Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)
Chapter 6: Understanding Social Engineering
Not all vulnerabilities are found within a computer. If you manage a network of computers, have made sure that there is no hole in the security framework, and repeatedly test for vulnerabilities, malicious hackers can still go beyond the computer to find their way in and launch an attack. More often than not, they get into your network not by remotely probing your computers for weaknesses but by simply asking you what your password is.
Social Engineering Explained
Social engineering is the process of getting valuable information about a computer system and its network through the user. You can think of this practice as hacking the people who use the device rather than the device itself.
Social engineering hackers typically pose as another person to obtain the information that they need. Once they get it, they can simply log in to their target computer and then steal or delete the files that they need. Normally, they will pretend to be the following:
1. Fake support technicians
They may pretend to be technicians who would tell you that you need to install or download a program to update any existing software in order to remotely control your computer.
2. Fake vendors
They may claim to represent the manufacturer of your computer or an application that you are using and then ask for your administrator password or the answer to your security question in order to grant themselves access.
3. Phishing emails
These may be sent in order to get passwords, user IDs, and other sensitive data. They may look like an authorized email sent by a company that you are subscribed to, or lead to a web form that may dupe you into entering personal information.
4. False employees
These people may ask for access to a security room or request access to a computer in order to have physical access to files that they need.
Social engineering attacks can be slow and simple, but they are very effective. They are often designed to avoid suspicion. They only gather small bits of information and then piece them together in order to generate a map of how the networking system works and then launch a massive infiltration. However, if a social engineer realizes that his targets can be easily lured into providing information, gaining a password can be as quick as asking for information over a quick phone call or through a short email.
Why You Should Be Prepared for Social Engineering
Any malicious hacker who has watched corporate espionage films can deduce that organizations and people who use technological devices to communicate and send data are the least prepared for this kind of attack. Most people are not ready for this kind of manipulation, which makes it very effective.
Social engineers know that most organizations do not have any formal and secure data organization or any incident response plan. A lot of computer users are also not knowledgeable about the authentication processes of social media accounts and all the possible ways to retrieve a lost password. Malicious hackers always take these factors into consideration, especially when they are aware that it is a lot easier to retrieve information this way.
Once a social engineering attack becomes successful, a hacker can get the following information:
1. Any user or administrator password
2. Security badges to a computer server room
3. Financial reports
4. Unreleased intellectual property files such as designs and research
5. Customer lists or sales prospects
Also consider that access may be granted to social engineers unknowingly, by unaware or naïve computer users who forget their responsibility for maintaining security in a shared network. Always remember that having a secure firewall and networking system may be useless against hackers if the user himself is vulnerable to a social engineering attack.
A social engineering attack is done through the following steps:
1. Conduct research and find the easiest way to infiltrate
2. Build confidence and trust
3. Create a relationship with the target computer user
4. Gather information
Means to Get Information
If it is not possible to create rapport with a target computer user, then it would be easy to phish for information instead before launching a large-scale social engineering attack. Gathering information can prove to be easy, given the nature of computer users today – it is rather easy to get phone numbers, employee lists, or some personal information about the targeted user through social networking sites. It is also easy to find information through public SEC filings, which could display a lot of organizational details.
Once a malicious hacker gets hold of this information, they can spend a few dollars on a background check on the individuals that they are targeting in order to get deeper information. If it is difficult to get useful information using the Internet, a malicious hacker may choose a riskier method called dumpster diving. Dumpster diving is literally rummaging through the trash of their target in order to get the information that they need.
While this method can be messy, there are a lot of gems that a hacker can discover through discarded paper files. One can find credit card information, subscriptions, phone numbers, addresses, important notes, or even password lists. They can even make use of discarded CDs or hard drives that may contain backup data.
What Makes a Social Engineering Attack Powerful?
You may think that criminal hackers are going low on technology and resources when they use social engineering hacks to gain access to your protected files. However, social engineering hacks are very powerful because they are a means to hack the most important component of a computer’s security – you.
These attacks are, in fact, psychological attacks – instead of attempting to use numerous hacking tools to manually decrypt any password in a world of advanced security protocols, hackers are more inclined to let their own targets do the job for them instead. The only goal that they have when it comes to social engineering is this: create a scenario that is convenient for their targets, to the point that they would be willing to loosen their security in exchange for something that they desire. An example of a good social engineering scheme is a type of evil twin hack, which makes targets believe that they are connecting to a legitimate free wireless internet, in exchange for their passwords.
Why do these tricks work on most people? The reason is that people are not really that careful when it comes to giving away their information. In most cases, there’s not even any need for fake company personnel to contact a hacker’s target in order to get privileged information – you would be surprised that there are just too many people that would immediately create accounts on an unverified landing page using the password to their private emails. How does that happen so easily? The reason is this: when you are prompted to create an account using your email address as the username, it is very likely for you to use your email’s password as your new password for this particular account that you are trying to make.
For criminal and ethical hackers alike, there is something embedded in Kali Linux that proves to be very useful – Social Engineering Tools (SET). These tools are developed in order to create the following social engineering hacks:
1. Website attacks
2. Mass mailer attack
3. Infectious media generator
4. Arduino-based vector attack
5. SMS spoofing attack
6. Wireless Access Point
7. Spear-Phishing Attacks
All these attacks are designed to make you do what the social engineer wants you to do: give out information or take an action because of a legitimate-looking request.
If it is hard to obtain information, one can simply use sleight of hand or gleaning techniques to retrieve passwords. One can make effective password guesses by looking at hand movements when someone enters a password. If one gets physical access to the computer, it is also possible to insert a keylogging device by replacing the keyboard or placing a device between the keyboard and the computer.
Hacking Someone with a Phishing Email
How easy is it really to scam a person using a phishing email? A phishing email normally contains the following components:
1. A reliable-looking source of email, such as a co-worker, that will serve as bait.
2. A legitimate-looking attachment, which would serve as the hacking tool to obtain the information that a criminal hacker needs.
3. Great timing, meaning that the email should be sent during a reasonable time of the day in order for the target to be convinced to click on the attachment.
Given the right tools, any criminal hacker can send a legitimate-looking email, complete with an attachment that looks trustworthy. To create a phishing email, you only need to follow the following steps:
1. Get Kali Linux and pull up SET (Social Engineering Toolkit)
This Toolkit would show you different services that are used for social engineering hacks. To do a phishing attack, choose Spear-Phishing attack.
Note: Why Spear-Phishing?
Phishing, as a hacker attack, casts a large net over your targets and relies on random people giving you the result that you need. With spear-phishing, you get to target a specific range of people and obtain the exact result that you desire.
When you click on spear-phishing from the menu, you can choose to do the following:
1. Send a social engineering template
2. Create a mass email attack
3. Create a FileFormat payload
For this example, choose FileFormat payload. This would allow you to install malware in the target’s system that would serve as a listening device for you to get the information that you want remotely.
2. Now, choose the type of payload that you want to attach in your target’s computer. The SET offers a good range of file formats that your target would see once they receive the email. You would even see in the list that you can choose to send a PDF-looking file (that actually has an embedded EXE) with your phishing email!
For this example, select the Microsoft Word RTF Fragments type of attack. Also known as MS10_087, this type of attack would send a Word file to your target. Once clicked, it would automatically install a rootkit or a listener on your target’s machine.
3. Now, select the type of rootkit you want to install. If you want to have full control of your target’s system, you can choose to install a Metasploit meterpreter. This would allow you to make a variety of commands remotely that your target computer would follow.
4. Since you are already set on the type of results that you want to get from this attack, you can now start creating the file. Now, you need to create a port listener and proceed to creating the malicious file that you want to send. By default, the SET would be creating a file called filetemplare.rtf. Since it is probably not convincing enough for a target to click on it, you can choose to rename it as, for example, SummaryReport2015. By renaming your file as something that your victim should be expecting in his email, you elevate the rate of success of your attack.
5. You are now ready to send the malicious file masked as a Word document. In order to do this, you would need to create the first layer of your attack, which is the email body. SET would offer you a generic email template to use. However, if you want to be sure that your target would find nothing suspicious in your email and proceed to download the malware that you have just created, select the “one-time-use email” option.
Now, make your email more inviting. Choose to create the email body in html to make it look more legitimate and original. Once you are done typing the email body, hit Ctrl + C to save what you just wrote.
Here is an example of a good phishing email body:
Dear Mr. _____________
Kindly find attached the summary report of our last meeting. Should there be any questions, please feel free to ask.
Of course, great phishing emails would depend on the targets that you are sending to. It would be great to check the background of the person that you are trying to hijack to ensure that you are spoofing the right credentials. For this example, a good use of Facebook and LinkedIn would provide you with the information that you need.
6. Once you are done creating your email, it is time to send it to your target. You have two options on how you are going to send it: (1) From a Gmail account, or (2) Straight from SMTP server.
You would most likely want to send it from a legitimate-looking Gmail account, based on the names that you know should be important to your target. Of course, do not forget to create an anonymous account on Gmail for this to work.
Once you are all set, SET would be sending the phishing email, complete with the malicious file, to your target.
Ways to Prevent Social Engineering
You may realize that it is quite easy for any hacker to obtain classified information or even take control of your entire device once they have an idea of what is going on in your daily life. While the times make it necessary for you to disclose a portion of your life online, there are plenty of ways in which you can prevent hackers from taking over and stealing your data. Based on the example that was just given, a good firewall and an antivirus program would be able to detect if there is any installed payload in the attachments that you are receiving every day. Of course, a hacker would be able to simply recode the file attachment to make it undetectable by current virus scanners. For that reason, computer security should not be left solely to the programs that you have, because they can also be breached. In order to create a security fortress, you also want the users of your computer network not to be hackable themselves.
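The phishing email walked through above (a co-worker's name on an outside mail account, plus an RTF file renamed to look like an expected report) leaves traces a mail filter can check without any malware signature. The following is an added example, not code from the book or from SET; the domain, staff names, and both sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values for this sketch: the organisation's mail domain and
# the display names of its staff.
INTERNAL_DOMAIN = "corp.example"
STAFF_NAMES = {"dana reyes", "sam okafor"}

def sniff(payload):
    """Identify a file by its leading bytes rather than its name."""
    if payload.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    if payload.startswith(b"MZ"):
        return "exe"
    return None

def phishing_indicators(raw):
    """Return reasons a message matches the co-worker-plus-attachment lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # A colleague's display name on an address outside the organisation.
    if name.strip().lower() in STAFF_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append(f"staff name {name!r} used by external domain {domain}")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        kind = sniff(part.get_payload(decode=True) or b"")
        # Executables, and content that does not match the visible extension.
        if kind == "exe" or (kind and not filename.endswith("." + kind)):
            reasons.append(f"attachment {filename!r} is really {kind}")
    return reasons

def build_sample(sender, filename, body):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "sam.okafor@corp.example"
    m["Subject"] = "Summary report"
    m.set_content("Kindly find attached the summary report of our last meeting.")
    m.add_attachment(body, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()

LURE = build_sample("Dana Reyes <dana.reyes@freemail.example>",
                    "SummaryReport2015.doc", b"{\\rtf1\\ansi constructed}")
CLEAN = build_sample("Dana Reyes <dana.reyes@corp.example>",
                     "minutes.rtf", b"{\\rtf1\\ansi constructed}")
```

Calling `phishing_indicators(LURE)` returns two reasons (the spoofed display name and the disguised RTF), while `phishing_indicators(CLEAN)` returns an empty list.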
Information security personnel always advise that computer security should feel like a candy – hard on the outside and soft on the inside, before one reaches the core. It is the responsibility of all computer users to secure their firewalls and make sure that there is no vulnerability in their computers. It is also important for computer users to make it a point to follow safety protocols when it comes to using a computer and giving out information.
Every computer user should learn how to:
1. Make sure that there is no one around when entering passwords
2. Learn all authentication policies when it comes to changing passwords
3. Destroy all paper copies of sensitive information to prevent dumpster diving
4. Choose passwords that cannot be easily guessed through all information provided in social media
5. Make sure that only authorized users have access to computers
6. Refrain from providing password or authentication information over emails or phone calls
7. Refrain from sharing password information with anyone, including families and friends
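Item 4 in the list above can be enforced at password-change time by comparing the candidate password against what a user's public profiles reveal. This is an added example, not from the book; the profile fields, the substitution table, and the sample data are assumptions made for illustration.

```python
import re
from datetime import date

# Undo common character substitutions (0->o, 1->l, 3->e, ...) before matching.
LEET = str.maketrans("013457@$!", "oleastasi")
# Ways a date commonly shows up inside a password.
DATE_FORMATS = ("%Y", "%d%m", "%m%d", "%d%m%y", "%m%d%y")

def personal_words(profile):
    """Words of three or more letters taken from the profile's text fields."""
    words = set()
    for value in profile["text"]:
        words.update(w for w in re.findall(r"[a-z]+", value.lower())
                     if len(w) >= 3)
    return words

def guessable_parts(password, profile):
    """Return the pieces of `password` that also appear in the profile."""
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    # Names, pets, employers and schools, with or without substitutions.
    hits = {w for w in personal_words(profile)
            if w in lowered or w in unleeted}
    # Birthdays and anniversaries, matched against the untranslated digits.
    for d in profile["dates"]:
        fragments = (d.strftime(fmt) for fmt in DATE_FORMATS)
        hits.update(f for f in fragments if f in lowered)
    return sorted(hits)

# Constructed profile: what a social media page might reveal about one user.
PROFILE = {
    "text": ["Dana Reyes", "Rex", "Example Corp", "Lakeside High"],
    "dates": [date(1986, 4, 12)],
}
```

A password change would be rejected whenever `guessable_parts` returns a non-empty list; for instance `R3x!1986` matches both the pet's name and the birth year in the constructed profile.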
Now that you know how to protect yourself from social engineering, you have better information about physically protecting your computer from any unauthorized user.