Social Engineering: Manipulation

Attackers Build Credibility

To a skilled social engineer, any unprepared organization is vulnerable. It’s not hard to find information online these days. Directories, manager names, used technologies – these are all available to just about anyone and build an attacker’s credibility.

The more familiar an attacker is with how a company operates, the easier it is to gain access to more information by asking someone who works there. Attackers may name drop or refer to the inner workings of the company. Some create situations where it would be rude not to help out, and in most organizations some workers just want to be helpful, especially to other workers.

Manipulation in Steps

The key is that each attack seems harmless, but together the attacks represent a real threat to an organization. Each attack strengthens the next attack. Requests often seem legitimate like an employee asking for help, one who has misplaced, forgotten, messed up, or under-prepared.

Cursory details of an upcoming project from a receptionist (first step) might lead to more intimate details from a project worker (second step), especially if a manager’s name and working hours are found on a website. Perhaps during that manager’s off hours, a call is made to a worker claiming to be a third party contractor that the manager arranged. It just so happens this contractor shares the worker’s frustration and that it seems they’re both woefully out of the loop. What if that contractor has the worker introduce them to I.T. and an email account is created for coordination?

Hidden Target: You

It’s clear each stage may not seem dangerous in and of itself, but if an established attacker gets access to internal resources, it may not be the immediate potential for harm that is the biggest concern, but the alarming amount of credibility they now wield to perform larger attacks on more sensitive/valuable data. If a work email account requests information that sounds legitimate, especially if an organization is large enough, it might get actioned without a second thought. At what point could that data publication damage the company enough that someone in charge could reasonably be the target of blackmail?

If you have any questions about engineering more safety into your network, business, or website, please submit a ticket to ask about how we might be able to make security easy for you.