Social Engineering uses influence and persuasion in order to deceive, convince or manipulate. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
The following is an example of a previous job I performed for a client. It demonstrates how what seemed like insignificant information can be used to build trust with people and compromise a company.
This has been provided as further reading for an interview I did on penetration testing and social engineering for PC Extreme magazine.
Social Engineering Tools
To explain how I might go about using a combination of social engineering and technology, I need to first explain the tools that I may use.
We have many tools that we have developed for the purpose of penetration testing. In this Social Engineering example, I will be using a package or executable wrapper, a rootkit and The RAT (Remote Access Tool).
In simple terms, the wrapper can create executable programs that appear to do one thing but, in fact, perform other tasks as well. Our wrapper also encrypts and compresses the contents to help deflect virus detections and computer forensics.
The RAT is a remote access tool which, when run on a machine, searches for connections out of the network to the Internet, utilising proxies and other devices if required. The RAT uses outbound connections from the target machine to receive its commands, completely bypassing any inbound protection from a firewall or NAT. The communication traffic is also sent as legitimate HTTP/HTTPS traffic, so even if the target’s proxy or firewall has application-level filtering, the control commands will appear as normal HTTP traffic because, in fact, they are. This means that we can communicate with targets deep inside the company’s networks and defeat firewalls/proxies/DMZ, etc.
The RootKit is a program that hides the hacker’s actions from the operating system and anybody examining the machine. Our rootkit hides Processes, Handles, Modules, Files and Folders, Registry Keys and Values, Services, TCP/UDP Sockets and Systray Icons.
What this means is that task manager, netstat, regedit, file explorer, etc. will not be able to see anything the hacker has placed on a machine once it has been rootkitted. The hacker’s actions and programs will be completely invisible.
There are some less sophisticated versions of these types of tools available on the Internet but there are two good reasons why a professional hacker won’t use them. One is they don’t provide the required functionality, and the other reason is that many virus checkers will pick up their signatures and stop them. This is the difference between the script kiddie and the professional hacker.
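Because the rootkit blinds the host tools named above, the proxy log is the one place the RAT’s outbound command polling is still visible. The following is an added example, not the post’s own tooling: it parses constructed proxy log lines (the format is assumed) and flags client/host pairs whose request timing is too regular to be a person browsing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the original post). Assumed format:
# "<ISO timestamp> <client_ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2023-05-04T09:00:00 10.1.2.30 GET http://cdn.example-update.test/check 200 312
2023-05-04T09:00:07 10.1.2.30 GET http://www.example.com/ 200 15234
2023-05-04T09:01:00 10.1.2.30 GET http://cdn.example-update.test/check 200 310
2023-05-04T09:02:00 10.1.2.30 GET http://cdn.example-update.test/check 200 315
2023-05-04T09:02:41 10.1.2.31 GET http://www.example.com/news 200 8721
2023-05-04T09:03:01 10.1.2.30 GET http://cdn.example-update.test/check 200 311
2023-05-04T09:04:00 10.1.2.30 GET http://cdn.example-update.test/check 200 309
2023-05-04T09:05:00 10.1.2.30 GET http://cdn.example-update.test/check 200 314
2023-05-04T09:09:12 10.1.2.31 GET http://www.example.com/news 200 8730
2023-05-04T09:31:50 10.1.2.31 GET http://www.example.com/ 200 15001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse_lines(text):
    """Yield (timestamp, client_ip, destination_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(4).split("/")[2]   # "http://host/path" -> host
        yield ts, m.group(2), host

def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): (count, mean_gap_seconds, cv)} for pairs whose
    inter-request gaps are nearly constant. cv = stdev/mean of the gaps; a
    human browsing produces bursty traffic, a command poll produces a low cv."""
    seen = defaultdict(list)
    for ts, client, host in parse_lines(text):
        seen[(client, host)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[key] = (len(stamps), mean, cv)
    return hits

if __name__ == "__main__":
    for (client, host), (n, mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} requests, every ~{mean:.0f}s (cv={cv:.2f})")
```

Real RATs add jitter to their polling interval, so raise `max_cv` and pair this with destination reputation and request-size checks rather than relying on timing alone.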
Social Engineering call (1)
Call to main switchboard of the organisation from my mobile phone.
Nathan: Hi, I’m having a problem with my desk phone. Can you put me through to someone who may be able to sort this out for me?
Reception: Connecting you.
Phone Services: Hi.
Nathan: Hi, I’m having a problem with my desk phone. Sorry, I’m new here. Is there any way I can find out who is calling me when they call my desk phone? Is there a caller ID?
Phone Services: Not really, because we use hot desks here. Because people usually use their mobile phones, the caller ID isn’t often related to a name. Is this a problem for you?
Nathan: No, it’s fine now. I understand. Thanks. Bye.
I now know that the company uses hot desks and that phone caller ID is not always expected. Therefore, it is not an issue if I call from outside the company. If it was expected, then I could work around it anyway.
Social Engineering call (2)
Call to main switchboard of the organisation.
Nathan: Hi, could you put me through to building security?
Building Security: Hello, how can I help you?
Nathan: Hi, I don’t know if you will be interested but I found an access card outside the building which I think someone must have dropped.
Building Security: Just return it to us. We are in building 3.
Nathan: OK, no problem. May I ask who I’m speaking to?
Building Security: My name’s Eric Wood. If I’m not here, give it to Neil.
Nathan: OK, that’s great. I will do. Are you the head of building security?
Building Security: It’s actually called Facilities Security and the head is Peter Reed.
Nathan: OK, thanks a lot. Bye.
This told me the name of a number of people in security, the correct name of the department, the head of security, and that they are the ones who deal with physical access cards.
Social Engineering call (3)
Call to main switchboard of the organisation.
Nathan: Hi, I’m calling from Agency Group and I wonder if you could help me. I had a meeting about a month ago with some of your HR people but unfortunately, my computer crashed and I have totally lost their names.
Reception: Sure, no problem. Let me look up that department. Have you any idea at all of their names?
Nathan: I know that one of them was the head of HR. There were a number of people in the meeting, though.
Reception: …….OK, here we are. Head of HR is Mary Killmister. 0207 xxxxxxx
Nathan: Yes, that rings a bell. Who are the other names in HR?
Reception: In HR, Jane Ross, Emma Jones……
Nathan: Yes, definitely Jane and Emma. Could I have their numbers please?
Reception: Sure. Jane Ross is xxxxxxx and Emma Jones is xxxxxx. Would you like me to put you through to any of them?
Nathan: Yes. Could you put me through to Emma please?
I now know the names of the three people in HR, including the head.
Social Engineering call (4)
HR: Hello, Emma here.
Nathan: Hi, Emma. This is Eric from Facilities Security in building 3. I wonder if you can help me. We have had a problem here with the access card database computer. It crashed last night and some of the data for the new starters got lost. Do you know who would be able to tell us who the new starters were over the last 2 weeks, as their access cards will have stopped working? We need to contact them and let them know ASAP.
Emma: I can help you with this. I’ll look up the names and email them to you if that’s OK? For the last 2 weeks did you say?
Nathan: For the last 2 weeks, yes. That’s great, thanks, but would it be possible to fax it? We share one computer for email and that was affected by the computer crash, too.
Emma: Yes, OK. What is your fax number? Oh, and what’s your name again?
Nathan: Mark it for the attention of Eric. I’ll have to find out the fax number for you and call you back.
Nathan: Do you know how long it will take to find out the information?
Emma: It shouldn’t take me more than 30 minutes.
Nathan: Will you be able to start working on it straight away, as it’s quite urgent?
Emma: I have a few things to do this morning but I should have the names this afternoon.
Nathan: That’s great, Emma. Thanks. When you’re done, would you be able to call me straight away so I can start reactivating their cards?
Emma: Yes, sure. What is your number?
Nathan: I’ll give you my mobile number; that way you’re guaranteed to get me. 07970 xxxxxx.
Emma: OK, sure. I’ll call you when I have the list.
Nathan: Excellent, thanks. Really appreciate this.
Social Engineering call (5)
Call to main switchboard of the organisation.
Nathan: Could you put me through to IT Support?
Reception: Connecting you… (Long wait in queue.)
IT support: Hello, can I have your LS number or your case reference?
Nathan: I’ve just got a quick question. Is that OK?
IT support: What is it?
Nathan: A guy from Reuters is trying to send me a presentation and is asking me what the maximum size is for attachments.
IT support: It’s 5MB, sir.
Nathan: That’s great, thanks. Oh, one more thing. He said it’s an .exe file and sometimes, those get blocked or something.
IT Support: He won’t be able to send an executable file as the virus scanners will stop it. Why does it need to be an exe file?
Nathan: I don’t know. How can he send it to me then? Could he zip it or something?
IT Support: Zip files are allowed, sir.
Nathan: OK. Oh, one more thing. I can’t seem to see my Norton Anti-virus icon in my system tray. The last place I worked, there was a little icon.
IT Support: We run McAfee here. It’s just a different icon — the blue one.
Nathan: That explains it then. Thanks, bye.
I now know that to send an executable via email, it will have to be zipped first and be less than 5 MB. I also know that they are using McAfee anti-virus.
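The gap found in this call is that the gateway blocks .exe attachments but passes a zip without looking inside it. The following is an added example, not the post’s own tooling, of the check a mail gateway should make: it opens the archive, inspects each member’s bytes rather than its name, recurses into nested zips, and refuses to pass an encrypted member it cannot see into. The sample archive is constructed in memory and its “executable” is only an MZ header with padding.

```python
import io
import zipfile

MAX_ATTACHMENT = 5 * 1024 * 1024            # the 5 MB limit IT Support quoted
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat",
                   ".cmd", ".js", ".vbs", ".msi", ".dll"}
EXEC_MAGIC = (b"MZ", b"#!", b"\x7fELF")       # PE, script shebang, ELF

def build_sample_zip():
    """Constructed sample archive: one member with an executable extension and
    one renamed to look like a document but starting with the PE magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Security Presentation/Security Presentation.exe",
                    b"MZ" + b"\x00" * 62)
        zf.writestr("Security Presentation/slides.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("Security Presentation/readme.txt", b"open the presentation\n")
    return buf.getvalue()

def inspect_archive(data, depth=0, max_depth=3):
    """Return the list of reasons this attachment should be held; an empty
    list means nothing executable or uninspectable was found."""
    reasons = []
    if len(data) > MAX_ATTACHMENT:
        reasons.append("attachment over size limit")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                # Password-protected member: we cannot read it, so never pass it silently.
                reasons.append(f"{info.filename}: encrypted, contents not inspectable")
                continue
            name = info.filename.lower()
            head = zf.open(info).read(4)
            if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
                reasons.append(f"{info.filename}: executable extension")
            elif head.startswith(EXEC_MAGIC):
                reasons.append(f"{info.filename}: executable content despite name")
            if name.endswith(".zip") and depth < max_depth:
                nested = inspect_archive(zf.read(info), depth + 1, max_depth)
                reasons += [f"{info.filename} -> {r}" for r in nested]
    return reasons

if __name__ == "__main__":
    for reason in inspect_archive(build_sample_zip()):
        print("HOLD:", reason)
```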
Social Engineering call (6)
A few hours later, call from Emma in Human Resources.
Emma: Hi, is this Eric?
Nathan: Yes, hi.
Emma: I have the new starters list for you. Do you want me to fax it?
Nathan: Yes, please. That would be great. How many are there?
Emma: About 10 people.
Nathan: I’m not sure the fax is working properly here. Could you possibly read them out to me? I think it will be quicker.
Emma: OK. Do you have a pen?
Nathan: Yes, go ahead.
Emma: Sarah Jones, sales. Manager is Roger Weaks, ………..
Nathan: OK, thanks. You have been a real help. Bye.
I now have a list of the new starters over the last 2 weeks. I also have the departments they belong to and their manager’s name. New starters are many times more susceptible to social engineering than long-term employees.
Social Engineering call (7)
Call to main switchboard of the organisation.
Nathan: Hi, I’m trying to email Sarah Jones but am not sure what the format of your email addresses is. Do you know?
Reception: Yes, it would be email@example.com.
Social Engineering email (1)
Minutes later, a spoofed email is sent.
subject: IT Security
As a new starter to the company, you will need to be made aware of the company’s IT Security policies and procedures and specifically, the employees’ “Acceptable Use Policy”.
The purpose of this policy is to outline the acceptable use of computer equipment at target company. These rules are in place to protect the employee and target company. Inappropriate use exposes risks including virus attacks, compromise of network systems and services, and legal issues.
This policy applies to employees, contractors, consultants, temporaries, and other workers at target company, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by target company.
Someone will contact you shortly to discuss this with you.
Social Engineering call (8)
A couple of hours later, call to the main switchboard of the organisation.
Nathan: Hi, could you put me through to Sarah Jones, please?
Reception: Connecting you.
Sarah: Hello, Sales. How can I help you?
Nathan: Hi Sarah. I’m calling from IT Security to brief you on IT security best practices. You should have gotten an email about it.
Sarah: Yes, I got an email about it today.
Nathan: OK, excellent. It’s just standard procedure for all new starters and only takes about 5 minutes. How are you finding things here? Everybody being helpful?
Sarah: Yes, thanks. It’s been great. It’s a bit daunting starting somewhere new, though.
Nathan: Yes and it’s always difficult to remember everyone’s name. Has Roger introduced you around? (…… various small talk to build rapport interspersed with more trust-building.)
Nathan: …Emma Jones is very nice in HR if you need any help with that side of things.
Sarah: Yes, Emma did my HR interview for the job.
Nathan: Well, I better run through the security presentation with you. Do you have your email open? I’ll send you the security presentation now and I can talk you through it.
Sarah: OK, I see the email.
Nathan: OK, just double click on the “Security Presentation.zip” attachment.
Sarah: It has come up with winzip.
Nathan: Just click extract and double-click on “Security Presentation”
Sarah: OK. …..
The executable that she ran is, in fact, a cleverly packaged series of scripts and tools created by our wrapper program, including within it the RAT, a rootkit, keyloggers and anything else I may want to add.
When she clicks on the file, the presentation immediately starts. This is just a series of PowerPoint slides telling her not to run executables that she is sent, etc. and other good security practices 😉
The presentation is branded with all the company logos that were conveniently copied from their public web server, just to add a little more trust. A few seconds later, as she is being taken through the presentation, scripts within the package attempt to disable McAfee and any other PC security software they find that might protect the user. Then, the rootkit installs itself, hiding all future actions from the operating system or anybody doing a forensic investigation. Next, the RAT is installed and hidden. The RAT is made to start every time the machine reboots, and these actions are all rootkitted and hidden. The RAT then looks up any proxy settings and other useful information and tries to make its way out of the network and onto the Internet, ready to get its commands from its master. Obviously, all processes and TCP connections are hidden, and even running things like netstat and task manager will not reveal them.
The RAT connects to the master. I now own the PC and it’s time to start looking around and really start hacking! Job done.
Thank you for the examples. Sometimes we get writer’s block when creating scripts for phone phishing attacks during our pentesting engagements. This helped me with a few new ideas.
Amazing! Do you have more SE examples like this?
Sorry this is the only one.
Nice and clear example of how to escalate things. Textbook example, might I say. Have you written an article / is there a course which tells how to hide processes and TCP connections from user / OS / forensic investigator?
Good question. I think we have something. Ask support please.
Excellent, are you going to keep this up for a while? I’d like to use the link as a training example for some of my user education.
Yes please link.
Very informative. I had no idea it was so easy to compromise security.
No such thing as 100% security.
What RAT and rootkit did you use?
Custom so not detected by AV.
Wow! Very thorough social engineering, very well planned and executed.
Wow, this is awesome…
Aside from the training/human firewall problem, I am trying to think what would be the technical controls that would be countermeasures for this.
Let me know if these would NOT be preventing this:
[x] limited user rights for Sarah on her own computer
[x] DNS filtering for the lookup on the C&C host name (unless it’s an IP)
[x] NDR/packet capture analysis with pattern recognition AI and TCP/IP reset SOAR capability (like a Darktrace for example)
[x] application installation lock tool like ThreatLocker
[x] script execution prevention tool like Huntress
[x] a good EDR that identifies 0-day behavior of the RAT
[x] better spam filter tech and proper SPF, DKIM
[x] call recording and AI pattern recognition and automatic hang-up when score drops/certainty threshold is matched for fraud (I don’t remember a specific tool’s name, but I read about these)
Or are all of the above ineffective?
Yes all these can help. This would be defence in depth. Controls will be prevention but also detection, response and recovery.
Nothing is fool proof. So know that.
Learn about software restriction policies. What you want to do is have two zones: The first zone is where a user can save or transfer files. The second zone is where a user can execute a file from. Make sure those zones DO NOT overlap. This reduces (but does not eliminate) the risk of users downloading and executing a file. Why does it not eliminate it?
And I am a BIG fan of better spam filtering. I’ve been going through some of the spam our users are getting and I have to say: The headers on some of the e-mails are COMPELLING. Some of them are incredibly enticing to open. Spam filters won’t be 100%. But again, you can greatly reduce your potential attack surface.
Also, we are considering, but have not yet implemented, a whitelist only e-mail policy with DKIM authentication. This could have helped with the attack above. Again, nothing is perfect.
In any case, your list is a decent start. And things are continually evolving.
It is amazing just how smart hackers can be. I was amazed at the steps taken to not only gain the confidence of the people involved but also create the level of trust required to carry out such a hack.
It’s very real world. We get many calls from people who have had their bitcoin stolen by getting their phone number transferred to another phone via social engineering of the mobile provider.
Very useful topic and has a lot of valuable information thanks a lot
Nice practical article. Please also give what should be the ideal answers to be given in each call. Thanks.
Don’t trust verify. Security awareness training should include a process for verification.
Recently read it, you really did an amazing job. Can you share some more examples so that I can know more scenarios…
I’ll add that to my to-do-list.
Wow. I have so much to learn. Thank you Nathan. This really opened my eyes on how vulnerable we can be in trusting others with information & data. Please keep sending examples. These are great learning tools.
Huh, with little mastery and that simple and if you get so much information, it’s amazing how vulnerable and unprotected we are falling into this social engineering technique. All care is little, thanks for this alert. Your posts are extremely relevant.
This was really interesting!
Oh, and FYI. There is a typo in your Nathan House “About me” section at the bottom of the page (e.g., “…he has advised *some of largest companies* in the world…”). I thought you would like to know as some people/potential clients see things like that as a potential red flag as to how thorough and professional they really are. Just figured you might like to know. Take it easy, man.