Social Engineering

HUB Phishing is a unique service aiming to tackle common issues of social engineering. Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

The Social Engineering Phases

Reconnaissance and Intelligence

During the Reconnaissance and Intelligence phase, the Red Team will gather information and map the target organization’s footprint worldwide. This phase includes collecting all available public information, including technical and non-technical data.

This phase can be divided into two major sections:

I. Passive Reconnaissance

In this phase, the Red Team will collect as much information as possible without actively scanning and probing the target.

If considered in scope, this phase may include physical reconnaissance of the organization’s facilities to identify potential physical entry points, as well as wardriving (identifying wireless access points in range from outside the facilities).

II. Active Reconnaissance

During active reconnaissance, the Red Team will perform active scans, probe accessible ports to identify the services available (banner grabbing), query DNS servers, access and map web applications, and various other enumeration and fingerprinting techniques.

This phase is more detectable and “noisy” and is meant to provide more in-depth information regarding the organization’s technologies.

Attack Planning

During the attack planning phase, all information gathered in the previous step is reviewed and cross-referenced to identify all possible attack scenarios and execute them to gain access to the organization.

The Red Team will discuss potential social attack vectors such as spear phishing or phishing via LinkedIn.

After identifying all potential attack vectors, an attack plan is devised, and all required preparations are made to proceed to the next phase. This phase, like all other phases, is highly dependent on the information-gathering phase.

Attack Execution

During this phase, the Red Team will execute the planned attacks and set in motion all possible social engineering or phishing campaigns in order to gain a foothold in the organization or gain access to critical assets.

Possible types of attacks

  1. Email Phishing – Sending emails to a broad group of people, assuming that at least several of them will open and run the attachment or give their credentials to a rogue website.
  2. Spear Phishing – Targeted at specific groups of people, such as system administrators, financial representatives, and more.
  3. Whaling – A very targeted attack against a person, which includes several interactions with the person on different channels to reveal information and use it in other communication to gain trust.
  4. Angler Phishing – Use of social media marketing campaigns to make people take action.
  5. Vishing – Voice phishing: calling people to get them to reveal confidential information, which is then used afterward. Commonly used to bypass a One Time Password (OTP).
  6. Smishing – Sending SMS messages to make a victim visit a website with malicious content.