Employees are widely regarded as the weakest link in corporate information security. In a social engineering simulation test, an e-mail built around a realistic social engineering scenario is therefore sent to the customer's employee e-mail addresses to measure their information security awareness. At the end of the test, the customer receives detailed information about their employees' awareness, such as:
- How many employees clicked the link that was sent
- How many employees entered their credentials after clicking the link
- How many of the submitted credentials were genuine
- Which departments' employees show information security awareness
We also offer many social engineering scenarios to meet customers' differing needs, such as vishing (eliciting information or attempting to influence action by telephone, which may involve tools such as caller ID spoofing) and impersonation attacks (pretexting as another person in order to obtain information or access to a person, company or computer system).
Some of the social engineering attack steps we carry out during the tests:
- Discovering employees' e-mail addresses
- Discovering employees and their e-mail addresses via LinkedIn
- Identifying authorized contacts (registrant, administrative and technical contacts) via whois
- Discovering webmail services
- Discovering VPN services
- Identifying the customer's software (e-mail server, spam gateway, etc.)
- Identifying the e-mail address policy (e.g. first.last@domain)
- Identifying all of the customer's remotely accessible authenticated services
- Identifying domain names that resemble the customer's website name (lookalike domains)
- Information gathering via FOCA and Maltego
- Preparing content and scenarios for the phishing attacks
- Preparing malicious files (reverse_tcp payloads, fake updates, etc.)
- Using antivirus bypass methods while preparing malicious files
- Cloning webmail/VPN web pages for credential harvesting
- Phishing attack scenarios via phone call (vishing)
- Gathering information about upcoming events and activities at the customer
- Preparing an e-mail signature that matches the customer's signature policy
- Determining which messages the customer's mail gateway will accept
- Mail gateway bypass methods (zip archives, password-protected attachments, etc.)
- Sending bulk e-mail to employees with open source tools
- Sending bulk e-mail to employees with commercial tools
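Several of the reconnaissance steps above (discovering employee addresses, identifying the e-mail address policy, and finding domain names that resemble the customer's) can be partly automated. The Python below is an added example written for this page, not code from this service; the names, addresses and the domain example.com are constructed, and the list of address formats and the homoglyph table are assumptions that would be extended per engagement.

```python
"""Recon helpers for a phishing simulation: infer the target's e-mail address
policy from a few known addresses and enumerate look-alike domains.
Added example with constructed, hypothetical data."""
from collections import Counter

# Candidate local-part formats. {f}=first name, {l}=last name, {fi}=first initial.
# Assumed list; extend it with whatever the engagement turns up.
FORMATS = {
    "first.last": "{f}.{l}",
    "first_last": "{f}_{l}",
    "firstlast": "{f}{l}",
    "flast": "{fi}{l}",
    "lastf": "{l}{fi}",
    "last.first": "{l}.{f}",
    "first": "{f}",
}

# Single-character substitutions that read alike at a glance (assumed table).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
              "a": ["4"], "m": ["rn"], "s": ["5"]}

# Constructed sample: addresses already harvested (LinkedIn, whois, documents).
KNOWN_ADDRESSES = [
    ("Jane", "Doe", "jane.doe@example.com"),
    ("John", "Smith", "John.Smith@example.com"),
    ("Ana", "Lopez", "alopez@example.com"),  # exception to the dominant policy
]


def render(fmt: str, first: str, last: str) -> str:
    """Build the local part of an address for a name under a given format."""
    f, l = first.lower(), last.lower()
    return FORMATS[fmt].format(f=f, l=l, fi=f[0])


def infer_format(samples):
    """Return (dominant format, per-format match counts).
    The format is None when no candidate explains any sample."""
    counts = Counter()
    for first, last, addr in samples:
        local = addr.split("@", 1)[0].lower()
        for fmt in FORMATS:
            if render(fmt, first, last) == local:
                counts[fmt] += 1
    if not counts:
        return None, counts
    return counts.most_common(1)[0][0], counts


def guess_addresses(fmt, domain, names):
    """Apply the inferred policy to names found without an address."""
    return [f"{render(fmt, first, last)}@{domain}" for first, last in names]


def lookalike_domains(domain):
    """Enumerate typosquat/homoglyph candidates for the second-level label."""
    label, dot, suffix = domain.partition(".")
    cands = set()
    for i, ch in enumerate(label):
        cands.add(label[:i] + label[i + 1:])                  # omission
        cands.add(label[:i + 1] + ch + label[i + 1:])          # doubling
        if i + 1 < len(label):                                 # transposition
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):                     # homoglyph swap
            cands.add(label[:i] + sub + label[i + 1:])
    for extra in ("-login", "-mail", "-vpn"):                  # misleading suffixes
        cands.add(label + extra)
    cands.discard(label)
    return sorted(c + dot + suffix for c in cands)


if __name__ == "__main__":
    fmt, counts = infer_format(KNOWN_ADDRESSES)
    print("dominant policy:", fmt, dict(counts))
    print(guess_addresses(fmt, "example.com", [("Mary", "Jones"), ("Li", "Wang")]))
    print(lookalike_domains("example.com")[:10])
```

The match counts are reported alongside the dominant format because exceptions (older accounts, acquired subsidiaries) are common, and an address guessed under the wrong policy bounces and draws attention from the mail gateway. Lookalike candidates are only a starting list; each one still has to be checked for availability and against the customer's own defensive registrations before a scenario is built on it.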
If you would like to find out how our Social Engineering Scenario Service can benefit your company, or would like more information about the service, please contact our security experts for a free quick consultation.