Different Types Of SE'ing

 



The Different Types Of Social Engineering Attacks.

If you're a dedicated reader of this blog and have sifted through countless posts when navigating from one section to another, you'd well and truly realize that almost every article pertains to one particular type of social engineering- namely "company manipulation and exploitation". Although this form of SEing has been around for quite a while, It's still referred to as "the new breed of human hacking", for the fact that methods that're used to support every attack vector, continue to expand. What this means, Is that SE'ers of all shapes and sizes (myself Included) either fine-tune existing methods to fix flaws and apply a more effective formulation, or create one of their own that will also require a few tweaks at some later point In time.

As a result, It's Inevitable that changes continue to take place with the way methods are utilized, and prepared against the target In question- being retailers to the likes of the largest eCommerce company named Amazon, and of course other commonalities such as Zalando, Currys PC World, Walmart, Nike and the list goes on. Each and every one of these companies Is susceptible to exploitation with a very high success rate, however they too, Implement changes here and there with how they assess and process claims, hence the reason why "the new breed of human hacking"  will continue to be labelled as such. On the grounds that you've just started your career In social engineering  and you're actively Involved In an SEing community on a large scale, I'd say It's very safe to assume that you're only familiar with what you've just read, correct? I thought as much.

If you're happy and content to keep hitting online stores and prefer to remain within that environment, that's entirely your choice, but In order to be proficient In every facet of human hacking, It's paramount to have sound knowledge of the "different types of social engineering attacks"- which Is precisely the objective of this article. So If you're part of this equation, then this tutorial Is for you. Now because social engineering covers a wide range of manipulative tactics, It's categorized under many different titles such as (but not limited to) "Tailgating/Piggybacking", "Spear Phishing", "Phishing", "Quid Pro Quo" and "Pretexting". I will not be addressing each one by title, for the reason that they all require the same thing to get the job done, which Is "manipulation", but performed In a different fashion to SEing companies.

In other words, they're just a "name" that brands the gateway of attack that they relate to, but In reality, It's simply  "manipulating" the target to achieve the goal, regardless of whoever It was that created their fanciful names! For example, "Pretexting" Is to build a trusting relationship with the victim. This can be done over the phone by pretending to be the IT support guy In the head office who's doing a routine security update, and to complete the task, the victim's login credentials are required for authentication purposes. A "Quid Pro Quo" attack offers the victim a service In exchange for Information. Again, this can be done by calling the victim as though the SE'er Is an IT expert who needs their antivirus software disabled to Implement the latest operating system patches. Instead, he'll Install a keylogger and grab the login credentials.

All In all, both the "Pretexting" and "Quid Pro Quo" attacks Involved Impersonating an IT specialist, and tricked the victim Into performing something to allow the social engineer access to their login details. So what's the difference between "Pretexting" and "Quid Pro Quo?". I'll answer It for you- "nothing". It's only the "name"  that distinguishes one from the other for no reason whatsoever. This Is why I will not discuss them by name, but rather their true definition which falls under the title of "old-school social engineering". Why I've classed It as such, Is because It's been around for centuries, but wasn't recognized as social engineering back then. The other type of SEing Is obviously "company manipulation and exploitation", thus only these two types exist, no matter what you happen to read on the Internet! Before I cover each one, I'd like you to have a clear understanding of the true meaning of social engineering, so without further delay, let's get this started.

What Is Social Engineering?

There's no doubt that you've come across the question of this topic's title many times during your SEing activities, and gathered some useful details about how It's used and what to expect from the attack. However, If you've relied on various articles on the Internet as a "complete source of Information", I can confidently say that you've been Ill-Informed of what "truly defines social engineering". That's the main reason that prompted me to write this topic- to clear all doubts and confusion, thereby "provide you with Its true meaning", and not what many so-called security experts have documented on their website. For Instance, If you hit a Google search by entering the keywords "What Is social engineering", It'll return countless pages- some of which are plagiarized, and others giving their own thoughts based on what they believe Is correct.

I've just performed a quick online search using the aforementioned keywords, and a very popular cyber security software company named Webroot says: "Social engineering Is the art of manipulating people so they give up confidential Information". Moreover, another company of similar nature named Avast thinks It to be: "social engineering Involves manipulation to obtain sensitive Information". Really? Do they honestly believe that It's solely relative to this alone? Sure, what they've stated Is true, but It barely covers the basics of what social engineering entails as a whole. I've been SEing for over 30 years and to this day, I'm at a loss as to how major security firms fail to comprehend precisely what human hacking Is all about. That's where I come In with Its real definition as follows, so pay attention to every word you read. 

"Social engineering Is all about manipulating a given entity Into performing an action that they're not supposed to do". Be It grabbing usernames & passwords from the accounts manager of a Fortune 500 company, walking Into a rock concert without paying a single penny by Impersonating a staff member, or tricking a representative at Amazon to Issue a replacement Item free of cost- they all relate to one thing- "social engineering". As you can see, each attack vector has a different goal with what the SE'er Is aiming to achieve, but you must realize that "the end result"  has no significance to social engineering. It's "what's used to achieve the end result", that's classed as SEing. That Is, "manipulating the person to do something that he wasn't meant to do". Okay, now that you understand Its denotation, we'll checkout both types starting with "old-school social engineering".

Old-School Social Engineering:

As you're aware, old-school social engineering Includes (but Is not limited to) Phishing, Pretexting, Quid Pro Quo, Spear Phishing and Tailgating, which Is also known as Piggybacking. I'll briefly explain each one at the end of this topic. All of them are used to "provide access" to the target In question, thus contrary to what you read on the net that categorizes them as types, they're simply a "gateway" to manipulate your victim. Here's what I mean by using "Phishing" as the example.

Almost every online resource defines "phishing" as a "type" of social engineering attack, when In fact It's nothing of the sort. The truth of the matter, Is that It's "a gateway" to execute the attack and achieve the objective of the SE'er thereafter. Although this Is also done using text messages, for the most part It's performed "over the Internet"  via chat communications, creating a spoofed website that duplicates the original source or shooting off emails. The Intention of each of these attack vectors, Is to steal sensitive data such as login credentials, bank account Info or perhaps the victim's personal profile to get their full name, date of birth, address, phone number etc.

Did you notice "the channel"  that's designed to get the job done? That's right, It's purely through the Internet, hence "they all require the same gateway to succeed-  which Is an online connection". That Is, phishing Is simply "an online gateway"  to execute the attack, Irrespective of how It's done- via chat, spoofed website or email. Its "type" Is classed as "old-school social engineering". Understood? Good! I'm sure you're wondering how SE'ers utilize each of the above-mentioned gateways, so here's a breakdown that's very brief and straight to the point. I've also specified the type of gateway used for each attack.

Pretexting  

This Is done by pretending to be a trusted figure that the victim can relate to, such as a customer service representative of his credit card provider. The SE'er will call his victim and say that he's noticed an unauthorized transaction of $1,258.67 on the account. In order to reverse the charge and for verification purposes, the SE'er will ask for the credit card number, full name, address and date of birth. Given the magnitude of the (seemingly) unauthorized charge worth thousands of dollars, the victim will have no hesitation In giving out the details as requested. I don't need to explain what the SE'er can do with his victim's personal credentials!  

Gateway used for the attack: Digital/Online communication.

Tailgating

Also known as "Piggybacking", "Tailgating" Is used by SE'ers to physically SE a given person Into allowing access to a restricted building, or any other property. For example, the SE'er will pretend to be employed by the company and will first research It to see what's required to gain entry. He will then dress accordingly, such as a suit and tie as though he's part of the office department.

He'll arrive at the building In the morning, and walk behind the office staff as they're making their way to enter the premises and when one of them opens the door by entering his 4-digit PIN code, the SE'er will kindly ask him to hold It open for him. Due to the SE'er's hands being full with his cell phone In one hand and a briefcase In the other, the worker obliges and the SE'er has walked Into the building thereafter. It doesn't get much easier than that.

Gateway used for the attack: Physically/In person.

Phishing

There are a few ways that "Phishing" attacks are executed but to keep It simple, I'll only use one particular technique being a "phishing web page", that replicates the original website with the Intention to steal your victim's login details. Do note that phishing Is (generally) not personal to the SE'er, but rather aimed to target anyone by sending a large number of random attack vectors. Here's how It basically works purely as an example. Every man and his dog (so to speak) has a Facebook account, so we'll say that you've created a fake login page that looks exactly the same as the real deal.

You'd then send the link (of your fake web page) to your victims via email, or any other gateway of communication by pretending to be someone from Facebook Help Center who's noticed unusual activity on the account. In order to verify, update and secure It you'll ask your victims to log In and the moment they do, their username & password will be sent and stored In a text file on the web host of your phishing page. You can now sign Into their account and do as you please.

Gateway used for the attack: Online/Internet.

Spear Phishing

If you've paid attention to the topic just above, you would've noticed that It refers to victims In "plural", meaning more than one and the reason for this, Is because there Is a difference between "Phishing" and "Spear Phishing" attacks. Both are very similar In the way they're executed, but there Is one major distinction as follows. Phishing Is used to target anyone by sending mass emails to thousands of recipients, therefore each message Is universal and not based on anything personal. On the other hand, Spear Phishing specifically targets someone who Is known to the social engineer, hence the attack Is crafted to suit the nature of the victim. 

The SE'er will (usually) already have a few details, such as his victim's place of employment, their first & last name and hobbies & Interests- all of which are easily obtained from their Facebook profile or any other social media platform they're registered with. Such details are used to carefully prepare the attack, as though the SE'er Is a well-known and trusted entity. Spear Phishing Is performed In the same manner as Phishing, but on an Individual basis and given you've just read about the latter, there's no point In repeating the process.   

Gateway used for the attack: Online/Internet.

Quid Pro Quo

I've already briefly discussed the "Quid Pro Quo" attack at the beginning of this article, but nonetheless, It's needed to conclude this entire old-school social engineering category. As mentioned, "this attack offers the victim a service In exchange for certain Information". For Instance, the SE'er calls his victim and pretends to be an ISP (Internet Service Provider) support technician who's noticed a significant performance drop In connectivity due to a recent outage In the area and to sort out the Issue, he'll provide his expert services "In exchange for the login credentials".

In other words, "the SE'er offers to fix the problem and requires the victim's username & password to authenticate and complete the task". To avoid raising suspicion, the SE'er will assure his victim that the matter will be resolved within 30 minutes or so, and will also offer a small compensation by crediting $50 off the next bill. See how powerful human hacking Is when formulated and executed effectively? I've just made up the whole scenario as I was writing this guide- all In under 5 minutes. That's finalized old-school social engineering, so It's now time to quickly check out "company manipulation & exploitation".

Gateway used for the attack: Phone communication. 

Company Manipulation & Exploitation:

As per the topic, this Is the second type of social engineering. Now on the grounds that you've been hitting online stores by SEing their representatives to refund your account for the full price of the purchased Item, or Issue a replacement at no extra cost, you'd be well and truly aware of what It takes to push your SE to Its limit and achieve a successful outcome. As such and given you've stumbled across this blog, there's no doubt that you've familiarized yourself (to some degree) with the art of "company manipulation and exploitation", so I won't bother going Into too much detail from this point onward. If you're new to the scene, I recommend reading my tutorial named Beginner's Guide To SE'ing and when you're done, you can continue where you left off In this topic. Okay, this type of SEing Is completely different to "old-school social engineering", for the reason that It relies on one particular commodity to get the job done- named "methods".

Put simply, methods are the backbone of every social engineering attack vector  and without having one In place to support It, your SE will fail before It has the chance to begin. Think of It as a set of Instructions, that ultimately allows you to achieve the task at hand. Here's an analogy that you can relate to. If you've purchased an entertainment unit from IKEA In Its collapsed form, you'd need "the assembly Instructions"  to put It together and If they're missing or happen to belong to another unit, you cannot complete your project. The very same principle applies to SEing- the "assembly Instructions" Is the "method", that's used to put together your SE In readiness to execute your attack against the company you're planning to social engineer.

There are many different methods like the "DNA" (Did Not Arrive), the "missing Item/partial method", the "wrong Item received", "boxing", "sealed box", "faulty Item" and the list goes on. Now It's way beyond the scope of this article to cover each and every one, so I'll briefly elaborate on what they're designed to do as follows. Apart from the "DNA" which Is classed as a "universal method", that can be used with just about any Item of reasonable size & weight by saying that you did not receive your package from the carrier driver, "the rest must be suited to the nature of the Item". For Instance, you cannot use the "missing Item method" on something that weighs 2 kg. Why? Well, If the company opens an Investigation and cross-checks the weight with the carrier, they'll Identify the weight (at 2 kg) and conclude that It was In fact picked, packed and dispatched correctly.

Another very simple example, Is the "boxing method". The rep/agent will ask you to return your Item for a refund or replacement and when he receives It, your claim will be approved thereafter. Obviously you have no Intention of sending It back, thus you'll "box the company" by making It seem as though your Item was stolen during transit. To do this, you'd cut the box on one side and seal It with different colored tape and when the company receives your package, they'll see It's consistent with tampering and assume that someone ripped It open, stole your Item and taped It to cover their tracks. Your claim should work In your favor, yes? Not quite. If your Item was too heavy to box, then an Investigation would've deemed that you didn't send It to begin with! Can you see the Importance of "Item & method compatibility"? Good. Now this type of SEing, only has two gateways- Online/Internet and In-Store/physical, so we'll have a look at each one respectively.

Online Social Engineering

You don't have to be a genius to see that this gateway Is purely through an Internet connection, and Is done by SEing companies who offer a delivery service and use their carrier(s) to dispatch & receive packages from consignor (sender) and consignee (receiver). In terms of the "new breed of human hacking", that Is, company manipulation and exploitation, this Is by far the most popular and preferred gateway for all types of SE'ers- beginner, Intermediate and advanced. There are a few reasons why social engineers opt for this, ranging from a choice of communication channels such as email messages, phone conversations and (where available) live chat and of significant value, "Its flexibility with the array of methods at the SE'er's disposal".

For example, If you've only recently started your career In SEing and you're somewhat hesitant to use the "DNA method" on a pair of AirPods that're scheduled to arrive In the next day or so, you can choose the "missing Item method", which only Involves calling the company and saying that they were not enclosed when you opened the box. With the DNA, you'd need to try and avoid signing for the package, or locate a "drop address" (a vacant house not belonging to you) and sometimes having to deal with the driver knocking on your door or calling your cell phone, questioning why you claimed you didn't receive your package. The missing Item method totally avoids all that. But what If you're not comfortable with the missing Item method? Well, select another one, namely the sealed box method which Is suited to SE'ers of all shapes & sizes. They're just a few alternatives that are readily available with online social engineering but with regard to "In-Store SEing", you'd need to tackle It a little differently, so let's check It out now.

Gateway used for the attack: Online/Internet.   

In-Store Social Engineering 

As the title of this topic Implies, the gateway used for In-store social engineering Is "In person", by physically attending the store and dealing with the employee face-to-face at the customer service counter. The concept of this gateway of SEing, Is very similar to ordering goods from online companies and manipulating their reps/agents for refunds & replacements. The main exception, Is that your attack vector Is solely executed "In person" and because your communication with the employee Is Instant, you've only got one shot to get It right- one wrong move, and your SE will fail there and then. For that reason alone, a lot of SE'ers prefer online social engineering, whereby they'd shoot off emails and take all the time they need to think of the appropriate response, and also have the option of asking for help from fellow SE'ers.

Another drawback of In-store SEing, Is that It's limited to only three methods being the "wrong Item received", the "missing Item/partial" and the "sealed box method". Why? Well, evidently a carrier service Is not utilized, so the "DNA" and the "boxing" methods are out of the question- both require shipment of goods for the SE to take place. There are other methods that're also Incompatible, but for the sake of simplicity, I'll leave It at that. Now social engineering In a physical environment, certainly has Its upside when used In a strategic and calculated fashion. This article has exceeded Its reading time by a lot more than what I anticipated, so I'll keep It short and straight to the point as follows.

For the purpose of this guide, I'll use the sealed box method. Be sure to click the link and thoroughly read my tutorial, prior to moving forward with the rest of this post. Okay, now that you're familiar with the method, the "timing of the attack" Is of the utmost Importance, so the objective Is to attend the store "late on a Friday just before close of business". As a result, their workers are exhausted from the working week, are not as alert and In a hurry to balance the day's takings and go home In readiness for the weekend. "Observation" Is also an Integral part of the SE, so If you notice (for example) a young female In her teens who appears stressed due to the Influx of customer claims, then that's who you'll target.

Begin by giving her compliments on her beautiful hair or nails (thus distracting her attention away from the job) and at the same time, purposely knock over the EFTPOS machine- leaving her to pick up the pieces. Given mixed emotions of stress, compliments and agitation are going through the mind of the female worker, she's not focusing on the job at hand. As such, she accepts the box, Immediately scans It without verifying/checking Its contents and Issues a full refund thereafter. Clearly, you can see how your methodical approach using all the above elements, resulted In a successful outcome. 

Gateway used for the attack: Physically/In Person.

In Conclusion:

What you've just had the pleasure of reading throughout this entire article, Is mostly examples of attack vectors relative to their respective categories, yet "truly defines social engineering as a whole". I'd like to reiterate the fact that there are only two types of SEing- "company manipulation and exploitation" and "old-school social engineering".

All the gateways of the latter, are simply names that're just like any other SEing attack- manipulating the person to perform an action that they're not supposed to do. It's as simple as that. Whoever came up with their titles of "Pretexting", "Tailgating", "Phishing", "Quid Pro Quo" and "Spear Phishing" deserves a fanciful Imagination of the year award! There are a few more gateways, but I cannot possibly cover the lot In a single article.

