Okay, so now let's talk about some social engineering techniques. I already mentioned dumpster diving. This is a time-honored technique, and it involves some different methods. One of them is to just try to stake out the area, try to sneak in and dig through the trash. In the U.S. this is considered legal; in many European countries it is actually illegal to do this. So make sure you understand the laws as they relate to your social engineering engagement.

But dumpster diving might be done through a different method, maybe through an impersonation method where the engineer dresses as if they work for the waste removal company, and this gives them the pretext. And the persona that they've developed gives them a chance to use that to try to get maybe behind the gates to go look at the dumpster that's in a secured area. That might be possible. And there are lots of different techniques you can use to get to that point. We're going to attempt that level of impersonation.

Impersonation could also apply to any other thing. Social engineers might impersonate an HVAC technician so they could try to get into the data center, go look at the heating, the ventilation system. That might also work. Really, a lot of it depends on how you're dressed, how you carry yourself, the language that you use and, if necessary, maybe even identification that gets produced just for this purpose.
Shoulder surfing is another social engineering technique. This is an identity theft technique as well. Phones, right. We all have video cameras in our pockets, so it's very simple to stand behind somebody and make it look like you're texting on your phone. But really, you're recording what they're doing.

This happens at airports, coffee shops, bars, restaurants, standing in line at the grocery store. Anybody could be recording at any time for whatever purpose they have. And most people around them have no idea that that's happening unless they happen to glance at the screen and see the fact that it's being used to record.

So that could be a great technique to get information which the social engineer could review later to get more clues or to get information about watching someone log into their banking website, recording that information. That's a possibility.
I mentioned trying to harvest credentials, so making copies of websites is a fantastic trick in the bag of the social engineer. They want to trick you into going to your banking website, your credit card website, some website that's useful to them to get your credentials.

Generally, the way that works is they make the copy. They send you malware which infects your computer, maybe changes your DNS settings to point you to that website, or you click a link because it looks like it comes from your bank and you're in a hurry. Maybe you click the link. You get what looks like your banking website. You type in your password and your login. It doesn't work. Almost always, if it doesn't work the first time, that's what the malicious copy of the website will do. It'll capture that information when you try the second time and actually send you to the real website so that you don't become too suspicious.
So there are some nuances to these techniques that can make or break your success factor, and we talk about another common technique of a social engineer. I mentioned this a little bit earlier. This is phishing.

So with a phishing email, maybe you're trying to get someone to click that link to a copy of the website. In order to do this properly, you must have a very professional-looking email. If you can capture examples of legitimate email from that target organization, and you can make your email look just like theirs, trying to make sure you don't have any spelling errors, no grammatical errors, no punctuation errors, making sure the logos look correct, making sure the color scheme looks correct. These are all very critical factors in making that phishing email appear to be legitimate.

The email might have a malicious attachment, or it could have a malicious link. You could make the link say one thing, and it actually goes somewhere else. This is obviously a feature of HTML, but it can be exploited by the hacker or the social engineer, too, to trick someone into doing something that they might not normally do.

As I mentioned before, spear phishing is going after one individual and whaling is going after an individual that's very highly placed, like the president or CEO of an organization, or maybe a politician or someone else in a position of power that is a desirable target for the social engineer.

Another interesting technique is to try to build a
voice response system. I normally refer to these as voice menu systems. We're all familiar with them. You call an organization and you have to pick from different choices using the keypad of your phone. I personally find these voice menu systems very annoying. I'd much rather talk to a person, but they serve their purpose in that they're cheaper to implement than staffing help desks, and it also gives a social engineer an interesting technique. They could create a voice menu system using these interactive voice response tools that mimics the organization, trying to get the target to call into this system, to try to follow the menus, trying to get them to reveal information. Maybe you capture their phone number. Maybe you capture their Social Security number or a driver's license number or an account number. That all might be elicited through the use of this IVR, by carefully crafting the questions, making it sound professional and so on. It's an interesting idea. It's one of dozens you might be able to try.
I'm just throwing it out there as an interesting choice.

I mentioned using USB drives with malware on them, and this is called baiting, right. You drop the bait, hoping that any number of victims might pick up that bait and stick it into their computer, especially if people are curious. They will read the label: "Oh, this looks like something I'd want to know about. I'm just dying to find out what's on this thumb drive." So they might put it into a computer. And maybe that computer becomes part of a botnet or gets a rootkit installed. Maybe some back doors get installed. Now the attacker gets alerted that this malware installation has successfully completed, and they can go to work trying to get access to that system. The social engineer now has a way in to the organization, perhaps, as well as maybe being able to capture some credentials from that target. It's definitely possible.
We also have the idea of quid pro quo. This means I do a favor for you, you do a favor for me. Quite often this involves the help desk. The person that calls the help desk wants a favor. "Please help me reset my password" is the classic example. "If you do this, I'll tell your boss you did a great job, I'll make a recommendation for you." Or it could go in a different direction where the attacker offers something up front, hoping to get the information or some action taken by their target. You know, "I'll give you some free software that's useful for you to do your job, if you tell me where you work and tell me a little bit about what you do there." That could just look like a telemarketing attempt. Or maybe someone's doing this in person.

The idea is that people like to do deals with each other. It's part of how we're wired as well. I do you a favor, you do me a favor. I scratch your back, you scratch mine. That human behavior, that human nature could be exploited by the social engineer to get more details about their target or to help their social engineering pen test move further along to the next steps.
What about tailgating or piggybacking? They're kind of the same thing. The idea here is that the engineer's trying to get into a facility, trying to get into an office, trying to get into a warehouse, trying to get into the area where the dumpster's kept, perhaps. Tailgating basically means you're trying to walk in behind somebody else who has permission to be there. So they open the door, and then you just kind of walk in behind them before the door closes. Or maybe you catch the door before it closes, and you might be able to gain access that way.

This isn't always going to work. At many organizations, especially ones that I've worked for, each individual person must swipe their badge. There are no exceptions made. There's a guard standing there watching you, but in some cases there might not be a guard.

A good example of tailgating would be people that want to get into a building. They might just wander around looking for people that are outside smoking. Maybe there's an entrance off the side of the building where the smokers go, so they might go hang out with the smokers. Maybe they offer some cigarettes in order to be part of the group. Or maybe they bum a cigarette in order to be part of the group. Either way, they might appear as if they belong there. So when people start to go back into the building, they just walk in with them. People that are not paying attention might not notice: "Hey, that guy doesn't have a badge. Who are you? Why are you here?" If it's a really large organization, they might just say, "Well, that's someone I've never seen before. But obviously they work here. Why would they be hanging out by this door anyway?"
That could be the case. Another tailgating technique involves trying to dress up as a technician of some sort. I mentioned an HVAC technician, or maybe an electrician, something of that nature. And you walk up to the door carrying some heavy bags or a heavy box and hoping that you get the timing right so that as you approach the door, someone is going in right before you. The idea is that that person wants to be helpful: "Oh, hey, let me hold the door open for you." You know, that way you don't have to set down your heavy box, open the door, try to hold it open with your foot and then pick up your box again. That's a great way to try to gain access to a building where you don't belong.

It could also be that there's a known identity of someone that works there. This goes back to the impersonation idea. That's a little bit risky if people know what that person looks like, or if your badge doesn't look to be accurately created, then those techniques may backfire. And, of course, you have to remember that if you're doing a social engineering audit, you have permission, so you need to operate within the scope of that audit.