Hackers commonly use social engineering attacks against organizations to gain initial or elevated access. Social engineering covers a range of techniques, and all of them succeed far more often when the attacker has gathered information about the target beforehand. Reconnaissance is not strictly required, since blind phishing attempts can have some success, but those are usually stopped much faster. Attackers therefore look carefully at the people or company they are targeting to find relevant information.
How Attackers Find Victims
People commonly leave a lot of information exposed on the internet that attackers can use when preparing attacks, much of it on public social media accounts. This matters most when attackers are targeting individuals. Such attacks can be a stepping stone to an organization's resources or can be aimed at the person directly, in which case the goal is usually to extort money from the victim.
Phishing, in any of its forms, usually involves attackers posing as someone else to deceive the victim. A common example is the car warranty scam call that many people receive. These scammers aim to defraud victims by getting them to purchase a fake extended warranty. Victims are targeted through public phone information or data breaches. The attackers buy massive lists of phone numbers and work down the list, and numbers that have answered before are given higher priority.
These calls can seem quite convincing depending on how much research the scammers have done. They will often purchase information about the victim from data collection companies, including their name, personal details, and details about their car. A strong tell that a call is a social engineering attempt is the caller's insistence on urgency. Urgency shortens the time the victim has to think over what is happening and can push them into a bad decision.
Posing as an Insider
When targeting a larger organization, hackers will often call while posing as a member of the company to deceive an employee. One example is pretending to be a staff member who forgot their password and calling the IT department to ask for a reset. Here the attacker gathers as much information as possible about the impersonated user before making contact, which helps convince the target that they are who they claim to be and lets them answer any verification questions.
A similar attack works in the opposite direction. Hackers will often send out large email campaigns posing as someone within the company to see how many users they can compromise. Email addresses are often gathered through tools such as Rocket Reach that are built to assist sales prospecting. A typical lure asks users to reset their password through a malicious website. Once a user enters their password on the fake site, the hackers store the credentials and begin trying the captured logins across the network to gain and elevate access.
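The impersonation and urgency tells described above can be checked mechanically on an inbound message before it reaches a user. The following Python triage script is an added example written for this page, not Blue Goat Cyber's tooling; the company domain (`example.com`), the urgency keyword list, and both sample messages are constructed for illustration. It flags a display name that claims the company while the address lives elsewhere, a sender domain that is a near-miss for the real one, a Reply-To that diverts replies, urgency language, and a password-reset link that points off the company's domain.

```python
"""Heuristic phishing triage for the impersonation tells discussed above.
Added example; COMPANY_DOMAIN, URGENCY_TERMS and the samples are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                 # assumed: the defender's own domain
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]   # "example"
URGENCY_TERMS = ("immediately", "within 24 hours", "action required",
                 "account will be suspended", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character lookalikes such as examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_company_host(host: str) -> bool:
    """True for the company domain itself or any subdomain of it."""
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def is_lookalike(host: str) -> bool:
    """Not ours, but close to our name by edit distance or by embedding it."""
    if not host or is_company_host(host):
        return False
    return levenshtein(host, COMPANY_DOMAIN) <= 2 or COMPANY_LABEL in host


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()

    # Display name borrows the company's name while the mailbox is elsewhere.
    if not is_company_host(sender_host) and COMPANY_LABEL in display.lower():
        findings.append(f"display-name spoofing: '{display}' sent from {sender_host}")
    if is_lookalike(sender_host):
        findings.append(f"lookalike sender domain: {sender_host}")

    # Reply-To pointing at a different domain diverts the conversation.
    reply_host = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_host and reply_host != sender_host:
        findings.append(f"Reply-To diverts replies to {reply_host}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    hits = sorted(term for term in URGENCY_TERMS if term in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # A credential-reset lure whose link leaves the company's domain.
    link_hosts = {(urlparse(u).hostname or "").lower()
                  for u in re.findall(r"https?://[^\s<>\"')]+", body)}
    if "password" in text or "reset" in text:
        for host in sorted(link_hosts):
            if not is_company_host(host):
                findings.append(f"credential-reset link to external host: {host}")
    return findings


# Constructed sample messages (not real traffic).
PHISHING_SAMPLE = """\
From: "Example IT Helpdesk" <helpdesk@examp1e.com>
To: jane.doe@example.com
Subject: Action required: password reset within 24 hours
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it immediately at
https://sso-examp1e.com/reset or your account will be suspended.
"""

LEGIT_SAMPLE = """\
From: "Example IT Helpdesk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The VPN will be unavailable from 02:00 to 04:00 on Saturday.
Details: https://intranet.example.com/maintenance
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(sample))
```

Heuristics like these are a first filter, not a verdict: a campaign sent from a compromised real mailbox inside the company passes every check above, which is why the training and MFA measures discussed below still matter.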
Hackers usually need to gather some information from open sources before launching their attacks. For individuals, this includes social media activity, historical data breaches, and information purchased from data collection companies. The same data is useful when targeting organizations. It also helps to learn which tools and technologies the company uses, since a phishing campaign that emulates a service actually in use looks far more realistic. Much of this information can be gathered by exploiting information disclosure vulnerabilities, or by more discreet methods such as reading the requirements in job listings.
Preventing Social Engineering Attacks
Unfortunately, it is difficult to hide all of the information that assists hackers in these attacks. Most people and organizations have some sort of online presence, and that presence can always be exploited. One thing that greatly reduces the risk is user training: teaching employees to spot malicious emails and other forms of outreach can stop social engineering campaigns before they succeed. Another important step is proper multi-factor authentication implementation, which ensures that even if an attacker compromises credentials or other information, they may still be unable to do anything with it. Phishing-resistant methods such as FIDO2 security keys hold up even when a fake login page relays a one-time code in real time.
Test Your Organization’s Phishing Awareness With Blue Goat Cyber
We emulate attackers using the latest tools and techniques to create realistic social engineering campaigns. Our team can create custom-tailored campaigns and emulate life-like scenarios to evaluate your organization’s security posture. Contact us to learn more.