Social engineering is one of the oldest forms of human manipulation, sensitive information stealing attack, including usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging or even voice call phishing (vishing), it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. Phishing is an example of social engineering techniques being used to deceive users. When used in a wider attack context such as a Red Team attack, it may leverage the attacker's potential.
SpearIT offers social engineering services for your technical/security team or other organizational divisions, always ensuring that both executive, mid-level and technical departments gain usefull insights. Our risk-based reporting is integrated in every of our service portfolio deliverables. The objective is to exfiltrate sensitive information by combining manipulation of human factor through social interaction (email, phone, in-person) and technical exploitation of vulnerabilities.
During this phase, an operational environment is discussed and established with the help of written/verbal communication & scoping questionnaires, defining:
- Organizational cybersecurity-needs
- Which employees/departments of the organization shall be targeted and which are excluded
- Allowed types of attacks (client-side exploitation, clickjacking, information stealing)
- Testing period and timezones
- Means of communication
2. Information Gathering
Passive OSINT (Open Source Intelligence) techniques are used in combination with neutral observation actions in order to collect as much information as possible regarding the targets to be tested. The more the information, the most attack vectors can be crafted. The intelligence gathered can be of the following types:
- Leaked document and other file types by various search engines
- Leaked user accounts, emails
- Forum posts
- Social media posts
- Relation with other companies/partners/providers
3. Payload Crafting
Based on the information gained from the previous steps, the phishing payload are crafted, targeting specific employees, combining real facts regarding each target, in order to be as realistic as possible. The payload, apart from the social content, includes a type of attack, such as client-side exploits, clickjacking, cookie stealing or other stealing attack.
When the phishing campaign completes, a risk-based report is generated including an executive and technical report, success ratio and mitigation recommendations.
6. Awareness Training
SpearIT can additionally offer training services for your personnel, in order to establish or maximize the already established security awareness withing the team. The training can either target specific employees/departments or be offered in a more systematic way to your internal compliance officer/security department in order to integrate awareness to your company's security policy.