How To | Social Engineering Cyber Criminals Most Convenient Way | Complete Tutorial

Social engineering is an emerging attack in every decade. Still, social engineering is increasing day by day. There are many situations when attackers try to find out different ways to mislead their targets for gathering credentials. Every time attackers use ongoing real-time situations in social engineering attacks. Social engineering is an art of tricking end-users to enter their credentials on fake login pages or end giving their banking credentials information. Using social engineering for attackers is much easier than attacking their networks. Unless if the network poorly configured or using bad password policies. Social engineering is a very common form of cyberattacks.

Cybersecurity experts or defenders use the process of securing networks, data servers, and network devices. If one person is talking to another, one person can definitely analyze why or why not to trust another person. The same works while giving your credentials to any website, why or why not to trust any website. When users enter their credentials, they simply trusting that particular site. If we ask from any cybersecurity professional, they will always say weakest part in security is humans’ emotions. Using human emotions, hackers take advantage of and attacks their victims. From medium scale industries to large scale industries, everyone is at risk of social engineering attacks.

How does social engineering start?

Let’s go a bit in deep, there are various factors for making to trap any user in social engineering. Social engineering has different methods. As new technology emerges, attackers always try to find out methods for social engineering. But most of the time social engineering follows classic ways of finding their victims. The main objective of attackers is to believe victims into they are entering their details into the actual login webpage.

Techniques or Methods Used By Attackers

As technology is evolving, more and more users are keeping their data online rather than carrying on their devices. For accessing data, they need the internet. Due to the high usage of the internet, more and more public networks are creating nowadays. Using public networks can put your privacy into risk. There might be some attackers sitting around you and monitoring your online activities on public networks using session hijacking techniques. It might take some time for attackers to setup session hijacking methods but after setting up it can cause real harm users on public networks. Apart from public networks, Social networking platforms is another reason where an attacker can gather information about their victims. Facebook, Instagram, Snapchat, Tiktok, and the last social media platform for working professionals can be used to gather information. Social media popularity on which every user wants to get popular. And for promoting their platforms such — social media platforms offer various easy methods for getting popular to increase their user base.

Social Engineering Methods From Attacker’s Perspective

Types of Social Engineering

Automation Calls (Voice Phishing)

Automation Call (Voice Phishing)

Automation calls which are very commonly used by many companies in order to serve their consumers. There are many firms that use automation call procedures which are used for verification as well as for OTP(One Time Password). Still, many network operators follow the automation call approach for other verification. It is mostly used by attackers also for gathering the credentials of their victims. Cybercriminals use the same method that companies uses for gathering authentication.

Vishing can be in many forms. As different automation methods come with different techniques. These are many growing cases that have come up in which attackers have used vishing to gather details. Vishing is done by using an automation call where a recorded voice is used for conformation or any credential information. Many experts stated that vishing will become the modern-day of social engineering. Because many end users are not aware of such an attack.

Below you can check out demonstration that how attackers uses automation call techniques for asking important credentials or asking any unique identification number.

Automation Call Phishing

Above scenario shows that attackers uses automation voice methods for getting credentials of their victims. Most of the banks have already stated that banks never ask for account number, login ids or passwords.

This small demonstration shows that how attackers can use automation calls (voice phishing) method to steal your credentials. Such calls always tries to gather details by using guessing techniques or you can say bruteforce. A method uses all letters or numbers to grap information about their victims.

Make sure that you do not give any personal details or any login credentials. You may loose your hard earned money. None of the companies or any organizations calls and ask for banking id, password or any other details.

Fake Mail

Fake Mail

Receiving fake mails is a widely used social engineering attack. This attack is widely used by many attackers or hackers across different countries. Still, in 2020 this attack is active and many victims fall into the trap by attackers. The method is simple, the attacker sends the crafted malicious mail to their victims by using simple methods related to their banks, or social media accounts. The attacker sends malicious webpages that look very authenticate to victims. Attackers use original webpage source code for creating a malicious webpage and small scripts. Below you can see how attackers use such social engineering procedures. There are many tools available online used for sending fake emails. We will show you go phish, the most widely used tool for sending fake emails.

Go-phish is a popular phishing tool, designed to test social engineering, that how users are aware of social engineering attacks. Go-phish makes real social engineering attacks simple. So penetration testers can test the local networks. Many corporate/ organizations use go-phish. As the name speaks itself, Go-phish is completely designed in the GO language.

Go phish is used by many organizations to find out the weakest link which could expose to social engineering attack. Download go-phish

For testing we have go-phish used on Windows 10 professional version 1909 (OS Build 18363.592)

Download go-phish and extract the file. After extracting file, open config.json and enter the ip address — 0.0.0.0:80

Gophish-Config

After configuring the json file . Go back to cmd , go to directory where you have extracted gophish. Here we extracted in another disk. In cmd, type E:

Then type cd E:\Installations\gophish-v0.9.0-windows-64bit. type dir

Gophish-Directory

Type gophish.exe

Gophish

Copy the default ip address and paste in web browser as shown below. Paste http://127.0.0.1:3333

Gophish

For testing on mail server , we have used gmail . Go to gmail.com sign in with your testing account . Here we have to enable less secure app access . Go to manage account .

(Note — Due to security reasons, email id is hidden because in initial testing, gophish is used on personal email ids.)

Manage Account

Go to security and enable less secure app access.

ess Secure App Access

This will allow gophish to receive in inbox. As gmail continuously checks for spam mails and does not allow gophish.

(Disclaimer —Only those users will receive email from gophish who has enabled less secure app access in their gmail inbox account as simple mail. If the users has disabled less secure app it will show as dangerous email. Gophish can also run on third party mail servers.)

Mostly attackers target third party mail servers in public wifi network. Many companies uses their own mail servers. In production companies there are many sensitive data which needs to transfer that’s why companies don’t implement strict security policies for their mail servers.

Gophish tools can also be used by attackers/ spammers to spread their malicious data in public wifi network.

Now return back to gophish page and configure four components -

Sending Profiles

Landing Page

Email Templates

User and Groups

And then last we will setup campaigns for initializing gophish.

Start with “ Sending Profile ”. Click on sending profile and enter the email,password as shown below, email host. Make sure to enter correct username and password.

Sending Profile

After the entering the required details, click on “ Send Test Mail ”. You will see test mail has sent successfully.

Send Test Mail

After sending mail, go to email id and check inbox if gophish is configure.

Gmail Test_Mail

Above mail shows that gophish has been configured on this email id.

Then click on “ Landing Page ” Here enter the URL where you want to send your victim after clicking on crafted link. Click on import site, enter the site here we have entered gmail login. Copy below link to import site.

Check on capture submitted data, captured passwords and enter “ https://accounts.google.com/signin/v2/identifier?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1&flowName=GlifWebSignIn&flowEntry=ServiceLoginhttps://accounts.google.com/signin/v2/identifier?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin “ in redirect webpage. Click on save page .

Landing Page

Then click on “ Email Template ”. You can use any email template which will received to victim. So for testing purposes we will use spam mail template.

We will use spam email template from another gmail account. Go to email, click on option mark on right hand side. Then go to show original .

Another Gmail Account

Click on copy to clipboard and paste into import email .

Copy To Clipboard

Paste the mail header in email template.

Import Mail

Then click on save template .

In “ Users and Groups ” enter user and group name. We have to enter victim first name, last name and email address. Then click on Add .

Users And Groups

Click on save changes .

After completing above steps, configure campaign and start campaign. Enter name, select email template, sending profile, enter URL (Depending how you setup gophish, we setup in internal network. We have used localhost type http://localhost/) , select sending profile, select Groups.

Configure_Campaign

And then click on launch campaign .

Campaign Email_sent

After launching campaign , email sent to the victim email address . Below check out victim email inbox, and we can see email has received using gophish.

Continue reading here:

https://medium.com/relatesec/social-engineering-cyber-criminals-most-convenient-way-901113253f54

6 Likes