Social Engineering
IMPORTANT NOTE: Social Engineering is a sensitive and critical field in cybersecurity. Do not use the information provided in this website for malicious purposes.
The Concept of "Social Engineering"
Social Engineering is the art of gaining unauthorized access to a person's information or actions by exploiting the human weakness factor through psychological tactics.
Useful & Common Tactics
Phishing (Email, SMS, etc.)
Objective: Steal credentials, deliver malware, or trick the target into a specific action.
Tip: Customize emails to make them highly convincing. Use spoofed addresses, insider info, or impersonate someone important (the CEO, a boss or employee from the victim's company, family members, etc.).
Payloads: Fake login pages, malicious attachments, or urgent financial requests.
Spear-Phishing
Objective: Target a specific individual or organization using detailed personal info.
Tip: Gather data from social media (LinkedIn, Instagram, Twitter) or from data breaches to craft highly convincing messages and pretexts.
Vishing (Phone Phishing)
Tip: Impersonate IT support, HR, or a bank. People are more vulnerable on a phone call, especially when dealing with authority figures.
Key Targets: New employees, customer service agents, or anyone unfamiliar with security protocols.
Pretexting
Objective: Create a believable scenario to manipulate the target into giving information or access.
Tip: Research your target, build a backstory, and have all the right jargon ready.
Common Pretexts:
IT Guy: "There's an issue with your account."
HR Officer: "I need to confirm your benefits info."
Law Enforcement: "You need to comply with this investigation."
Baiting
Objective: Entice the victim with an irresistible offer (e.g., free downloads like "Spotify Plus APK" or "Adobe Photoshop CC Full + Crack").
Tactics: Leave infected USB drives with attractive labels ("Confidential", "Bonuses 2024") in strategic locations (company parking lots, break rooms).
Piggybacking
Objective: Physically access restricted areas by exploiting people's politeness.
Tip: Carry something bulky (boxes, coffee, etc.) so people hold doors open for you. Wearing a uniform adds legitimacy.
Information Exchange Pretext
Objective: Exchange fake services for real information.
Tip: Offer free technical assistance in exchange for login details or information ("I'll fix your computer issue if you give me your password").
Impersonation
Objective: Pretend to be someone you're not (executive, IT, delivery person).
Tip: Know your role inside and out. Use technical jargon to sound legit. Wearing the right clothes or a fake badge increases success.
Execution Phases
1. Reconnaissance
Gather Information: Dig deep into social media profiles, company websites, public records, and LinkedIn. Look for:
Employee names, positions, and email formats.
Recent organizational changes.
Upcoming events or promotions.
Tools: Google Dorking, Whois, Shodan, dumpdork.
2. Initial Contact
Phishing / Phone Call / In-Person: Use your crafted persona (pretext) and make contact.
Pro Tip: Use urgency ("Your account has been compromised"), and don't give them time to think.
3. Exploitation
Manipulate Emotion: Fear, trust, curiosity, or urgency are your best friends. Always escalate the urgency to push for action.
Goal: Get the target to:
Click a link.
Provide credentials.
Let you into a building.
4. Execution and Extraction
Payload Deployment: Get access to the network, install malware, or grab physical documents.
Exfiltration: Always have a clean exit. Walk away before suspicion arises.
Pro Tip: If it's physical access, take small pieces of info instead of something obvious (e.g., photos of documents).
5. Covering Tracks
Minimize Evidence: Delete traces of your access or interaction (emails, logs, browser history).
Pro Tip: Use anonymous email services, burner phones, or VPNs. Clean up your digital and physical trail.
Advanced Tactics
1. Deep Fake Voice Calls
Use AI Voice Cloning to impersonate high-profile individuals like the CEO or CFO and issue commands.
2. Social Media Recon
People overshare on platforms like Facebook, Instagram and LinkedIn. Gather personal details to make your attack seem authentic (e.g., mentioning hobbies, events, recent trips).
3. Social Engineering Toolkit (SET)
Use SET to easily clone websites or launch phishing campaigns.
4. USB Drops
Equip a Rubber Ducky USB with a payload that can compromise systems when plugged in. Leave them in high-traffic areas.
5. Reverse Social Engineering
Make the victim come to you. Create a problem (like a fake tech issue) and have the target reach out to you for a solution.
Psychological Triggers to Exploit
Fear of Missing Out (FOMO): "You must act now, or your account will be locked."
Reciprocity: "I helped you, now you help me."
Authority: "This is IT support; you need to give me your credentials to resolve this issue."
Scarcity: "Only a few USBs are left with the latest financial reports."
Sympathy: "I'm just trying to do my job, could you let me in?"
Social Engineering Tools & Resources
The Social-Engineer Toolkit (SET):
A powerful tool for creating phishing pages, QR codes, or spear phishing attacks.
Maltego:
For gathering intel on a target via open-source intelligence (OSINT).
OSINT Tools:
Recon-NG, SpiderFoot and Shodan for scanning networks and collecting personal information; PimEyes (https://pimeyes.com) for reverse lookup of people using photos of their faces.
Fake Identity Generators:
Use websites like https://www.fakenamegenerator.com and https://thispersondoesnotexist.com to create convincing fake personas.
Real-World Scenarios of Advanced Social Engineering Actions
1. CEO Fraud (Business Email Compromise)
Scenario: A hacker impersonates the CEO of a company via email (using spear phishing) and requests that the finance department urgently transfer funds to a fraudulent account.
Tactics Used: Authority, urgency, email spoofing.
Execution: The attacker monitors social media for company events (e.g., the CEO traveling), then sends a well-timed email to employees requesting immediate action, leveraging the CEO's authority.
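The CEO-fraud scenario above (and the phishing tactics listed earlier) rests on three observable indicators: an executive's name in the display name, urgency plus payment language, and a spoofed or look-alike sender. The following is an added defensive example, not code from this page or from any tool it names, showing how a mail-gateway or SOC triage script can score those indicators on incoming messages. The company domain example-corp.com, the executive names, the keyword lists and the two sample messages are all constructed for the example.

```python
"""Rule-based BEC / CEO-fraud indicator scoring for single-part text e-mails.

Added example (not part of the original page). Every domain, name and
message below is constructed; tune the lists for a real deployment.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the organisation's own mail domain and the executives whose
# names attackers commonly borrow in the display-name field.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "end of day")
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "bank details", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, findings) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)

    # 1. Executive's name in the display name, but the address is external.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' used with external address {from_addr}")

    # 2. Look-alike domain: one or two edits away from the real one (e.g. '1' for 'l').
    if from_domain and from_domain != COMPANY_DOMAIN and levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. SPF / DKIM / DMARC failures recorded by the receiving gateway.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} check failed")

    # 5/6. Urgency and payment language in subject or body (single-part text only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency language")
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("payment / transfer request")

    return len(findings), findings


def verdict(raw: str) -> str:
    """Hold anything with three or more independent indicators for out-of-band verification."""
    score, _ = score_message(raw)
    return "hold for manual verification" if score >= 3 else "deliver"


# Constructed sample: the CEO-fraud pattern from the scenario above.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example-corp.com
Subject: URGENT wire transfer needed before end of day
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dmarc=fail

Hi, I'm travelling and can't take calls. Please process a wire transfer of 48,000
to the vendor account below immediately and confirm by email.
"""

# Constructed sample: an ordinary internal message that should pass.
LEGIT = """\
From: John Smith <john.smith@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review notes
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass; dmarc=pass

Attached are the notes from today's budget review. No action needed this week.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        score, findings = score_message(sample)
        print(f"{label}: score={score} verdict={verdict(sample)}")
        for f in findings:
            print("  -", f)
```

The scoring is deliberately additive: no single rule is conclusive (executives do travel, and legitimate vendors do send invoices), but a message that trips several at once is exactly the one the finance team should confirm through a known phone number before acting, which is the "trust but verify" advice at the end of this page turned into a gateway control.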
2. Deep Fake Attack on Executives
Scenario: Using AI voice cloning, a hacker creates a phone call where they sound like the CFO of a company and instructs an employee to approve a large, unauthorized transaction.
Tactics Used: Authority, urgency, voice cloning technology.
Execution: The employee believes they are talking to their superior and follows through with the request, never realizing it was an imposter.
3. USB Drive Drop in a High-Security Company
Scenario: The attacker plants USB drives labeled "Confidential Financial Documents" near a parking lot or break room in a high-security company. The curiosity of an employee leads them to plug in the USB, unknowingly executing malicious code.
Tactics Used: Curiosity, baiting, malware deployment.
Execution: The payload on the USB installs backdoor access, allowing the hacker to infiltrate the company's internal network.
4. Social Engineering During an Event
Scenario: The attacker attends a large corporate event posing as a staff member or vendor. They engage in casual conversations with employees, gaining insider information like IT protocols or company software, later used in a more targeted phishing attack.
Tactics Used: Pretexting, reconnaissance, in-person engagement.
Execution: By blending in and building rapport, the hacker extracts crucial details about internal operations, which are used in further attacks.
5. Help Desk Impersonation (Reverse Social Engineering)
Scenario: The attacker causes a minor technical disruption (e.g., disabling a server) and then calls the IT Help Desk posing as a senior employee reporting the issue. They convince the real Help Desk staff to provide them with credentials to "fix" the issue.
Tactics Used: Authority, urgency, technical knowledge, reverse social engineering.
Execution: The attacker not only gains credentials but leaves unnoticed, with no suspicion raised, as the IT team believes they were helping a legitimate employee.
Final Tips and Advice for Social Engineering Attacks
Timing is Key: Attacks are more successful during times of stress, confusion, or transition. Launch your attacks during:
Busy hours: Employees are distracted.
During staff changes: New employees are often unfamiliar with security protocols.
Human Error is Your Ally: People make mistakes under pressure; exploit that to your advantage by creating urgency or confusion.
Think Like an Insider: Understand company workflows, daily habits, and communication patterns. The more you know about internal operations, the more convincing you can be.
How to Protect Yourself against Social Engineering Attacks
Social engineering attacks can happen to anyone, but you can stay safe by keeping a few simple rules in mind:
Trust but Verify: Always double-check any request for sensitive information or urgent action, even if it seems legitimate. Contact the requester through official channels to confirm.
Stay Skeptical: If something feels off, whether it's an email, phone call, or person, trust your instincts. Scammers rely on creating urgency or fear to get you to act quickly.
Don't Overshare: Be cautious about the personal information you share online or in public spaces. Hackers use this data to craft convincing attacks.
Enable Two-Factor Authentication (2FA): Use 2FA on all important accounts. It adds a strong layer of protection, making it harder for attackers to access your information even if they steal your password.
Educate Yourself: Learn about the latest social engineering tactics. The more you know, the less likely you'll be tricked.
By staying alert, questioning unexpected requests and protecting your personal information, you can effectively reduce your chances of falling for social engineering attacks.