The biggest loophole in any security system will always be people. Social engineering is an extension and upgrade of information-collection techniques and an advanced means of exploiting the information gathered. Social engineering web attacks are an efficient way of exploiting this human vulnerability.
The following information-collection checklist and cases show where social engineering shines, for your reference.
Test list of Social Engineering Web Attacks
- Identity information collection
  - Name, nickname, gender found
  - Student resume discovery
  - Current mobile phone number discovery
- Relationship network combing
  - Work relationship network combing
  - Life relationship network combing
- Social information discovery
  - Discover other dating apps
- Watering hole (puddle) attack
- Phishing attack
  - Email phishing
  - Web phishing
- Password guessing
Case analysis
Just as the world-famous hacker Kevin David Mitnick remains controversial, social engineering, one of his main weapons, is also met with doubt.
It is often said that social engineering is nothing more than a “scam” method and not enough to be called a security threat. It is true that social engineering is not a technique commonly used by security workers, who usually focus on computer network technology, nor is it something every security worker covers. But regardless of its color (black or white), a cat that catches mice is a good cat.
Therefore, for unscrupulous hackers, the means that achieve their goals are the best means.
The biggest loophole in the system is always people. By extension, fortresses are often the first to be breached from within. The following cases reveal the power of social engineering techniques that use human nature to carry out attacks.
Phishing Attacks
Phishing attacks can be carried out in various ways. In this section, we analyze the types one after another, including email phishing, website phishing, and so on.
Email Phishing
When a hacker is testing an exchange, the easiest people to contact are the customer service personnel, so the staff responsible for external communication often become the primary targets of social engineering attacks that use phishing.
A researcher from the security team of Zero Hour Technology once conducted a security test on an exchange. After the basic information collection phase and a simple vulnerability test, the researcher found a TradingView DOM XSS on the exchange’s K-line chart and combined this vulnerability with phishing.
Since the domain name in the DOM XSS payload is the same as the exchange’s domain name, customer service personnel without strong security awareness easily fall into the trap.
The picture below is a phishing email constructed by the security team of Zero Hour Technology and sent to the exchange customer service staff:
When a customer service staff member opens the email and clicks the link in it, the attacker can obtain that staff member’s authenticated login session and successfully take control of the account.
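Because the link in this case sits on the exchange's own domain, a mail filter that trusts that domain will pass it. The check below is an added example, not code from the original article or from Zero Hour Technology: it reviews links to the organisation's own domain for script content or external hosts hidden in parameters and fragments. The domain `exchange.example`, the function names and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

OWN_DOMAIN = "exchange.example"  # assumption: placeholder for the organisation's domain

# Content that should never sit inside a parameter or fragment of a mailed link.
MARKUP_OR_SCRIPT = re.compile(r"(?i)<\s*[a-z!/]|javascript:|data:text/html")
NESTED_HOST = re.compile(r"(?i)(?:https?:)?//([a-z0-9.-]+)")


def is_own_host(host):
    host = host.lower().rstrip(".")
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)


def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding, a common way to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def review_link(url):
    """Return the reasons a link to our own domain needs manual review."""
    parts = urlsplit(url)
    if not is_own_host(parts.hostname or ""):
        return []  # external links are left to the usual reputation filters
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if parts.fragment:
        fields.append(("#fragment", parts.fragment))
    reasons = []
    for name, raw in fields:
        value = fully_unquote(raw)
        if MARKUP_OR_SCRIPT.search(value):
            reasons.append(f"{name}: script or markup in value")
        for match in NESTED_HOST.finditer(value):
            if not is_own_host(match.group(1)):
                reasons.append(f"{name}: points at external host {match.group(1)}")
    return reasons


# Constructed sample links, not taken from the article.
SAMPLES = [
    "https://www.exchange.example/trade/BTC_USDT?interval=15",
    "https://www.exchange.example/chart?theme=%252F%252Fcdn.other.example%252Ft.js",
    "https://www.exchange.example/chart#next=javascript%3Avoid(0)",
]
if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", review_link(link) or "no findings")
```

A finding here is a reason to hold the message for review, not proof of an attack; the underlying fix is still to patch the XSS on the site itself.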
Website Phishing
In social engineering, the two most important points in attacks against people are trust and demand.
In a test authorized by the developer of a certain manufacturer, a tester from the Zero Hour security team claimed to have discovered a website that is a Twitter mirror, accessible in China and updated in real time, and induced the victim to click through to it. The phishing website lured the victim into tentatively entering their Twitter account and password.
The picture below shows the developer’s Twitter account and password.
Identity Information Collection
It has become a very popular trend to separate work and life so that they do not intersect. For example, people keep the mobile phones, WeChat, WhatsApp, Facebook, etc. that they use at work distinct from the ones they use in their private life.
Such a trend seems to come from people in high-pressure workplaces switching environments to escape that pressure, but it is not without security considerations.
When the Zero Hour security team was authorized to conduct a sample test, it found a post-bar ID related to the company, continued to explore based on this ID, and successfully found the person’s QQ, mobile phone number, and another personal ID.
This attack was successful because the person didn’t separate work from life. Registered forum IDs and other information were also found through this weakness. In addition, the person’s password was guessed: name Pinyin initials + birth date + the character “.”. This is the basis for subsequent social engineering attacks through direct contact. (The following is part of the information.)
The following figure shows the specific information of the person.
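The guessed password above was assembled entirely from data the person had published. The following password-policy check is an added example, not part of the original article: it rejects a new password when too little of it remains after the user's own profile data is removed. The profile, the sample passwords, the function names and the six-character threshold are assumptions constructed for illustration.

```python
from datetime import date


def identity_tokens(name_pinyin, birth, account_ids=()):
    """Lower-case strings anyone can derive from a person's public profile."""
    words = name_pinyin.lower().split()
    tokens = set(words) | {"".join(words), "".join(w[0] for w in words)}
    tokens |= {a.lower() for a in account_ids}
    y, m, d = f"{birth.year:04d}", f"{birth.month:02d}", f"{birth.day:02d}"
    tokens |= {y + m + d, y[2:] + m + d, m + d + y, d + m + y, y, m + d}
    return {t for t in tokens if len(t) >= 2}


def residual(password, tokens):
    """What is left of the password once identity tokens are removed."""
    rest = password.lower()
    for token in sorted(tokens, key=lambda t: (-len(t), t)):  # longest first
        rest = rest.replace(token, "")
    return rest


def is_identity_derived(password, tokens, min_residual=6):
    """Reject when fewer than min_residual characters are not profile data."""
    return len(residual(password, tokens)) < min_residual


# Constructed profile and passwords, not taken from the article.
PROFILE = identity_tokens("zhang wei ming", date(1990, 5, 17), ["zwm_90"])
CANDIDATES = ["zwm19900517.", "Zhang0517!", "correct-horse-battery-staple"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        verdict = "reject" if is_identity_derived(pw, PROFILE) else "accept"
        print(f"{pw!r}: {verdict} (residual {residual(pw, PROFILE)!r})")
```

Run at registration or password change, a check like this stops the "initials + birth date + punctuation" pattern before it is ever stored.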
Spear Phishing (Harpoon) Attack
A trading platform was successfully hacked by a hacker team using a spear-phishing attack in March 2019. A customer service staff member opened an installation program bundled with a backdoor that a malicious user had posted in a Telegram group; the attacker then gained control of the host, intruded further through the intranet, and stole the private key.
The following picture shows the security detection of a malicious installer, which was successfully identified as a malicious program:
This attack team reduced the suspicion of victims by building and operating a real website. The following picture shows the phishing website built by the C&C server:
Conclusion
Currently, there is no special defense against social engineering attacks such as phishing and spear-phishing attacks. Strengthen staff security awareness, do not blindly open unfamiliar URLs, documents, and files, and gain a basic understanding of common vulnerabilities to avoid possible risks.