Welcome to the Off-Shore Club

The #1 Social Engineering Project in the world since 2004 !

Hack admin

⚠️ ☢️ Always Remember to keep your identity safe by using a Zero-KYC Zero-AML like https://coinshift.money ☢️ ⚠️

Gold

Mr. Nick

Well-known Hacker
USDT(TRC-20)
$0.0
Checking the awareness of personnel about cybersecurity threats is one of the most demanded cases. It is carried out, as a rule, by methods of social engineering.

In today's article:
• Our goal: to verify that employees comply with information security policies.
• Methods: social engineering.
• Local goal: obtaining information that will allow for a "privilege escalation" attack.

This post was written by me in co-authorship with colleagues of the Prospective Monitoring based on real cases worked out by our working group in practice. Enjoy reading!

In many cases, successful social engineers have strong human qualities. They are adorable, polite, and down-to-earth - the social qualities needed to establish quick connection and trust - Kevin Mitnick
Checking the awareness of personnel about cybersecurity threats is one of the most demanded cases. It is carried out, as a rule, by methods of social engineering.

Purpose: to verify that employees comply with information security policies.
Methods: social engineering.
Local goal: Obtain information that will enable a privilege escalation attack.

The stages of social networking are not much different from the stages of a pentest.

Planning
The main thing in social networking is to set a clear goal. Without goal-setting, acting chaotically, you will achieve little, only turn the social program into a booth, and yourself into clowns.
We set a goal: to contact the system administrator and get information from him on the account structure, password structure, ideally - to get the password itself.

Collection and analysis of information
This is the longest and most tedious stage. Through the eyes of an uninformed person, the work of a social engineer consists of telephone conversations, during which he, with the power of magic, talent and charm, fishes out confidential information from gullible users. In reality, information gathering / negotiations are related to many days of exhausting training / performance at the championship with an athlete.

What we need: the most complete information about the employees of the attacked company. Namely: full name, positions, contacts, powers. The most important information is the technologies used in the company. You also need information about the company itself: market position, financial condition, rumors, gossip (the latter is especially interesting, since it reveals the informal atmosphere in the company).

What we use: the organization's website, collection of information from open sources, phishing, some information can be provided by the customer.

Phishing is an ideal solution, but for a whitehacker it is not always possible in terms of a contract with a customer. Preparing an email containing a malicious attachment or a link to a phishing site. The goal is to get real user credentials.

In order for a phishing email to hit its target, you need to carefully study the information about the company and its specifics. What technologies are used in the company? Where is the office? What bonuses are offered to employees? What problems does the company have?

An example of a phishing email:
You can make several letters, each of which is focused on its own target group.

Is the customer against phishing? Ok, arm yourself with patience and sift through open sources: work sites, review sites, social networks, blogs, forums, thematic groups. Prepare to kill a few days with a boring and often thankless job.

Collecting information from public sources manually is laborious. Since one of the products developed by our company is a complex for collecting data from open sources, this stage takes a small amount of time for us, because everything is done quickly enough, connections between objects of interest are built automatically.

Friendship diagram of a real account. Photos are replaced.

g58rg9hm-cn63--sxl__m4s1jik.jpeg

The final outcome of the stage may be as follows:
  • approximate organizational structure of the attacked company;
  • the structure of the employee's email address;
  • list of prospective employees with positions;
  • contacts of employees, phones, e-mail, accounts in social networks.
Exploiting vulnerabilities
From all users, we need to select several victims: those to whom we call, and those on behalf of whom we are calling. Think over their connections, based on the analysis of social media accounts, write a supposed psychological portrait.

If our goal is a system administrator, then the target groups will be as follows: reception, secretaries, hr, accounting, technical support staff and, in fact, administrators.

Conventionally, according to the degree of susceptibility to attacks, we divide users into the following groups.

Paranoid. You won't get anything out of these. It doesn't matter why they are like that, as a child, my mother forbade talking to strangers or recently received a thrashing from an evil security guard. Recognizable by the cloth language, coldness and formalism.

Indifferent. Such an employee does not care deeply who calls him and why. Even before he picks up the phone, he is already thinking of how to get rid of you as quickly as possible, no matter who you are and what you need. In a small percentage of cases, precisely because of his indifference, such an employee will give you all the information you need. More often it will refer to lunch, the end of the working day, busyness or lack of authority.

Cowardly. Employees who are afraid to death not to please their superiors, to break any rules or orders, in general, those who fear for their chair at a given moment prevails over critical thinking. Get more bossy metal in your voice and you'll crack it.

Kind, good people, sincerely ready to help. But at the same time, they do not try to figure out who they are actually helping. And this is our target audience.

How to distinguish one from the other? Preparation, knowledge of psychology, flair, acting, experience.

So, based on the analysis of the profiles of social media employees, we select 2 victims: a secretary with a rescue and an administrator. It is desirable, of course, not 2, but 5-6. The best choice is bright personalities with pronounced features, which are easy to imagine and portray. The attack script must also be written taking into account the peculiarities of the psychology and connections of the found "victims". Calling a random employee asking for a password is a failure.

The victim, on whose behalf the call will be made: Secretary of the Responsible Ekaterina Petrova, 21 years old, with the company for half a year, studying by correspondence to become an economist. Bright makeup, pink hair, lots of social media photos, a Tinder account.

z0ixpweord_mibde_-iglcdsjye.jpeg

We call the employee of the technical support department Dmitry, 35 years old, work experience in the company for 5 years, single, wants to change his place of work. This is important because it is possible that, psychologically, the employee already associates himself less with the company and is more negligent about safety.

Developing an attack scenario
Legend:
agirl on sick leave cannot access her work email via owa. She needs to send a mailing list to top managers regarding the timing of the closed conference. She entered the password incorrectly 3 times and asks to send her a temporary one, promising to change the password at the first login. The legend must be thought up in advance and learned by heart in order to avoid the situation "never before was Stirlitz so close to failure." You still have to improvise and the degree of chaos is better to reduce.

The main thing is confidence, do not let the person on the other end of the line come to their senses. Lost, lost, began to mumble, forgot your name, did not find quickly what to answer - I lost.

Call script:
- Dim, hello! This is Katya. Do you have a minute?
- Hey! What is Katya?
- Yes I am! Katya Petrova, from the reception. Dim, save me.


Further, several options for the development of events are possible:
  • Dima does not remember who Katya is, but he is ashamed to admit it.
  • Dima "recognized" Katya.
  • Katya is standing next to Dima, and he is shocked by what is happening.
In this case, he will most likely say something like “Whatoo? What is Katya? "and all that remains is to hang up and never call Dima from this number again. Therefore, several potential targets of attack must be selected in advance.

Let's say that everything is fine with us and Dima is ready for a dialogue.
- What's happened?
- Dim, I'm at home, on sick leave. I can't go to our general mailbox reс[email protected], but I really desperately need to make a mailing list for our tops today. Help, Ivanova will kill me. (Ivanova, as we found out during the collection of information, is Katya's immediate leader)
.

During a call, it is necessary to scan Dima's emotional state with lightning speed. Is he in the mood for communication? Is he restrained? Is he in a hurry? Is he flirting with Katya? Is he indifferent? If Dima has any hobbies that you read about on social networks, you can also screw it up, but very carefully so as not to overplay it. This is where you need all your empathy. "Calculate" the person, choose the desired tone - the password is in your pocket.

You can keep a photo of Katya in front of your eyes. For some time you need to become "Katya" yourself to the core.

Next, consider 2 options.
1) Dima is a cheerful dolt, he is interested in chatting, and he is ready to help.

- What did you fail? Have you checked the layout and caps?
- Why can't I come in? Yes, I entered the password incorrectly 3 times. That's how I contrived, we do not use this box so often. I forgot, we have there "si" or "s". Yes, I tried it anyway, and that's all 3 times wrong, I remembered, but there are no more attempts, he got stuck. What to do !!! Ivanova will kill me, as if she will. Help Dimaan ... Can you put a temporary password in my cart? And I will change it back at the first entrance.


There can be many options for a conversation. I forgot the caps, mixed up the layout, chose the wrong browser. The general idea is that "Katya" will harass Dima with her stupidity, chirping and moronic questions until he spits and dictates or sends a new password.

After changing the password, you will have a certain amount of time, exactly until the moment when someone tries to log in with a regular password and calls technical support. What can you take in the general secretariat box? Well, for example, download a directory with employee contacts.

In Dima's defense, I can say that situations in the work of technical support are still not the same, and users sometimes demonstrate even greater learning disabilities and forgetfulness.

2) Dima is a gloomy, non-contact type.

- Dmitry, I need remote access to e-mail. Due to production needs. I urgently need it. Which means there is no request, I'm at home, on sick leave. Yes, I ask you to create a request yourself as an exception! My name is Ekaterina Ivanovna Petrova, department secretariat. I urgently need to send a mailing list to senior management. Should I write to the management that I could not do this newsletter due to the fault of the technical support employee?

And now Dima's ideal answer: “Dear Ekaterina, I ask you to call back from the phone indicated in the corporate information system. I have no right to give you a password. "

The purpose of the awareness test is not to punish the unfortunate Dima, who merged the password for a girl with pink hair. The main thing is to identify and eliminate weak points.

What should a company do that has been socially engineered to identify multiple Human Factors vulnerabilities? Our recommendations:
  • periodic training of personnel in the basics of information security, trainings with the involvement of specialized companies;
  • checking the awareness of employees in information security issues;
  • the employee must know exactly what information is confidential;
  • training IT staff in methods of countering social engineering.
The weakest point of the system is the person. If you do not pay attention to the human factor, then no matter how secure and complying with all standards and best practices your system is, you will lose data through an ordinary user.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Friendly Disclaimer We do not host or store any files on our website except thread messages, most likely your DMCA content is being hosted on a third-party website and you need to contact them. Representatives of this site ("service") are not responsible for any content created by users and for accounts. The materials presented express only the opinions of their authors.
🚨 Do not get Ripped Off ! ⚖️ Deal with approved sellers or use RTM Escrow on Telegram
Gold
Mitalk.lat official Off Shore Club Chat


Gold

Panel Title #1

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Panel Title #2

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Top