual, contact this person to verify. The same verification is needed with pretexting: Caller ID is often spoofed, so one thing you can do to verify is informing the caller you will call the displayed number back before giving any information or following any instructions.
Another thing to consider is being mindful of your organization’s presence on the Internet and how much information is out there for public view. In one previous engagement, I was tasked with calling directly to a call center attempting to elicit customer data. This organization had enabled public reviews on its Facebook page. This allowed me to grab a handful of customer names and, after a little research, gather additional public information on these customers such as mailing addresses and phone numbers. With this information, I was able to bypass the call center’s customer verification process and get more sensitive information such as social security numbers and dates of birth.
BG: One technical defense I would note is following the principle of least privilege. Ensuring users only have access to information required to do their job will limit the impact of a successful social engineering attack. This should also include high privilege users such as IT administrators and HR personnel.
The technology can always improve as time goes on, but in my opinion, social engineering will always work because you’re hacking the weakest link — the human — not the technology.
To learn how to harden your organization’s defenses against social engineering, reach out for a conversation. #ShowNoWeakness