Social engineering has always been one of my favorite attack vectors on any penetration test. A big reason our firm succeeds at it is that we, as human beings, forget the "Seven Deadly Sins".
Looking back at the social engineering attack vectors I used on previous engagements, I noticed that the handful I relied on all played on a few key motivations, each of which can be attributed to one of the Seven Deadly Sins.
The Seven Deadly Sins, for those not familiar with them, are: Lust, Gluttony, Greed, Sloth, Wrath, Envy, and Pride. Let me give some examples:
- Lust – Those emails promising a wonderful time with beautiful women, or some other sexual temptation
- Gluttony – Free gift cards to some retailer, in some huge amount
- Greed – Nigerian emails, or the other email scams promising lots of money (gift cards to retailers can also fall under this category)
- Sloth – Easy money by working from home
- Wrath – Not so much outrage or anger towards an individual as at a situation or outcome, like poor orphans, or a major disaster such as the recent Typhoon Haiyan
- Envy – Free iPads, iPhones or some other beautiful electronic device
- Pride – Stroking the target's ego in the email, calling them a valuable person or asset and telling them they are needed. Insecurity is a form of pride as well: rather than building the ego up, the email tears it down and makes the target feel insecure about themselves.
In every case, these are emotional triggers that can motivate someone to donate in the spirit of aid, as with Typhoon Haiyan, or play on their envy because a friend has the nice shiny toys they desire.
Either way, be conscious of these social engineering attempts, both in your business and personally. These seven attack vectors will always net at least one win, and the adversary only needs a single win.