When we hear social engineering, we immediately think phishing. Those of us in the industry may also think about vishing, dumpster diving, or the SECTF held at DEFCON and DerbyCon. Whether you are technically inclined or not, you are probably familiar with the "Nigerian Prince" or "419" schemes. You have probably received a convincing or near-convincing phishing email claiming to be "Deltaa" or "App1e" or "Arnazon." This article aims to educate you about other social engineering attack vectors.

Spear Phishing

This is a tactic that goes beyond the basic phish. Instead of a mass blasting, the attacker will craft the email to target a specific person or group of people. The email may be well informed with laser precision, which may include the attacker collecting Open Source Intelligence (OSINT) on the target person or people.

They may use this information to build rapport for the engagement (especially if it is a long-term engagement, think nation-states or APTs) or get the initial fear factor or attention grabber quickly. Depending on the scope and the target, they may attempt to deliver a malicious payload or collect information (such as a password) or provide information to pivot to someone else, such as a more privileged user or an executive (who would be targeted in a "Whaling" attack).

Vishing

Most of us have received a phone call soliciting information about us or our employer. I have received numerous calls from "The Microsofts" telling me about the malware infecting their servers. To be honest, I get multiple calls daily from "Card Services" offering to "lower my interest rate."

I give them a fake credit card number (meaning one that will never pass Luhn's algorithm for a valid card number) that you may use 4867 5309 9035 7684 (Notice numbers 2-8). One person on the other end of the line didn't find my response funny and threatened to have me called daily. He lives up to his promise 365 days of the year.

Anyway, these calls attempt to get your personal information, credentials, or other sensitive information. They do occasionally attempt to get you to perform an action for them. The best defenses for these attacks are using apps like RoboKiller or if you find yourself answering, come up with an urgent call or meeting and offer to call them back in a few minutes. If they are spoofing a number as most of them do, you will get pushback. Also, do a search for the phone number on your favorite search engine or using a myriad of OSINT tools.

Pretexting

This is akin to "getting into character." It is also along the lines of impersonation. This could be someone who claims to be a store employee and seeks to help you (and themselves to your wallet). It could be a nice person in a "Waste Management" truck and a dark green polo who says there is a problem with your dumpster. Note: the white pickup truck is rented with a magnet on the side. This person will go "inspect" the dumpster and help themselves to a couple of bags of trash to do "TRASHINT" (h/t to Tess Schrodinger).

The moral of the story is to be wary of people. Demand proof. If you do not feel comfortable with what someone is asking, ask for someone else. Do not be afraid to abandon the situation within reason. You do not have to be rude, but be stern. In my experience as a social engineer, being polite gets you further than being rude. There is no reason to not put the shoe on the other foot.

In conclusion, phishing and social engineering are mainstays. Being aware of the tactics and methods used and applying them to our everyday lives is the key to defense. We live in an era where we must trust very little information and fewer people. Not everyone has our best interests in mind.