Social engineering is a method by which an attacker obtains data by exploiting peculiarities of human psychology.
The main goal of social engineering is to gain access to confidential data, passwords, banking data and other secured customer systems. This attack vector remains relevant because of the lack of information security awareness among a company's employees. The main social engineering methods are:
- phishing: sending emails and messages in instant messengers and corporate chats that use phishing websites and/or attachments with a payload to gain access to IP and authorization data;
- vishing: social engineering carried out over phone calls;
- impersonation: the «attacker» poses as another person (administrator, delivery man, security guard, auditor, etc.) in order to scout out private data, gain access to information systems (IS), access control systems (ACS), etc., or plant software and/or hardware implants;
- smishing: phishing carried out via SMS messages, possibly with sender number spoofing.
Social engineering can be carried out as part of an external/internal penetration test; the data obtained from the social engineering tests is then used in the external/internal penetration test itself. This method involves developing a legend and choosing the optimal attack channels at the Contractor's discretion, based on the data obtained at the various penetration test stages (the plan is agreed with the Customer before the operation starts). The goal of social testing is to obtain data that enables penetration into the customer's target systems.
Social engineering is also used as a method of assessing employee awareness of information security issues. In this case, statistics on employee reactions to various attack scenarios are collected (the attack is not developed any further). This method involves conducting socio-technical research to determine how the customer's employees react to certain influence methods used by a potential attacker.
General project plan
Stage 1. Address list approval
We agree the list of target addresses, full names and employee positions with the customer.
Stage 2. Legend development
We form the list of the most suitable attack channels based on the information obtained at the «External/Internal Penetration Test» stages:
– email distribution with attachments imitating malware (Word, EXE and PDF files);
– email distribution containing a link to a phishing website.
We create web resources that simulate the customer's resources (DNS name, SSL certificates, website content) and prepare files that simulate malware.
We attack employees on the basis of the data gathered at the previous stages.
We enter the data obtained into the penetration test report. Finally, the Customer receives the data on which users visited the phishing website and entered their own data.