Scripting Social Engineering Attacks

Dave Comstock at BSides Boston 2017

Script all the things! Streamline phishing, vishing, and gaining physical access to restricted areas by using modular social engineering scripts and pretexts. Gaining physical or virtual footholds is a crucial first step in a successful exploit chain.

People are often the weak spot in company security, so it only makes sense to start our attempts there. We'll focus on building up a playbook of different characters, outfits, tools, and pretexts to use while exploiting self-interest, standard operating procedures, common corporate policy, social norms/taboos, and cognitive biases for maximum effect.

Characters can range from posing as support roles such as IT, HVAC, plumbing, electrical, and other contractors to a newly hired employee, corporate auditor, market researcher, vendor rep, or job recruiter depending on pretext and what your goals are.