This article was written with the aim to help many of my friends who want to do pen testing for relatively secure IT systems but IT Security policies or hardware stop them. This article is a guide to social engineering to be trusted and use trust to get through IT security barriers. We will study the bad practices and weaknesses in many apparently secure IT systems so you can see what are good IT policies and practices. The key concepts covered in this set of articles are:
• First Steps - what is social engineering, Sony learned the hard way by losing 77 million accounts.
• Who is Doing Social Engineering - it is widespread and very easy to get results, US attacked by USB Malware.
• Planning your Attack - you have gathered so now attack, successful social engineering attacks by Iranian hackers.
The first step is to understand the types of problems that exist previously and then develop the types of strategy needed for each problem. Then we study some important examples which have been successful to bypass good security of IT.
Maybe first question is this: What is IT security and how it will stop me to access things? Well the first question must be this: "What do you want?" If you say I want to deface or DDoS a website then this article may not be interesting for you because I have a bigger goal in mind. Most more or less well maintained networks will give access depending on their function. For example a mail server lets mail traffic and a webserver lets web traffic etc.… but don’t let anybody access to the internal network without password and this is where you can reach the most useful and maybe also valuable information.
Why do we want to access the internal network? Imagine that you want to find out about which persons work for a company or perhaps what projects is the company working on and then what if you could download their data and sell it or use it against them. Does that sound like it is crazy? Maybe you didn’t see these news:
Hackers steal 15 Million T-Mobile Customers' Data - wired.com
Sony's PlayStation Network 77 million accounts hacked with over 12 million credit card details, passwords and emails csoonline.com
KT Corp - contact information and plan details of 8.7 million subscribers, over half the total customer base, were hacked and sold for $877,000 - informationisbeautiful.net
The 3 examples above may be the most famous but they are still examples of how getting data means getting power and that is what I will focus on in next articles. There are weaknesses to IT systems that we can exploit but generally I will focus on big companies which do have IT security policies and maintained system administration. Most weaknesses probably will be patched but always there is one element that is always the weakest point even if policies are very strong and security is very good and this weak element is called the human element!
In next part of article we will see which people are doing social engineering.
Who does Social Engineering?
Before we look to the methods that are used for social engineering we will think about who is already doing it to us now. The answer is that social engineering maybe more widespread than you think because it is used as an important method of communication in everyday life. However, we are interested in more specialized types of social engineering that are used to create identities, build trust and exploit accesses. Start point for this type of activity is to get or try to get information which will unlock your main goal is a better description.
Harvesting information is normally one of key ways for gaining access to a network and this can be done by lots of ways:
• USB with malicious payload
• Business and personal websites
• Linked In and Facebook (Social Media)
• Forums/ Hobby Lists
• Port Scanning
Maybe you recognize the following well known examples of this type of activity:
Phishing remains the easiest and most productive attack vector - http://www.csoonline.com/article/3036837/security/phishing-remains-top-attack-vector-for-criminals-both-novice-and-professional.html
US Power Plant infected by USB Malware - http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
Planning Your Attack
Once you have gathered enough data then you can start to plan your attack methods with a view on what can be the most effective depending on the type of information you have obtained. A good way of attack is to convince your target that either you are someone that is offering them a deal that they cannot pass or that you are an official organization that requires a response. It is important to stress that the convincing them is a very important tactic which takes time to do. For example a person who doesn’t like his job that is looking for a new job. We prepare him for an approach by a friendly and positive recruitment consultant and he will definitely be happy to communicate if we offer him good job.
This type of fake recruitment offer needs to use the information we got in previous stage of getting information in order to decide what type of job the person might accept. Several successful attacks have been done in this way with fake personas being used as recruitment officers or officials from related companies. Following links are showing how Iranian hackers have been especially skilled at this type of attack.
Iranian cyber group uses a dozen fake personas on social networking sites:
Iranian-based hacker group creates a network of fake Linked In profiles:
Are you impressed or scared? The social engineering approach from the above articles can be admired because in both cases the following points are highlighted:
• Used a lot of time and effort to make the personas
• Network of genuine and established personas
• Iranians using fake profiles on Facebook, Twitter, Google+ and YouTube
• Getting log-in credentials
• Spear phishing messages
• A lot of social content was compromised
The successful plan of attack is a mixture of different techniques but what can be seen clearly from the examples above is that a lot of time and work is used to achieve the goal. Successful social engineering attack will be good if a lot of time and effort is used to plan and develop a convincing network of personas.