Social Engineering and (Spear) Phishing

From Whonix


Introduction

Whonix ™ does not protect against social engineering [archive] attacks. These attacks rely on human cognitive biases and trick people into revealing passwords or other sensitive information that allows the compromise of a target system's security. [1]

Other examples of social engineering include convincing someone to send a copy of logs or other information from the Whonix-Gateway ™ or host operating system machine. In all cases, after trust has been established between the attacker and the victim, and sufficient information has been gathered, an exploit will be executed to perform harmful actions such as stealing personal or financial information, sabotaging the target's system, deanonymizing the individual, installing malware on target systems and so on. [1]

Phishing [archive] is specifically highlighted in this chapter because it is one of the most common social engineering vectors used to fraudulently obtain private information. In all cases, the phisher's modus operandi is impersonation of a genuine business or staff member in order to obtain sensitive personal or financial information from contacted people.

It is notable that social engineering attacks prey on human biases and use psychological manipulation techniques. In other words, successful exploitation does not rely solely upon technical measures that subvert the user's platform. Attacks using low-technology means are perhaps the greatest risk normal Internet users will face, and successful defense requires both awareness and a cautious mindset that can identify how to respond to potential impersonation, lies, bribes, blackmail and threats. There are a host of possible motives for a social engineering attack, but the most common are financial gain, revenge, self-interest [2] and responding to external pressure from friends, family or organized crime for the aforementioned aims. [1]

In the specific case of Whonix ™, the best tools for maintaining anonymity are the knowledge that comes from research and experience, and healthy skepticism towards scenarios that pose potential security threats.

Attack Methodology

Social Engineering Cycle

Although each social engineering attack has unique elements, researchers have identified four primary phases in the lifecycle: [1]

  • Information gathering: The attacker will gather information about the intended target(s) and related persons to build a relationship and increase the likelihood of a successful attack; for example, gathering birth dates, phone lists, personal interests, and organizational charts. Examples include:
    • Shoulder surfing to observe access codes or password/PINs entered on a keypad.
    • "Dumpster diving" to retrieve potentially useful information that has not been disposed of securely in waste systems.
    • Conducting mail-outs to gather information about individuals or organizations; for example surveys that offer prizes for completion.
    • Forensic analysis of old computer equipment like SSDs, HDDs, USB drives, DVDs/CDs or other removable media to extract relevant information about individuals or organizations.
  • Relationship development: Targets with a trusting nature are exploited so a rapport is developed with the attacker. Conversations are initiated that seem appropriate for the context.
  • Exploitation: After engaging with the target(s) for a sufficient period, trusted attackers use manipulation techniques to reveal sensitive information (like passwords) or have targets perform other actions that are abnormal, such as creating an account. This might be the end of the attack cycle or the completion of a preliminary stage.
  • Execution and disengagement: Once targets have completed tasks requested by the attacker, the cycle is complete. Attackers slowly disengage from communications to not arouse any suspicion -- many victims are unaware that an attack has taken place.

Psychological Techniques

In order to achieve exploitation, attackers rely upon one or more of the following cognitive biases related to influence: [3]

  • Authority: People will generally follow the instructions of perceived authority figures, even when the act is objectionable.
  • Intimidation: Attackers state or imply there will be negative consequences if instructions are not followed. [4]
  • Consensus: People will most often do things they see other people performing. [5]
  • Scarcity: Demand is generated by perceived scarcity; for example when an offer is stated as being for a limited time only.
  • Urgency: Similar to scarcity, attackers impress upon the target(s) that certain actions must be completed quickly.
  • Familiarity / liking: It is easier for attackers who are familiar or liked to persuade others to take certain actions.
  • Trust: Targets are more likely to perform actions if they believe the attacker is a trusted source such as "someone from IT" or a well-known company (like Microsoft).

Exploitation Vectors

The most common social engineering vectors relate to phishing attacks, which are summarized below together with related exploitation techniques.

Table: Social Engineering Exploitation Vectors [6] [1] [7]

Clone Phishing: This is a form of phishing attack (see further below) that reuses previously delivered email content containing attachments or links. An identical or cloned email is created with the same content and intended recipients, except the attachment(s) or link(s) are replaced with malicious versions. The email is then sent from a spoofed address that appears to belong to the original sender, with a message stating it is an updated version or contains additional information.

Impersonation: Attackers pretend to be another person and present a believable pretext in order to gain access to a physical building or system. [8]

Page Hijacking: Legitimate webpages are compromised, for example via cross-site scripting, so that visitors are redirected to a malicious website or exploit kit. A common method is changing a webpage to include a malicious inline frame that loads an exploit kit. This counts as social engineering because the attacker is impersonating a trusted entity.

(Spear) Phishing: Phishers fraudulently obtain private information by pretending to represent a legitimate business like a credit card company or bank. Commonly they will send emails requesting urgent verification of personal or financial information to avoid certain and dire consequences.

A common example is emails that appear legitimate -- presenting the logos and HTML content of the related business -- asking for completion of forms on a fraudulent web page that capture addresses, PINs or credit card details. Some sites might also use malicious code that installs trojan key-logging software on a target's computer. Since it is easy to create authentic-looking websites and emails are sent to a large number of people, phishers depend on a small percentage of recipients falling victim to the scam. It is now less common to rely upon files containing malicious code because most users are aware of this attack vector.

Spear phishing is a sub-category that targets specific organizations or people rather than the larger numbers targeted by bulk phishing. This requires gathering more intelligence and personal information to increase the success of the attack. Common targets are financial services departments or high-value executives with access to sensitive financial data systems. [9]

Smishing: This is a variant of phishing that relies upon SMS text messaging to convince targets to perform certain actions. Usually the message contains malicious links or requests that certain personal information be divulged, like credentials for websites or services. [10] Since URLs are often shortened on mobile browsers, it can be more difficult to identify fake websites (although the sender's telephone number may appear in an unexpected format).

Voice Phishing (Vishing): Social engineering conducted over a telephone system to access personal/financial information for financial gain. This is also used in the information gathering stage for targeted individuals or organizations.

In most cases a large number of telephone numbers are contacted and an automated recording is played using text-to-speech synthesizers. A common message is that fraudulent activity has been detected on bank accounts or credit cards, and a spoofed telephone number for the institution is provided to help "resolve" the alleged fraud, when the real intent is to access sensitive information.

Other Related Exploitation Techniques

Baiting: Attackers leave malware-infected media like CDs, DVDs and USB flash drives in locations where the intended target is likely to find them, such as parking lots, elevators and bathrooms. The intention is that curiosity or greed will lead the target to insert the media into their computer or return it to the business, particularly if it is labelled carefully, for example "Confidential" or "Company profits and losses - 2021." Once the media is inserted, malware is installed that provides access to the computer and maybe the broader internal network. [11]

Direct Approach: Attackers sometimes directly contact target individuals and ask them to complete a specific task. For example, a worker might be contacted directly and asked for their username and password to rectify a non-existent problem. This technique has a low success rate because most people are wary of unsolicited requests concerning this information.

Helpless or Important Users: In the first case, an attacker pretends they require help to gain access to relevant systems in the organization. For example, they may pretend to be a new or temporary worker and call administrative staff for "help", hoping they will receive the username and password of an active account.

In the second case, the attacker pretends to be in senior management of the organization and needs urgent system access to meet deadlines. This might include contacting administration or a Helpdesk concerning the (remote) software in use, how it is configured, telephone numbers for remote servers, and credentials for logging into the server. After initial access, attackers can then call back and ask that their account password be reset because they have "forgotten" their details.

Malicious Websites: Websites are sometimes created that are solely designed to have unwitting users disclose potentially sensitive data. For example, a website might require the user to enter a contact email and password to claim a non-existent prize in a fake competition. Attackers examine this information, which is sometimes very similar to passwords used by the target at their workplace. URL shorteners are often used to mask phishing sites that seek user credentials; for example, this is common for websites designed to look identical to Google Mail, Yahoo Mail, Facebook and others. [12]

Pretexting: Attackers very often create invented (fake) scenarios that encourage the target to divulge information or perform unusual actions. Preparatory research by the attacker will use some legitimate information such as date of birth, tax file numbers and so on to increase the success of their attempted action. If further information is obtained, like business records, banking details, telephone records and other information, this is used to justify the legitimacy of further attacker demands such as making account changes and obtaining bank account balances. Pretexting also allows attackers to impersonate co-workers or staff of financial/government institutions.

Reverse Social Engineering: The attacker entices the victim to ask them questions to solve problems the attacker actually caused; this enables further sensitive information to be obtained. This usually occurs in three stages:

  • Sabotage: attackers gain simple access and might corrupt a workstation or make it perform sub-optimally. The target user discovers the issue and seeks help for the problem.
  • Marketing: attackers leave advertising material that ensures the target calls them for help, for example business cards in the office or contact details on error messages.
  • Support: the attacker "assists" with the problem when contacted by the target. During this stage they obtain additional information and the target is not suspicious of their requests.

Tailgating: Sometimes attackers access sensitive areas that have electronic access control (like RFID cards) by walking in closely behind others with genuine access. Doors may be held open in this case, or the attacker might ask for the door to be kept open for them. In some cases the attacker will feign having lost their identification or present a fake identity token.

Technical Support Personnel: The attacker pretends to be from the organization's IT or technical team in order to gain useful information from users. For example, they may claim to be a system administrator who needs certain usernames and passwords to resolve non-existent problems. In other cases, they will keep contacting staff until they identify somebody who has already reported a technical problem and is grateful for "help" to solve their issue, which inevitably involves the attacker gaining system access or launching malware.

Watering Hole Attack: Since users trust websites they regularly visit, attackers identify the websites visited by the targeted individual(s) and search for vulnerabilities that allow code injection to infect a visitor's system with malware. Once a target is infected, this provides a stepping stone to infiltrating more secure systems the target has access to.

Countermeasures

It is difficult to fully protect against social engineering attacks because no system is immune to human elements that can undermine the security of even the most robust systems. This is evidenced by the previous success of attacks that have targeted high-level government institutions, in addition to well-known corporations and business identities.

For Whonix ™ users seeking to protect their anonymity, the simplest solution is greater education and awareness of common methods used by attackers, as well as adopting a skeptical mindset. That means in virtually all cases, users should never provide any personal or other information that can reduce their anonymity set, regardless of the forum. This includes all interactions with fellow Whonix ™ users and developers on the available infrastructure, including forums, developer portals and so on. Similarly, technical advice that is provided should be carefully scrutinized and not followed unless the user is absolutely sure that it will not harm their anonymity.

Outside of the Whonix ™ context, virtually all social engineering attacks rely on an individual's trust in the claims and assumed authority that are invented by the attacker. Unless absolutely certain, potentially sensitive information should never be disclosed and suggested actions should not be performed as they can lead to a breakdown in security systems and theft of personal or financial information.

Organizational Measures

Organizations also need to employ robust measures that reduce the likelihood of successful social engineering attacks, as well as limiting the potential harm if and when an attack occurs. This requires: [1]

  • managers implementing protective measures and understanding their role
  • security policies defining staff expectations, particularly regarding assistance offered by support teams and staff
  • strong controls that restrict physical access to facilities for any staff, contractors or visitors
  • security architecture that carefully controls outbound and inbound firewall access
  • limiting the amount of data that is available on public websites, databases, internet registries, phone lists and so on -- generic information should be preferred to limit research opportunities for attackers
  • implementing incident response strategies that ensure users have clear guidelines on procedures to be followed for different requests -- particularly methods of confirming authenticity before acting
  • educating users about security issues and providing them with tools to react appropriately
  • secure waste management procedures
  • performing periodic tests of the security framework that are unannounced

Anti-phishing

With regards to phishing, anti-phishing training can be paired with additional technical measures for protection, including: [13]

  • spam filters that reduce the number of phishing emails that reach inboxes [14]
  • taking note of browser warnings regarding possible fraudulent websites
  • adopting multi-factor authentication [archive] so stolen passwords cannot be used on their own to breach a specific system
  • redacting URLs in email messages so it is impossible to click on embedded links
  • using a smartphone as a second verification channel for all authorized banking transactions
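One way to implement the URL-redaction measure listed above, as an added example that is not part of the original page or of the Whonix project: it uses Python's standard email library to walk a constructed sample message (not a real phishing email) and replaces every link with a non-clickable form, while keeping the visible link text so the reader can compare it with the real destination. The "hxxp" and "[.]" defanging convention is an assumption; the page only says that URLs should be redacted.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real phishing email): the HTML link's visible text
# names the bank's real domain while its href points somewhere else.
SAMPLE_EMAIL = """\
From: "Example Bank" <support@example-bank.test>
Subject: Urgent: verify your account
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify within 24 hours: https://login.example-bank.test.verify-now.example/auth
--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://login.example-bank.test.verify-now.example/auth">example-bank.test</a>
within 24 hours.</p>
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def defang(url: str) -> str:
    """Make a URL non-clickable: hxxp(s) scheme and bracketed dots in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"hxx{scheme[3:]}://{host.replace('.', '[.]')}{sep}{path}"


def redact_part(text: str, is_html: bool) -> tuple[str, list[str]]:
    """Defang every link in one body part; return the new text and the URLs found."""
    found: list[str] = []

    def anchor_sub(m: re.Match) -> str:
        href, label = m.group(1), " ".join(TAG_RE.sub("", m.group(2)).split())
        found.append(href)
        # The visible label is kept so a reader can spot label/target disagreement.
        return f"[link removed: {defang(href)} (shown as: {label})]"

    def url_sub(m: re.Match) -> str:
        found.append(m.group(0))
        return defang(m.group(0))

    if is_html:  # replace anchors first, then drop the remaining tags
        text = TAG_RE.sub("", ANCHOR_RE.sub(anchor_sub, text))
    return URL_RE.sub(url_sub, text), found  # bare URLs (plain text or leftover HTML)


def redact_message(raw: str) -> tuple[str, list[str]]:
    """Build a read-only view of every text part with all links neutralised."""
    msg = message_from_string(raw, policy=policy.default)
    urls, views = [], [f"Subject: {msg['subject']}"]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body, found = redact_part(part.get_content(), part.get_content_subtype() == "html")
        urls.extend(found)
        views.append(f"--- {part.get_content_type()} ---\n{body}")
    return "\n".join(views), urls
```

Calling redact_message(SAMPLE_EMAIL) returns the redacted view together with the list of original URLs, which can be logged for later review without ever being rendered as clickable links.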

Examples

Help Welcome

Please add screenshots, texts and examples of actual social engineering / phishing attempts, with explanations of how each could have been detected as one.

See Also

Footnotes

  1. https://www.sans.org/reading-room/whitepapers/engineering/social-engineering-means-violate-computer-system-529 [archive]
  2. Such as modifying or accessing personal information or that associated with family members, friends or neighbours.
  3. https://en.wikipedia.org/wiki/Social_engineering_%28security%29#Seven_key_principles [archive]
  4. Such as a report to the senior manager.
  5. In other words they conform to what is perceived as the social standard.
  6. https://en.wikipedia.org/wiki/Social_engineering_%28security%29#Four_social_engineering_vectors [archive]
  7. https://en.wikipedia.org/wiki/Phishing [archive]
  8. For example this is used in SIM swap scam frauds.
  9. Accountancy and audit firms are common targets for this reason.
  10. For example, text messages from a supposed carrier with a malicious link stating a package is in transit.
  11. This attack is feasible because many computers auto-run media or devices that are inserted and systems may not be set up to carefully control infections.
  12. https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ [archive]
  13. https://en.wikipedia.org/wiki/Phishing#Anti-phishing [archive]
  14. Machine learning and natural language processing classifies phishing emails and rejects those with forged addresses.
