Social Engineering
Social engineering refers to the manipulation and exploitation of human psychology and trust to deceive individuals or gain unauthorized access to systems, networks, or sensitive information.
People are easily manipulated through:
impersonation
pretexting
emotional pull
urgency
free stuff
blackmail/extortion
quid pro quo
Common tactics
phishing
watering hole
baiting (e.g. leaving USB pen drives lying around: people are curious to see what they hold, so they plug them into their PCs)
physical access
How to prevent these attacks?
user awareness and training
security controls, which are enabled by user awareness (if people know they can be manipulated and how, there's a higher chance they can spot these attempts and report them)
defense in depth: granting users only the privileges they need, together with proper defense mechanisms such as firewalls or proxies, can minimize the damage.
Phishing
The most common social engineering attack is phishing, which usually uses a malicious email as its vector and aims to obtain sensitive information from the target by asking them to
reply with information
click on links
download and open files
Types of phishing:
spear phishing: phishing targeted on a specific set of people (e.g. a company's employees)
whaling: spear phishing aimed at high-value individuals
smishing: phishing via SMS
vishing: phishing via voice calls
Phishing techniques:
Pharming: focuses on redirecting individual users to fake websites without their knowledge
Watering hole: exploiting a vulnerability in a legitimate website to target a specific group of users who visit that site
BEC (Business Email Compromise): a phishing attack sent from a legitimate email account that has been compromised
Impersonation/spoofing: pretending to be someone/something you're not (e.g. a manager or a known website)
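As an added example (not part of the original notes), the following Python checker flags the spoofing and urgency indicators described above in a raw email: a display name that shows a different address than the real From domain, a Reply-To pointing elsewhere, urgency wording, and link text that advertises one host while the href goes to another. The sample message, the corp.example organisation and the *.example sender domains are all constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended")
# Simplified anchor extractor giving (href, visible text); a demo, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a URL or hostname, e.g. "https://sso.corp.example/x".
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)

# Constructed sample phishing email (not a real message): corp.example is the impersonated org.
SAMPLE = "\n".join([
    'From: "helpdesk@corp.example" <alerts@mail-reset.example>',
    "Reply-To: reset@mail-reset-support.example",
    "To: victim@corp.example",
    "Subject: URGENT: your password expires in 24 hours",
    "Content-Type: text/html",
    "",
    "<p>Your account will be suspended. Reset now:</p>",
    '<a href="http://login.mail-reset.example/reset">https://sso.corp.example/reset</a>',
])


def phishing_indicators(raw):
    """Return the list of indicator names found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = msg["from"].addresses[0]  # assumes a From header is present
    # Impersonation: the display name (what a hurried reader sees) carries an
    # address whose domain differs from the real From domain.
    shown = re.search(r"@([\w.-]+)", sender.display_name)
    if shown and shown.group(1).lower() != sender.domain.lower():
        hits.append("display-name-domain-mismatch")
    # Replies would silently go to a domain other than the visible sender's.
    reply_to = msg["reply-to"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        hits.append("reply-to-domain-mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Pressure to act now is the "urgency" lever listed in the notes.
    if any(w in (str(msg["subject"] or "") + text).lower() for w in URGENCY):
        hits.append("urgency-language")
    if body and body.get_content_type() == "text/html":
        for href, label in ANCHOR.findall(text):
            m = HOSTLIKE.match(label.strip())
            # The visible link text advertises one host while the href points elsewhere.
            if m and m.group(1).lower() != (urlparse(href).hostname or ""):
                hits.append("link-text-host-mismatch")
                break
    return hits
```

Each indicator on its own is weak evidence; in a mail gateway or SOC rule they are combined and weighted rather than treated as a verdict.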
Gophish is a tool designed to set up phishing campaigns.
Set up the sending profile
After configuring the sending profile accordingly, we can test the configuration by clicking on the Send Test Email button as shown in the following screenshot.
This will prompt you to specify the recipient's details; in this case we will send the test email to victim@demo.ine.local, whose mailbox has already been configured in Thunderbird.
Set up the landing page
This will be the page the victim lands on after clicking the link in the email.
You can create an HTML page or import one you already have (1).
You can choose to capture submitted data (2), which you want to do if you are asking the victim for something like a password reset.
Create an email template
Set up the user list
Create and launch the campaign
Here you need to choose the various settings you set up earlier, then launch the campaign.
Launching the campaign redirects you to the campaign dashboard, which provides a summary of statistics about the phishing campaign.
We can check the emails sent to the target mailbox by opening the Thunderbird email client.