The Social Engineer's Playbook, by Jeremiah Talamantes (Page 8)
1). Open the attached PDF file for a detailed summary of each suspicious transaction.
2). Review each suspicious transaction shown along with the merchant, date and transaction amount.
3). Validate any transactions as suspicious or unknown to the best of your ability. Denote all/any charges you wish to dispute.
Your information is very important to us. We appreciate your cooperation. A representative will be contacting you shortly regarding this matter. Please reference incident number: FRDR-2039423990
7. Send email to target
8. Monitor for results and wait for target to connect.
IRS Audit Notice

Objective: To assess the target’s adherence to policy forbidding the opening of file attachments within email.

Description: The objective is to get the target to open a malicious file that will open a reverse shell payload to your listening server.

Prerequisites:
•Knowledge of the target email address

Tools & Equipment:
•SMTP relay server
•Social Engineer Toolkit (SET)
•Metasploit Framework
•Internet facing server for reverse shell listening connectivity

Play:
1. Launch SET, select Social Engineering Attacks -> Spear-Phishing Attack Vector -> then select Perform a Mass Email Attack
2. Select Adobe PDF Embedded EXE Social Engineering and opt for the built-in BLANK PDF, then select the Windows Reverse TCP Shell
3. Enter your IP address for the payload listener and the listening port (443)
4. Use the following FROM address: [email protected]
5. Use the email subject: Selected for IRS Audit
6. Use the following pretext content:
Why are you receiving this notice?
The tax information we have on file does not match the entries for [year]. A significant discrepancy has been discovered requiring your immediate cooperation.
What steps should you take?
In order to comply with this audit notice, you must carry out the following steps:
1). Open the attached PDF file for more information regarding the tax discrepancy matter.
2). Print the document and keep for your records.
A representative will be contacting you within five (5) business days.
7. Send email to target
8. Monitor for results and wait for target to connect.
Get Your Updates Here

Objective: To assess the target’s adherence to policy against visiting unknown web sites. The objective is to get the target to visit a web site that is designed to “backdoor” their browser and potentially allow for various levels of system compromise.

Description: In this pretext, the social engineer is pretending (spoofing) to be a technical support person from the target’s IT department or IT service provider. The objective is to entice targets to visit a malicious web site in order to “register” their computer to receive automatic security updates.
For obvious reasons, the company’s IT resources should not be included in the email recipient list. Rather, this pretext should be directed at less-technically savvy individuals who are more likely to fall victim.

Prerequisites:
•Knowledge of the target email address
•Knowledge of the target’s email signature

Tools & Equipment:
•Kali Linux (Highly recommended)
•BeEF – Browser Exploitation Framework (preinstalled in Kali Linux, or http://beefproject.com/)
•Phony website purporting to be a SaaS security update delivery organization (see: http://www.securityupdatedelivery.com/)
•See here for cheap web site templates: https://creativemarket.com/templates/websites
•A convincing domain name
•A web host provider

Play:
1. Invent a name for the phony SaaS security company
2. Register a domain name for your phony company. Optionally, you may elect to make the domain name a “private” registration.
3. Procure a web-hosting provider (e.g.: Dreamhost) if you do not already have one.
4. Become acquainted with BeEF: https://www.youtube.com/user/TheBeefproject
5. Install BeEF on an externally facing web server. Or, use the BeEF that comes preinstalled on Kali Linux (recommended).
6. Use the following FROM address: spoofedemail@[targetdomainname]
7. Use or adapt the following email subject: Action Required: Security Update Registration
8. Adapt the following email pretext to your liking:
All,
To help better secure our company computers, we will begin using a service designed to download and install security updates on our systems automatically.
Please click the link below and register your computer for updates by entering your name and email address on this site.
Visit this website: [yourphonycompanydomainname]
Thanks, [spoofed IT individual]
[spoofed IT individual’s email signature]
9. Send email to target
10. Monitor the BeEF console for results and wait for target to connect.
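The email pretexts above share two observable traits on the receiving side: a From header that claims an internal (or otherwise trusted) domain while the message did not authenticate as coming from it, and a link or attachment pointing somewhere the organisation does not sanction. The following is an added defensive example written for this page, not code from the book or from any tool it names: a mail-gateway style screen that parses a raw RFC 822 message, flags an internal-domain sender whose Authentication-Results header lacks an SPF pass, and flags every link whose host is outside an allowlist. INTERNAL_DOMAIN, ALLOWED_LINK_HOSTS and both messages are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for the protected organisation (hypothetical, not from the book).
INTERNAL_DOMAIN = "example.com"
ALLOWED_LINK_HOSTS = {"example.com", "intranet.example.com"}

# Constructed sample modelled on the "Get Your Updates Here" pretext: the From header
# claims the internal domain, SPF failed at the border MTA, and the body links to an
# unsanctioned "update registration" host. Not a real captured message.
SAMPLE_MESSAGE = """\
Received: from relay.outside-host.example ([203.0.113.10]) by mx.example.com with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=outside-host.example; dkim=none
From: IT Support <it-support@example.com>
To: staff@example.com
Subject: Action Required: Security Update Registration
Content-Type: text/plain; charset=utf-8

All,
Please register your computer for automatic security updates:
Visit this website: http://securityupdatedelivery.example/register
Thanks, IT Support
"""

# Constructed legitimate counterpart: SPF passes and the link stays on a sanctioned host.
CLEAN_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: IT Support <it-support@example.com>
To: staff@example.com
Subject: Patch window this Friday
Content-Type: text/plain; charset=utf-8

Details are on https://intranet.example.com/patching as usual.
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def message_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def screen_message(raw):
    """Return a sorted list of finding tags for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = set()

    # 1. Internal From domain on a message that did not authenticate as internal.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    if from_domain == INTERNAL_DOMAIN and not spf_pass:
        findings.add("spoofed-internal-sender")

    # 2. Links that leave the sanctioned set of hosts.
    for link in URL_RE.findall(message_body(msg)):
        host = (urlparse(link).hostname or "").lower()
        if host not in ALLOWED_LINK_HOSTS:
            findings.add("external-link:" + host)

    return sorted(findings)


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, screen_message(raw) or ["no findings"])
```

The SPF test relies on the border MTA writing an Authentication-Results header it trusts; in production the check should also verify the authserv-id so an attacker cannot simply include a forged `spf=pass` header of their own, and DMARC alignment is the more complete version of the same test.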
Company Re-Org

Objective: To assess the target’s adherence to policy forbidding the opening of file attachments within email. The objective is to get the target to open a malicious file that will open a reverse shell payload to your listening server.

Description: In this pretext, the social engineer is pretending (spoofing) to be a human resources person from the company’s administration department. The goal behind this pretext is to entice targets to open an email attachment in order to be briefed on a “significant” company re-organization.
For optimum results, the company’s human resources staff should not be included in the email recipient list.

Prerequisites:
•Knowledge of the target email address
•Knowledge of one or more executive or management individuals

Tools & Equipment:
•SMTP relay server
•Social Engineer Toolkit (SET)
•Metasploit Framework
•Internet facing server for reverse shell listening connectivity

Play:
1. Launch SET, select Social Engineering Attacks -> Spear-Phishing Attack Vector -> then select Perform a Mass Email Attack
2. Select Adobe PDF Embedded EXE Social Engineering and opt for the built-in BLANK PDF, then select the Windows Reverse TCP Shell
3. Enter your IP address for the payload listener and the listening port (443)
4. Use the following FROM address: HR@[targetdomain.com]
5. Use the email subject: Company-wide Reorganization
6. Use the following email content:
[Company name] has experienced significant change in recent months. In an effort to meet the demands of our industry, we must respond and adapt accordingly.
As of [date] we will initiate a company-wide reorganization of all groups/departments. In certain situations, this may result in the consolidation of certain departments. In other scenarios, some groups/departments may be transitioned.
For more information regarding this initiative, please refer to the details outlined in the attached file.
7. Send email to targets
8. Monitor for results and wait for target to connect.
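Both attachment plays (IRS Audit Notice and Company Re-Org) depend on a PDF that carries an embedded executable and a way to trigger it when the document is opened. The following is an added defensive example written for this page, not code from the book or from SET: a first-pass scanner that resolves `#xx` escapes inside PDF names and then counts the name tokens an attachment gateway should care about (`/EmbeddedFile`, `/FileAttachment`, `/Launch`, `/JavaScript`, `/OpenAction`, `/AA`), returning a quarantine/review/clean verdict. The two sample PDFs are constructed inline and are not output of any real tool.

```python
import re

# Constructed minimal PDFs for demonstration; neither is output of SET or any other tool.
# SUSPICIOUS_PDF carries an embedded file, a file-attachment annotation and an
# OpenAction that launches the attachment: the shape an "embedded EXE" lure takes.
SUSPICIOUS_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /FileAttachment /FS << /Type /Filespec /F (update.exe) /EF << /F 6 0 R >> >> >> endobj
5 0 obj << /Type /Action /S /Launch /F (update.exe) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign counterpart: one empty page, no actions, no attachments.
BENIGN_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 0 >> stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name tokens worth flagging in an email attachment, and the finding tag each maps to.
RISKY_NAMES = {
    b"/EmbeddedFile": "embedded-file",
    b"/FileAttachment": "file-attachment",
    b"/Launch": "launch-action",
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/OpenAction": "open-action",
    b"/AA": "additional-actions",
}


def normalize_names(data):
    """Resolve #xx hex escapes inside PDF names (e.g. /L#61unch -> /Launch) so they cannot hide a token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Count risky name tokens in raw PDF bytes; returns {tag: count}."""
    data = normalize_names(data)
    counts = {}
    for name, tag in RISKY_NAMES.items():
        # A name ends at the first non-regular character; the lookahead stops /JS matching /JSX etc.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data))
        if n:
            counts[tag] = counts.get(tag, 0) + n
    return counts


def verdict(counts):
    """quarantine: a payload plus a way to run it; review: any risky token; clean: none."""
    carries_payload = "embedded-file" in counts or "file-attachment" in counts
    can_trigger = any(t in counts for t in ("launch-action", "open-action", "javascript", "additional-actions"))
    if carries_payload and can_trigger:
        return "quarantine"
    if counts:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        found = scan_pdf(pdf)
        print(label, verdict(found), found)
```

This is a raw-byte triage pass: a PDF 1.5 file may place its objects inside FlateDecode-compressed object streams, where these names are invisible to a byte scan, so a gateway should inflate streams (or hand the file to a full PDF parser) before trusting a "clean" result.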
Telephone
Telephone is a social engineering attack conducted over the telephone in an effort to get the target to divulge information or persuade them into performing an action. According to statistics, those outside of the United States perform this type of social engineering often. It is certainly one of the most widely used forms of social engineering.
The Forgetful User

Objective: To assess the target’s susceptibility toward performing privileged actions without properly authenticating the user or divulging confidential information.

Description: This is a classic social engineering pretext. In this maneuver, the social engineer telephones the organization’s user Help Desk while purporting to be a legitimate user. The pretext is that the user has forgotten his/her network password or VPN password and needs it to be changed to something of the social engineer’s choosing.

Prerequisites:
•Most effective on a mid-sized to large organization where Help Desk personnel are not likely to have a personal rapport with all staff members
•Knowledge of legitimate user details (name, email address, title, department, gender)
•Knowledge of the name of at least one company executive
•Do not select a manager, executive or ranking user for this pretext
•Knowledge of target Help Desk telephone number

Tools & Equipment:
•Mobile phone with SpoofCard application

Play:
1. Launch SpoofCard app or mechanism with similar functionality
2. Use the voice change feature and select a gender appropriate voice or simply alter your natural voice
3. Configure spoofed phone number and dial the Help Desk number
4. Be sure to place the call using phony background noise (outside, airport) or place the call outside near busy traffic.
5. Relay the pretext to the target
6. Play your character out to be a non-technically savvy person. Speak slowly and ask the target to repeat him/herself often. Do this especially in situations where the target attempts to authenticate who you are. Exacerbate by faking a bad phone connection. This will press on the target’s patience.
7. Create a sense of urgency. Indicate that an important email or file needs to be sent in the next few minutes and the password needs to be reset immediately.
8. Increase the level of urgency by indicating that [company executive] needs this information sent immediately.
Sleight of Hand

Objective: To assess the target’s susceptibility toward performing privileged actions without properly authenticating the user or divulging confidential information. This is an adaptation of a classic telephone pretext. The premise for this pretext involves the social engineer masquerading as a company IT resource. The social engineer telephones the target asking him/her to visit a website in order to add their computer to the new Windows domain that’s currently being built. Meanwhile, the social engineer’s actual objective is to capture the target’s network username and password.

Description: Nowadays, users are trained not to give out passwords, even to their own IT staff. So instead of asking for their password outright, which could raise suspicion, the social engineer asks the target to visit a “registration” website where he/she must enter their current username and password in order to be added to the new Windows domain. Behind the scenes, the “registration” website is actually a phony SaaS company whereby any data entered (e.g.: credentials) are captured and saved.

Prerequisites:
•Most effective on a mid-sized to large organization where Help Desk personnel are not likely to have a personal rapport with all staff members
•Knowledge of legitimate user details (name, email address, title, department)
•Do not select a manager, executive or ranking user for this pretext
•Knowledge of target Help Desk or IT resource telephone number

Tools & Equipment:
•Mobile phone with SpoofCard application
•Phony website purporting to be a website where the user must register their computer to be added to the new Windows domain
•See here for cheap web site templates: https://creativemarket.com/templates/websites
•A convincing domain name for the website
•A web host provider

Play:
1. Invent a name for the phony site
2. Register a domain name for your phony website. Optionally, you may elect to make the domain name a “private” registration.
3. Procure a web-hosting provider (e.g.: Dreamhost) if you do not already have one.
4. Upload the web site template to the hosting provider. Ensure there is an HTML form with functionality present to capture the user’s credentials.
5. Launch SpoofCard app or other mechanism with similar functionality
6. Use the voice change feature and select a gender appropriate voice or simply alter your natural voice
7. Configure spoofed phone number and the target number
8. Be sure to place the call using phony office background noise. This may be helpful: https://www.youtube.com/watch?v=D7ZZp8XuUTE
9. Telephone the target. Adapt this sample pretext to better fit your target:
“Hello, [target name], my name is [IT staff name] and we are calling everyone to help coordinate a new IT project. We will be using a service by [phony SaaS] to help us migrate our users to a brand new Windows domain. Before we can begin the migration, we need to have all of our users go to register their systems first. So, I just need you to complete a couple of quick steps.
Open your browser and go to [phony SaaS website]. Please fill out the form to register your computer.”
10. It is recommended that calls to the targets be placed just before the lunch hour or during busy periods. This increases the odds for compliance. An unusual request like this may be buried between the tasks they have going on at the time and simply be forgotten about later. It provides less time for the target to stop and question their management about the legitimacy of the request. Lastly, targets will likely want to complete the request quickly in order to go to lunch or move on with their other tasks.
Financial Foray

Objective: To assess the target’s susceptibility toward performing privileged actions without properly authenticating the user or divulging confidential information. In this maneuver, the social engineer telephones the organization’s financial department while purporting to be a representative from their banking institution. The goal is to gather sensitive financial information from the target regarding the target company. The type of information sought out should be adapted to fit your pretext.

Description: For the purposes of this pretext, the objective is to obtain at least one of the organization’s bank account numbers. Again, in order to be valuable, the type of information sought out should be adapted to fit your particular pretext. To effectively carry out this pretext, we should first identify at least one of the organization’s banking institutions. Alternatively, a social engineer could assume one of the big name banks by guessing. However, this is recommended only as a last resort.
Identifying which bank the target banks with can be accomplished through dumpster diving and through other information gathering means.
Additionally, the target will automatically expect the bank representative (social engineer) to already know some privileged information about them. To substantiate this illusion and to preempt any suspicion by the target, the social engineer should have as much company specific information as possible.
For the purposes of this pretext, we will use the organization’s IRS Employer Tax ID and their business filing information with their state. This information is public, but can be used to substantiate the illusion of authority and of already having privileged information. This information should be used by the social engineer very early in the phone call in order to thwart any suspicion on behalf of the target.

Prerequisites:
•Knowledge of the target organization’s banking institution (Recommended)
•Knowledge of the name of at least one finance/account contact at the target organization

Tools & Equipment:
•Mobile phone with SpoofCard application
•The Federal EDGAR system: https://searchwww.sec.gov/EDGARFSClient/jsp/EDGAR_MainAccess.jsp
•The organization’s secretary of state business filings search. Such as: http://mblsportal.sos.state.mn.us/Business/Search

Play:
1. Launch SpoofCard app or mechanism with similar functionality
2. Use the voice change feature to alter your natural voice
3. Configure spoofed phone number and dial the financial/accounting target’s number
4. Be sure to place the call using phony office background noise. This may be helpful: https://www.youtube.com/watch?v=D7ZZp8XuUTE
5. Telephone the target and adapt this sample pretext to better fit your scenario:
“Hello, my name is [fake name] from [organization’s bank]. The reason for my call is to validate some information we have in our system in order to resolve a minor issue. The Federal ID we have in the system for [target organization] is [state ID], business type of [i.e.: LLC, S-Corp, etc.] with the mailing address of [address]. Now, my system shows an account number ending in 1000, but has been flagged as invalidated. Could you give me the account number you have associated with [organization’s bank] so that I can verify this information and resolve the issue?”