Social engineering remains one of the most potent tools in a cybercriminal's arsenal, with organizations experiencing over 700 social engineering attacks annually.
Dardan Prebreza, former senior security consultant at Bishop Fox, explored the intricacies of proactive social engineering engagements — from planning and defining objectives to executing various tactics and techniques. By understanding the methods and tools used in social engineering, organizations can better defend against these sophisticated attacks.
Discover the key points from his webinar in this recap blog, and make sure to watch it on demand.
What is Social Engineering?
In information security, social engineering involves manipulating people psychologically to take actions or divulge confidential information beneficial to attackers. Common tactics include:
- Phishing: Uses crafted emails to gather information and credentials from victims and to compromise their systems.
- Vishing: Also known as voice phishing, uses the telephone to gather intelligence on an organization and gain system access.
- Smishing: Like email phishing, uses SMS or text messages to lure victims into clicking malicious links or providing sensitive information, such as multi-factor authentication (MFA) codes.
- Impersonation: Occurs mostly during physical attacks, where the hacker pretends to be someone else to gain access to a system or building.
Setting Social Engineering Objectives
Setting clear objectives is an essential first step for any organization conducting a social engineering engagement. The two most common objectives are to 1) raise security awareness and 2) identify gaps in security policies and procedures.
Specific goals, such as obtaining VPN or email credentials or gaining remote access, are helpful in defining the social engineering approach for the security assessors.
Defining Social Engineering Targets
Successful social engineering engagements require defined targets. Security assessors will ask for:
- Client-provided list including names, roles, and departments. Employee contact information, such as email addresses and phone numbers, is especially useful.
- Out-of-scope targets to properly understand who can/can’t be targeted as part of the engagement.
If a client doesn’t want to provide or doesn’t have a list readily available, then security assessors will conduct reconnaissance and intelligence gathering on their own to define proper targets. LinkedIn has proven to be an elite source of information in today’s digital resume world.
Creating Social Engineering Scenarios
Scenarios are specific situations or storylines designed to manipulate someone into taking action or revealing sensitive information. These often use the influence tactics of authority and scarcity. Authority involves impersonating a superior to compel targets to comply, while scarcity uses urgent actions, like imminent password expirations, to prompt hasty responses.
Additional influence tactics used in social engineering include commitment and consistency, concession, liking, obligation, reciprocity, and social proof.
Examples of common social engineering scenarios include:
- Suspicious email log-in attempts: Emails warning of suspicious log-in attempts direct employees to an authentic-looking webpage to log in to their company email, allowing attackers to steal their credentials.
- Expiring VPN passwords: Emails prompting users to change their VPN passwords enable attackers to intercept credentials and gain access to the company’s VPN platform.
- IT Help Desk credential resets: Impersonating an employee to request a password reset and temporary MFA disablement. Often, they claim their work phone is lost or infected with malware, requiring urgent access via a personal phone.
- Remote access: Impersonating the IT Help Desk and calling an employee about a workstation issue, often preceded by an SMS alert about suspicious activity. The goal is to gain remote access to the employee’s workstation and obtain backdoor access to the internal network and applications.
Social Engineering Tools
Successful social engineering campaigns use a variety of tools, both public and proprietary.
- Phishing Frameworks: Tools like GoPhish, Lucy, Modlishka, and evilginx2 help create convincing phishing campaigns. All are open source except Lucy.
- Reconnaissance and Intel-Gathering Tools: Skrapp.io and LinkedIn Scrapper are useful for gathering target information, while SalesIntel RevDriver is particularly helpful for gathering phone numbers for vishing or smishing. All offer free versions up to a certain level of use. Alongside these public tools, Bishop Fox frequently uses internal tools for reconnaissance.
Social Engineering Techniques
Numerous techniques help boost the effectiveness of social engineering campaigns by enhancing the apparent legitimacy of faked communications and taking advantage of security weaknesses and gaps. Innovative techniques that Bishop Fox’s Red Team has deployed include:
- Exploiting Microsoft Teams’ features: Microsoft Teams' default external communication features enable attackers to trick victims by creating a free group chat, adding the target, and impersonating someone from the victim's company using a dummy email address. This malicious communication appears trustworthy as it seems to originate from within the victim's organization.
- Reconnoitering the External Attack Surface: Subdomain brute forcing is a crucial step for email-based social engineering campaigns to identify log-in pages for VPNs, email platforms, and third-party services used by the target organization. Checking for breached email accounts provides potential initial access points.
- Leveraging Domains: Exploiting domain weaknesses is key for social engineering attacks involving email spoofing. Analyzing the target's domain configurations like SPF, DMARC, and DKIM makes email spoofing easy if domain protections are weak or missing. Registering lookalike domains that impersonate the target's brands or services enables phishing attacks with deceptive URLs — for instance, vpngoogle.com rather than vpn.google.com. Punycode domains (which encode non-ASCII characters that can resemble ordinary letters) were previously highly effective in phishing campaigns, although they are used less now.
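As an added illustration of the domain-configuration review described above (example code, not from the webinar or Bishop Fox), this script grades SPF and DMARC TXT records for the weaknesses an assessor looks for when judging whether a domain can be spoofed; it is written so a defender can run it against their own records. The records are constructed, and DNS retrieval is left out so it runs offline.

```python
import re

def _mech_name(term):
    """'~include:spf.x' -> 'include'; 'redirect=_spf.x' -> 'redirect'; '-all' -> 'all'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), 1)[0]

def assess_spf(record):
    """List weaknesses in an SPF TXT record; None means the record is absent in DNS."""
    if not record:
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    all_term = next((t.lower() for t in terms[1:] if _mech_name(t) == "all"), None)
    if all_term in (None, "all", "+all"):
        issues.append("no restrictive 'all' term (missing or +all): spoofed mail passes SPF")
    elif all_term == "?all":
        issues.append("?all is neutral: spoofed mail does not fail SPF")
    elif all_term == "~all":
        issues.append("~all only softfails: rejection depends entirely on DMARC")
    # RFC 7208 allows at most 10 DNS-lookup terms; more makes the record evaluate to permerror.
    if sum(_mech_name(t) in {"include", "a", "mx", "ptr", "exists", "redirect"} for t in terms[1:]) > 10:
        issues.append("more than 10 DNS-lookup terms: record is a permerror and gives no protection")
    return issues

def assess_dmarc(record):
    """List weaknesses in a DMARC TXT record; None means the record is absent in DNS."""
    if not record:
        return ["no DMARC record: receivers take no action when SPF/DKIM alignment fails"]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if int(tags.get("pct", "100")) < 100 and policy != "none":
        issues.append(f"pct={tags['pct']}: policy enforced on only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: spoofing attempts produce no aggregate reports")
    return issues

# Constructed records (not any real domain): a weak posture and its hardened counterpart.
WEAK = {"spf": "v=spf1 include:_spf.mailer.example ?all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}
```

Run `assess_spf(WEAK["spf"]) + assess_dmarc(WEAK["dmarc"])` to see the findings for the weak posture; the hardened pair returns no findings.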
Real-World Examples of Social Engineering
Real-world examples illustrating social engineering in action include:
- Microsoft Teams attack: This involved compromising an account via password spraying, then impersonating that user's manager's manager over Microsoft Teams. The attacker convinced an intern to share their MFA code, allowing access to the company's Azure environment for weeks.
- Vishing for IT Help Desk: Another attack started with password spraying, then impersonating the IT Help Desk over the phone to trick users into revealing their MFA codes by claiming they needed to make system updates.
- Email and vishing combo: At a university, attackers used an open SMTP relay to send phishing emails impersonating the IT Help Desk. While on the phone providing instructions, they sent emails appearing to be from the legitimate Help Desk requesting users click malicious links.
- Impersonating CIO: Social engineers impersonated a company's CIO, calling the IT Help Desk claiming the CIO's phone was compromised before an urgent board meeting. After answering basic questions from the Help Desk, they attempted to get the CIO's password revealed, but the Help Desk instead securely reset the password.
- Vishing for ransomware: In the 2022 MGM breach, attackers gathered information on privileged IT staff from LinkedIn. Impersonating these employees, they called the IT Help Desk to reset MFA, compromising Okta, domain, and Azure administrators to steal data and deploy ransomware.
Measuring Success as Red Teamers
For Red Teamers performing social engineering attacks, success can range from getting a single user to click a malicious link to fully compromising a company's internal network. The greatest satisfaction comes from compromising a high percentage of targets — over half the targets in some engagements. However, even unsuccessful attempts provide valuable lessons and insights. Here are a few we’ve found:
- Security awareness should educate, not punish. Companies must avoid blaming employees for the results of social engineering assessments. Instead, identify and improve weak policies, procedures, and training.
- Continuous security awareness, especially for new employees, is essential. While social engineering reveals IT security gaps, poor training is often the root cause.
- Multi-factor authentication alone cannot prevent social engineering because attackers can intercept MFA codes. Physical security tokens such as YubiKeys are a stronger alternative to one-time passwords.
Conclusion
Understanding the methods and tools used in social engineering, from phishing to impersonation, is vital for enhancing security awareness and identifying vulnerabilities. Regular training, robust security measures, and a proactive approach can significantly reduce the risk of falling victim to these sophisticated attacks. Stay vigilant and keep your security practices up to date to protect against the constantly evolving tactics of social engineers.
To learn more about how Bishop Fox conducts its social engineering engagements, read our Social Engineering Methodology.