Social Engineering Reconnaissance

Summarise the key information gathered from MyBook

Name : Phillip Nomad (a.k.a. Phil)
Date of Birth : 4 February 1990 (29 y.o.)
Address : around Kingston upon Thames, London, UK
Phone Num : +44 7704 256 110
Education : Oxford Univ – Computer Science
Job title : Front end software engineer – Creative Director

Work Experience :

  • Google (Front end software engineer) Feb 2015 – now
  • HP (Software developer intern) Jan 2014 – Jan 2015
  • Costa (Barista) Aug 2014 – Jan 2014

What we know about Phil :

  • Extroverted with quite a few followers
  • Married to Nina 2 years ago in a sea-view venue
  • Owns/owned a pug
  • Has travelled to France and can speak a bit of French
  • Likes playing guitar and dogs
  • Likes to travel to scenic places with wife (and friends)
  • Has an interest in rave parties
  • Has an interest in arts

Latest activities from Phil :

  • His car broke down recently and he had to call car breakdown support to fix it
  • Phil and Nina might be expecting a baby

Phil’s friends :

  • Nina (wife)
    • Art designer
  • John Doe
    • Travel buddy
  • Alexis Clark
    • Travel buddy
  • Linda Lohan
    • Software Engineer
    • Possible friend from work
  • Sophia Lee
    • Possible Oxford Colleague
    • Possible interest in rave parties too
  • Richard Bell
    • Graphic designer at Envato
  • Robert Cook
    • Photographer
  • James Carter
    • CEO of IT Farm
    • Might work together previously
  • Anna Young
    • Musician
    • Possible friend from a mutual interest in music

Potential Places to extract information from :

  • Car breakdown support company
  • Google
  • Oxford University
  • HP
  • Costa
  • Robert Cook
  • James Carter
  • Anna Young

What are the risks of using a social networking platform?

Social network accounts usually expose an individual's most recent and past activities. They also give out personal information if the person is not aware of the dangers of somebody getting hold of it. Most security authentication processes need a birth date, which a person's social network account usually provides. The same applies to email addresses: with that information in a social engineer's hands, they can easily ask for a password reset on an account.

There will always be a chain of friends in an individual's social network. We can find out what a person's hobbies are and what has recently been happening in their life. Knowing Phillip's characteristics and traits, a social engineer can steal Phillip's identity to deceive Phillip's friends and extract more information about a person or a company. For example, a social engineer can befriend Robert Cook (photographer) through photography topics. After that, the social engineer can ask about Phillip, who might be presented as a mutual friend. As the social engineer gains Robert's trust, the social engineer can ask Robert for photos, characteristics and details of personal life.

Another thing that can be obtained from an individual's account is information about their friends. Through this individual's account, we can understand what their relationship is, and if it is a crucial one the attacker might be able to carry out a spearphishing attack. By obtaining basic information about a person and their characteristics, a social engineer can start to impersonate that person by making a fake account. With a fake account in hand, the attacker can then plan to deceive and attack work colleagues to steal credentials or gather more information.

Consider how the information gathered can be leveraged to attack an organisation

IT Farm Phishing Email

A simple way to start an attack could be with a fake account. By impersonating Phil with all the information acquired, an attacker could convince some friends like Linda or Sophia and ask about what work Phil undertook with IT Farm. The project might still be in progress or already completed. With the project's information in hand, a social engineer has the opportunity to attack IT Farm with the excuse of a revision to the project. The attack could be in the form of a phishing email to infect the company's network and steal data, or a ransomware attack. The attacker could easily gain trust as Phillip by posing as a good friend of James Carter or by presenting the email as James Carter's request.

Compromising Google’s classified company and employee information

Some basic personal information can be obtained from Phillip's social media account. For example, his first pet might be a dog. Information could also be obtained from friends. For instance, a social engineer could establish contact with Anna Young through a mutual interest in music, or even with Phil's wife Nina, with the aim of getting information like Phil's mother's maiden name. Therefore, resetting Phil's Google account password might be possible through some known security questions. Assuming that this method turns out to be successful, the attacker now has access to Phil's Google account and is able to collect classified company information.

Besides that way of extracting information, a social engineer could also impersonate Phil to send a phishing email to another employee requesting their credentials, thereby gaining access to their account. By doing that, the attacker could also plant malware or extract other sensitive information from the company and have access to Google's data.

Critical thinking and analysis

Social engineering attacks are getting more and more frequent even though systems security has come a long way. Some say the weakest link in security is the human. And sadly, most of the time it is true. A social engineering attack is likely to manipulate an individual's feeling of uneasiness or worry and use it to the attacker's advantage to expose the individual's sensitive information. Thankfully, a phishing email attack which asks for credentials won't be a problem if people take more safety precautions.

Providing policies and procedures that aim to mitigate social engineering attacks would be one of the ways to make company assets better protected and safer. The policies and procedures should be clear and comprehensible, given that not all employees have a technical understanding. But before that, training is also crucial for employees to have. Most people are not aware of the dangers of social engineering attacks and how they could affect a company.

From a technical point of view, the security department should always be aware of threats and keep track of potential future attacks. Regularly updating software would be the simplest mitigation action that they could take to keep most software vulnerabilities patched. A filtering system through firewalls and antivirus software would also be useful to minimize the risk of attacks. But most importantly, companies should assess their risks and vulnerabilities thoroughly to make sure their assets are not easily compromised. Security measures could then be focused on specific departments with higher risk.
