Often accompanied by annoying high frequency beeps that the human ear designates to be unfriendly (more than 5000Hz), most for sure have received such messages while browsing.
Button.onclick (“execute/install /run x”); //that had to be in layman.
X being, in most cases a ransomware or a remote administration tool (RAT) such as RootKit.
Rather, consider the one that stole the hearts of many unsuspecting 5,006 Kenyan Facebook users;
“The hacker created a website that looked aesthetically similar to Facebook and posted it on random users’ pages, inviting them to view their friends’ latest photos. Users who clicked on the link were asked to provide their log-in details afresh in order to proceed. Once they did this, their usernames and passwords were collected into a database that currently has 5,006 entries.” said William Makatiani, the managing director at Serianu. The captured log-in credentials were then used to take over a user’s social media page. They went on to solicit money from the account owner’s friends while masquerading as the real user (the victim). Owners of the compromised Facebook accounts were also contacted and informed that their accounts would be deleted if they declined to pay money — ranging between Sh5, 000 and Sh100, 000 — into different mobile money accounts. To ensure this succeeded the fraudsters posted malicious and alarming messages such as above on breached Facebook pages. Serianu estimates that victims of the attacks may have lost up to Sh50 million in the scam.
The examples above illustrates phishing in action. An attempt to acquire sensitive information or to make somebody act in desired way by masquerading as a trustworthy entity in an electronic communication medium. They are usually targeted at large groups of people. Phishing attacks can be performed over almost any channel, from physical presence of the attacker to websites, social networks or even cloud services
According to Verizon’s Data Breach Investigation Report  for 2016, phishing was involved in 9576 data breaches (916 of them having resulted in confirmed data disclosure) out of about 100000, or roughly 10% of the considered data breaches were caused by phishing. Phishing is often used as an initial attack vector and usually more elaborate technical methods are used once an initial PC inside the organization’s network has been infected by the attackers. Another interesting metric is open rate for phishing emails – per the same report, 13% of users clicked on the link or attachment in a phishing email. Combining a phishing campaign with a zero-day vulnerability (as is commonly the case with APTs, e.g. the Secure ID breach) means that all the aforementioned users will have their PCs infected. To put that in an even clearer perspective – any organization with at least 5 users with public email addresses is statistically expected (i.e. will happen with probability > 50%, assuming a Bernoulli distribution with success rate 13%) (Social engineering report by Yavor Papazov paper no. STO-EN-IST-143)
The two most common variants of phishing are below:
Spear phishing – The name is a wordplay on ‘spear fishing’, a fishing technique, where the fisherman targets the fish he wants to catch (with a spear), instead of waiting for it to catch the bait. Another possible analogy is sharpness – while standard phishing campaigns operate by using strength in numbers and sending millions of messages, spear phishing sends only a tiny fraction of the traffic and is, therefore, much harder to notice as a pattern on a large scale. A spear phishing attack is similar to normal phishing in its technical principles. The difference is, however, in the degree of information gathering done before the attack. Spear-phishing requires the attacker to first gather information on the intended victims (most probably you), but the success rate is higher than in conventional phishing. To be more precise, spear phishing is much more targeted – it involves selecting a target and tailoring the messages to the particular victim – e.g. using the actual names of employees in the “From:” field, following similar structure and tone to in-company communication, etc.
Check the below messages (trapping desperate Kenyans);
“CONGRATULATIONS! From LOTTO! You are the lucky winner of KSH100, 000. From LOTTO!! Contact (07xxxxxx947) calling hours 7:00AM to 7:00PM.DO NOT PAY ANY.”--/*poor English, full of unnecessary repetitions, were you supposed to pay ANY? But it bypassed many, in fact, I also received the same message and unsurprisingly it stole my heart-not to that extent anyway. */
“PLEASE nirudishie hiyo pesa kwa 07xxxxxxxx. I mistyped hiyo number ya mwisho.” which translates to, "PLEASE refund me that sum to 07xxxxxxxx. I mistyped the last digits." /*very convincing especially if your numbers almost look similar.*/
“DEF Enterprises, We are advertising for vacant positions in bbbb (position)...Salary is KSH.20, 000 a month. Free training is available. For more information, call 07aaaaaaaa”
Or you receive a call from a very noisy (like SpongeBob) woman, with a weeping child, claiming-“Hebu tuma hiyo pesa! mtoto wako ni mgonjwa sana! Atanikufia kwenye mkono! ...” which translates to “can you send that money, your child is very sick! He will die poorly in my hands.” If you have ‘another’ kid, you might fall for it.
Soft targeting – this type of phishing attack sits somewhere between standard phishing and spear phishing: the email messages are targeted, but not towards a certain individual or an organization, but rather towards a profession or occupation. This allows the attackers to use the ‘strength in numbers’ paradigm by sending millions of messages, while still having a higher success rate than completely generic phishing messages. Soft targeting is particularly popular, as per this time, as it is used as the main distribution vector for ransomware – the malware ‘trend’ of 2016 .
Consider the sample email below;
From: Kenya Revenue Authority
Sent: Tuesday, March 21, 2017 9:47 AM
Subject: [SPAM: #] Get your tax refund now
After the last annual calculations of your account activity we have determined that
you are eligible to receive a tax refund of Ksh.20, 000.
Please submit the tax refund request and allow us 2-6 days in order to
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here http://e-gov.kenya.ra.co.ke:84/www.kbc.gov/
Note: Deliberate wrong inputs will be prosecuted by law.
Kenya Revenue Authority.
A good citizen will surely tell this to be a fraudster. I mean, look at the link you are being sent to. If you know not the website to Kenya Revenue Authority then you will be caught by the whirlwind.
If a phishing attack is aimed at high-profile targets in enterprises, the attack is referred to as whaling.
The social approach explained
This is still the perfect style. Phishing mostly goes for fear and necessity but this; for what I call ‘inbuilt responses in you’ all. Shall we discuss the ingredients in the recipe for this meal. Elicitation is the general name for all these ingredients. In the previous article, elicitation was defined, and so here we go forth ahead.
Appealing to someone’s ego
Attacker: “Ow! I have always wanted to be a developer, I hear you teach not only your colleagues but even the Boss. That’s cool men, can I be your student?….”
Target: “Really, that is nice of you to say, who might have told you that, here I only…”
Take care of subjects of discussions with strangers. The above conversation may escalate to a point that the target shows, if not all, most of their skills. With the bring your own device (BYOD) scenarios in modern offices, the attacker will most surely get hold of the victims machine (all in the attempt to prove “knowledge is my brother, we walk together”) and use it as a free gate to the corporate’s system.
The method of appealing to someone’s ego is simplistic but effective. Take note! The engineers are usually trained not to overdo it; because they know; over-stroking someone’s ego or doing it without sincerity just turns people off. Hold that as a weapon (ensure they turn you off early enough; be a pond instead of the sea).
Expressing a Mutual Interest
Consider this mock scenario:
Attacker: “Wow, you have a background in ISO 9001 compliance databases? You should see the model we built for a reporting engine to assist with that certification. I can get you a copy.”
Target: “I would love to see that. We have been toying with the idea of adding a reporting engine to our system.”
Expressing mutual interest is an important aspect of elicitation. This particular scenario is even more powerful than appealing to someone’s ego because it extends the relationship beyond the initial conversation.
Making deliberate false statements
Delivering a false statement seems like it would backfire off the top, but it can prove to be a powerful force to be reckoned with.
Attacker: “Everybody knows that XYZ Company produced the highest selling software for this widget on earth.”
Target: “Actually, that isn’t true. (Overstuffed with ego, the target may even stand up, if they were seated. Imagine their next gesture) our company started selling a similar product in 1998, five years before the wretched XYZ showed up, and our sales records have beaten them routinely by more than 26%.”
These statements, if used effectively, can elicit a response from the target with real facts. Most people must correct wrong statements when they hear them. It’s almost as if they are challenged to prove they are correct. The desire to inform others, appear knowledgeable, and be intolerant of misstatements seems to be built into human nature.
War is ninety percent information.—Napoleon Bonaparte.
“Did you hear about Ruth? I heard she just got laid off from work (why didn’t she just say ‘sacked’? they are after setting the mood) and is having serious problems finding more work.” Of course, most of the time you will get, “Wow, I didn’t hear that. That is terrible news. I heard that Lewis is getting divorced and they are going to lose the house, too.”
As Hadnagy says it, the sad aspect of humanity is that we tend to live the saying “misery loves company”—how true it is in this case. People tend to want to share similar news. Social engineers can utilize this propensity to set the tone or mood of a conversation and build a sense of obligation. You will most surely fall for it. Study who you are talking to first.
Another powerful manipulation tool is that of assumed knowledge. If someone has knowledge of a particular situation, it’s acceptable to discuss it with them. That’s what I would assume and so would most of you. An attacker can deliberately exploit this trait by presenting information as if he is in the know and then using elicitation to build a conversation around it. He then can regurgitate the information as if it were his own and continue to build the illusion that he has intimate knowledge of this topic.
Pretexting is better defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit. Pretexting encompasses everything you would imagine that person to be. It is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Social engineers can use pretexting to impersonate people in certain jobs and roles that they never themselves have done. Below, I give the story of Mark Rifkin.
Stanley Mark Rifkin is credited with one of the biggest bank heists in American history
In October 1978, he visited Security Pacific, where bank employees easily recognized him as a computer worker. He took an elevator to the D-level, where the bank’s wire transfer room was located. A pleasant and friendly young man, he managed to talk his way into the room where the bank’s secret code-of-the-day was posted on the wall. Rifkin memorized the code and left without arousing suspicion. Soon, bank employees in the transfer room received a phone call from a man who identified himself as Mike Hansen, an employee of the bank’s international division. The man ordered a routine transfer of funds into an account at the Irving Trust Company in New York—and he provided the secret code numbers to authorize the transaction. Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred the money to the New York bank. What bank officials did not know was that the man who called himself Mike Hansen was in fact, Stanley Rifkin, and he had used the bank’s security code to rob the bank of USD $10.2 million.
The bank’s wire transfer policies seemed secure. They were authorized by a numerical code that changed daily and was only given out to authorized personnel. It was posted on a wall in a secure room that only “authorized personnel” had access to.
Direct observation techniques to get information, such as looking over someone's shoulder at their screen or keyboard. Hard to succeed it may seem, but what if spying binoculars are involved. Tense not, but they do happen. Know how you sit in your space. Carefully applying geometry, an engineer can even reflect light on your desk (on your short absence), from far away. You know what is next. “Nothing happened in my absence,” back and running.
Baiting and dumpster diving had already been discussed in the previous article. Water holing mostly is effected during phishing but here, the attackers compromise a website that is likely to be of interest to the chosen victim. The attackers then wait at the waterhole for their victim. I hope the article gave you a starter in formation into the world of social engineering. Leave a comment if you feel educated.