Social engineering is an attack that requires human interaction, persuading employees of the target company to act, such as opening a malicious document, or providing authentication credentials.
While the social engineering delivery method is usually assumed to be email, many other channels such as SMS messages, calls, or social media may be used in the assessment. During the test, spearphishing attacks are preferred, where a user’s personal information and position in the company are used to enhance a pretexting scenario, improving the success rate.
Usually, social engineering attacks are carried as a part of an adversary simulation assessment.
- Involves email and social media delivery channels. Both spearphishing and mass emailing are used to cover different pretexting scenarios. Customer-specific attack templates are created, together with unique attack tools and payloads to minimize detection.
- Voice calls (Vishing)
- Vishing attacks utilize a more personal approach to coax a user into providing sensitive information or executing an untrusted file. Usually performed as a part of a spearphishing attack, vishing is less common in the wild, but more effective, as the attacker can establish an immediate, personal connection with the target users.
- On-Site assessments
- While less well-known than email or phone social engineering, it is necessary to perform engagements in person to test security countermeasures to physical social engineering attacks. Methods that are used during these assessments include infected USB drives, wireless Evil Twin attacks, Keystroke Injection attacks, tailgating or creating a fake badge to gain access to a restricted area, and more.
Social engineering assessments are very different between customers, but we use a repeatable and reliable structure for our tests. The step-by-step approach ensures consistency in key areas while being flexible enough to account for different attack environments and scenarios.
Passive and active information gathering
During the initial stage of the social engineering assessment, a list of potential targets is created, detailing phone numbers, names, emails, positions in the company, and any available additional info. Also, a list of applications and services suitable for cloning to use in phishing attacks is developed. The company’s infrastructure is researched to learn about used phishing countermeasures, antivirus programs, and potential vulnerabilities in the infrastructure that require social engineering to exploit.
Payload and scenario creation
Utilizing the knowledge gained at the previous stage, attack scenarios are developed. Preparing an attack scenario requires creating unique email templates, malicious payloads, phishing websites, and call scenarios. The attack infrastructure is set up to support various listeners, file transfer services, email servers, and phishing backend. Each scenario is then thoroughly tested on a virtual infrastructure emulating the customer’s security setup. For onsite assessments, payloads and exploitation devices are created and tested.
Using the target lists and specified attack scenarios, the attacks are carried out with the appropriate emails and voice calls. For onsite assessments, a series of tests are started, including ‘baiting’ with infected USB drives, setting up onsite wireless Evil Twin attacks, delivering Keystroke Injection attacks via prepared devices, and more.
Persistence and lateral movement (optional)
If the social engineering test is carried out as a part of an adversary simulation, initial access is used to obtain persistent access to the network to carry out further attacks.
Reporting and debrief
After the social engineering test is complete, we create a report that outlines both the executive summary and assessment-specific details. We also provide remediation steps and training recommendations for any vulnerability we exploit.
Once the report is reviewed, a debrief meeting is scheduled to answer any questions and elaborate on the details in the social engineering report.
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.
This case is a very good example why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, not using any known exploits or discovering injection/deserialization/other RCE flaws.
Adversary simulation assessments allow to completely emulate the actions of a malicious individual and trigger proper security team response.