How Social Engineers Seek Information for Hacks
Once social engineers have a goal in mind, they typically start the attack by gathering public information about their victim(s). Many social engineers acquire information slowly over time so they don’t raise suspicion. Obvious information gathering is a tip-off when defending against social engineering.
Regardless of the initial research method, all a hacker might need to penetrate an organization is an employee list, a few key internal phone numbers, the latest news from a social media website, or a company calendar.
Use the Internet
A few minutes searching on Google or other search engines, using simple keywords such as the company name or specific employees’ names, often produces a lot of information. You can find even more information in SEC filings and at such sites as Hoover’s and Yahoo Finance. By combining this search-engine information with a browse of the company’s website, the attacker often has enough to start a social engineering attack.
The bad guys can pay just a few dollars for a comprehensive online background check on individuals. These searches can turn up practically any public — and sometimes private — information about a person in minutes.
Dumpster diving is a little more risky — and it’s certainly messy. But, it’s a highly effective method of obtaining information. This method involves literally rummaging through trash cans for information about a company.
Dumpster diving can turn up the most confidential information because many employees assume that their information is safe after it goes into the trash. Most people don’t think about the potential value of the paper they throw away. These documents often contain a wealth of information that can tip off the social engineer with information needed to penetrate the organization. The astute social engineer looks for the following printed documents:
Internal phone lists
Employee handbooks, which often contain security policies
Spreadsheets and reports
Printouts of e-mails that contain confidential information
Shredding documents is effective only if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a social engineer can piece a document back together if that’s what he’s determined to do.
The bad guys also look in the trash for CD-ROMs and DVDs, old computer cases (especially those with hard drives still intact), and backup tapes.
Attackers can obtain information by using the dial-by-name feature built into most voicemail systems. To access this feature, you usually just press 0 after calling the company’s main number or after you enter someone’s voice mailbox. This trick works best after hours, when no one is likely to answer.
Attackers can protect their identities if they can hide where they call from. Here are some ways they can hide their locations:
Residential phones sometimes can hide their numbers from caller ID by dialing *67 before the phone number.
This feature isn’t effective when calling toll-free numbers (800, 888, 877, 866) or 911.
Business phones in an office using a phone switch are more difficult to spoof. However, all the attacker usually needs is the user guide and administrator password for the phone switch software. In many switches, the attacker can enter the source number — including a falsified number, such as the victim’s home phone number. Voice over Internet Protocol (VoIP) phone systems are making this a non-issue, however.
VoIP servers such as the open source Asterisk can be configured to present whatever caller ID number the operator wants.
The latest criminal hacking craze is phishing — criminals sending bogus e-mails to potential victims in an attempt to get them to divulge sensitive information or click malicious links. Phishing has actually been around for years, but it has recently gained greater visibility given some high-profile exploits against seemingly impenetrable organizations.
Phishing’s effectiveness is amazing, and the consequences are often ugly. A few well-placed e-mails are all it takes for criminals to glean passwords, steal sensitive information, or inject malware into targeted computers.
You can perform your own phishing exercise. A rudimentary method is to set up a bogus e-mail account requesting information or linking to a malicious site, send e-mails to employees or other users you want to test, and see what happens. It’s really as simple as that.
You’d be amazed at just how susceptible your users really are to this trick. Most phishing tests have a 10–15 percent success rate. It can be as high as 80 percent. Those rates are not good for security or for business!
A more formal means of executing your phishing tests is to use a tool made specifically for the job. Even if you have had good experiences with commercial vendors, you need to think long and hard about handing over potentially sensitive information that could be directly or inadvertently sent offsite, never to be under your control again.
An open source alternative to commercial phishing tools is the Simple Phishing Toolkit, also known as spt. Setting up an spt project environment isn’t necessarily simple, but after you have it in place, it can do amazing things for your phishing initiatives.
You’ll have pre-installed e-mail templates, the ability to scrape (copy pages from) live websites so you can customize your own campaign, and various reporting capabilities so you can track which e-mail users are taking the bait and failing your tests.
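The two points above, tracking who takes the bait and not letting a test capture sensitive data, can be combined in the result-recording side of an internal phishing exercise. The following is an added example written for this article, not code from spt or any commercial tool; the recipients, events and form values are constructed, and the 10–15 percent band comes from the figure quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass, field

EVENTS = ("sent", "opened", "clicked", "submitted")
BITTEN = {"clicked", "submitted"}  # outcomes that count as "taking the bait"


@dataclass
class Campaign:
    """One phishing test: maps each recipient to the events observed for them."""
    events: dict = field(default_factory=lambda: defaultdict(set))

    def record(self, user: str, event: str) -> None:
        if event not in EVENTS:
            raise ValueError(f"unknown event: {event}")
        self.events[user].add(event)

    def record_submission(self, user: str, form: dict) -> bool:
        """Handle a POST from the fake login page. Only the fact that a password
        was typed is kept: the value is popped from the form before anything else
        can log it, so the exercise never stores a real credential."""
        entered = bool(form.pop("password", ""))
        self.record(user, "submitted" if entered else "clicked")
        return entered

    def success_rate(self) -> float:
        """Fraction of recipients who clicked the link or submitted the form."""
        sent = [u for u, ev in self.events.items() if "sent" in ev]
        if not sent:
            return 0.0
        return sum(1 for u in sent if self.events[u] & BITTEN) / len(sent)

    def verdict(self, typical=(0.10, 0.15)) -> str:
        """Compare with the 10-15 percent range the article cites as typical."""
        rate = self.success_rate()
        if rate > typical[1]:
            return "worse than typical"
        return "better than typical" if rate < typical[0] else "typical"


def run_constructed_campaign() -> Campaign:
    """Constructed sample data: 10 recipients, one click, one credential entry."""
    camp = Campaign()
    users = [f"user{i:02d}@example.test" for i in range(10)]
    for u in users:
        camp.record(u, "sent")
    camp.record(users[3], "opened")
    camp.record(users[3], "clicked")
    form = {"username": "user07", "password": "constructed-not-a-real-secret"}
    camp.record_submission(users[7], form)
    assert "password" not in form  # the password never outlives the handler
    return camp
```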
Social engineers can find interesting bits of information, at times, such as when their victims are out of town, just by listening to voicemail messages. They can even study victims’ voices by listening to their voicemail messages, podcasts, or webcasts so they can learn to impersonate those people.