All tagged social engineering

Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (on networks, applications, protocols, etc.) and write or use exploits in order to gain access to their targets.

While to some extent this might be true, a lot of attackers use other techniques to gain that initial way in. Social engineering is a great way to convince someone to download and open a *weaponized* document or binary file and have him or her infected with a piece of malware that will allow the attacker to remotely access the system.

Social engineering doesn't necessarily mean calling or emailing the target. Sometimes sending a bunch of *product samples* might do the trick. For example, sending cheap USB flash drives or leaving them at the reception of your target can do wonderful things. Have the USB point to a malicious binary that will be automatically run when inserted into a computer, or have a seemingly harmless PDF file called something along the lines of "Get more free samples.pdf" outfitted with some malware, and you now have access to the system, remotely.


On a rather interesting project, I spent an hour trying to convince the assistant of a CEO (the AA) I was targeting to open a PDF that contained important information that I needed the CEO to consider. It was important to me that she open it while I was on the phone because I needed to verify that I had a connection to their network via the code I embedded in the weaponized PDF.

She wouldn’t have it. She kept on saying that she would open it later when she was free. Not good. Eventually she got tired of me (I was using every trick in the book to convince her!) and she said: “Fine! I’ll open it.”

Social engineering is the art of hacking people. People are essentially good and are willing to help; social engineering exploits that.

It’s a great skill to have in the world of red teaming and information security, and while it’s not a new thing, we’ve been hearing a lot about it lately: in the recent RSA, Lockheed Martin and other attacks, the technique used was something the infosec world likes to call spear phishing. It is essentially a form of social engineering via email or phone in which you convince an unsuspecting target to open a document (that has been weaponized with a piece of malware) or redirect them to a malicious website where another piece of code is waiting for them.