Social engineers use new techniques daily to gain unauthorized access to private systems and servers. But while new tactics keep emerging, many “tried and true” techniques remain consistent. After all, when something works, why change it?
Staying informed about these common hacking techniques, and about some of the “next-generation” techniques Mitnick Security uses in Red Team engagements, is essential to protecting your organization from today’s threat landscape.
Here are some of the top techniques used by social engineers to breach corporate and home networks alike:
1. Spear Phishing
Instead of mass sending phishing emails — wherein a cybercriminal hopes an employee clicks a link before IT gets wind of it — a more successful social engineering technique is spear phishing.
In a spear phishing email, social engineers use Open Source Intelligence (OSINT) to craft highly personalized, highly convincing narratives that fool users into believing the request is legitimate. The tactic gets its name from the old fishing technique of piercing a single fish with a spear, because this attack method focuses on one user at a time.
Now, only 10 or 15 emails need to go out to specific employees, and up to 90% or more of those recipients will click the link, thinking it is part of their new-hire onboarding.
Read more about how social engineers use your digital footprint against you here.
2. Social Scouring on LinkedIn & Social Media
Social media outlets make a lot of information about individuals and companies publicly accessible to anyone with an internet connection. Social engineers capitalize on this public intelligence, using it to build trust or to impersonate a trustworthy source.
LinkedIn in particular can be a valuable research tool for gleaning information about a company. Details such as job titles, locations, hours of operation, and events are frequently updated on social networks. From these, social engineers can work out how departments are organized and compile a list of individuals who are new to the company.
Someone who has only been on the job 2-4 weeks, for example, could be easier to fool in a social engineering scheme, given that they don’t yet know many of the people within the company structure. Yet their access level may be high enough for a social engineer to get one foot in the digital door and compromise the entire network. Click here to see real-life examples of social media social engineering scams.
3. Phone Calls (Vishing)
Calling an employee and pretending to work in their IT department is a classic phishing scam. And, yes, this is still a great way for social engineers to acquire login credentials. After all, who really knows all the IT personnel at their place of work?
Someone calling to fix an issue you currently have, or who needs to reset something on your account, may be exactly what you need right now. But the person who just called to help, and who wants to log in with your password to complete the task, may not be from your company…
Here’s an example pretext, for some perspective on the classic phone-call social engineering trick. When Kevin called Pam, a Motorola project manager, in the 90s, he got a message that she was away on vacation. On her voicemail, she left a contact number for another person to reach in her absence. Kevin called that contact, Aleesha, and asked whether Pam had left on vacation yet, creating the illusion that he and Pam had already spoken and making his story all the more believable. He then told Aleesha that Pam had promised to send him the Motorola Ultra Lite source code, but had said that if she got busy before leaving, Aleesha could send it. So Aleesha sent Kevin the code. Why wouldn’t she? It seemed like a logical request, and she was probably excited that her boss had entrusted her with it.
4. Fake WiFi Connections
If you are at a Starbucks and see a couple of Wi-Fi connections to connect to, which one do you select?
- Starbucks Wi-Fi
- Starbucks Guest Wi-Fi
At a quick glance the guest Wi-Fi seems like the logical one to connect to, but by doing that you may be connecting to the person next to you and his Wi-Fi Pineapple router. While everything seemed fine, you are now sending all of your traffic through him, allowing him to collect every password, sign-in and keystroke you use for the next hour or so. This stresses the importance of always requiring employees to use a VPN or a personal hotspot when logging in on the go, and of following these remote vulnerability tips.
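The coffee-shop scenario above is a classic “evil twin”: a rogue access point that copies or closely imitates a name you already trust. Endpoint tooling can catch this before a user connects, by comparing scan results against an allowlist of the access points that are actually supposed to serve each network. The Python below is an added example written for this article; it is not code from the original post or from Mitnick Security. The scan results, the allowlist of trusted BSSIDs and the 0.8 name-similarity threshold are all constructed assumptions.

```python
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str       # network name as broadcast
    bssid: str      # access point MAC address as reported by the scan
    security: str   # "open", "wpa2", "wpa3"


# Constructed sample scan for the scenario above: the trusted shop network,
# a lookalike "guest" network, and a second AP reusing the trusted name.
SCAN = [
    Network("Starbucks Wi-Fi", "00:11:22:33:44:55", "open"),
    Network("Starbucks Guest Wi-Fi", "aa:bb:cc:dd:ee:01", "open"),
    Network("Starbucks Wi-Fi", "aa:bb:cc:dd:ee:02", "open"),
    Network("CorpNet", "00:11:22:33:44:66", "wpa3"),
]

# Assumed allowlist (hypothetical values): trusted SSIDs and the BSSIDs
# known to serve them, e.g. pushed to laptops by endpoint management.
KNOWN_APS = {
    "Starbucks Wi-Fi": {"00:11:22:33:44:55"},
    "CorpNet": {"00:11:22:33:44:66"},
}


def normalize(ssid: str) -> str:
    """Lowercase and strip punctuation/spaces so 'Wi-Fi' and 'wifi' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify(net: Network, known=KNOWN_APS, threshold: float = 0.8):
    """Return a reason string if the network looks like an evil twin, else None."""
    if net.ssid in known:
        trusted_bssids = {b.lower() for b in known[net.ssid]}
        if net.bssid.lower() in trusted_bssids:
            return None
        # Trusted name, unknown radio: the classic cloned-SSID evil twin.
        return "known SSID broadcast by unrecognized access point"
    for trusted in known:
        ratio = difflib.SequenceMatcher(None, normalize(net.ssid), normalize(trusted)).ratio()
        if ratio >= threshold:
            # Not an exact copy, but close enough to fool a glance.
            return f"name resembles trusted network {trusted!r} ({ratio:.2f})"
    return None


def flag_suspicious(scan, known=KNOWN_APS):
    """Map each suspicious network in a scan to the reason it was flagged."""
    return {net: reason for net in scan if (reason := classify(net, known)) is not None}


if __name__ == "__main__":
    for net, reason in flag_suspicious(SCAN).items():
        print(f"{net.ssid!r} ({net.bssid}): {reason}")
```

Run against the constructed scan, the lookalike “Starbucks Guest Wi-Fi” is flagged for resembling the trusted name, and the second “Starbucks Wi-Fi” is flagged because its BSSID is not one the allowlist knows. The check is only as good as the allowlist, which is why the article’s advice stands: a VPN or personal hotspot protects the traffic even when the user picks the wrong network.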
5. Proxy Session Attacks
Social engineers will send out phishing emails stating that it’s time to log back in to your applications so that you do not lose access. The message may seem legitimate, with familiar branding for the site it claims to be from. After clicking the link, you may even notice that the login screen looks fine and lets you authenticate through multi-factor authentication, as you normally would.
However, what you do not know is that clicking the link and entering your information let the bad actor carry out a session hijacking attack and capture your session ID. With that session ID, they no longer need to know your passwords to the applications behind it. It’s crucial to think before you click, and to realize that even multi-factor authentication can be compromised.
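The reason MFA does not help here is that the factor is checked once, at login, and everything afterwards rides on the session ID. A server-side mitigation is to record the client context when the session is issued and refuse (and revoke) the session when the same ID shows up from a different context, which is what a replayed session ID looks like. The Python below is an added example illustrating that check; it is not code from the original post or from Mitnick Security. The `SessionStore` class, the 15-minute lifetime and the IP-plus-User-Agent fingerprint are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float
    client_fp: str    # fingerprint of the client that completed login (and MFA)
    expires_at: float


class SessionStore:
    """Issues session IDs bound to the client context seen at login."""

    def __init__(self, ttl: float = 900.0):
        self.ttl = ttl          # assumed lifetime: 15 minutes
        self._sessions = {}     # session id -> Session

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Assumed binding material: source IP and User-Agent. Coarse, but enough
        # to distinguish the victim's browser from a replay elsewhere.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now=None) -> str:
        """Called only after password and MFA have both been verified."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        self._sessions[sid] = Session(user, now, self.fingerprint(ip, user_agent), now + self.ttl)
        return sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def validate(self, sid: str, ip: str, user_agent: str, now=None):
        """Return (user, None) on success or (None, reason) on rejection."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None, "unknown session"
        if now > session.expires_at:
            self.revoke(sid)
            return None, "expired"
        presented = self.fingerprint(ip, user_agent)
        if not hmac.compare_digest(session.client_fp, presented):
            # Same session ID, different client: treat as a possible replay
            # and kill the session so the legitimate user has to log in again.
            self.revoke(sid)
            return None, "client mismatch: possible session replay"
        return session.user, None


if __name__ == "__main__":
    # Constructed walk-through: login from the victim's browser, then the same
    # session ID presented from a different address.
    store = SessionStore()
    sid = store.issue("alice", "203.0.113.10", "Mozilla/5.0 (X11)")
    print(store.validate(sid, "203.0.113.10", "Mozilla/5.0 (X11)"))   # ('alice', None)
    print(store.validate(sid, "198.51.100.7", "Mozilla/5.0 (X11)"))   # (None, 'client mismatch: ...')
```

Binding to the source IP has false positives (mobile roaming, carrier NAT), so production systems usually pair a looser binding with short lifetimes, re-authentication for sensitive actions, and alerting on the mismatch event rather than silent rejection. The stronger fix for this particular attack is phishing-resistant MFA such as FIDO2/WebAuthn, whose response is tied to the genuine site’s origin and therefore cannot be relayed through a proxy page.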
Stop Threats in Their Tracks
Social engineers use a variety of techniques, some old and others new, to compromise devices and data.
Are you prepared to combat highly contextual cyber phishing attacks? Download our 5-1/2 Easy Steps to Avoid Cyber Threats to find out — and to strengthen your best defenses instantly.