Social Engineering

 

HUB Phishing is a unique service aiming to tackle common issues of Social engineering. Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

The Social Engineering Phases

Reconnaissance and Intelligence

During the Reconnaissance and Intelligence phase, the Red Team will perform information gathering and mapping of the target organisation’s footprint in the world-wide-web.
This phase includes collecting all available public information including both technical and non-technical data.
This phase can be divided into two major sections:

Passive Reconnaissance

In this phase, the Red Team will collect as much information as possible without actively scanning and probing the target.
If considered in scope, this phase may include physical reconnaissance of the organization’s facilities in order to identify potential physical entry points, and wardriving (identifying wireless access points in the range from outside the facilities).

Active Reconnaissance

During active reconnaissance, the Red Team will perform active scans, probe accessible ports to identify the services available (banner grabbing), query DNS servers, access and map web applications, and various other enumeration and fingerprinting techniques.
This phase is more detectable and “noisy” and is meant to provide more in-depth information regarding the organization’s technologies.

Attack Planning

During the attack planning phase, all information gathered in the previous step is reviewed and cross-referenced in order to identify all possible attack scenarios and execute them to gain access to the organization.
The Red Team will discuss potential social attack vectors such as spear phishing or phishing via LinkedIn.
After identifying all potential attack vectors, an attack plan is devised, and all required preparations are made to proceed to the next phase.
This phase, as well as all other phases, are highly dependent on the information-gathering phase.

Attack Execution

During this phase, the red team will execute the planned attacks and set in motion all possible social engineering or phishing campaigns in order to gain a foothold into the organisation or gain access to critical assets.