
By hook or by crook

Writer: Keith Kerr

Establishing a workable social engineering approach is a creative process, enabled by careful research and a core understanding of your chosen target. Selection of a situationally appropriate delivery vessel and scenario is essential to the success of the attack. Depending on the situation, a well-planned combination approach can raise the efficacy of the attack by enhancing the trust-level of the communication itself. This post focuses on the delivery media used for social engineering attacks, as well as reflecting on how they can be combined for greater effect.


The most prevalent social engineering attacks utilise email, SMS and phone calls as the delivery media. These attack vectors will resonate with most people as we have all likely experienced them at a personal level. Some examples of these attacks have been included below:


Email

You have inherited money/property from a mysterious benefactor and once you pay a small processing fee it’s all yours!


SMS

The Tax Office require you to action something, else face fines/prosecution.


Phone Call

Your computer is infected with a virus and the caller can help if you provide remote access.


One commonality of these attacks is their directness. Little or no effort is made to build rapport and gain the trust of the target, meaning that they are typically only successful against vulnerable individuals (e.g. the elderly or those lacking a basic level of security awareness). The attacks are designed to be launched at large scale against a typically unqualified target list, often acquired from data breaches. This style of attack, while common, is low in sophistication, and the percentage of targets expected to fall victim to it is correspondingly low.


When targeting a specific organisation or individual, the approach taken must be more clinical: details matter. There are occasions as social engineers where we will have a small target list; sometimes the scope may be limited to a few key individuals. In these situations, a broad, low-maturity attack would serve only to alert the target (and the organisation) to the threat, increasing the scrutiny and visibility of any follow-up attempts. Diligent reconnaissance and planning will provide the information and context required to create a mature, targeted attack scenario.


Media Selection


The delivery media for a targeted social engineering attack should be appropriate to the target organisation and more specifically, to the individual targets themselves. Being constrained by a traditional approach (e.g. email phishing only) can limit the creativity required to compromise some targets, so it’s beneficial to brainstorm all potential scenarios based on the information you have at hand.


When choosing your delivery mechanism, it’s important to understand the pros and cons of different media types. To that end, by reflecting on a range of engagements and outcomes I created a scoring matrix based on the following calculation:


Trust and Efficacy are scored from 1 (low) to 10 (high).

Success Rate = (Trust + Efficacy) / 2

Exposure is scored from 1 (high exposure) to 10 (low exposure), so a higher number is better for the attacker.

Score (%) = (Success Rate + Exposure) / 20, expressed as a percentage and rounded to the nearest whole number.


The weighting allocated to each category can change dynamically based on information you uncover relating to how the target/organisation uses each media type. While the scoring mechanism is certainly subjective in this regard, the following table presents a generalised breakdown of common media types based on experiences and outcomes of social engineering engagements I have conducted over the last five years.

Media               Trust   Efficacy   Exposure   Score
Internal Email       10       10          5        75%
External Email        4        5          8        63%
Phone Call            7        8          5        63%
Traditional Mail      4        3          8        58%
Social Media          6        5          6        58%
Face-to-Face          9       10          1        53%
SMS                   4        4          5        45%
Blogs/Forums          3        5          4        40%
Fax                   4        3          3        33%
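The following script is an added example, not code from the original post. It encodes the scoring calculation above, reproduces the table from the three input scores, and ranks the media by result. The optional trust_weight parameter is an assumption of mine that generalises the author's equal-weight Success Rate for the case described next, where reconnaissance suggests a category should count for more; the default of 0.5 is exactly the author's formula.

```python
# Added example (not part of the original post): computes the media-selection
# score from Trust, Efficacy and Exposure and reproduces the table above.
# trust_weight is an assumed extension; 0.5 is the post's equal-weight formula.
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    name: str
    trust: int      # 1 (low) .. 10 (high)
    efficacy: int   # 1 (low) .. 10 (high)
    exposure: int   # 1 (high exposure) .. 10 (low exposure)


def _check_range(value: int, label: str) -> None:
    if not 1 <= value <= 10:
        raise ValueError(f"{label} must be between 1 and 10, got {value}")


def success_rate(m: Media, trust_weight: float = 0.5) -> float:
    """(Trust + Efficacy) / 2 when trust_weight is 0.5 (the post's formula).
    Any other weight is an assumed extension that favours one category."""
    _check_range(m.trust, "trust")
    _check_range(m.efficacy, "efficacy")
    return trust_weight * m.trust + (1 - trust_weight) * m.efficacy


def score_percent(m: Media, trust_weight: float = 0.5) -> int:
    """Score (%) = (Success Rate + Exposure) / 20 * 100, rounded half up.

    Multiplying by 5 instead of dividing by 20 and multiplying by 100 keeps
    the intermediate value exact (e.g. 11.5 * 5 == 57.5). The table rounds
    halves up (62.5 -> 63), so Python's banker's round() is avoided."""
    _check_range(m.exposure, "exposure")
    raw = (success_rate(m, trust_weight) + m.exposure) * 5
    return math.floor(raw + 0.5)


# The post's scoring table, transcribed here as the sample input.
MEDIA_TABLE = [
    Media("Internal Email", 10, 10, 5),
    Media("External Email", 4, 5, 8),
    Media("Phone Call", 7, 8, 5),
    Media("Traditional Mail", 4, 3, 8),
    Media("Social Media", 6, 5, 6),
    Media("Face-to-Face", 9, 10, 1),
    Media("SMS", 4, 4, 5),
    Media("Blogs/Forums", 3, 5, 4),
    Media("Fax", 4, 3, 3),
]


def rank_media(table: list[Media], trust_weight: float = 0.5) -> list[tuple[str, int]]:
    """Return (name, score %) pairs, highest first; ties keep table order."""
    scored = [(m.name, score_percent(m, trust_weight)) for m in table]
    return sorted(scored, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for name, pct in rank_media(MEDIA_TABLE):
        print(f"{name:18s} {pct:3d}%")
```

Run it as-is to print the ranked table; pass a different trust_weight to rank_media to see how the ordering shifts when a target's trust in a medium is weighted above its reach.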

Digesting this information, we can begin to understand how the chaining of different delivery mechanisms may increase the potential for a successful outcome. Below are a couple of examples of combinations we have used with the greatest effectiveness:


Email + Face-to-Face

By creating a seemingly benign connection with the target via email and arranging a legitimate purpose to meet them (or another target) in person, the potential exposure of a face-to-face interaction can be slightly reduced. At the same time, both the trust and efficacy of the attack are reinforced by this new sense of legitimacy.


Phone Call + Email

A simple introductory phone call can be initiated with a target to build rapport and lay some foundational context around a subsequent email communication. This can aid in humanising what would otherwise be an unexpected and suspicious digital communication. If the target feels familiar with you then they are less likely to be suspicious of something you send to them.


Conclusion


Social engineering is a blend of art and science, requiring equal measures of preparedness and guile. More and more organisations are realising the significance of the threat posed by social engineering attacks, and in response they are seeking professional assistance to guide and enable them to mitigate such threats.


A structured, repeatable approach is essential to honing such skillsets within the cybersecurity industry, ensuring that the threat is considered with a broad perspective and that consistent/appropriate advice is provided, suitable to protect against more than just email phishing alone.


The prevalence and impact of social engineering attacks on organisations of all sizes across the globe is testament to the need for organisations to adopt a roadmap approach when attempting to mitigate the threat. Education programs should focus on teaching users how to identify a social engineering attack regardless of the media used, and test scenarios should be conducted regularly to baseline and monitor the organisation's response to a range of tailored scenarios. To supplement these common practices, corporate comms can be utilised to raise awareness of prevalent or trending attack techniques, providing clear guidance and support across the organisation.


Copyright © 2022 ExploitingSapiens.com
