Sunday, July 22, 2012

Social Engineering Social Networks - How I Will Be Your Friend

Introduction

As detailed in a previous post, social engineering is a common, yet effective, tactic used by attackers that involves "manipulating a person to accomplish goals that may or may not be in the 'target's' best interest." This usually results in the attacker gaining unauthorized access to systems, areas, or information that would otherwise be unavailable. However, while it was briefly mentioned, we didn't really discuss the opportunities available to an attacker or pentester through one of the most common goldmines of information available today: social networks.

Almost everyone has one or more profiles on the major social networking sites (Facebook, Twitter, LinkedIn, Google+, or Myspace), including high-value targets for social engineering engagements (e.g. "C-level execs", presidents, VPs, etc.). These profiles contain information that can be critical to a social engineer when crafting the most effective spear-phishing email possible, obtaining answers to secret questions in order to gain access to systems, or harvesting data that can be used in further targeted attacks. In this post, we'll look at how to use our social engineering skills to methodically "befriend" employees in order to quickly gain access to specific targets.