It's always amazing how little attention social engineering attacks get in discussions of enterprise information security risks. After all, it's usually easier to get an unsuspecting employee to click on a link than it is to find an exploitable vulnerability on a reasonably hardened webserver. Social engineering attacks come from many different angles: attackers send targeted e-mails, pretext over the phone, or pose as a service technician or other innocuous person to obtain access to the IT resources and data they seek.
But how do successful social engineering attacks happen in reality, when conducted either by ethical hacker penetration teams or criminal attackers? To get an answer, we reached out to a number of security professionals and ethical hackers who face, or perform, social engineering attacks as part of their job.
"Social engineering is one of my favorite types of engagements," says Chris Blow, technical consultant at Rook Security, who has conducted many ethical social engineering attacks over the years.
How do social engineering attacks get started?
Often, the attackers first turn to social media sites and Internet searches, and even jump into a few dumpsters to sort through documents, to learn as much as they can about the target company. They then use what they have learned in some form of targeted attack, whether by email, by phone, or in person.
Mike Buratowski, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, knows these tactics. "When we do breach assessments for companies, we often find proprietary information on the Internet. These might include a staff listing featuring personally identifiable employee information, who each person reports to, plus his or her job responsibilities and purchasing authorization. In those cases, companies are giving a social engineering attack legs, making it that much easier for attackers to tell a believable story," says Buratowski.
That "believable" story is core to a successful social engineering attack. "At the end of the day, that's what social engineering is all about — getting your victim to believe you and take an action, whether that's opening an email or attachment, clicking a link, or even just plugging in a supposedly forgotten USB to find its owner," Buratowski adds.
Blow recalls a penetration test in which the client asked for an email and phone social engineering aspect to the engagement. "During the pen test, I found his SSL VPN gateway. For the social engineering aspect, I revisited the gateway webpage to see if there was anything special about it. There wasn't. So, I copied that page and hosted it with a very believable URL. The email that I wrote coincided with the fact that this area was having one of the worst winters in quite a long time: