Social engineering attacks revealed

Phishing

You receive a message while browsing:

“Alert!! Virus found!” or “JavaScript alert!! Your phone XYZ (model) has been infected with a virus. Click the ‘ok’ button to scan and remove the virus.”

Often accompanied by annoying high-frequency beeps that the human ear designates to be unfriendly (more than 5000Hz).

What do you do?

Many people do not understand what JavaScript or just a ‘script’ is. In fear and ramshackle, they often go for the bait (like a bull to a butchery).

But behind the button?

                 Button.onclick (“execute/install /run x”);    //that had to be in layman.

X being, in most cases, ransomware or a remote administration tool (RAT) such as RootKit.

Phishing in action

Consider this hack that stole the hearts of many unsuspecting Kenyan Facebook users, 5006, to be precise.

“The hacker created a website that looked aesthetically similar to Facebook and posted it on random users’ pages, inviting them to view their friends’ latest photos. Users who clicked on the link were asked to provide their login details afresh to proceed. Once they did this, their usernames and passwords were collected into a database.” said William Makatiani, the managing director at Serianu.

The captured log-in credentials were then used to take over a user’s social media page. They went on to solicit money from the account owner’s friends while masquerading as the real user (the victim). Owners of the compromised Facebook accounts were also contacted and informed that their accounts would be deleted if they declined to pay money ranging between Sh5,000 and Sh100, 000

To ensure this succeeded, the fraudsters posted malicious and alarming messages such as the above on breached Facebook pages. Serianu estimates that victims of the attacks may have lost up to Sh50 million in the scam.

The examples above illustrate phishing in action. An attempt to acquire sensitive information or to make somebody act in the desired way by masquerading as a trustworthy entity in an electronic communication medium.

They are usually targeted at large groups of people. Phishing attacks can be performed over almost any channel, from the physical presence of the attacker to websites, social networks or even cloud services.

According to Verizon’s Data Breach Investigation Report [4] for 2016, phishing was involved in 9576 data breaches (916 of them have resulted in confirmed data disclosure) out of about 100000, or roughly 10% of the considered data breaches were caused by phishing.

Phishing is often used as an initial attack vector, and usually, more elaborate technical methods are used once the attackers have infected an initial PC inside the organization’s network.

Another interesting metric is the open rate for phishing emails – per the same report, 13% of users clicked on the link or attachment in a phishing email. Combining a phishing campaign with a zero-day vulnerability (as is commonly the case with APTs, e.g. the Secure ID breach) means that all the aforementioned users will have their PCs infected.

Common types of phishing.

Spear phishing

Spear phishing is a wordplay on ‘spear fishing’, a fishing technique where the fisherman targets the fish he wants to catch (with a spear) instead of waiting for it to catch the bait.

Another possible analogy is sharpness – while standard phishing campaigns operate by using strength in numbers and sending millions of messages, spear phishing sends only a tiny fraction of the traffic and is, therefore, much harder to notice as a pattern on a large scale.

A spear-phishing attack is similar to normal phishing in its technical principles. The difference is, however, in the degree of information gathering done before the attack. It requires the attacker to first gather information on the intended victims (most probably you), but the success rate is higher than in conventional phishing.

To be more precise, spear phishing is much more targeted – it involves selecting a target and tailoring the messages to the particular victim – e.g. using the actual names of employees in the “From:” field, following a similar structure and tone to in-company communication, etc.

Check the below messages (trapping desperate Kenyans);

“CONGRATULATIONS! From LOTTO! You are the lucky winner of KSH100, 000. From LOTTO!! Contact (07xxxxxx947) calling hours 7:00AM to 7:00PM.DO NOT PAY ANY.”--/*poor English, full of unnecessary repetitions, were you supposed to pay ANY :)? But it works! In fact, I also received the same message, and it stole my heart. Lucky, I caught on in time. */

“PLEASE nirudishie hiyo pesa kwa 07xxxxxxxx. I mistyped hiyo number ya mwisho.”  which translates to, "PLEASE refund me that sum to 07xxxxxxxx. I mistyped the last digits." /*very convincing especially if your numbers almost look similar.*/ 

“DEF Enterprises, We are advertising for vacant positions in bbbb (position)...Salary is KSH.20, 000 a month. Free training is available. For more information, call 07aaaaaaaa”

Or you receive a call from a very noisy (like SpongeBob) woman with a weeping child, claiming-“Hebu tuma hiyo pesa! mtoto wako ni mgonjwa sana! Atanikufia kwenye mkono! ...” which translates to “can you send that money, your child is very sick! He will die poorly in my hands.” If you have ‘another’ kid, you might fall for it.

Soft Targeting

Soft targeting is a type of phishing attack that sits somewhere between standard phishing and spear phishing: the email messages are targeted, but not towards a certain individual or an organization, but rather towards a profession or occupation.

This allows the attackers to use the ‘strength in numbers’ paradigm by sending millions of messages while still having a higher success rate than completely generic phishing messages.

Soft targeting is particularly popular at this time, as it is used as the main distribution vector for ransomware – the malware ‘trend’ of 2016 [35].

Consider the sample email below;

From: Kenya Revenue Authority

[mailto:[email protected] ]
Sent: Tuesday, March 21, 2017 9:47 AM
Subject: [SPAM: #] Get your tax refund now
Importance: High

After the last annual calculations of your account activity, we have determined that
you are eligible to receive a tax refund of Ksh.20, 000.
Please submit the tax refund request and allow us 2-6 days to process it.

A refund can be delayed for a variety of reasons.
For example, submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here http://e-gov.kenya.ra.co.ke:84/www.kbc.gov/.

Note: Deliberate wrong inputs will be prosecuted by law.

Regards,
Kenya Revenue Authority.

A good citizen will surely tell this to be a fraudster. I mean, look at the link you are being sent to.  If you do not know the website of the Kenya Revenue Authority, then you will be caught by the whirlwind.

If a phishing attack is aimed at high-profile targets in enterprises, the attack is referred to as whaling.

The social approach explained.

This is still the perfect style. Phishing mostly goes for fear and necessity, but this; is for what I call ‘inbuilt responses in you’ all.

Let's discuss the ingredients in the recipe for this meal.

Elicitation is the general name for all these ingredients. Elicitation was defined in the previous article.

Appealing to someone’s ego

Attacker: “Ow! I have always wanted to be a developer. I hear you teach not only your colleagues but even the Boss. That’s cool, men, can I be your student?….”

Target: “Really, that is nice of you to say. Who might have told you that? I only…”

Take care of subjects of discussions with strangers. The above conversation may escalate to the point that the target shows, if not all, most of their skills. With the bring your own device (BYOD) scenarios in modern offices, the attacker will most surely get hold of the victim's machine (all in the attempt to prove “knowledge is my brother, we walk together”) and use it as a free gate to the corporate’s system.

The method of appealing to someone’s ego is simplistic but effective.

Take note! The engineers are usually trained not to overdo it; because they know; over-stroking someone’s ego or doing it without sincerity just turns people off. Hold that as a weapon (ensure they turn you off early enough; be a pond instead of the sea).

Expressing a Mutual Interest

Consider this mock scenario:

Attacker: “Wow, you have a background in ISO 9001 compliance databases? You should see the model we built for a reporting engine to assist with that certification. I can get you a copy.”

Target: “I would love to see that. We have been toying with the idea of adding a reporting engine to our system.”

Expressing mutual interest is an important aspect of elicitation. This particular scenario is even more powerful than appealing to someone’s ego because it extends the relationship beyond the initial conversation.

Making deliberate false statements

Delivering a false statement seems like it would backfire off the top, but it can prove to be a powerful force to be reckoned with.

 Attacker: “Everybody knows that XYZ Company produced the highest-selling software for this widget on earth.”

Target: “Actually, that isn’t true. (Overstuffed with ego, the target may even stand up if they were seated. Imagine their next gesture) our company started selling a similar product in 1998, five years before the wretched XYZ showed up, and our sales records have beaten them routinely by more than 26%.”

These statements, if used effectively, can elicit a response from the target with real facts. Most people must correct wrong statements when they hear them. It’s almost as if they are challenged to prove they are correct. The desire to inform others, appear knowledgeable, and be intolerant of misstatements seems to be built into human nature.

Volunteering information;

War is ninety per cent information.—Napoleon Bonaparte.

“Did you hear about Ruth? I heard she just got laid off from work (why didn’t she just say ‘sacked’? they are after setting the mood) and is having serious problems finding more work.”

Of course, most of the time, you will get, “Wow, I didn’t hear that. That is terrible news. I heard Lewis is getting divorced, and they will lose the house, too.”

As Hadnagy says, the sad aspect of humanity is that we tend to live the saying “misery loves company”—how true it is in this case. People tend to want to share similar news. Social engineers can utilize this propensity to set the tone or mood of a conversation and build a sense of obligation.

You will most surely fall for it. Study who you are talking to first.

Assumed knowledge.

If someone has knowledge of a particular situation, it’s acceptable to discuss it with them. That’s what I would assume, and so would most of you.

An attacker can deliberately exploit this trait by presenting information as if they are in the know and then using elicitation to build a conversation around it.

They then can regurgitate the information as if it were their own and continue to build the illusion that they have intimate knowledge of this topic.

Pretexting

Pretexting is better defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit.

Pretexting encompasses everything you would imagine that person to be. It is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action.

It is more than just creating a lie; in some cases, it can create a whole new identity and then use that identity to manipulate the receipt of information.

Social engineers can use pretexting to impersonate people in certain jobs and roles that they never themselves have done. Below, I give the story of Mark Rifkin.

Stanley Mark Rifkin is credited with one of the biggest bank heists in American history.

In October 1978, he visited Security Pacific, where bank employees easily recognized him as a computer worker. He took an elevator to the D-level, where the bank’s wire transfer room was located. A pleasant and friendly young man, he managed to talk his way into the room where the bank’s secret code of the day was posted on the wall. Rifkin memorized the code and left without arousing suspicion. Soon, bank employees in the transfer room received a phone call from a man who identified himself as Mike Hansen, an employee of the bank’s international division. The man ordered a routine transfer of funds into an account at the Irving Trust Company in New York—and he provided the secret code numbers to authorize the transaction. Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred the money to the New York bank. What bank officials did not know was that the man who called himself Mike Hansen was Stanley Rifkin, and he had used the bank’s security code to rob the bank of USD $10.2 million.

The bank’s wire transfer policies seemed secure. They were authorized by a daily numerical code that was only given out to authorized personnel. It was posted on a wall in a secure room to which only “authorized personnel” had access.

Shoulder surfing

Direct observation techniques to get information, such as looking over someone's shoulder at their screen or keyboard. Hard to succeed, it may seem, but what if spying binoculars are involved? Tense not, but they do happen. Know how you sit in your space. Carefully applying geometry, an engineer can even reflect light on your desk (in your short absence) from far away. You know what is next. “Nothing happened in my absence,” back and running.

Baiting and dumpster diving had already been discussed in the previous article. Water-holing is mostly effected during phishing, but here, the attackers compromise a website that is likely to be of interest to the chosen victim. The attackers then wait at the waterhole for their victim.

I hope the article gave you starter information into the world of social engineering. Leave a comment if you feel educated.