Social engineering: A hacking story
In this article I am going to discuss social engineering attacks, starting with the questions: “What is social engineering?” and “What are the types of these attacks?” Apart from this, the interesting thing I will describe is the techniques of social engineering attacks used by real-time hackers, a very different approach that does not use tools like the Social Engineering Toolkit. My goal is to show the skills of a potential hacker against his target and in how many different ways an attacker can compromise his target.
Social engineering, in the context of information security, is the art of manipulating people so they give up confidential information. This is a type of confidence trick for the purpose of vital information gathering. It is a term that describes a non-technical attack that relies on human interaction and tricking people to break normal security procedures. Criminals use social engineering tactics because it is comparatively easier that other attacks. It is one of the most successful attacks, because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.
Security is all about knowing who and what to trust: Knowing when, and when not, to take a person at their word; when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is or isn’t legitimate; when to trust that the person on the phone is or isn’t legitimate; when providing your information is or isn’t a good idea.
Types of social engineering attacks:
Social engineering can be broken into two common types:
1. Human based—Human based social engineering needs interaction with humans; it means person-to-person contact and then retrieving the desired information. People use human based social engineering techniques in different ways; here I am sharing the top popular methods.
a) Impersonation—In this type of social-engineering attack, the hacker pretends to be an employee or valid user on the system. A hacker can gain physical access by pretending to be a janitor, employee, or contractor.
b) Posing as an important user—In this type of attack, the hacker pretends to be a VIP or high-level manager who has the authority to use computer systems or files. Most of the time, low-level employees don’t ask any questions of someone who appears in this position.
c) Being a third party—In this attack, the hacker pretends to have permission from an authorized person to use the computer system. It works when the authorized person is unavailable for some time.
d) Desktop support—Calling tech support for assistance is a classic social-engineering technique. Help desk and technical support personnel are trained to help users, which makes them good prey for social engineering attacks.
e) Shoulder surfing—Shoulder surfing is the technique of gathering passwords by watching over a person’s shoulder while they log in to the system. A hacker can watch a valid user log in and then use that password to gain access to the system.
f) Dumpster diving—Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information.
2. Computer based—Computer-based social engineering uses computer software that attempts to retrieve the desired information.
a) Phishing—Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might come from a bank or other well-known institution with the need to “verify” your login information. It will usually be a mocked-up login page with all the right logos to look legitimate.
b) Baiting—Baiting involves dangling something you want to entice you to take an action the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site or it can be a USB flash drive with a company logo labeled “Executive Salary Summary Q1 2013” left out in the open for you to find. Then, once the device is used or downloaded, the person or company’s computer is infected with malicious software allowing the criminal to advance into your system.
c) On-line scams—Emails sent by scammers may have attachments that include malicious code inside the attachment. Those attachments can include keyloggers to capture users’ passwords, viruses, Trojans, or worms. Sometimes pop-up windows can also be used in social engineering attacks. Pop-up windows that advertise special offers may tempt users to unintentionally install malicious software.
Now we will move on to the real stuff. So now assume that my target’s name is a Mr. Victim (not actual name) and we will start by searching for this person using a very simple method: Just type the name of your target in Google search and look at the results.
From the above result we can see that a lot of information can be collected from a simple Google search. You can find a target’s Facebook profile link, LinkedIn profile, Twitter handle, websites related to that name, and images also.
Another way we can use social networks is to gather as much information as we need. We know that nowadays people are using social networking sites such as Facebook, Twitter, Orkut, LinkedIn, etc. Every person is using social networking , making online friends of strangers, chatting with them, and other things. People think that these social networks are helping them to make a network among them. But my point of view is different: I realized that these social networks are the world’s largest human identification database. Suppose you want to gather information about a particular person. Now you can find that person on Facebook with his photo, and personal information such as his address, educational background, family members, etc. Not only that, but you can also guess at the character of that person and learn more about the potential victim’s personal life from his/her Facebook profile, such as what type of status is used to update.
After finding the accurate profile of a target, we will look for his friend list and make a list of his all friends; this will help in your social engineering attack. You can also clone his whole profile by downloading all of the pictures and the information that he has shown in his profile. After creating a fake profile, you can send friend requests to all from the people on his friend list and start to communicate with them. In that way, you can get some juicy information about the target and maybe about his girl friend. There are lots of fake profiles in Facebook and sometimes it is difficult to find which one is the genuine profile of the target. I use my own technique; I realized that if we search a person by giving the target’s name in the Facebook search bar, Facebook doesn’t crawl its own database for the user’s profile name. It works with a username that is in your Facebook profile’s URL, like this: http://www.facebook.com/victim; here “victim” is the username of the target.
This username also helps the attacker to predict the target’s email id. How? Let us see. For example, I have a username puja.kothari.796. Now I open the Facebook login page, click on “Forgot password” and get this kind of option:
After giving username in search option click on “Search.”
Now we have the name of our victim and also what email service he is using. The email looks like this: “firstname.lastname@example.org.”,We can see that there are six stars between “p” and “h” so the attacker can guess his name which is Puja Kothari and the attacker will verify whether the email exists or not. There are some online services for email id verification, such as http://verify-email.org/
LinkedIN is a different kind of service. We can’t consider it as a social network; it is a professional network. Here we can find about the target’s working background and qualifications also. You can identify which company your target is working with now and his past employment.
We see how this service is used for gaining personal information about the target.
There are also some tools available like Maltego, Harvester, Creepy, etc., that are used for information gathering.
After doing all this stuff, we have some information about our target. Suppose we have this following information:
Name: Mr. Victim (Not Actual)
City: New York (Not Actual)
Profession: Web Developer
Email id: email@example.com (Not Actual)
Now we know what kind of work he does and in which city, so if we will offer him a job from a big company, I think that he will not refuse this opportunity. First we will search for a company related to web designing in New York City and send him an email offering a position as a web developer with a good salary.
In the above figure we can see that I searched for a web development company in a particular city and I got many companies in that location. Now I select any company and I go to the website to look for the human resources email id or other email id where the applicant can apply for any position. There are many fake mailing services are available that we can use for sending a fake email in the name of a company’s HR. Let’s see an example: Suppose my selected company name is XYZ Private Ltd., so the HR email id will look like this firstname.lastname@example.org
Now send this email to the victim and let us see how it looks in the victim’s email:
After getting this kind of mail, many people will forward a resume to the address and we know that from any person’s resume we can get all kinds of sensitive information.
Another method of getting a resume if the target does not send his resume via mail is to send him an online job application form via a link from the email so, when he fills out that form and submits it, all the information will stored in your email id. This technique is very interesting and you might be curious about that online form that sends your form data to the attacker’s email address, so let us see how it works. Here I am using an online form builder service that creates an online html form. But I am not disclosing the name of that service.
In the above figure we can see that I created here a very simple form asking for Name, Address, Work Experience, and Contact Information. You can add a lot more things: on the left-hand side of the figure we can see all the tools available there. With payment tools you can also add the Paypal payment mode. After creating the form, the attacker will integrate it with the attacker’s email id. Just click on the “Integration” option and it will show some options for integrating this form with the attacker’s email id.
Here I integrate this form with my Google drive. Now if someone fills out that form, all the information will be stored in my Google drive. After integrating with an account, click on “Embed Form” and it will give you a link to the form like the one shown in the figure below:
We now have our form link. All we have to do is just send a fake mail with the HR name and this link. When the victim opens this link, he will get this form.
After filling out the form, click on the “Submit” button and it will redirect the victim to a “Thank You” page.
Now let us check the attacker’s Google drive to see whether the information is stored or not.
We can see here that a spreadsheet has been created; now open the sheet.
Voila! All information is in the sheet with the victim’s IP address.
We have now learned the various methods for information gathering. Now we will see a malicious method of social engineering. Suppose we have a target email id and our intention is to hack the user’s email id and vital information from the target system. Malicious hackers used to send malicious programs like keylogger, RAT (remote administration tool), etc., via email. We will now see how they send these malicious programs. For example, we can see in the figure below that there is a malicious exe file named conhosts.exe and a Microsoft word file.
We will make a self-extracting archive with these two files by using Winrar. Select both files and right click “Add to archive”; after that, we will get a window that looks like this:
In the figure above, we can see the name of the archive keylogger.exe. We can change it; then select “Create SFX” archive and click on OK.
Now go to the Advanced tab and click on “SFX options.”
A new window will prompt with advanced SFX options. On the General tab we can see the path to extract option is given as C:ProgramDataMicrosoft. Our malicious file will be stored in this folder.
Now go to the Setup tab and give those two file names under “Run after extraction.”
Next, select the “Hide all” option on the Modes tab.
Now select the Text and Icon tab and choose “Browse” from the Load SFX icon for the file. I have a collection of some icons for pdf, ppt, Word, etc., documents, so I selected a Word icon here from my hard drive.
Next, move on to the Update tab and select “Extract and update” files under Update mode. Then select “Overwrite all files” under Overwrite mode and click on “OK.”
All SFX settings are done now, so we can check our all settings from the Comment tab.
Everything is fine here and we are ready to create our SFX with the icon of a Microsoft Word file, click on OK. Now we can see that our malicious Word file is ready.
Now the attacker can send this malicious Word file in various ways by using email or any chatting application.
Prevention of social engineering attacks
The most important thing that you can do to prevent being a victim of an attacker is to be aware of common tricks like those I have shown in this article.
Never give out any confidential information or even seemingly non-confidential information about you or your company—whether it’s over the phone, online, or in person, unless you can first verify the identity of the person asking and the need for that person to have that information. You get a call from your credit card company saying your card has been compromised? Say okay, you’ll call them back, and call the number on your credit card rather than speaking to whoever called you.
Always remember that real IT departments and your financial services will never ask for your password or other confidential information over the phone. Also, make good use of your shredder and dispose of your digital data properly. As we saw recently, some (poor) security systems can be bypassed with just the info found on a pizza delivery receipt.
You can protect yourself from phishers, scammers, and identity thieves, but there’s only so much you can do if a service you use is compromised or someone manages to convince a company they’re you. You can, however, take a couple of preventive measures yourself.
- Use different logins for each service and secure your passwords: Never use the same password for all services. And make sure your passwords are strong and complex so they’re difficult to guess.
- Use two-factor authentication: This makes it harder for thieves to get into your account, even if your username and password are compromised.
- Get creative with security questions: The additional security questions websites ask you to fill in are supposed to be another line of defense, but often these questions are easily guessed or discoverable (e.g., where you were born). You can shift the letters into uppercase and lowercase and use numbers also to create a leet word to make sure only you know those security answers.
- Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal), because of their strong protections. If you use a debit card and a hacker gets access to the number, your entire bank account could be drained. You can further secure your credit card by not storing card numbers on websites or using disposable or virtual card numbers.
- Frequently monitor your accounts and personal data: To be on the lookout for both identity theft and credit card fraud, check in with your account balances and credit score regularly. Several services offer free ID theft monitoring, credit monitoring, and questionable credit charges. You can even use Google Alerts as an identity theft watchdog.
- Remove your info from public information databases: Sites like Zabasearch and People Finders publish our private information (like address and date of birth) online for all to see. Remove yourself from these lists with this resource.
These steps won’t prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they may at least minimize the damage possible and also give you more peace of mind that you’re doing as much as you can to protect yourself.