Ransomware Social Engineering

1.???? Target company – ‘ACME’

2.???? Target company employee – ‘PAT’ – Find worker from target company on LinkedIn, preferably I.T. administrator/engineer/architect as these personnel are likely to have elevated permissions within the company infrastructure. This account will likely have access to read the company directory such as Active Directory, export and analyze to understand account naming patterns to learn of service accounts and administrative accounts.

3.???? Social engineer target company employee – Using a recruiter like profile, reach out to potential employees at target company with “job opportunities” as bait to encourage target company employee to relinquish sensitive PII such as personal email address, personal phone number, and resume, which either confirms the personal information or provides additional such as additional personal ?phone numbers and email addresses, home address, full name as appears on resumes, and a detailed list of their work history.

The reason this works is human’s desire. An enticing job opportunity will have a high rate of success phishing for personal information. If the social engineering went as far as pretending to submit the candidate for the opportunity, these calls usually end with confirmation of identity often being 1) birth date and month and 2) last 4 # of the SSN. The year someone is born is not hard to find online.

The attacker can learn the work email of ‘PAT’ generally by making a request to the company front desk by stating they need to contact that person for a seemingly valid reason. Email addresses are usually not considered sensitive information for non-executives.

After a brief intro on LinkedIn, the attacker has learned through social engineering:

• If ‘PAT’ is an active employee of ‘ACME’.
• If ‘PAT’ is a contractor of ‘ACME’.
• If ‘PAT’ has the access needed for the attack at ‘ACME’ because they have the resume.
• If ‘PAT’ is a choice ‘ACME’ account to compromise.
• ‘PAT’s Work email address
• ‘PAT’s Full Name
• ‘PAT’s Personal address
• ‘PAT’s Personal phone number(s)
• ‘PAT’s Personal email address(s)
• ‘PAT’s Detailed work history
• ‘PAT’s DOB
• ‘PAT’s last 4 of ‘PAT’s SSN

Is ‘ACME’ prepared for the attacker to have all this information?

The attacker calls the IT helpdesk pleading for assistance logging into a new computer. “Normally the username is there… since my old computer won’t start, I can’t verify.” Some may not think twice about confirming a username… the attacker has enough information to make a guess. And if that doesn’t fix the problem… it’s time to try a new password. The attacker has enough information to proactively inform the IT department that they changed their phone #, confirm the old number, then provide a new number for MFA.

What happens now? https://itngen.com