Social Engineering Attack Report

Target Organization: XYZTelecom

Objective: Assess how effectively social engineering techniques can compromise the organization's security, within agreed ethical constraints.


Step 1: Define Scope & Ethical Considerations

  • Permission obtained from the organization.

  • No actual harm or data theft; the engagement only gathers security insights.

  • Educating employees on security awareness as a primary goal.


Phase 1: Research & Information Gathering

Step 2: Collect Publicly Available Information

  • OSINT Techniques Used:

    • Google Dorking (site:XYZTelecom.com filetype:pdf to find internal documents).

    • LinkedIn Scraping (identified IT support personnel).

    • Email Permutations (Hunter.io used to identify potential email formats).

Step 3: Identify Target Individuals

  • Primary Targets:

    • IT Helpdesk employees (for password reset attempts).

    • HR employees (for impersonation attempts).

    • New employees (more susceptible to social engineering).


Phase 2: Attack Execution

Step 4: Phishing Attack (Email-Based)

  • Method: Sent a spoofed email from a lookalike domain (@XYZTelecom-support.com) designed to pass as the corporate domain.

  • Payload: Embedded a malicious link to a cloned login page.

  • Email Content: Urgent password reset request.

  • Outcome: 3 out of 10 recipients clicked the link, but no credentials were entered.

Step 5: Vishing (Phone Call-Based Attack)

  • Method: Called IT support, impersonating an employee with an urgent issue.

  • Tactics Used:

    • Created a sense of urgency.

    • Used insider terminology to sound legitimate.

    • Requested a temporary password reset.

  • Outcome: IT support asked for verification and did not reset the password, indicating good awareness.

Step 6: Tailgating (Physical Social Engineering)

  • Method: Followed an employee into the building while posing as delivery personnel.

  • Tactics Used:

    • Held a large package to justify needing assistance.

    • Engaged in casual conversation to lower suspicion.

  • Outcome: Successfully entered the premises but was stopped by security before accessing restricted areas.


Phase 3: Analysis & Findings

Key Takeaways:

  • Phishing emails had a 30% click rate (3 of 10 recipients clicked the link, but no credentials were entered).

  • IT Helpdesk successfully resisted vishing attempts, showing good training.

  • Tailgating was partially successful, revealing physical security gaps.

Recommendations:

  1. Improve Email Awareness Training: Employees should verify links before clicking.

  2. Enhance IT Helpdesk Verification Procedures: Require multi-factor authentication for password resets.

  3. Strengthen Physical Security Policies: Require visitor verification and badge scanning.
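As an added defender-side example (not part of the original report), the following Python check flags the kind of message used in Step 4 and targeted by Recommendation 1: a sender domain that embeds or misspells the corporate domain, combined with an urgency subject line. The domain xyztelecom.com, the edit-distance threshold and the sample addresses are assumed for illustration.

```python
"""Lookalike sender-domain check for the Step 4 phishing lure. Added example,
not part of the original report; the domain and samples are constructed."""
import re

LEGIT_DOMAIN = "xyztelecom.com"           # organization's real mail domain (assumed)
LEGIT_LABEL = LEGIT_DOMAIN.split(".")[0]  # "xyztelecom"
URGENCY_TERMS = ("urgent", "immediately", "password reset", "account suspended")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'legit', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legit"
    # Left-most label, hyphens/digits dropped: "xyztelecom-support" -> "xyztelecomsupport"
    base = re.sub(r"[^a-z]", "", domain.split(".")[0])
    if LEGIT_LABEL in base:
        return "lookalike"   # brand embedded, e.g. xyztelecom-support.com
    if levenshtein(base, LEGIT_LABEL) <= 2:
        return "lookalike"   # typosquat, e.g. xyztelecorn.com
    return "external"


def flag_message(sender: str, subject: str) -> list:
    """Reasons to hold the message for review; an empty list means no finding."""
    reasons = []
    verdict = classify_sender(sender)
    if verdict == "lookalike":
        reasons.append("sender domain imitates " + LEGIT_DOMAIN)
    hits = [t for t in URGENCY_TERMS if t in subject.lower()]
    if hits and verdict != "legit":
        reasons.append("urgency lure from non-corporate sender: " + ", ".join(hits))
    return reasons
```

A mail gateway rule built on this logic would quarantine or banner the lookalike message before it reaches the 10 recipients, which removes the click decision from the user entirely.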
