Social Engineering Tools
Social engineering also uses a decent toolset that can make or break a social engineer's ability to achieve success in his or her ploy. Most productive social engineers have adequate knowledge in use the tools, which closes in the break between failure and success.
It is important to take note that social engineers who merely possess the tools, even the best or most expensive ones, will not guarantee success in their ploys. The tools only allow social engineers to enhance their security practice, especially when they are executing their attacks.
This blog explains Social engineering tools, including physical tools, phone tools, and software-based tools.
Physical security refers to measures, which people or companies utilize to keep them secure without the involvement of computers. It usually involves motion cameras, locks, and window sensors among others.
In social engineering, it is important to understand how physical security works just as it is valuable for ordinary people to understand simply security mechanisms.
For instance, lock picking, as portrayed on television and in the movies is simply putting a lockpick in and the door opens instantly. Some people have knowledge of lock picking; however, most people learn how to do it slowly with countless attempts, frustration, and tension. A skill that is associated with lock picking is raking.
It is using raking tools and sliding it in and out of the lock gently with minimal pressure to the tension wrench. More often than not, lock picking coupled with raking works on most types of locks, making the breach as simple and effortless as possible. Social engineers learn the skills of lock picking and raking efficiently to conduct their ploys.
Today, a number of companies and organizations are using RFID, magnetic cards, and other types of electronic badges, making lock picks almost obsolete.
For instance, in 2004, WalMart has launched a pilot program by making use of radio frequency identification (RFID) technology in relation to its strategic plan of using inventory-tracking tags for its top suppliers.
RFID is known as a type of automatic identification system, which enables data to be transmitted through a portable device referred to as a tag.
The tag is read by an RFID reader and processed based on the needs of a particular application. The data transmitted by the tag may furnish identification or location information about the tagged product including date of purchase, color, and price among others.
According to Wal-Mart, RFID will provide employees greater ability to locate products within a location and get them on shelves as customers need them. On the other hand, the use of RFID can also cause implications to its people, say, on their auditors.
Certified public accountants and auditors will have to obtain the skills and knowledge to reassess accounting procedures, systems, and methods related to the use of RFID systems.
In fact, they will have to be skilled in assessing RFID system controls and note signs of inaccuracy or insufficiency of information such as partial inventory counts.
Security of information may also be affected by the use of RFID systems. The illicit tracking of RFID tags has been a principal security concern of RFID technology.
Tags pose risks to both personal location privacy and business security since they are world-readable. Thus, locks and lock picking are still used in many companies that do not have enough financial capability to install types of electronic access.
The problem in using locks is not due to the choice of locks, but the security plan that supports them. For instance, a company may have installed a heavy-duty lock that demands biometrics as well as key access in order to enter the server room;
However, the next door may have a single-paned glass window in which scammers, thieves, or social engineers can easily break and gain access with minimal effort.
Thus, locks alone are not enough security for companies and even homes regardless if the locks belong to the top of the line types. Social engineers know for a fact that security does not merely rely on a piece of hardware.
During a social engineering audit wherein a company patches its human infrastructure for more security, people are tested on their knowledge and skills about company security. However, the same principles are employed when social engineers carry out their ploys.
In general, people are unwilling to admit that they are inclined to be fooled or tricked by social engineers. In fact, most people would deny being fooled by a simple social engineering tactic due to fear of job repercussions as well as embarrassment.
Recording devices can show proof that the trickery actually happened although they can also be used to train both employers and employees, specifically on what signals to watch out for.
Cameras and recording devices should never be used in getting employees to embarrassment or trouble. On the other hand, the information obtained from these devices provides valuable learning to show employees who fell for the pretexts and other scams by social engineers.
Most companies that use cameras and recording devices can obtain proof of a social engineer's successful hack. This can educate both employers and employees on how they should deal with malicious attempts involved in social engineering.
Recording devices also provide companies with the necessary protection against social engineering ploys, especially from advanced or highly-skilled social engineers.
In-camera recordings, for instance, the staff can see the facial gestures and other little details of social engineers. Thus, once the camera captures those details, the staff has something to analyze so as to be ready for a social engineering attack.
The telephone is one of the oldest tools that social engineers use in carrying their ploys. With the advent of cell phones, homemade phone servers, and VoIP, social engineers are given a wide range of options to conduct their malicious schemes via the telephone.
Given that people are flooded with sales pitches, telemarketing calls, and sales advertisements, social engineers are compelled to be skillful when it comes to using the phone, leading to a successful ploy.
As simple as it may seem, social engineers who use the phone as a tool can compromise a company's security in a matter of minutes.
Today, most people, if not all, are using cell phones and carry them both for personal and business conversations on subways, buses, and any other public places.
In these places, social engineers are likely to eavesdrop or call their targets on their cell phones to obtain additional vectors, which may not be available during their previous malicious attempts.
As smartphones and hand-held phones that resemble computers are increasing in numbers, most people are inclined to storing personal data, passwords, and other private information in these devices.
As such, social engineers are provided with yet another opportunity to carry out their ploys because they can have access to their targets as well as their data in various situations.
In addition, people have 24/7 access to their smartphones, which makes them more inclined to giving out information quickly when social engineers pose as “believable” callers. Take for example the caller Ids on cell phones, which indicates the identity of the person calling.
When social engineers successfully access their targets by calling them from a corporate building, the targets are likely to give out information willingly without verifying the caller's identity. Certain applications in Android and iPhone smartphones are available for spoofing caller ID numbers to any number desired.
In the context of social engineering, the use of phones is categorized into two; the technology equipped with phones and the planning of the social engineers on what they would tell their targets.
One of the key aspects of social engineering is information gathering. Social engineers make it a point to spend time gathering information about their objectives and targets to ensure success in their ploys.
Today, there are various tools that can help social engineers in gathering, collecting, utilizing, and cataloging the data they have collected. This means that social engineers are no longer limited to what they can obtain from routine searches as online and software-based tools are already available.
Social Engineer Toolkit (SET)
While social engineers take most of their time in honing their skills, much of the variables for carrying out their ploys require the ability to generate PDFs and/or emails, which are embedded with malicious codes.
Social engineers have developed the social engineer toolkit (SET), which provides them with the ability to penetrate their targets easier and quicker through malicious codes.
Nowadays, the SET is continuously expanding. In fact, recently, SET has proven its capability to handle attacks such as an infectious media generator in addition to spear phishing and website cloning. An infectious media generator allows a user to create a CD, DVD, or USB key, which is encoded with a malicious file.
Then, the CD, DVD, or USB key is left or dropped at the office building of the target. Once it is inserted and ran in a computer, the generator will carry out its malicious payload, causing the computer of the target to be compromised.
SET also has the capability to produce a simple payload as well as a proper listener. For instance, if a social engineer wants to embed an EXE with a reversed shell connecting back to their servers, a USB key may be used to carry the payload and carry out their ploy.
Once the social engineer finds a computer or any machine for remote access, they can insert the USB key and run the payload file. This allows the social engineer a quick connection back to their servers.
SET creates the programming necessary for telling tiny boards what to do the moment they are plugged in. It also commands tiny boards to give reversed shells or set up listening ports.
As mentioned, SET also has a web interface feature in which a web server starts to host the SET automatically on a web page so the social engineer can use it easily.
Thus, SET is an extremely powerful social engineering tool that allows attackers to test the weaknesses of targets, specifically in companies.
Facebook Friend Request
The ploys used in social engineering are continuously evolving as various tools for obtaining information are made available. These tools are specifically designed for information gathering on social networking sites.
In 2011, a tool referred to as a Facebook profile dumper was developed by a group of security researchers who were based in Egypt. The tool was created to educate users on how people can get scammed easily on Facebook. This Java-based tool was released for general use.
It automates the hidden Facebook profile data, which is collected from users and only accessible to friends in a network of a user. According to the developers, the tool enables a user to send friend requests to a number of Facebook profiles.
The moment the recipient accepts the friend request, the tool dumps all his/her information, friend list, and photos to a local folder.
The developers claimed that a scammer or social engineer collects information from the facebook profile of a user simply by creating a new account. The social engineer then adds all the user's friends through a “friending plugin” to ensure they share some common friends with the user.
Then, the social engineer uses a cloning plugin that allows them to choose one of the user's friends. The plugin clones the display name and picture of the chosen friend and lays it to the authenticated account.
The social engineer then sends a friend request to the user's account and once the latter accepts it, the tool begins to save all information, tags, images, and accessible HTML pages, allowing the attacker to examine them offline.
While it may be too late, the user may unfriend the forged account in the event that he or she discovers that it is actually fake.
Given that the social engineer was able to penetrate the user's information, they will be able to carry out a number of social engineering ploys. When social engineers are able to obtain more personal information, they are likely to carry out more convincing ploys.
For instance, a target is likely inclined to open a malicious email attachment, which social engineers normally use in a spear-phishing attempt, if it seems to appear authentic.
The main goal of the tool's developers for releasing it is user awareness for what is transpiring in the world, specifically in social networks. The developers claimed that the tool will provide people with awareness and be cautious of the actions they make online.
For instance, accepting friend requests without verifying the authenticity of the profile is one of the wrong actions people make. Social engineers will be able to exploit user profiles even with the shortest period given.
The developers also hope that they can make people aware of the flawed user verification process of Facebook. They claim that it is advisable for Facebook to have stricter policies when it comes to verifying profiles who claim to be “friends” as well as filter out impersonating or fake accounts.
[Note: You can free download the complete Office 365 and Office 2019 com setup Guide.]
Another toolset that social engineers use is password profilers. After obtaining information about their targets, social engineers create a profile of each of their target. This profile is used to plan out some attack strategies that social engineers deem fit for a specific target.
A profile is also used to establish a list of potential passwords that social engineers can use in their ploys. Passwords can help social engineers in carrying out a hack, specifically when the situation presents such an option.
There are several password profilers that are used in social engineering, which provide assistance in profiling potential passwords of a target or company. Some of these password profiling tools include Who's Your Daddy (WYD) and Common User Passwords Profiler (CUPP).
The number of people who fall prey to simple social engineering ploys is increasing every year in spite of various warnings issued by both private and government sectors. In addition, the number of individuals listing all types of information about themselves, their lives, and their families on the Internet is also rising.
Social engineers can profile and outline the entire life of their targets by simply using their tools and combining a profile established from social media usage. This works well on the part of social engineers given that most people choose their passwords.
Fact is, most people use the same password for various Internet accounts such as emails and social networks. Worse, these people choose passwords that others can guess easily.
While social engineering tools are important to carry out malicious tactics, they do not guarantee the success of a social engineer. Tools are useless unless they are coupled with knowledge of their usage.
Social engineers should also be able to maximize these tools in order to result in a successful ploy. As such, potential targets should also have knowledge about these tools as they are commonly used even by ordinary people.
Regardless of what tool social engineers use, whether it is a physical tool, phone tool, software tool, or a combination of tools, successful ploys are only possible if they have adequate knowledge of each tool.
On the part of targets, they should be doubly aware of the features of these tools so as not to become victims of social engineering.
Understanding Social Engineering Audit
A social engineering audit involves a simulation of the malicious attacks carried out by social engineers. This simulation is administered by a professional security auditor whom a company hires for testing the policies, physical perimeter, and people of the company.
There are two primary differences between a professional security auditor and a malicious social engineer. One, a professional security auditor follows legal and moral guidelines and two, the goals of a professional security auditor is to help as opposed to that of a malicious social engineer, which is to harm, steal, or embarrass a target.
In order to fully understand the concept of a social engineering audit, it is best to establish the goals of why an organization wants to implement it.
A professional security auditor should carry out his behavior based on morally and ethically accepted principles while he stretches across the line, allowing him to pose as a malicious social engineer.
In other words, he should take note of things, which he can use to obtain information or gain access to the weakness of a company. While he tries to expose the hole in the defenses of a company in the persona of a malicious social engineer, he still needs to behave in an appropriate manner.
On the part of the companies hiring a professional security auditor, they should be able to determine the security gaps and balance them with a concern for each employee.
More often than not, companies who undergo a social engineering audit think that terminating the employee or employees who fell for the ploy is the solution to the problem and fixes the hole.
However, companies should realize that once an audit is done, the employees who fell for the attack are probably the most secure employees in the building during that time. Consequently, a professional security auditor should also take actions in ensuring that the jobs of employees would not be jeopardized.
On the other hand, there is a new breed of attackers who use their expertise to go past the solutions and tools of organizations. This new breed of attackers is referred to as social engineers, who are likewise known as hackers;
However, their primary objective is to tap into one's weakness, that is, human psychology. Social engineers make use of media such as phone calls as well as social media to trick people so that they can gain access to important and sensitive information.
Using the phone as a significant part of a social engineering ploy.
Nowadays, the Internet dominates more social engineering aspects that are impersonal or objective. Back in the days, social engineers use the phone as an integral part of their ploys.
Thus, the shift resulted in most social engineers to exert less effort or energy in using the phone.
However, highly-skilled or advanced social engineers know that the phone remains as one of the most effective tools for their ploys and that using it should not be reduced due to the Internet's impersonal nature.
In some cases, social engineers who plan attacks using the phone may think differently as using the Internet is much easier to plan.
Social engineering attacks that are phone-based are given the same level and depth of effort, information gathering, and research as with any other attacks. They are also of the same level of practice.
Social engineers usually practice and hone their phone-based skills by learning to deal with the “unknowns” or unexpected, specifically if they accidentally altered something in their script, throwing them of their base.
Social engineers, particularly those who work alone or do not have anybody to practice their phone-based skills with, are creative enough to ensure that they are able to hone such skills. For instance, they try to call their friends or family members to know how convincing they are and how far they would be able to trick them.
Social engineers who use the phone know that it is one of the quickest solutions to get close to their target. The phone gives them the opportunity to fake or “spoof” anything they want to tell their target.
Moreover, social engineers also spoof the information appearing in the target's caller ID. They use services or homegrown solutions to tell the target that they are calling from a local bank, a corporate headquarters, and even the White House. These types of services allow social engineers to spoof the number and make it appear that it is coming from anywhere all over the world.
Hence, the phone is a powerful social engineering tool that solidifies pretexting. Social engineers spend time in developing the habit of using the phone and treating it with respect as an efficient toolset for their pretext.
The simpler pretexts are developed, the better the chances of success
This is based on the principle, “the simpler, the better.” If a social engineer creates a pretext with too many details and forgets even one little detail, the social engineering act is likely to fail.
In order to establish credibility, social engineers keep their facts, details, and storylines as simple as can be. In addition, it is highly impossible for social engineers to remember all the pretexts they created; as such, they keep pretexts simple, natural, and easy to remember.
Moreover, apart from remembering the facts, the details of a pretext should also be kept small.
Social engineers know that keeping their pretexts simple paves the way for their story to grow as well as allow their target to fill the gaps using his/her imagination. Pretexts should not be elaborate. More often than not, tiny details make the difference in the manner the target views the pretext.
Then again, there are some social engineers who deliberately make a few mistakes in their pretexts. Even famous con men and criminals purposely inject a few mistakes based on the premise that “nobody is perfect.”
In addition, most targets become more at ease when the person they are talking to makes even just little mistakes. It could be intimidating if social engineers are all too perfect for their target.
In social engineering, the types of mistakes that attackers decide to make are also calculated. While mistakes can complicate a pretext, they can also make it appear natural. The key of social engineers, whether or not they plan to inject mistakes, is to keep their pretexts simple.
Apart from creating a simple and uncomplicated storyline, social engineers back it up with appropriate tools and clothing, which can make the pretext more convincing. More often than not, the lack of detail makes a pretext workable and more believable.
For instance, a social engineer that makes use of the pretext of a tech support person is likely to wear a pair of khakis and a polo shirt coupled with a small tool bag for fixing computers.
In most cases, this actually works with the target, providing room for the social engineer to enter and move freely with minimal supervision.