Difference between revisions of "Social Engineering"

From Embedded Lab Vienna for IoT & Security
Revision as of 18:38, 21 December 2021

Summary

Description of what this documentation is about.

Requirements

In order to execute a social engineering attack you need to understand the basics of social engineering described below. There are also tools for understanding and executing these attacks on a practical level. Many pre-defined attacks show how easy it is to perform them. You can read more about that in Social Engineering Toolkit.

Description

Social Engineering is the art of collecting information through some kind of human interaction. The goal of social engineering is to guide a person in a certain direction, preferably one the person chooses willingly. This leads to spying on someone's personal environment to achieve a definite goal, e.g. manipulation of elections, retrieving information, stealing money and many more.

Phases

In Social Engineering there are a few necessary steps to complete an attack and gain the information you are after. These steps are categorized mainly in four phases: Information Gathering, Getting in Contact, Exploit the Attack Vector and Vanish Traceless.

Information Gathering

This is the most important part of an attack. It is the key element of success or failure in achieving your goal. It requires a lot of research and knowledge to know whom to pick as your target, and it defines how easy or difficult the attack will be. As an example, it will be easier to target an elderly person without any prior knowledge of the internet and its dangers than a more educated person with a better understanding of scam attacks. "Know your Enemy" from Sun Tzu's The Art of War cannot describe it more clearly than that.

Getting in Contact

This step aims to message the victim in some way. This is possible over common communication channels, e.g. E-Mail, SMS, Facebook, WhatsApp, Telegram, Discord and so on. Then you have to establish a connection with the target and invent a believable story. You should create a certain mutual trust with the target and influence the victim on an emotional level. This should help to lure sensitive information out of the victim. An example would be claiming that you lost something very valuable and are not able to pay for it on time. This most likely would give you the information you want.

Exploit the Attack Vector

With all the information gathered in the previous phases you are now able to abuse it and orchestrate your attack. How you attack your target most often depends on the information you gained. Most of the time you try to gain access to an account and then accomplish your objective.

Vanish Traceless

The last step concludes the attack and is the last time you should ever communicate with this person. This is very important, because if you keep in contact you will probably get caught sooner or later. A recommended step is removing any trace you have left, like removing login emails, hiding transactions and so on.

Attacks

Common Attacks

Phishing

Pretexting

Tailgating

Ransomware

Dumpster Diving

Pop-Up Window

Pharming

USB Drop

Prevention

How to mitigate or prevent social engineering attacks

Clarify Attacks

Set Security Standards

Implement Security Tools

References