: Social Engineering
Social Engineering

Using Social Engineering To Bypass IT Security

: Social Engineering
Social Engineering

This article was written with the aim to help many of my friends who want to do pen testing for relatively secure IT systems but IT Security policies or hardware stop them. This article is a guide to social engineering to be trusted and use trust to get through IT security barriers. We will study the bad practices and weaknesses in many apparently secure IT systems so you can see what are good IT policies and practices. The key concepts covered in this set of articles are:
 
•    First Steps - what is social engineering, Sony learned the hard way by losing 77 million accounts.
•    Who is Doing Social Engineering - it is widespread and very easy to get results, US attacked by USB Malware.
•    Planning your Attack - you have gathered so now attack, successful social engineering attacks by Iranian hackers. 
 
The first step is to understand the types of problems that exist previously and then develop the types of strategy needed for each problem. Then we study some important examples which have been successful to bypass good security of IT.
 
First Steps
 
Maybe first question is this: What is IT security and how it will stop me to access things? Well the first question must be this: "What do you want?" If you say I want to deface or DDoS a website then this article may not be interesting for you because I have a bigger goal in mind. Most more or less well maintained networks will give access depending on their function. For example a mail server lets mail traffic and a webserver lets web traffic etc.… but don’t let anybody access to the internal network without password and this is where you can reach the most useful and maybe also valuable information.
 
Why do we want to access the internal network? Imagine that you want to find out about which persons work for a company or perhaps what projects is the company working on and then what if you could download their data and sell it or use it against them. Does that sound like it is crazy? Maybe you didn’t see these news:
 
Hackers steal 15 Million T-Mobile Customers' Data - wired.com

hack tmobile

T-Mobile Hacked


Sony's PlayStation Network 77 million accounts hacked with over 12 million credit card details, passwords and emails csoonline.com

hack sony

PlayStation Network Hacked


KT Corp - contact information and plan details of 8.7 million subscribers, over half the total customer base, were hacked and sold for $877,000 - informationisbeautiful.net
 
The 3 examples above may be the most famous but they are still examples of how getting data means getting power and that is what I will focus on in next articles. There are weaknesses to IT systems that we can exploit but generally I will focus on big companies which do have IT security policies and maintained system administration. Most weaknesses probably will be patched but always there is one element that is always the weakest point even if policies are very strong and security is very good and this weak element is called the human element!

In next part of article we will see which people are doing social engineering.
 
Who does Social Engineering?
 
Before we look to the methods that are used for social engineering we will think about who is already doing it to us now. The answer is that social engineering maybe more widespread than you think because it is used as an important method of communication in everyday life. However, we are interested in more specialized types of social engineering that are used to create identities, build trust and exploit accesses. Start point for this type of activity is to get or try to get information which will unlock your main goal is a better description.
 
Harvesting information is normally one of key ways for gaining access to a network and this can be done by lots of ways:

phishing

phishing


 
•    USB with malicious payload
•    Business and personal websites
•    Linked In and Facebook (Social Media)
•    Forums/ Hobby Lists
•    Port Scanning



Maybe you recognize the following well known examples of this type of activity:
 
Phishing remains the easiest and most productive attack vector - http://www.csoonline.com/article/3036837/security/phishing-remains-top-attack-vector-for-criminals-both-novice-and-professional.html
 
US Power Plant infected by USB Malware - http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/

Planning Your Attack
 
Once you have gathered enough data then you can start to plan your attack methods with a view on what can be the most effective depending on the type of information you have obtained. A good way of attack is to convince your target that either you are someone that is offering them a deal that they cannot pass or that you are an official organization that requires a response. It is important to stress that the convincing them is a very important tactic which takes time to do. For example a person who doesn’t like his job that is looking for a new job. We prepare him for an approach by a friendly and positive recruitment consultant and he will definitely be happy to communicate if we offer him good job.
 
This type of fake recruitment offer needs to use the information we got in previous stage of getting information in order to decide what type of job the person might accept. Several successful attacks have been done in this way with fake personas being used as recruitment officers or officials from related companies. Following links are showing how Iranian hackers have been especially skilled at this type of attack.
 
Iranian cyber group uses a dozen fake personas on social networking sites:
http://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/
 
Iranian-based hacker group creates a network of fake Linked In profiles:
https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles
 
Are you impressed or scared? The social engineering approach from the above articles can be admired because in both cases the following points are highlighted:

•    Used a lot of time and effort to make the personas
•    Network of genuine and established personas
•    Iranians using fake profiles on Facebook, Twitter, Google+ and YouTube
•    Getting log-in credentials
•    Spear phishing messages
•    A lot of social content was compromised

The successful plan of attack is a mixture of different techniques but what can be seen clearly from the examples above is that a lot of time and work is used to achieve the goal. Successful social engineering attack will be good if a lot of time and effort is used to plan and develop a convincing network of personas.

Article rating:

vote(s).

0 Comments

Write a Comment

Comments are locked / disabled for this article.

:
Hosein)root Discovers XSS Vulnerability on Google Earth

On 25 November Hosein)root who asked ICNA publish his true name as Amir Hossein Sharbati on CX...


0 Comments | Read more +
:
35/000 Characters Tweet Shocks German Hackers!

Thinking that a person could send a tweet with more than 280 characters is more or less like a...


0 Comments | Read more +
:
4TT4CK3R Identifies Flaw in University of Tehran Website

Vulnerability researcher 4TT4CK3R discovered on 23 August a cross-ste scripting vulnerability ...


0 Comments | Read more +
: 4tt4ck3r Find Vuln In United Kingdom Government
4tt4ck3r Finds Flaw in UK Government Websites

Iranian hacker 4tt4ck3r has previously found Reflected XSS -Cross Site Script...


0 Comments | Read more +
: TYRANT Ransomware
Iranian TYRANT Ransomware

A new type of ransomware have been discovered on October 16 2017 which appear...


0 Comments | Read more +
: IoT Security Research Expertise
Iranian Expertise in IoT Security Research

Iranian academic security researchers at the ITRC (Information Technology Research Cen...


0 Comments | Read more +
: Mohammad Rezania -LinX64-
Android Security and Forensic Science by LinX64

A good article by Iranian academic is important step forward for people to understand security...


0 Comments | Read more +
: http://offsec.ir/writeups
OFFSEC Team Ice CTF Results

Offsec Research CTF Team: "Thinking out of t...


0 Comments | Read more +
:
Defacement of Hafez Institute of Higher Education by UnSec Team

ICNA was contacted yesterday, 19 October, by UnSec Team member Mostafa Asadi concerning the ha...


0 Comments | Read more +
:
Manoto Defaced by Cluwix

We can see in the picture that website of Manoto TV show "Stage" was hacked by Black Hat Hacke...


0 Comments | Read more +
: Eagle Security Team
Eagle Security Team Deface Shahrood University of Technology

MR 7KH4T of Iranian hacking group Eagle Security Team is mak...


0 Comments | Read more +
: MR.IMAN
Iranian Black Hat Hackers Mass Deface Iran Sites

Hackers of the team Iranian Black Hat Hackers has make deface of many Iranian...


0 Comments | Read more +
: Iranian Cyber News Agency
New Website

Welcome to Iranian Cyber News Agency website.

New sections now include Vulnerability N...


0 Comments | Read more +
خبرگزاری سایبر ایران

در ب...


0 Comments | Read more +
:
SMS Virus Developed by Iranian Hacker Claims 100/000 Victims in Iran

In recent weeks a story that has attracted attention of many people has been the development a...


0 Comments | Read more +
: Atash Security Group
Atash Security Group Attack Irancell

The hacker and administrator Omid Killer of the Iranian hacker group ...


0 Comments | Read more +
: Eagle Security Team
Eagle Security Team Hack Saudi Sites

Latest Iranian cyber news from the Eagle Security Team shows that hackers hav...


0 Comments | Read more +
: Lord Hacking Team
Lord Hacking Team Attack Google Telegram & Acunetix

Iranian hackers of Lord Hacking Team is claim attack against:

  • ...

0 Comments | Read more +
: Fake ANF News App
Open Source Research Company Claims Iranian Government Targets Iranian Citizens with Malwareware

Open source research company Check Point Research claims that what it called Iranian governmen...


0 Comments | Read more +
Twitter: Twitter Message
Hackers Take Down Mahan Air Website

It can be seen from Twitter posts that website of Mahan Air was hacked by Iranian group XileRe...


0 Comments | Read more +
U.S-INDICTED MABNA GROUP DIRECTED BY MINISTRY OF INTELLIGENCE

Previous, ICNA has reported on U.S. indictments and accusations of Iranian hackers and other c...


0 Comments | Read more +
A Vaccination Called Filtering

We took this text from the Telegram Channel of Iran Security Team Official Channel (


0 Comments | Read more +
:
IEDB Holds Gatherings Nationwide

In recent weeks and months users and friends of the hardworking IEDB team which has very activ...


0 Comments | Read more +
: Eagle Security Team
Eagle Team

The Iranian Eagle Security Team security researchers is make exposed many SQL...


0 Comments | Read more +
: Kheshtak Security Team
Kheshtak Security Team - Story Continues

More than ever in the 21st century, knowledge is power and information is the force that contr...


0 Comments | Read more +
:
Termint Security Team Have New Website

Although they have history going back a few momnths the Termint Security Team...


0 Comments | Read more +