Types of Social Engineering Attacks used to Gain Internal Network Access

Social engineering is a technique commonly used by adversaries to manipulate individuals or groups of people into divulging confidential information, performing certain actions, or giving up access to valuable resources. These attacks can take many forms and are typically carried out through electronic communication channels or in-person interactions.

Social engineering is often considered one of the easiest ways to gain access to a company’s IT systems because it relies on exploiting human weaknesses rather than technical vulnerabilities. With the right pretext and social engineering tactics, attackers can convince unsuspecting employees to reveal sensitive information, click on malicious links, or give them access to secure systems. However, it's important to note that social engineering attacks still require a significant amount of planning, research, and skill on the attacker’s part. Additionally, employers can implement effective training and security policies to reduce the risk of social engineering attacks and protect their employees and sensitive data.

This blog discusses three types of social engineering attacks, provides some common pretext examples, and offers advice on mitigating some of these risks.

Vishing Attacks

Vishing attacks are a form of social engineering that involves using voice communication to trick the victim into providing sensitive information. Attackers may use various pretexts, such as posing as an IT or HR representative. They may request personal information, such as Social Security numbers, bank account numbers, or login credentials.

Common attack pretexts:

• An adversary calls a staff member posing as an IT representative, informing the victim that some actions required on their account. The attacker will ask the victim to provide their account information or perform some actions on their behalf. The attacker could also provide a link to a fake website and ask the victim to download and install a malicious executable file.
• An adversary calls the company help desk to impersonate a legitimate staff member to change that user’s password. Typically, an IT department will use PII (personally identifiable information) to verify if the user is legitimate. An attacker with enough information may be able to pass this verification, resulting in the IT department changing the victim’s password. Once the password is changed the attacker can use the victim’s credentials to access internal IT systems.
  An attacker can also use this method to change the 2FA number on the account, giving the attacker the ability to verify 2FA requests.

Prevention/Mitigation:

• Train employees to recognize the signs of a vishing attack, such as urgent or threatening language, and to verify the legitimacy of the call by calling back a known number for the organization.
• Consider using voice biometrics or other forms of authentication to verify the identity of callers.
• Implement call screening and caller ID verification to block calls from known or suspected malicious numbers.

Phishing/Smishing Attacks

Phishing and SMShing are types of social engineering attacks that involve using email and text messages to deceive individuals into divulging sensitive information or performing certain actions. The attackers often use pretexts to create a sense of urgency or fear in the victim, encouraging them to reveal sensitive information or click on a malicious link.

Phishing is centered around email as the main attack vector, while smishing employs SMS text messages. Both attacks are very similar in execution, but smishing attacks are more difficult to prevent because devices are usually owned and managed by the end user, instead of being managed by the company (such as SOE laptops).

Common attack pretexts:

• An attacker sends an email claiming the recipient's account has been compromised and they need to reset their password immediately to avoid losing access to their account. The email provides a malicious link that will point to a fake password reset page that matches the company's IT infrastructure. Upon submitting this form, the attacker will have the victim's password.
• An attacker sends an email that looks like a legitimate HR email. The email explains that the victim must complete some compliance training and provides a malicious link. The link points to a phishing site that mimics the company login, at which point the victim enters their credentials and is redirected to a fake training site.
  
  

Prevention/Mitigation:

Mitigating phishing/smishing attacks typically involves a combination of employee training and policies and procedures. The following is a good list of best practices.

• Train employees to recognize the signs of a phishing or smishing attack, such as suspicious links or requests for personal information, and to verify the legitimacy of the message by contacting the supposed sender through a known, legitimate channel.
• Use email and SMS filtering tools to block messages from known or suspected malicious sources.
• Implement two-factor authentication (2FA) or multi-factor authentication (MFA) to reduce the risk of stolen credentials being used to access sensitive data or systems.

Physical Social Engineering Attacks

Trustwave recently published a blog post explaining some common physical intrusion scenarios and explained why physical security assessments are important. If you are curious about needing a physical security assessment, please refer to this blog post for more information:

Physical social engineering attacks involve in-person interactions that manipulate individuals into divulging sensitive information or gaining access to secure areas. The attackers often use a pretext to gain the victim’s trust and create a sense of urgency or fear.

There are many attacks in the physical social engineering space. Many break-and-enter tactics can be used by an adversary. Typically, when focusing on physical security of a company location Trustwave will focus on two main types of attack: tailgating, and impersonation. Tailgating is the act of following a legitimate user into a building in the hopes they will hold the door open for the next person. Impersonation is the act of impersonating a legitimate staff member in the hopes of gaining access to a restricted area.

Once inside a company’s location an attacker will usually try to gain access to the internal network by plugging into Ethernet jacks in the office.

Common attack pretexts:

• Tailgating: An attacker waits outside a company’s entrance around lunchtime, when they notice a badge-wearing employee walking to the door they will pretend to be walking in right behind that person, when they reach the door, they will speed up a little bit to show the person in front that they are coming in after you. However, If a company location does not have a badge security system installed, an attacker can just walk in without the need to tailgate.
• Impersonation: An attacker dresses up as an employee, such as a janitor, building management, or IT technician to gain access to a restricted area or sensitive information. They will carry official-looking equipment, such as a uniform or tool kit, to appear more convincing.

Prevention/Mitigation:

Mitigating physical social engineering typically involves a combination of employee training and policies and procedures. The following is a good list of best practices.

1. Develop an access control policy: Employers should develop policies that limit access to sensitive areas and information to authorized personnel only. Employers should establish a policy that requires all visitors to be signed in and escorted by an authorized employee. Organizations should train employees to ask for identification from anyone they don't recognize and to verify that the person has a legitimate reason for being on the premises.
2. Implement network access controls to help enforce these policies by requiring authentication and authorization before allowing access to the internal network or sensitive data.
3. Implement a clean desk policy: Employers should implement a policy that requires employees to keep their desks and workspaces clear of sensitive information when they are not present. This can help prevent attacks like dumpster diving and baiting.
4. Conduct regular security awareness training: Train employees on the different types of physical social engineering attacks and how to identify them, and to be vigilant and report any suspicious activity to security personnel.

Conclusion

In conclusion, while social engineering attacks can be one of the easiest ways to hack a company due to their reliance on exploiting human weaknesses, they still require significant planning and skill on the part of the attacker. Employers can take steps to mitigate the risk of social engineering attacks, such as implementing effective employee training and security policies, utilize network access controls, and monitor for suspicious activity. By being aware of the different types of social engineering attacks, their pretexts, and mitigation strategies, employers can better protect themselves and their employees from these types of attacks.