What is Social Engineering Toolkit? [Complete Guide]
A lot of people think social engineering is about lying to people to get information or deceiving them to steal something from them which is totally wrong.
Social engineering has a lot of definitions but this one is so accurate:
“The act of manipulating a person to take any action that may or may not be in the target’s best interest.”
Social engineering doesn’t have to be used for malicious intent. For example, doctors, psychologists, and therapists often use elements from social engineering to “manipulate” their patients to take actions that are good for them, whereas a con man uses elements of social engineering to convince his target to take actions that lead to a loss for them.
In the following article, we will dig more into the social engineering world talking about how to become a social engineer, techniques, attacks, and some famous examples we see in our daily life.
What is the Social Engineering Toolkit?
One of the most commonly used tools regarding social engineering attacks against the human element is the social engineering toolkit is an open-source tool containing options for attack vectors to make a believable attack quickly, it was designed for testing purposes only.
The most famous social engineering attacks are online. The attacker may clone a legitimate website and trick the victim to visit the link and enter his credentials.
The attacker will harvest his credentials and then may redirect him to the original website so he didn’t suspect that anything weird has happened.
How to Become a Social Engineer?
A social engineer can be a part of a cybersecurity team like the “red team”. Briefly, red-teaming is the activity of trying to break into a company and access its assets.
The goal of the activity is to see how much vulnerable is the organization and to test the awareness of the employees. The activity happens after a contract between the team and the company management.
Usually, a social engineer's role in such a team is to get them in by performing some techniques against some employees, security guards, or other potential factors. Also, he/she does research about the employees to see who to talk to and what to say.
To be a social engineer, there is no one clear path that can let you be, but here are some tips from people in the industry that can help you:
1- Cybersecurity Knowledge
You don’t have to be an expert but some entry-level knowledge will be helpful. As we have mentioned before, most common attacks are done online.
You should be able to think the way the criminal will think to compromise a victim by checking the vulnerabilities of the target. However, you are the good guy here! You will notify the victim to be aware of such possible attack vectors.
Also in mentality, you should be flexible in different situations. We will discuss later that a social engineer should have what is called “pretexting” which means you have prepared what to say before communicating with the target.
Sometimes things don’t go as expected so you should be able to respond to different changes that can happen out of your control.
3- Critical Thinking
As we mentioned in the Mentality point, you should be flexible in different situations. Critical thinking is what will help you at this point.
Christopher Hadnagy the CEO at Social-Engineer, LLC said about critical thinking: “Critical thinkers. Probably one of the most important aspects of being a social engineer is being able to critically think. To adapt, flex and change your methods on the fly. To be able to think outside the box, as if there is no box.”
In a social engineering career, companies usually don’t require to have a certain college degree as they know it is not necessary to the job itself.
They look for an experienced person who has a background in communicating with people from different places and situations.
Maybe participating in some civil work for a while will help you to enhance your communication skills.
There are some great books discussing social engineering science in more detail like:
What are Social Engineering Techniques?
Social engineers do their work in organized steps to reach their end goal eventually.
In the following section, we will go through the basic steps. A social engineer can have more/fewer steps depending on the target:
The basic step before any attack is to identify the target, information gathering is divided into active information gathering and passive information gathering.
The active information gathering type requires interaction with the target. For example, you will communicate with the target in person or on the phone.
For an initial step, passive information gathering is the way. Passive information gathering doesn’t require any interaction. The target won’t know a social engineer is after him.
By collecting publicly shared information like social media the attacker can know a lot of useful information that he can use in his arsenal when he launches the attack like his interests, work, family, and others.
According to the definition by the FBI, elicitation is a technique used to discreetly gather information. That is to say, elicitation is the strategic use of casual conversation to extract information from people (targets) without giving them the feeling that they are being interrogated or pressed for the information.
In this step, you are going to communicate with the target. You should consider some elements at this step:
- What is your goal?
Before communicating with the target, you should know what information you want to gain from him and what is the end goal of the conversation.
The way you start the conversation will determine whether the target will respond or not. By observing the target for a while before talking to him you can know some details about his personality and his mood. With the right words and voice tone, you can start the conversation.
Remember you are not there to talk about yourself, when you open a discussion about some topic even if it is not relevant to your goal let the other side talk and feel comfortable sharing information with you.
You don’t have to always reply with your point of view you can show you are understanding and agree with him. Eventually, if the target feels good talking, you can start the plan of extracting the information you need.
Now if you want to end the conversation it should end in a smooth way without letting the target have second thoughts about the information he had shared.
Pretexting is defined as the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. You may need to create a whole new identity and then use that identity to manipulate the target.
Social engineers can use pretexting to impersonate people in some jobs and roles in order to achieve the plan, especially the attacks are done on the phone where they can assume they are whatever they said to persuade you to leak some information.
Famous examples are the criminals who assume to be from the bank side to let you release some sensitive information that can help them steal your bank account.
4. Mind Tricks
This point goal is to let you be the controller of the conversation. You can be so if you make sure the target is comfortable talking. You can know that by noting the body language and the micro-expressions.
These things can let you know whether the target is angry, happy, or sad. Knowing the previous information will determine whether you continue your way or try to change the conversation context.
Also, it is important to share back the suitable micro-expressions with the target. This way, he will feel more comfortable keeping the conversation going on.
Persuasion can make the target not only take the action but want to take the action and maybe even thank you for it at the end. This type of influence is powerful.
Robert Cialdini in his book had categorized persuasion techniques into 6 principles:
- Authority: People tend to obey authoritative figures.
- Reciprocation: People tend to return a favor.
- Scarcity: People tend to desire what is perceived as scarce.
- Consistency: People tend to act according to their ideas and goals.
- Liking: People tend to be persuaded by people who show love for them.
- Social proof: People tend to conform to what most other people are doing.
The techniques are explained in more detail here.
What is Social Engineering Attack?
A social engineering attack targets the weakest part of the chain, the human factor. These attacks will succeed or fail depending on the targeted person.
Social engineering is a very dangerous attack vector that can cause people, companies, and others a lot of damage.
You may think it is easy to avoid it by being cautious and not talking to strangers about sensitive information. These mitigations are great but the attackers know it and design their plan to succeed at your error.
To demonstrate the point further, we can watch a scene here from Mr. Robot which shows what social engineering looks like. This is an example of an unsuccessful attack as a result of not planning the attack and the awareness of the victim.
We can see at the end Elliot says: “I might have chosen the wrong candidate.” And he did indeed.
So to minimize the possibility of being a victim of a social engineering attack:
- Be aware of all the possible attack vectors around you.
- Don’t have a long talk with strangers.
- Don’t go into a conversation that its topic can lead to leaking sensitive information.
- Don’t open emails from unknown sources.
- Don’t share your life details online.
- Don’t tell your passwords to anyone.
- Be aware of what you are revealing to strangers.
- Be aware of vishing and phishing.
And for the recent social engineering attacks related to banks, you should know that :
- Your bank won’t ask you about your PIN code.
- Your bank won’t call you to get your account number.
- Your bank won’t send you a link on SMS.
- Your bank won’t ask you to tell OTP.
And whenever you feel uncomfortable during a call with any stranger just end the call and be safe.
Types of Social Engineering Attacks
In the following section, we will go through the most famous social engineering attacks.
You should know the attacker can try to do anything to gain the information he needs from the target.
Phishing is the most famous type of social engineering attack especially if the target is a company. Phishing is usually done through emails when the target receives a mail with an attachment to download or a link to visit letting the attacker have remote access or install malware on the device.
This attack is done over the phone where the attacker assumes to be someone else so you will do some actions depending on the character he pretends to be.
An attacker calls an employee telling him he is from the technical team and he is calling to help him remove malwares, then starts telling some commands to the employee. Eventually, he can get remote access to the employee's device.
3- Baiting Attacks
Baiting attacks exploit human psychology. The attacker will trap the victim by promising an attractive offer to get just if he does something for him. This attack can be offline not just online.
The attacker tells the victim to download an application to win a big prize, and of course, the application is just a trojan for malicious activity.
4- Shoulder Surfing
Shoulder surfing is a type of social engineering technique used to get information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Unauthorized users watch the keystrokes inputted on a device or listen to sensitive information being spoken.
One of the most common ways to get physically into a company is when an attacker impersonates others.
For example, a company expects quality inspectors to visit them. If the attacker knows this information he can assume to be them and enter the company easily. Then, he can get some sensitive information that can help him during his attack later.
Examples of Social Engineering Attacks
There are an endless number of examples of social engineering attacks. We can spot the light on the most famous examples:
1- Can you print my resume, please?
A man visited a company for an interview. He said to the front-desk person:
“I have just ruined my resume by spilling coffee on it” and started to convince the front-desk person to print his resume from the USB he has.
Once the victim plugs the USB into a company device now he can spread malware into the company or get remote access to company devices.
2- Click the link to register and win the big prize!
As we have mentioned before, the attacker will search for his target and will know about his interests. If the target for example is a fan of a certain team the attacker can take advantage of that by sending a phishing mail to the victim telling him to register in the link and get the chance to attend the game in person.
And of course, at this moment the target may click the link un-consciously because he didn’t expect that, he was so happy, His emotional side blinds his rational side.
The page he would visit is a registration page indeed but will contain other hidden frames to gain the targeted information.
Learn more about cybersecurity by exploring more articles here.