Social Engineering Testing
professional social engineering testing services
The purpose of the social engineering test is to examine the information security awareness and readiness of the organization’s employees against various types of social engineering attacks such as phishing, vishing, spoofing and more.
Types of Social Engineering Methods
The aim is to gather as much exposed information as possible about the target organization, such as vendors, email addresses and contact numbers.
The collected details are then used to carry out the social engineering tests.
Condition Zebra will perform passive information gathering on public resources, for instance the organization’s website, Google hacking, WHOIS records and reverse IP lookup, to learn more about the organization.
Information obtained includes:
- IP addresses
- Email addresses
- Contact numbers
Phishing emails will be sent from an impersonated sender to trick employees into clicking the embedded link and visiting a certain website.
Condition Zebra will test staff awareness of malicious hyperlinks, of handing over credentials (quid pro quo) and of executable files. For example, a giveaway URL is embedded in a phishing email. The hyperlink redirects the staff to a phishing website created by Condition Zebra, which captures the data keyed in by the staff.
This method also examines whether employees report or document a cyber-security incident to the relevant department.
Remark: should the test emails be filtered by the company’s email filtering system, the company will be responsible for whitelisting or releasing the emails so that they reach the recipients’ inboxes.
A phone call will be made to retrieve sensitive organization information.
Condition Zebra will impersonate a trusted third-party vendor, call the staff and ask for credentials, such as passwords, that would grant access to sensitive company information.
An email will be sent by impersonating the trusted email address of the organization.
Email spoofing is carried out alongside the phishing assessment. Phishing mail will be sent that impersonates email from a trusted organization or from higher management, to increase the victim’s trust and the likelihood that the phishing attack succeeds.
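From the defender’s side, a spoofed sender is caught by checking whether the visible From: domain lines up with the envelope sender and with what the mail gateway recorded in the Authentication-Results header. The script below is an added example, not Condition Zebra’s tooling; the two messages, the domains and the header contents are constructed samples for illustration.

```python
"""Header-alignment check for spoofed sender addresses (added example).

Looks at the signals an email gateway or SOC analyst uses to spot a
spoofed From: address: envelope/From alignment, a Reply-To that points
elsewhere, and the SPF/DKIM/DMARC verdicts in Authentication-Results.
All messages and domains below are constructed samples.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: a legitimate internal notice.
LEGIT_MESSAGE = (
    "Return-Path: <it-helpdesk@corp.example>\n"
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;"
    " dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example\n"
    "From: IT Helpdesk <it-helpdesk@corp.example>\n"
    "To: staff@corp.example\n"
    "Subject: Scheduled maintenance window\n"
    "\n"
    "The mail server will be patched on Friday evening.\n"
)

# Constructed sample: a message whose From: claims to be management,
# but whose envelope sender and Reply-To belong to other domains.
SPOOFED_MESSAGE = (
    "Return-Path: <bounce-8831@bulk-sender.example.net>\n"
    "Authentication-Results: mx.corp.example; spf=softfail"
    " smtp.mailfrom=bulk-sender.example.net; dkim=none;"
    " dmarc=fail header.from=corp.example\n"
    "From: \"CEO\" <ceo@corp.example>\n"
    "Reply-To: ceo.corp@webmail.example.org\n"
    "To: finance@corp.example\n"
    "Subject: Urgent: vendor payment today\n"
    "\n"
    "Please process the attached invoice before noon and keep this confidential.\n"
)


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def _auth_results(header_value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)
    return {method.lower(): verdict.lower() for method, verdict in pairs}


def check_spoofing(raw_message):
    """Return the domains seen, the per-signal flags and an overall verdict."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    reply_domain = _domain(msg["Reply-To"])
    auth = _auth_results(msg["Authentication-Results"])

    flags = {
        # Envelope sender (what SPF is evaluated against) differs from From:.
        "from_envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        # Replies would silently go to a third-party mailbox.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "spf_not_pass": auth.get("spf") in ("fail", "softfail", "none"),
        "dkim_not_pass": auth.get("dkim") != "pass",
        "dmarc_fail": auth.get("dmarc") == "fail",
    }
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "reply_to_domain": reply_domain,
        "auth": auth,
        "flags": flags,
        "suspicious": any(flags.values()),
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        result = check_spoofing(raw)
        print(name, "suspicious" if result["suspicious"] else "clean", result["flags"])
```

A gateway that enforces DMARC with a reject policy stops the second message before it reaches an inbox; the script reproduces the same reasoning for a SOC analyst reviewing a message that was whitelisted or released, as the remark above describes.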
Phishing messages will be sent via WhatsApp from an impersonated sender to trick employees into clicking the embedded link and visiting the crafted site.
Condition Zebra will test the awareness of company staff by presenting malicious hyperlinks. For example, a giveaway URL is embedded in a phishing message sent via WhatsApp. The hyperlink redirects the staff to a phishing website created by Condition Zebra, which captures the credentials keyed in by the staff.
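The email and WhatsApp phishing tests above both hinge on a link whose hostname merely resembles the organization’s own domain. The following script is an added example, not part of Condition Zebra’s service: it pulls the links out of a message and classifies each hostname against a known organization domain, catching the brand used as a subdomain of a foreign domain, digit-for-letter look-alikes, near-miss spellings and brand names embedded in unrelated domains. The organization domain `zebracorp.example`, the sample message and the confusable table are constructed assumptions.

```python
"""Look-alike link classifier for phishing awareness triage (added example).

Given a message body and the organization's real domain, extract every
URL and label its host. The sample message and the organization domain
zebracorp.example are constructed for this example.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)

# Character swaps commonly seen in look-alike hostnames (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample: one genuine link followed by several kinds of look-alike.
SAMPLE_MESSAGE = (
    "Hi! HR benefits portal: https://hr.zebracorp.example/benefits\n"
    "Claim your bonus at https://zebracorp.example.secure-login.example/claim\n"
    "Prize draw: https://zebrac0rp.example/prize\n"
    "Update details here https://zebracrop.example/account\n"
    "Staff rewards: https://zebracorp-rewards.example/win\n"
    "Read more: https://news.example.org/article"
)


def normalize_confusables(host):
    """Map common substitutions back to the letters they imitate."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def levenshtein(a, b):
    """Plain edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive eTLD+1 (last two labels); sufficient for the sample hosts here."""
    return ".".join(host.split(".")[-2:])


def classify_host(host, org_domain):
    """Label one hostname relative to the organization's domain."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower()
    brand = org_domain.split(".")[0]
    if host == org_domain or host.endswith("." + org_domain):
        return "trusted"
    if host.startswith(org_domain + "."):
        # The real domain appears, but only as a subdomain of someone else's.
        return "brand_as_subdomain"
    normalized = normalize_confusables(host)
    if normalized == org_domain or normalized.endswith("." + org_domain):
        return "confusable_lookalike"
    if levenshtein(registrable(host), org_domain) <= 2:
        return "typosquat"
    if brand in host:
        return "brand_in_name"
    return "external"


def classify_links(text, org_domain):
    """Return one finding per URL found in the text, in order of appearance."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        findings.append({"url": url, "host": host, "verdict": classify_host(host, org_domain)})
    return findings


if __name__ == "__main__":
    for finding in classify_links(SAMPLE_MESSAGE, "zebracorp.example"):
        print(f"{finding['verdict']:<22} {finding['host']}")
```

Anything other than `trusted` or `external` is worth surfacing in the awareness debrief, since those are exactly the hostnames a giveaway URL in a phishing email or WhatsApp message relies on.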
Malware is delivered as an email attachment, via a website, on a USB drive or by other means.
Condition Zebra will attach malicious documents to emails, then monitor for and identify the persons who opened the document.
The malware is customized so that the device sends a request to Condition Zebra’s monitoring machine. Once a staff member opens the malware from a phishing email or a USB drive, the malware is triggered.
Observation is part of reconnaissance, that is, information gathering: the employees’ security-related behaviour within the working environment is observed.
Condition Zebra’s testers will move around the target location to check for sensitive information leakage. Shoulder surfing is performed to capture login credentials as staff type them.
In addition, Condition Zebra’s engineer will note down staff who leave their computer screens turned on when they leave their desks. The office environment is also examined for items such as passwords written on whiteboards or on stickers on desks.
Entry to a restricted area of the organization by following a person who is using their access card.
A tailgating attack, also referred to as “piggybacking”, involves attackers seeking entry to a restricted area without proper authentication. The perpetrators simply follow an authorized person into the restricted location; for example, they may impersonate delivery staff carrying a large stack of packages and wait for an employee to open the door.
Once the tailgating is complete, the attackers have successfully infiltrated the restricted area.
A purpose-built malicious mobile application will be installed on the staff member’s mobile phone.
Condition Zebra will impersonate a promoter to encourage staff to download the malicious mobile application in order to obtain a secret code that unlocks the promotion. This method tests whether staff review application permissions before installing apps on their mobile phones. Once the application is installed and executed, the staff member’s mobile phone number is sent to the Condition Zebra monitoring server.
Autorun is enabled so that the malware executes as soon as the pen drive is plugged into the machine.
This test is conducted in a similar way to the mobile application test. A USB drive is given to the staff. If no filtering agent is implemented, the malware executes and sends the IP address and the MAC address of the victim’s machine to the Condition Zebra monitoring server.
value driven service
Benefits of Social engineering testing
- Improve specific areas of weakness and prioritize the incident response plan using simulated social engineering attacks.
- Peace of mind against social engineering attacks.
- More comprehensive and detailed reports with applicable recommendations for improved overall organizational IT security.
- Your clients, employees, suppliers and other stakeholders will trust and have more confidence in your organization when you prioritize cybersecurity.
- It is better to prevent a cyber-attack than to deal with its consequences, which are likely to be far more costly due to loss of business.