Social Engineering Attack Execution

In a previous blog post I told you about the two approaches for social engineering attacks. The structured approach has the following steps.

  1. The OSINT Process
  2. The target selection
  3. Profiling the target
  4. Target specific OSINT
  5. The attack preparation
  6. The attack execution

Today in our final blog post on the structured social engineering process we dive into the attack execution.

Patience, young grasshopper

One of the hardest things in social engineering is that it is a patience game. You can not make somebody do something. You game is to influence the decision making process.

Are you ethical?

A question I get often is are you an ethical hacker. The issue with the question is simple. You do not ask my dentist if he is an ethical dentist, you expect the dentist to be professional. The same goes for professional infosec people, we have a certain ethos or we would end up in a criminal scene.

That said the professional ethos will make me exclude certain things. For example I will never use a blackmail approach. Yet, if we look at the sextortion scams during the summer of 2018, it is a valid scenario. Personally I think scenarios like that can better be handled by communication than trying to emulate them.

Getting Caught

One thing some social engineers try to include is to get caught. This is useful to test the procedures on how to handle the incident response but for me that is part of incident response and not social engineering. It is just a matter of opinion.

If you get caught there are procedures called “get out of jail free” to be discussed with the customers and in this procedure the correct handling needs to be described in detail.

The fact you can exploit a loophole in the procedure is part of the assignment too. In the end a criminal will only stop if he knows he or she can’t get away with it.

Reporting

The report is what the customer pays for. Some people will opt not to mention who they social engineered by name but depending on the situation it is my experience that people will always find out.

It is more important to me to agree with the customer up front that nobody can be fired or punished because they became a target I was able to social engineer. It is important though to brief the people that have the same role on how it was done.

 

This is it for this short series on social engineering, I hope it was useful to have this little breakdown.