
Social Engineering and

Countermeasures
INF 203
Content
• Social Engineering
• Key Principles
• Reconnaissance
• Attack Vectors
• Countermeasures
• Toolkit
Social Engineering
• Many attackers have claimed that the easiest way to get the
information you want is to ask the victims
themselves.
- Psychological techniques to get private information
- Does not require a computer science background
- Attack vectors: spear phishing, phone calls with impersonation, …

• Kevin Mitnick
- One of the most famous social engineers
- Possibly one of the first ones using
these techniques extensively
- (5 years in jail, after that consultant)
Social Engineering
• Social Engineering is a psychological manipulation of people
into revealing confidential/sensitive information of the
organization or performing certain actions, such as:
- open an infected attachment via e-mail
- click on a URL of a compromised website.

• Social Engineering relies on a set of non-technical strategies
that exploit weaknesses of human psychology.
- Hence, it typically does not require a computer science background, but
rather a knowledge of the potential victim and their personal context.
“Pretending not to be afraid is as good as
actually not being afraid.”

–David Letterman
Social Engineering: Phases
• A Social Engineering attack can be roughly divided into two main phases:
- Phase 1: Reconnaissance: The attacker learns as much as possible (e.g., through Open
Source Intelligence) in order to appear credible and lure the victims into revealing sensitive
information or performing dangerous actions.
◆ Roles in the company
◆ Company contacts (e.g., e-mail, phone numbers)
◆ Key persons in the company
◆ Choosing a victim
- Phase 2: Victim Approach: The actual attack of the social engineer is performed by
contacting the victim through one of the possible attack vectors, such as:
◆ Phone
◆ Email
◆ Social network
Social Engineering
Key Principles
Social Engineering: Key Principles
• Professor Robert Cialdini
- Regents' Professor Emeritus of Psychology and
Marketing at Arizona State University
- Identified six key principles of influence that
correspond to human behaviors heavily exploited by
Social Engineering.
- Originally intended for “Marketing” purposes
• In Social Engineering, these principles are often
exploited by the attacker to lure victims into:
- Revealing information
- Performing actions
Social Engineering: Key Principles
• Principle 1: Reciprocity
- People tend to return a favor.
- If the attacker is, for example, generous or does
something for the victim, the victim will feel more
compelled to return the favor to the attacker
- For example,
◆ bending the rules,
◆ providing special access without
going through the proper procedure.
Social Engineering: Key Principles
• Principle 2: Commitment and Consistency
- If people commit to an idea or goal, they are
more likely to honor that commitment because
they have stated that that idea or goal fits their
self-image.
- The attacker may find and exploit the victim’s
commitments
- For example,
◆ Particular charity activities
◆ Recycling
◆ Eating particular types of foods
Social Engineering: Key Principles
• Principle 3: Social Proof/Consensus
- People will do things that they see other people are doing.
- For example:
◆ Attackers may create fake websites with testimonials
and lure the victim into clicking something.
◆ Or maybe convince the victim that another
employee has already done that, or that it is not the
first time a similar request has been made.
Social Engineering: Key Principles
• Principle 4: Authority/Intimidation
- People tend to obey authority figures, even if they are asked to perform
objectionable acts.
- The attacker can try to impersonate someone important in the
organization, whom the victim may not know personally.
Social Engineering: Key Principles
• Principle 5: Liking/Familiarity
- People are easily persuaded by other people whom they like.
- The attacker may:
◆ call the other person by first name
◆ throw into the conversation/e-mail a topic that is liked by the
victim (e.g., a football match, hobbies).
Social Engineering: Key Principles
• Principle 6: Scarcity/Urgency
- Perceived scarcity will generate demand, and this may be used
to induce urgency in the victim.
- For example,
◆ take advantage of limited-time opportunities (e.g., to lure the
victim into clicking a link, or providing information).
◆ a false urgent request to update a presentation for the
person’s boss, who did not have time to do it and has an
important presentation in a few hours (e.g., attaching an
infected presentation to the e-mail request).
Social Engineering
Phase 1: Reconnaissance
Reconnaissance
• OSINT reconnaissance (see lecture on “Cyber Reconnaissance”)
- Much information is available from search engines
• Reconnaissance example: Email harvesting
- It is an effective way of finding emails, and possibly usernames, belonging
to an organization.
- These emails are useful in many ways, such as providing intelligence on how to perform
attacks, revealing the naming convention used in the organization, or mapping out users in the
organization.
- Tools (example): theharvester.
Choosing the victim
• Typically, not senior members of the company, but people who are
closely tied to them (e.g., secretaries, collaborators)

• Once a candidate victim is chosen, the attacker identifies the elements that
will create a feeling of “familiarity” between the attacker and the victim
- Exact victim’s position in the company
- Use of nicknames known only in the company
- Praising the role of the victim (e.g., knowing what they do)
- Belonging to some mailing list
- Personal interests of the victim
Social Engineering
Phase 2: Victim Approach
Approaching the Victim
• After initial reconnaissance, the attacker will get in contact with the victim
- By phone
- By e-mail
- By social network
- …
- Rarely face-to-face (i.e., in person)

• The most effective strategies require creativity on the part of the attacker

Social Engineering: Attack Vectors
• Vishing (voice call)
- Perform a voice phone call to lure the victim into revealing sensitive information or
performing attacker-desired actions.
- Common strategies:
◆ Impersonating a manager/senior member of the organization
◆ Pretending to be a colleague in need
Social Engineering: Attack Vectors
• Spear Phishing (e-mail)
- Send a targeted e-mail to the victim, to lure him/her into clicking a link,
opening an attachment, or revealing some sensitive information.
- Unlike traditional phishing, this is crafted for a specific victim
Social Engineering: Attack Vectors
• Tailgating:
- Entering restricted areas by following people with access
- Pretending to be someone with access (e.g., a courier)
Social Engineering: Attack Vectors
• Smishing (SMS Phishing):
- Similar to phishing, but performed by sending an SMS text message.
- Depending on the victim’s habits, the attacker should pick the attack vector that
most resembles a trusted communication method.
Social Engineering: Attack Vectors
• Watering Hole:
- Compromising part of a legitimate website (e.g.,
through stored XSS, or DNS poisoning) trusted by
the victim (e.g., the victim’s bank website).
- When the victim visits the website, some malicious code
is executed only for that specific target (i.e., it is not
triggered for all the other benign users).
Social Engineering: Attack Vectors
• Quid Pro Quo:
- The attacker offers “something in exchange” for following his/her instructions
- Examples:
◆ The attacker calls various numbers pretending to be a
technician, and convinces a victim to follow commands that grant
him/her access or that lead to malware installation
◆ Occasionally, the attacker may have pre-installed some preliminary
malware that slows down the PC (e.g., computer virus hoaxes)
◆ Offering salary reconciliation
Social Engineering
Countermeasures
Social Engineering: Countermeasures
• How to Spot a Social Engineer
- Hurry
- Intimidating attitude
- Refuses to share contact information (e.g., “phone battery is dying”)
- Too friendly for a stranger
- Interest in private information
- Small mistakes
- Knows only a subset of names, but few of the managers’ names

• Be Skeptical and Aware of Risks
- E-mails with urgent requests for sensitive information or delicate actions
- Typosquatted e-mail addresses (sender domains that look like, but are not, the organization’s own)
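Added example (not from the lecture slides): a defender-side check that flags sender domains typosquatting the organization's own domain, folding homoglyph swaps (0/o, 1/l, rn/m, accents) and small edit distances. The domain example-corp.com, the function names and the sample addresses are assumed placeholders.

```python
import unicodedata

# Assumed placeholder for the organisation's real domain (not from the slides).
LEGIT_DOMAIN = "example-corp.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common look-alike tricks so visually similar domains compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.replace("rn", "m").replace("vv", "w")                 # rn -> m, vv -> w
    return d.translate(str.maketrans("0135", "olse"))           # digit look-alikes


def classify_sender(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legit', 'suspicious' (look-alike of our domain) or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == legit or domain.endswith("." + legit):
        return "legit"                      # our domain or one of its subdomains
    norm, legit_norm = normalise(domain), normalise(legit)
    if norm == legit_norm or levenshtein(norm, legit_norm) <= 2:
        return "suspicious"                 # homoglyph swap, typo, or wrong TLD
    if norm.split(".")[0] == legit_norm.split(".")[0]:
        return "suspicious"                 # our name reused under another domain
    return "unrelated"


def scan_senders(addresses):
    """Classify a batch of From: addresses; returns (address, verdict) pairs."""
    return [(a, classify_sender(a)) for a in addresses]


if __name__ == "__main__":
    # Constructed sample From: headers, not real data.
    sample = ["alice@example-corp.com", "ceo@examp1e-corp.com",
              "hr@exarnple-corp.com", "boss@example-corp.co",
              "it@example-corp.com.evil.net", "friend@gmail.com"]
    for addr, verdict in scan_senders(sample):
        print(f"{verdict:10s} {addr}")
```

A verdict of "suspicious" is a prompt for the verification steps the slides recommend (call back on a known number, ask who authorized the request), not proof of an attack.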
Social Engineering: Countermeasures
• Main Countermeasure: security training for employees in all roles, making
them aware of the potential strategies of attackers.
- For example, some strategies to check whether you are being targeted by
social engineering include:
◆ asking for the correct spelling of his/her name
◆ asking for a number where you can return the call
◆ asking him/her why they need this information
◆ asking him/her who has authorized the request, and letting him/her know that you
will verify the authorization.
- Report incidents immediately to the company’s security teams
Social Engineering
Toolkit
Social Engineering Toolkit (SET)
• SET is a toolkit that supports several types of social engineering attacks.
- Installed by default on Kali Linux
SET Documentation
• Many example attack vectors are available:
- It also integrates with the Metasploit framework