Editor’s Note – This excerpt is taken from Leonard Chin’s whitepaper “5 Phases Every Hacker Must Follow” and has been reprinted with permission. This is the third installment of the series. You can also find part 2 of the series here.
After scanning is complete, hackers can use many methods to gain unauthorized access. Hackers’ skills are often more important than the weaknesses of the target. A hacker skilled in attacking websites will move on to a different target if a website is all they have.
Hackers are skilled enough that they can develop a variety of skills and tools to attack different targets. This article will cover some of the tools and methods used to gain access.
Social Engineering
Hackers use the term “social engineering” to describe tricking people into giving access. This is usually done by asking for login credentials. Although it sounds like a scam, it can be quite sophisticated. It can be very effective, which is even more important.
Cybersecurity experts estimate that more than 80% of attacks are launched using stolen credentials. Once an attacker has the victim’s password and user ID, they can log in to the system and do whatever they like. Although it seems unlikely that anyone would divulge their password to a hacker, it happens quite often.
Using social engineering can be as easy as pretending to be someone in authority and asking for credentials. Hackers will call an organization and ask to be transferred to another person (which can conceal the fact that it is an external call). The hacker pretends to be an IT employee who is trying to solve a problem. To fool an employee, the hacker must follow these steps:
The hacker must have information about the company or employee in order to be able to use context. This gives credibility. They might say, for instance, “Joe Jones asked me to investigate the matter personally,” where Joe Jones is actually the COO.
The scammer must create a crisis. They might say, “I’m in such trouble, my boss is going to be mad at me.” Or they might say, “Someone was browsing some shopping websites on this machine, which is against company policy. We have an audit next Wednesday and I don’t want you to get into trouble. I will erase your history.” The scammer will then ask the employee to perform a small task, such as opening a command prompt and typing in “netstat”. This fills the screen with technical jargon, which is used to scare the employee.
Once the hook has been set, the scammer will ask the employee for their ID number and password in order to continue solving the problem. This usually occurs right before lunch or after midnight, when the employee is ready for work. This is only one way to trick employees. There are many ways to impersonate customers or vendors.
So far we’ve only covered a low-tech method of getting a password. There are many more sophisticated ways. Hackers often use the Social Engineering Toolkit (SET), which is a free program. With this tool, the hacker visits a website that the victim is most likely to use, usually that of a bank or credit-card company. The tool can copy the website’s login page to create a fake website that mirrors it.
Anyone looking at the fake page would not notice the difference. The hacker then sends the victim an email, usually an urgent one, asking them to click on a link to log in.
The link takes the victim to the fake site.