Social Engineering
Social engineering is the art of human exploitation: instead of attacking a system, the attacker exploits the human in order to get sensitive information. Social engineering plays a very big role in hacking and penetration testing, and a good hacker needs to be a good social engineer. Social engineering is a vast topic in itself. If a hacker is good at social engineering, hacking a thing is not a big deal for him.
An attacker manipulates the user in order to get sensitive information. Social engineering may be human based or tool based, and both kinds can play an important role. If an attacker is able to manipulate the customer service staff or the receptionist of a company, he can get some sort of sensitive information from there. Hence social engineering is a vast field: simply by manipulating a target, an attacker can compromise it and gain much sensitive information to perform further attacks. There are a variety of books available on social engineering itself.
Social engineering can be performed online or live in person. Nowadays fake emails, fake mobile calls and messages, etc. are used to get information from the target. For example, an attacker calls the target and says, "Hello, I am from XYZ Company, you have won a lottery." They ask for your personal information in order to release this money, and at the end they sometimes give you a number to call to claim the lottery amount. By then they have already performed a social engineering attack and gained your personal information. Many scammers try to cheat people in this way for their own benefit. Hence it is advised to be aware before acting on any such request.
A human is the weakest part of any company. Exploiting a human by manipulation can give tons of sensitive information and sometimes even access to the company network. There is no patch that fixes how easily humans can be manipulated, so the whole corporate network remains vulnerable. Simply manipulating a person can result in huge information disclosure; the person may be directly or indirectly related to the company, and may be a peon, a clerk, or an officer at a higher post.
Position or rank plays no particular role in social engineering. Social engineering depends totally on the manipulation skills of the attacker: if he is good at manipulating or convincing a person, he can compromise the whole network without actually performing any technical hack.
[Figure: hacker -> Social Engineering]
Process of Social Engineering:
1. Analysis:
Analysis is one of the most important factors at any stage of life, as well as in penetration testing. If an attacker wants to perform a social engineering attack on a corporate structure, the first requirement is to analyse the human behaviour of its employees and officers. Only after this analysis can the attacker perform the attack successfully. Hence, before targeting any random person, an attacker needs to analyse the whole target structure.
2. Selection:
After careful assessment, the attacker now selects the most vulnerable person, with whom he can perform social engineering and get some sensitive information. While selecting, the attacker sometimes chooses a medium or least vulnerable person if that person holds a higher position. Hence, for a successful attack, an attacker needs to choose the target person very carefully.
3. Maintain relationship:
Once the attacker knows his target, he tries to make a good relationship with the target. Directly or indirectly, the attacker comes into contact with the target and tries to gain his faith and trust. In this phase the motive of the attacker is to gain the trust of the target. Once someone starts believing in an attacker, it becomes quite easy to perform social engineering attacks.
4. Attack:
This is the ultimate phase. In this phase the attacker performs the attack, which may be an in-person or live attack. The attacker tries to gain sensitive information from the target on the strength of the faith and trust he has built. If the attacker has been able to maintain a good relationship, he can easily exploit it and gain access to sensitive information.
This is the simple process an attacker follows. A hacker never goes off track; he follows the process because if something gets missed, there are chances of being caught.
Computer-Based Social Engineering
1. E-Mail:
E-mails are widely used for information exchange, and hence are a major way in which social engineering is done. An attacker can send malicious files like Trojans or viruses and thereby exploit the target. Generally, spammers send infected emails, or emails containing infected files, to the target. Once the target opens the mail or the attachment, the virus or Trojan associated with it gets executed on the target's system and spies on that system remotely. Hence the attacker can gain information from the target's system.
Suppose A receives an email with an attachment. The email seems to be from a reputed company, and hence A opens the mail. There is an attachment named x.docs, or of any other type. A downloads and opens the attachment to view it. In the background a malicious application gets executed and now tracks every activity on A's system. Sometimes product-sale emails are also sent to users, stating that they can get a particular product at 80% off or some similar offer, and asking for their details. They never get any product, but their information has been disclosed and there are chances of identity theft.
2. Ads and Pop-up screen:
While surfing the internet, a user generally sees some sort of ads, such as a discount on clothes or mobiles. These are some of the strategies used to fool the user and gain their personal information. Usually the ads are related to the user's recent search history, because of tracking by search engines, websites, and internet service providers.
While downloading or visiting a website, sometimes a pop-up window appears showing something interesting that attracts the user to follow the pop-up, and ultimately they end up giving their information to the attacker. Again there is a huge chance of identity theft. The data collected is generally sold at high prices and then misused.
3. Phishing:
Phishing is one of the oldest but still working techniques of social engineering. In phishing, an attacker generally creates a fake webpage or fake login page that looks exactly the same as the original page. Once the page is made, the attacker targets a user and manipulates him into logging in on that page. Once the user logs in, his credentials are recorded in the attacker's database.
Nowadays phishing has been extended: it can be done with a fake page, a fake e-mail, or a fake application that resembles the original one.
Phishing can be easily identified by checking the URL. The phishing link will contain a URL that does not match the original URL. Users generally don't pay much attention to this, though, and easily fall victim to it.
For example:
A person receives an email saying that XYZ Company is launching an application: apply to be a beta-tester of the application, and there is a link to log in and download it. The user is generally happy to see that he has got a chance to test the application before everyone else. Once he opens the link and registers successfully, the page shows a message like "Oops! You missed the chance, we have already closed the beta-tester application." Generally the user ignores this and accepts the outcome, but actually he has been victimised by phishing and social engineering.
Phishing Process:
1. First the attacker creates a replica of the original website and checks whether there is anything that could be easily detected. After successful creation, for surety the attacker sometimes runs the phishing site on localhost using software like "camp".
2. Once the phishing site runs with zero errors on localhost, the attacker registers a domain and hosting, providing fake information. The attacker tries to keep the domain looking similar to the original one.
For example: if the original domain is xoxoxo.xxv, the attacker tries to register a fake domain like x0x0x.xv, which is not easily noticed by the user.
3. Once the phishing site is live, the attacker targets users and sends phishing links via mail or over chats, in such a way that the user is manipulated into opening the link. Once the user logs in through the link, his credentials are recorded.
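Both the e-mail section above and the phishing process just described come down to the same defensive checks: look at who the message really comes from, what it attaches, what it promises, and whether each link's domain is the real one or a look-alike such as x0x0x.xv for xoxoxo.xxv. The following Python code is an added example and not code from the original page. The message it parses, the trusted-domain list, the lure phrases and the confusable-character table are all constructed, and it assumes that the registrable part of a hostname is its last two labels (no public-suffix list).

```python
"""Triage an inbound e-mail for the signals described above: a risky
attachment, mismatched sender headers, lure phrases in the subject, and links
whose domain only looks like a trusted one.

Added example; not code from the original page. The message, the trusted
domain list and the confusable table are constructed here.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Illustrative lists, not exhaustive.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "docm", "xlsm", "jar"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "docs", "pdf", "xls", "xlsx", "jpg", "txt"}
LURE_PHRASES = ("you have won", "lottery", "% off", "verify your account", "within 24 hours")
# Visual substitutions used in look-alike domains, such as x0x0x for xoxox.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label):
    """Fold confusable characters so a look-alike compares equal to the real name."""
    s = label.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance; domain names are short, so the simple O(n*m) form is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unknown' for the host in url.
    Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    registrable = ".".join(host.split(".")[-2:])
    trusted = [t.lower() for t in trusted]
    if registrable in trusted:  # the real domain or one of its own subdomains
        return "legitimate"
    for good in trusted:
        # Real name placed before an @ (userinfo) or as a subdomain of another domain.
        if good in (parts.username or "").lower() or f".{good}." in f".{host}":
            return "lookalike"
        if edit_distance(normalize(registrable), normalize(good)) <= max_distance:
            return "lookalike"
    return "unknown"


def _domain(header_value):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def triage(raw_bytes, trusted):
    """Parse a raw RFC 5322 message and return a list of suspicious signals."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    subject = str(msg.get("Subject", "")).lower()
    findings += [f"subject contains lure phrase '{p}'" for p in LURE_PHRASES if p in subject]
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        verdict = classify_url(url, trusted)
        if verdict != "legitimate":
            findings.append(f"link {url} is {verdict}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        labels = name.lower().split(".")
        if len(labels) > 1 and labels[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has executable/macro extension .{labels[-1]}")
        if len(labels) > 2 and labels[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment '{name}' hides an executable behind a document extension")
    return findings


def build_sample_message():
    """Constructed lure in the style the text describes; not a real message."""
    m = EmailMessage()
    m["From"] = "XYZ Company Rewards <rewards@xoxoxo.xxv>"
    m["Reply-To"] = "claims@free-mail.example"
    m["To"] = "a@victim.example"
    m["Subject"] = "You have won! Claim within 24 hours"
    m.set_content("Confirm your details at http://x0x0x.xv/login or use the attached form.\n"
                  "Our real site is https://xoxoxo.xxv/\n")
    m.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                     subtype="octet-stream", filename="claim-form.docx.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_message(), ["xoxoxo.xxv"]):
        print("-", finding)
```

Run as a script it lists six findings for the constructed message: the Reply-To mismatch, two lure phrases, the look-alike link, and two attachment warnings, while the genuine https://xoxoxo.xxv/ link is left alone. The domain check deliberately normalises both sides before measuring edit distance, so a single digit-for-letter swap and a dropped label, the two tricks the x0x0x.xv example relies on, are caught together; a real deployment would replace the two-label registrable-domain assumption with a public-suffix list.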
Types of phishing Attacks:
1. Man in the middle attack (MITM):
In MITM the attacker sits between the source and the destination, monitoring and sniffing the target's activity to obtain credentials. MITM can be performed over HTTP as well as HTTPS. Generally the user is redirected through a proxy server under the attacker's control, and a real proxy is not used, which makes this attack more successful. The proxy may be of any type, but the attacker makes sure the user is not going through a real proxy.
2. Cross-site scripting(XSS):
An XSS attack is generally performed by injecting code into URL parameters or input data fields; most commonly the injection is carried in the URL. XSS may be persistent or DOM-based. XSS is counted in the OWASP Top 10 (2013) vulnerability list.
3. URL Redirection:
The attacker shares a link with the target user which, on opening, redirects to the phishing page. The attacker tries to keep the link as similar as possible to the original so that there are fewer chances of being caught. This is one of the traditional methods of performing phishing attacks. Generally such links are shared over personal chats or emails.
4. Site Cloning:
Site cloning is generally performed directly with the Social Engineering Toolkit (SET), which comes pre-installed in Kali Linux. It creates a clone of the site on the attacker's local IP. Site cloning is useful when the target and the attacker share the same network.
5. Keylogger or malware Based:
An attacker can inject malware into the target system by means of e-mail or any other method, or install a keylogger which tracks every activity of the target and anonymously sends the recorded data to the attacker whenever the target system goes online.
Besides these, there are some other types of phishing attacks that also play an important role. Some are:
- Fake Search Engine
- Client-Side Attack
- DNS Redirection Attack
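The cross-site scripting item above (type 2) says the injection usually arrives through a URL parameter. The following Python code is an added example and not code from the original page: a hypothetical search page that reflects the q parameter into its HTML, shown first in its vulnerable form and then with output encoding applied, which is what stops the text carried in the link from being treated as markup. The page template and the sample URL are constructed.

```python
"""Reflected XSS through a URL parameter, vulnerable and hardened side by side.

Added example; not code from the original page. The search page and the URL
are constructed and hypothetical.
"""
import html
from urllib.parse import parse_qs, urlsplit


def query_param(url, name):
    """Pull one query-string parameter out of a URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_page_vulnerable(url):
    """Reflects q straight into the markup: whatever the link carried becomes HTML."""
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def search_page_hardened(url):
    """Same page with output encoding: q is rendered as text, never as markup."""
    q = query_param(url, "q")
    # html.escape turns < > & " ' into entities, so the browser displays the
    # characters instead of interpreting them as tags or attribute delimiters.
    return f"<h1>Results for {html.escape(q)}</h1>"


def contains_script_tag(rendered):
    """Demo check: did a raw <script> tag survive into the rendered page?"""
    return "<script" in rendered.lower()


# Constructed link of the kind a phishing message might carry.
SAMPLE_URL = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(search_page_vulnerable(SAMPLE_URL))
    print(search_page_hardened(SAMPLE_URL))
```

The vulnerable version prints a page containing a live script element; the hardened one prints the same text with the angle brackets encoded as entities. Note that html.escape is the right encoder only for HTML body text and quoted attribute values; a value placed inside a script block, a URL, or a style rule needs the encoder for that context, and a Content-Security-Policy header limits the damage when an encoder is missed.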
Social Engineering Toolkit(SET)
The Social Engineering Toolkit is one of the most powerful packages and contains tons of social engineering tools. SET comes pre-installed in Kali Linux and can be downloaded for other operating systems too. SET is an open-source framework that is freely available.
The Social Engineering Toolkit has the ability to perform various attacks like tab nabbing, site cloning, mass mailing, Arduino-based attacks, and much more. Website attack vectors are generally used to perform phishing-type attacks. Here is a screenshot that shows the attack vectors present in the Social Engineering Toolkit: