
Social Engineering

Social engineering is the art of manipulating genuine users into revealing confidential information that can be used to gain unauthorized access to their computer systems. Are you investing in your staff training to prevent this?


Overview

Social engineering is a form of deception used by a threat actor to gain unauthorised access to buildings, systems, or data. It works by exploiting human psychology rather than by breaking in or using technical hacking techniques. The information social engineers seek varies, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will expose your passwords and bank information and give them control over your computer.

UK businesses are still not taking the threat of social engineering seriously. Considering how reliant we are becoming on technology, it is essential to protect that technology from malicious attacks. The danger of social engineering is that it targets the individuals in a business and preys on human error. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.

Serious Consequences

The ultimate objective of social engineering is to coerce someone into providing information that leads to ill-gotten gains; anything is possible. Effective social engineers can obtain the following information:

  • User passwords.
  • Security badges or keys to the building and even to the computer room.
  • Intellectual property such as design specifications, source code, and other research-and-development documentation.
  • Confidential financial reports.
  • Private and confidential employee information.
  • Personally identifiable information (PII) such as health records and credit card information.
  • Customer lists and sales prospects.

If any of the above information is leaked, financial losses, lowered employee morale, decreased customer loyalty, reputation damage and even legal and regulatory compliance issues are possible.

Methodology

Reporting

The assessment-execution phase is followed by analysis and reporting. Defendza analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address both business and technical audiences, with supporting raw data and mitigation measures at strategic and tactical levels.

Email Harvesting

Email addresses for the target domains are harvested from the internet using custom scripts.

Based on the organisation's email naming convention, personnel names found in online sources are used to construct likely email addresses. This is one of the techniques used as a preparatory step for phishing campaigns.

Staff Credentials Abuse

Organisation Analysis

In this phase, we obtain details about the organisation and its staff using various online sources. This includes (but is not limited to):

  • Use of multiple search engines and data sources such as Censys, Shodan, Google, the Wayback Machine, archives and cached search results.
  • Job postings on the corporate website as well as on job networks.
  • Infrastructure reconnaissance: information such as network blocks, infrastructure components, websites, networks and DNS is collected from online sources.
  • WHOIS and domain search results, such as registrant information and domain squatting.
  • Review of threat intelligence feeds related to the network blocks obtained.
  • Web archives (e.g. the Wayback Machine) to obtain data posted in the past on the corporate website.
  • Data from past compromises and postings on Pastebin and GitHub.

Staff details

From email addresses and social media websites such as LinkedIn, details about the staff are obtained. These include:

  • Employee full names, job roles, and the software they use.
  • Details about personal and corporate blogs.
  • All social networks used by the target user or company.
  • Employee email addresses, telephone extension and mobile number details, and personal interests from social media sites such as Instagram and Twitter.

Vishing (Voice Phishing)

Vishing is phishing conducted over the phone. The phisher calls an unsuspecting victim pretending to be an employee of a supplier, a support helpdesk or even the bank, in order to collect personal information.

Smishing (SMS Phishing)

Unlike email phishing, the attack vector for smishing is a phone number. The phisher pretends to act on behalf of a trusted or legitimate company and sends an SMS to the unsuspecting victim. The message gives a genuine-sounding reason that needs immediate attention, for example announcing that the recipient has won a prize or inviting them to take part in a raffle or contest.

Email Phishing

Email phishing is one of the easiest types of phishing and is used to trick unsuspecting users into giving away information without realising it. This phishing can be launched in several different ways:

  • Sending an email from a familiar name, such as a well-known support desk used by the company or one of its vendors.
  • Sending an email impersonating the recipient's superiors and requesting an immediate response containing sensitive data. Simply seeing the superior's name and the urgency of the request may lead some users to click on the link.
  • Impersonating the identity of an organisation and asking employees to share internal data.
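The three impersonation patterns above (familiar support desk, a superior's name, a spoofed organisation) can be screened for at the mail gateway. The following is an added defender-side example, not Defendza's tooling; the organisation domain, executive names, trusted vendor domain and sample messages are all constructed placeholders.

```python
import difflib
import re
from email.utils import parseaddr

# Constructed reference data for an assumed organisation (not from the page)
TRUSTED_DOMAINS = ["example.com", "vendor-helpdesk.example.net"]  # internal + known-good sender domains
EXECUTIVES = {"jane doe", "john smith"}  # display names a "superior" impersonation would borrow
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)

def is_lookalike(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it: the trusted label
    embedded in a longer name (example-support.com) or a near-typo (examp1e.com)."""
    if domain == trusted:
        return False
    if trusted.split(".")[0] in domain:  # deliberately broad: label reuse is a strong signal
        return True
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85

def classify(from_header: str, subject: str) -> list[str]:
    """Return impersonation indicators found in a message's From: and Subject: headers."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return []  # internal or known-good domain: not an impersonation candidate here
    findings = []
    if name.strip().lower() in EXECUTIVES:
        findings.append("executive display name from external domain")
    for trusted in TRUSTED_DOMAINS:
        if is_lookalike(domain, trusted):
            findings.append(f"lookalike of {trusted}")
            break
    if URGENCY.search(subject):
        findings.append("urgency language from external sender")
    return findings

# Constructed sample messages (From header, Subject); none are real
SAMPLES = [
    ('"Jane Doe" <jane.doe@example.com>', "Q3 figures"),
    ('"Jane Doe" <ceo.janedoe@gmail.com>', "URGENT: need the supplier bank details today"),
    ('"IT Support" <helpdesk@examp1e.com>', "Password expires: verify immediately"),
    ('"Vendor Helpdesk" <support@vendor-helpdesk.example.net>', "Ticket update"),
]

if __name__ == "__main__":
    for from_header, subject in SAMPLES:
        print(f"{from_header:55} -> {classify(from_header, subject) or 'clean'}")
```

This inspects headers only: a From: address in a trusted domain can itself be forged where DMARC is not enforced, so combine these indicators with the gateway's SPF/DKIM/DMARC authentication results before alerting or quarantining.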

Planning

Based on the results of the reconnaissance phase, the target list is prioritised. Priority is given to "low-hanging fruit" that could trivially aid in gaining a foothold within the network.

Reconnaissance and Intelligence Gathering

The first step of reconnaissance is passively identifying the hosts and services visible on the Internet. This includes a limited open source intelligence (OSINT) phase. During red teaming or related offensive security projects, this exercise involves extensive information gathering about a customer's people, processes and technology in use. Research-based threat intelligence is an integral part of any offensive exercise.

Overall, this phase aims to harvest as much information as possible about your organisation for use in later phases.


Why Defendza?

Thorough Analysis and Reporting

Our reports are comprehensive and include all the evidence that supports our findings. We give you a risk rating that considers how likely an attack is as well as the impact it could have. We don’t create panic scenarios. Our mitigation is detailed, covering both strategic and tactical areas to help our clients prepare a remediation plan.

Custom tools and scripts

Apart from the range of commercial and open source tools available for specific testing, our team has its own custom scripts for efficient testing. We provide accurate results to make sure our clients completely understand any vulnerabilities we report.

In-house experts

Our teams are led by veteran security consultants who have been accredited to CREST standards for several years. Our experience shows that our clients are best served by giving them the right advice for their cyber security needs. We do not believe in spreading fear, uncertainty and doubt to generate more business.


Testimonials

"My experience to date with Defendza has been very positive. I look for a flexible, knowledgeable security "partner" when I engage a PT firm. Pentest means many things to many people and there are many different use cases for both the testing activity and the report generated, and I need someone to work with me to get the absolute best value out of my security budget."

Information Security Officer
Insurance Group

"Excellent people to work with. Very good knowledge of requirement and give us correct findings with excellent remedy to improve our security for our B2B portal site."

Head of Technical & Business Improvement
Leading Pharmaceutical Manufacturer

"I thought it was a highly professional and thorough exercise and I would have no hesitation recommending Defendza to any of my connections."

Director, Software Engineering
Global Information and Analytics Company

"Good personal service. We are delighted with the work Defendza did for us. Highly recommended."

CTO
Manchester headquartered Global Fashion Brand

"Extremely satisfied with approach, speed and end results. Thanks."

COO
International fashion label and store

"My experience of the Defendza team was 5 star. They were so helpful, and their technical delivery and client communication were excellent."

Director, Software Development
Corporate Services Company
