We regularly conduct social engineering penetration tests for our clients.
Our pentesters (security experts) have tried various techniques, scenarios and pretexts.
We have learned lessons from our experience, and our clients have shared with us what they learned too. We are now sharing those lessons with you.
Social engineering in a nutshell
Before starting, let’s remember what social engineering is:
Social engineering consists of manipulating people to obtain sensitive information or to make them perform actions that could lead to a security incident.
Most of the time, people don’t notice they have been manipulated, or when they do, it is too late: the information has been given, the access has been obtained, etc.
Social engineering attacks exploit human behaviour to reach the attackers’ goals, which can vary:
- steal confidential information,
- gain access to the IT system,
- take control over servers,
- trigger payments to their own benefit,
- etc.
Attacks conducted during social engineering security audits
To be effective, scenarios are tailored to each specific context. Social engineering attacks challenge teams’ awareness of security risks through realistic scenarios, using various techniques and tricks.
a/ Phishing – spear phishing
Harder to spot than a pretended inheritance or a lottery win, today’s phishing appears to come from a colleague within the company, from a trusted supplier, etc.
One current trend is to fabricate an e-mail exchange history between members of the company and then send it to a third employee. This email can either directly ask for an action (e.g. “Please pay this invoice asap”) or arouse curiosity with a document (“Information about annual bonus”) which contains malware.
➔ From our clients’ perspective: Phishing can take multiple forms and is now harder to spot than before. Teams have to remain suspicious of anything that deviates from the procedures.
The danger of phishing attacks is often underestimated: they can be very effective at gaining further access to the IT system or at collecting confidential information.
➔ From our ethical hackers’ perspective: Most employees don’t fall for phishing emails, but one person is enough to make the attack succeed. This article gives you the keys to detect suspicious emails.
b/ Vishing – voice phishing
As with phishing, the scenarios of phone attacks are adapted to each situation. The creativity of the attackers is the only limit.
A classic attack is calling employees impersonating someone from the IT team. The attacker explains that due to the implementation of a more secure connection service in the company, they need to know their current password to create the new account, otherwise they won’t be able to access the service anymore [an important service for the target].
➔ From our clients’ perspective: In order to prevent vishing, people must remember to never give sensitive information by phone. In case of a suspicious phone call, it is recommended to offer to call the person back in 2 minutes, or to ask for details that confirm who is on the line.
➔ From our ethical hackers’ perspective: Vishing makes it possible to collect sensitive information, as most people don’t dare to say “No” to assertive questions. Vishing also prepares targets to receive a suspicious email that they would not have opened otherwise, because a call builds trust.
c/ Combining vishing, phishing, impersonation & email spoofing
Social engineering techniques are more effective when combined. To raise staff awareness, it is worthwhile to conduct training with realistic scenarios that combine different social engineering techniques, which makes the attack stronger and harder to detect.
After having collected information about a company, a relevant scenario could be:
- Attacker calls the reception, pretending to be a potential customer.
- Reception transfers the call to a Sales Manager. Attacker asks the Sales Manager for their email address in order to send a fake mission statement about the needs.
- Attacker sends an email with a fake mission statement containing malware, which infects the Sales Manager’s computer when the document is downloaded. Attacker gains access to the company network. The Sales Manager realises they have been hacked but prefers not to report the incident to avoid public shame.
- Attacker also spoofs the Sales Manager’s email address to send an email to the finance department, asking them to quickly pay an invoice for entry tickets and flights for a trade fair.
- The invoice attachment contains malware which infects the Finance Manager’s computer. The attacker gains access to highly confidential information.
- Eventually, the invoice is also paid to the attacker.
➔ From our clients’ perspective: Preventing elaborate social engineering attacks requires strong collaboration between everyone in a company (management, team leaders and all staff). It is also important to create a no-fear culture so that people dare to say when they have been tricked. This is the number 1 condition for allowing the company to respond quickly to a security incident.
➔ From our ethical hackers’ perspective: As company information systems become more secure, social engineering becomes more relevant to attackers. Some attacks are almost impossible to detect unless staff receive regular awareness campaigns to keep their reflexes sharp and to know the latest threat trends.
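The two email-based steps above (the invoice request under time pressure, and the spoofed Sales Manager address sent to finance) leave traces in message headers that a mail gateway or a security team can check automatically. The following script is an added example, not code from the original article or from the authors’ company: it parses a raw message and flags the indicators a defender would look at, namely a Reply-To domain that differs from the From domain, an apparently internal sender whose Authentication-Results header carries no DMARC pass, and urgency wording combined with a payment request. The internal domain `example.com`, the two sample messages, the term lists and the finding names are all constructed assumptions for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed internal mail domain of the organisation (an assumption for this example).
INTERNAL_DOMAIN = "example.com"

# Pressure words typical of "please pay this invoice asap" style requests.
URGENCY_TERMS = ("asap", "urgent", "immediately", "quickly", "today")
PAYMENT_TERMS = ("invoice", "pay", "transfer", "wire")

# Constructed sample: a message spoofing the Sales Manager's address and sent to finance,
# mirroring the combined scenario in the article. Not a real capture.
SPOOFED_RAW = (
    'From: "Sales Manager" <sales.manager@example.com>\n'
    "Reply-To: sales.manager@examp1e-mail.net\n"
    "To: finance@example.com\n"
    "Subject: Please pay this invoice asap\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.net;"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi, please pay the attached invoice quickly for the fair tickets and flights.\n"
)

# Constructed sample: a legitimate internal message, for contrast.
LEGIT_RAW = (
    'From: "Colleague" <colleague@example.com>\n'
    "To: finance@example.com\n"
    "Subject: Minutes of the Tuesday meeting\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Attached are the minutes from Tuesday. No action needed.\n"
)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of finding names for one raw RFC 5322 message (empty if nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr)

    # Replies silently redirected to another domain: classic for fake invoice threads.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # A sender claiming to be internal must have been authenticated by our own gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal-sender-without-dmarc-pass")

    subject = str(msg.get("Subject", "")).lower()
    if any(term in subject for term in URGENCY_TERMS):
        findings.append("urgency-in-subject")

    # Payment wording plus time pressure in the body is the pattern finance teams should pause on.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in PAYMENT_TERMS) and any(u in text for u in URGENCY_TERMS):
        findings.append("payment-request-with-urgency")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyse(raw))
```

None of these checks proves an email is malicious on its own; the point is that the spoofed message in the scenario trips all four, while the legitimate one trips none, so a gateway rule or a quick triage script can route such messages for a human check before anyone pays an invoice.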
Social engineering penetration testing can be adapted to different objectives, different types of companies, and different organisational specificities.
In addition to measuring risk, this type of audit also serves as security awareness training for the company’s employees: seeing the concrete ‘consequences’ of attacks that worked is striking. Most people will not fall into the same traps when they face similar threats again, because the psychological impact is much stronger than with traditional risk training.