Social Engineering Part 2: Sophisticated social engineering techniques
What is social engineering?
Social Engineering is a form of security fraud that relies on psychological manipulation techniques to trick people into revealing sensitive information.
In the previous article in this series, we discussed what social engineering is in more detail, the social engineering lifecycle, its reliance on human error, and some of the more common social engineering techniques. The following article will delve deeper into the topic, as we explore examples of social engineering as well as exposing the details of some more advanced social engineering attacks.
The importance of ‘spoofing’ in social engineering
In the context of social engineering, spoofing is the ability to make a communication from an unknown source appear as if it is from a known or trusted one. Spoofing can apply to:
- Phone calls
- Text messages
- IP addresses
Spoofing is an important aspect of many vishing, smishing or phishing attacks, with spoofed email addresses, phone calls, or text messages often used in advanced social engineering attacks. It does not require a lot of technical knowledge to apply spoofing to these communication methods, and tools to easily spoof phone calls or email addresses can be purchased online. Although spoofed email addresses or phone numbers aren’t essential for social engineering, the most successful social engineering attacks do apply these methods.
Below are examples of social engineering techniques that use a mixture of social engineering tactics, some of which include spoofing.
Advanced Social Engineering Attacks
The crying baby method
The ‘crying baby’ is often carried out as a spear vishing method – meaning that it is highly targeted at pre-selected individuals, sometimes within a company or organisation, and it is carried out as a phone call. The attacker will call the targeted victim and introduce themselves – often giving a fake name or impersonating someone from the company the victim works for. Whilst they make their introduction, they play the sound of a crying baby in the background – they will often apologise for the baby making noise, frequently shush or attempt to soothe the baby, and will appear to be in distress.
Just two years ago it would have been uncommon for a colleague to be watching a child while working or while in the office – however, the number of people working remotely has increased significantly since the start of the COVID-19 pandemic, and it is no longer unheard of for people to juggle parenting and working simultaneously. If the victim falls for the attacker’s impersonation – which could be likely if they have used the name of someone within the organisation and spoofed their phone number – the natural human instinct of wanting to help a distressed colleague will be triggered, and the victim is more likely to comply with the attacker’s request. The attacker is then able to request access to sensitive documents or login credentials, or request a transfer of funds.
The companion call method
Companion calls are another method of spear vishing. Usually, the attacker will begin by calling the targeted victim and introducing themselves and where they are calling from, which is often a charity or non-profit organisation. The organisation and name they provide could be fake, but the more advanced social engineering attacks will either impersonate a real individual from a known charity or will ensure they have set up a legitimate-looking website or LinkedIn profile to back up the false information.
The initial call made to the victim is done to build rapport rather than to ask for money or sensitive information; instead, the attacker might ask the victim to take part in a short survey. For example, during the holiday season they might ask “What is on your Christmas wish list this year?”. The call is intended to be non-threatening and is designed not to provoke any suspicion. Any questions asked by the attacker during this call are usually associated with information people would happily share in small talk with strangers.
The second (or “companion”) call usually comes a couple of weeks later. The attacker will introduce their alias again and will mention that they spoke to the victim on a previous call. The victim will usually remember this, and due to the initial rapport building call, they will feel an element of trust or recognition towards the attacker and will view them as an acquaintance rather than a stranger. It is during this call that the attacker will set the trap to acquire the information they are after; they may ask the victim to visit a malicious website where they can then install malware or gather company login credentials or ask the victim to donate money to their fake charity. In this situation the victim is much more likely to comply with the request due to the initial rapport building call.
The birthday coffee method
The birthday coffee method is a simple but effective spear phishing attack. The attacker will start their investigation by quickly gathering the names and birthdays of people within a company or organisation, which are usually openly shared on social media profiles. They will then send out phishing emails to those within the organisation who have had a birthday recently, or those who have a birthday coming up, often spoofed to look like the email has come from the company’s HR or wellbeing team. The phishing emails will contain a message congratulating the victim on their recent birthday and will include a link which invites the victim to click and claim their ‘free birthday coffee’ as a birthday gift from the company. By simply clicking the link, the victim may have unintentionally given the attacker access to their computer or installed malware onto the system. The link could also take the victim to a website spoofed to look like an employee portal, where they are asked to provide their login credentials, which are then harvested by the attacker.
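As an added defender-side example (not code from the original article), the following Python script checks a constructed ‘birthday coffee’ email for the spoofing signals this article describes, both in the spoofing section and here: an envelope sender that differs from the visible From domain, non-pass SPF, DKIM or DMARC verdicts recorded by the receiving mail server, and links that lead outside the organisation’s own domain. The sample message, example.com as the organisation’s domain and all other names are assumptions.

```python
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# Constructed sample 'birthday coffee' lure: the visible From claims internal HR,
# but the envelope sender, MX verdicts and claim link point at an outside domain.
SAMPLE_EMAIL = b"""Return-Path: <bounce@example-giveaways.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-giveaways.test; dkim=none; dmarc=fail header.from=example.com
From: "HR Wellbeing Team" <hr-team@example.com>
To: alice@example.com
Subject: Happy Birthday! Claim your free coffee
Content-Type: text/plain; charset=utf-8

Happy birthday Alice! Claim your free birthday coffee here:
https://example-giveaways.test/claim?id=123
"""

def _domain(addr):
    # Lower-cased domain part of an address such as 'Name <user@host>'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _body_text(msg):
    # Concatenate the decoded text/plain and text/html parts
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return text

def analyse_message(raw, org_domain=ORG_DOMAIN):
    """Return the spoofing indicators found in a raw RFC 5322 message (empty = none)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    # 1. Envelope sender (Return-Path) does not match the visible From domain.
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"return-path domain {return_path_domain} != from domain {from_domain}")
    # 2. The receiving MX recorded a non-pass SPF, DKIM or DMARC verdict.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            reasons.append(f"{mech}={m.group(1)}")
    # 3. Links in the body lead outside the organisation's own domain.
    for host in re.findall(r"https?://([^/\s]+)", _body_text(msg)):
        if host.lower() != org_domain and not host.lower().endswith("." + org_domain):
            reasons.append(f"external link host {host.lower()}")
    return reasons
```

Run against SAMPLE_EMAIL the function reports all three signal types; a message whose Return-Path, authentication verdicts and links all stay within the organisation’s domain returns an empty list.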
The most sophisticated social engineering attacks are usually a cleverly combined mixture of several types of attack. The above examples of social engineering techniques demonstrate this and highlight the importance of promoting awareness of such threats within your company or organisation. The third and final part of this series will focus on how to prevent social engineering, and how to protect yourself, your employees and your company from social engineering attacks.