10 Simple Social Engineering Tactics: Mass Deception in Action

Mass Deception Weapons: 10 Simple Social Engineering Tactics Explained

Social engineering is usually seen as part of a targeted attack, but what happens if you use these tactics on a mass scale? I developed and tested ten such scenarios to see how people would react and what the consequences might be.

It’s often said that social engineering is the most destructive and dangerous type of attack on organizations. But if that’s true, why doesn’t every cybersecurity conference dedicate a special section to it?

Most case studies in the Russian-speaking internet are borrowed from foreign sources or stories about Kevin Mitnick. I’m not saying there are few such cases in the Russian internet, but for some reason, they’re rarely discussed. I decided to find out just how dangerous social engineering really is and what the consequences of its mass use could be.

What Is Social Engineering?

In cybersecurity and penetration testing, social engineering is usually associated with targeted attacks on specific organizations. In this collection of cases, I want to look at several ways social engineering can be used in mass (indiscriminate) or mass-targeted (by industry) attacks.

Let’s clarify the terms. I’ll use “social engineering” to mean: “a set of methods to achieve a goal by exploiting human weaknesses.” It’s not always criminal, but it definitely has a negative connotation and is associated with deception, fraud, manipulation, and similar things. Simple psychological tricks to get a discount at a store, for example, are not social engineering.

For the record, I acted only as a researcher in this field. I did not create any malicious websites or files. If someone received an email from me with a link, the site was safe. The worst thing that could happen was user tracking via Yandex.Metrica.

You’ve probably heard of spam with “work completion reports” or contracts containing trojans. Accountants aren’t surprised by these anymore. Or pop-up windows recommending you download a plugin to watch a video—boring. I developed several less obvious scenarios and present them here as food for thought. I hope they won’t become a how-to guide, but instead help make the Russian internet safer.

What’s Easier to Hack: Software or People?

  • Software. You can study it bit by bit without raising suspicion and find new vulnerabilities yourself.
  • People. Exploits get outdated quickly, but people have standard, vulnerable behavioral patterns.
  • Hybrid attacks are more effective. Take popular software and think about how to use it to exploit human weaknesses.

1. “Verified Sender”

Sometimes, website admins forget to filter the “Name” field in registration forms (like for newsletters or applications). Instead of a name, you can insert text (sometimes kilobytes of it) and a link to a malicious site. In the email field, you put the victim’s address. After registration, the person receives an email from the service: “Hello, dear…”, followed by your text and link. The service’s message is at the bottom.

How do you turn this into a mass weapon? Simple. In one case, I found a search engine in December 2017 that allowed sending messages via a backup email form. Before I reported it through their bug bounty program, it was possible to send 150,000 messages per day—just needed a bit of automation.

This trick lets you send phishing emails from the real support address of a website, with all the digital signatures and encryption. The top part of the email, though, is written by the attacker. I’ve received such emails myself, not just from big companies like booking.com or paypal.com, but also from lesser-known sites.

In my test, about 10% of recipients clicked the link. Enough said.
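The flaw behind this tactic is a registration form that echoes the "Name" field into an outbound mail unchecked. The following Python is an added example, not code from the article or from any of the services it mentions; the service name, the support address and the sample "name" are constructed. It shows the unfiltered path beside a hardened validator that rejects oversized values, line breaks and anything that looks like a URL or domain.

```python
import re
from typing import Optional
from email.message import EmailMessage

MAX_NAME_LEN = 64  # a registration name never needs kilobytes of text

# Things that do not belong in a person's name: URLs, bare domains, "www." hosts.
URL_RE = re.compile(r"(https?://|www\.|\b[\w-]+\.(?:ru|com|net|org|info)\b)", re.IGNORECASE)
# Letters of any script, spaces, apostrophes, hyphens and dots; must start with a letter.
ALLOWED_NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-.])*$")


def validate_name(raw: str) -> Optional[str]:
    """Return a normalised name, or None when the submitted value must be rejected."""
    name = " ".join(raw.split())  # collapse newlines, tabs and runs of spaces
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if URL_RE.search(name):
        return None
    if not ALLOWED_NAME_RE.match(name):
        return None
    return name


def build_welcome(name_field: str, recipient: str, validate: bool) -> Optional[EmailMessage]:
    """Compose the service's welcome mail.

    validate=False reproduces the flaw described in the article (the raw field is
    echoed into the body); validate=True is the hardened version, which refuses to
    send at all when the name fails validation.
    """
    name = validate_name(name_field) if validate else name_field
    if name is None:
        return None
    msg = EmailMessage()
    msg["From"] = "support@example-service.test"  # hypothetical service address
    msg["To"] = recipient
    msg["Subject"] = "Welcome to Example Service"
    msg.set_content(f"Hello, dear {name}!\n\nThank you for registering at Example Service.\n")
    return msg


# Constructed sample of the abuse: a "name" that is really a lure plus a link.
ATTACK_NAME = (
    "Ivan\n\nYour account will be suspended tomorrow. Confirm it here:\n"
    "https://login.example.invalid/verify?u=victim\n"
)

if __name__ == "__main__":
    print("unfiltered:", build_welcome(ATTACK_NAME, "victim@example.test", validate=False))
    print("hardened:", build_welcome(ATTACK_NAME, "victim@example.test", validate=True))
```

A length cap alone is not enough: a short name can still carry a link, which is why the URL check and the character whitelist are applied together. Rate-limiting the form per source address closes the mass-sending side of the same problem.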

2. Emails from Google Analytics

Here’s a fresh example from April 2018. I started getting spam from Google Analytics’ [email protected] to several of my addresses. After some digging, I found out how it was being sent.

How could this be used? A scammer could write a message so that when a user clicks the link, they’re taken to a fake site and asked for their password. This kind of password harvesting can be done not just individually, but on a mass scale, by automating the collection of domains with Google Analytics and parsing emails from those sites.

3. “Curiosity”

This method to get someone to click a link takes some prep. You create a fake company website with a unique, attention-grabbing name—say, “ZagibaliVygibali LLC.” Wait for search engines to index it.

Then, come up with a reason to send out greetings from this company. Recipients will immediately Google it and find your site. Make the greeting unusual so it doesn’t get tossed in the spam folder. In a small test, I easily got over a thousand clicks this way.

4. “Fake Newsletter Subscription”

This is a super simple way to get someone to click a link in an email. Write: “Thank you for subscribing to our newsletter! You’ll now receive a daily price list for reinforced concrete products. Regards, …” Then add an “Unsubscribe” link that leads to your site. Of course, no one actually subscribed, but you’d be surprised how many people rush to unsubscribe.

Who Falls for Targeted Phishing Most Often?

  • Regular employees. They don’t know much about IT (65%)
  • Security staff. They think they’re smarter than hackers and break their own rules (21%)
  • Managers. Their accounts give access to trade secrets (14%)

5. “Email Mining”

To build your own database, you don’t even need to write a crawler to scrape sites for exposed addresses. Just get a list of all Russian-language domains (about five million). Add info@ to each, check which addresses work, and you’ll have about 500,000 valid emails. You can do the same with director, dir, admin, buhgalter, bg, hr, etc. Prepare a message for each department, send it out, and get hundreds or thousands of replies from people in specific fields.

6. “What Does That Say?”

To lure users from a forum or site with open comments, you don’t need a catchy text—just post a picture. Pick something eye-catching (like a meme) and compress it so the text is unreadable. Curiosity will make users click the image. In my experiment, I got about 10,000 clicks this way. I also know of a case where this method was adapted to deliver trojans via LiveJournal.

7. “What’s Your Name?”

Getting someone to open a file or even a document with macros isn’t that hard, even though many people know the risks. In mass mailings, just knowing the person’s name greatly increases your chances of success.

For example, send an email like “Is this email still active?” or “Please send me your website address.” In 10–20% of cases, the reply will include the sender’s name (especially in large companies). Later, write: “Alena, hello. What’s going on with your site (see attached photo)?” or “Boris, good afternoon. I can’t figure out the price list. I need item 24. Price list attached.” The price list contains the classic “Enable macros to view content…” and the rest is history.

In general, personalized messages are opened and acted on much more often.
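The "price list" in this scenario only works if the macro-bearing attachment reaches the mailbox. The check below is an added example in Python, not from the article: it inspects an Office Open XML attachment for an embedded VBA project and flags the case where a macro project sits behind a non-macro extension. The sample documents are constructed in memory with placeholder contents; the quarantine policy strings are assumptions.

```python
import io
import zipfile

# Members that carry VBA code inside Word, Excel and PowerPoint OOXML containers.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
NON_MACRO_EXTS = {"docx", "xlsx", "pptx"}


def has_vba_macros(data: bytes) -> bool:
    """True if the OOXML zip container carries a VBA project."""
    if not data.startswith(b"PK"):
        # Not a zip-based document; legacy OLE2 (.doc/.xls) needs a different parser.
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Mail-gateway decision for an attachment from an external sender (assumed policy)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_macros(data):
        if ext in NON_MACRO_EXTS:
            return "quarantine: macro project hidden behind a non-macro extension"
        return "quarantine: macro-enabled document from external sender"
    return "allow"


def _fake_ooxml(members: dict) -> bytes:
    """Build a minimal zip that mimics an OOXML document (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CLEAN_DOCX = _fake_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_PRICELIST = _fake_ooxml({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00placeholder-vba-project",  # content irrelevant to the check
})

if __name__ == "__main__":
    for fname, blob in [("contract.docx", CLEAN_DOCX),
                        ("pricelist.xlsm", MACRO_PRICELIST),
                        ("pricelist.xlsx", MACRO_PRICELIST)]:
        print(fname, "->", classify_attachment(fname, blob))
```

The check keys on container contents rather than the file name, which is the point: the extension is chosen by the sender, the `vbaProject.bin` member is not. It says nothing about what the macro does; that is a job for a sandbox or a macro analyser.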

8. “Mass Reconnaissance”

This scenario is more about preparation than attack. Suppose you want to find out the name of an important employee—say, the accountant or head of security. It’s easy: send an email to someone who might know, asking, “Could you please tell me the director’s patronymic and the office hours? I need to send a courier.”

Asking about office hours is just to make it look natural, and asking for the patronymic is a trick to avoid revealing you don’t know the name and surname. Both are likely to be included in the reply: full names are usually given. In my research, I collected the full names of over 2,000 directors this way.

If you need the boss’s email, just write to the secretary: “Hello. Haven’t spoken to Andrey Borisovich in a while, is his address [email protected] still active? I didn’t get a reply from him. Roman Gennadievich.” The secretary sees the email, which is made up based on the director’s real name and the company’s domain, and gives you the real address.

9. “Personalized Evil”

If you want to get a reaction from a large number of organizations, look for pain points. For example, send stores a complaint about a product and threaten to escalate: “If you don’t solve my problem, I’ll complain to the director! What did you deliver to me (see attached photo)?! Archive password: 123.” For auto repair shops, send a photo of a breakdown and ask if they can fix it. For construction companies, send a “house project.” In my small study, at least 10% of recipients responded to such emails.

10. “Site Not Working”

A database of websites with owner emails can easily be turned into traffic for any other site. Send emails like: “For some reason, your site’s page www.site.ru/random.html isn’t working!” And the classic trick: the link text shows the victim’s site, but the actual link leads somewhere else.
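The "link text shows one site, href points to another" trick is something a mail filter can test for mechanically. The following Python is an added example, not code from the article: it parses an HTML mail body, extracts every anchor, and reports anchors whose visible text names a host that differs from the host in the href. The sample message and the tracker domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host name as it might appear in anchor text, with optional scheme and "www.".
DOMAIN_RE = re.compile(r"\b(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def _host(url: str) -> str:
    """Lower-cased host of a URL, with a leading 'www.' stripped."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return anchors whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, relative links: no host to compare
        m = DOMAIN_RE.search(text)
        if not m:
            continue  # text like "click here" carries no host claim
        shown, actual = m.group(1).lower(), _host(href)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample: one lure in the style described in the article, two benign links.
SAMPLE_EMAIL = """\
<html><body>
<p>For some reason, your site's page
<a href="http://tracker.example.invalid/c?id=42">www.site.ru/random.html</a> isn't working!</p>
<p>Contact us: <a href="https://site.ru/contact">site.ru/contact</a></p>
<p><a href="https://site.ru/help">click here</a> for help</p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"text shows {f['shown']!r} but link goes to {f['actual']!r}: {f['href']}")
```

This is one signal, not a verdict: newsletters legitimately route links through their own click-tracking hosts, so in practice the finding is scored together with sender reputation and the age of the target domain rather than used to block on its own.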

11. “Multi-Landing”

This method takes some prep. Create a one-page site styled as a news resource. Add a script that changes the text depending on which link the visitor used to get there.

Send out emails to a database of addresses and company names. Each email contains a unique link to your news site, like news.ru/?1234. The 1234 parameter is tied to a specific company name. The script on the site detects which link was used and displays the company name in the text, matching the email database.

When an employee visits the site, they see a headline like “Company … (victim’s company name) is at it again.” Then comes a short fake news story, with a link to an archive of “exposing materials” (actually a trojan).

Conclusions

It’s clear that mass mailings won’t work for attacks on large organizations—you need a personal approach there. But small businesses, which have never even heard of social engineering, can easily fall victim to these attacks.
