Phishing, phoning, USB killer...
Social engineering consists of bypassing an employee's vigilance in order to obtain sensitive information or to have them carry out malicious actions (opening files, CEO fraud, etc.). Synetis auditors can adopt an offensive, awareness-raising approach by contextualizing their attacks (dropped USB keys, phone calls, etc.).
In 2015, it was estimated that one in five employees tended to use USB keys that they found lying around, thinking that they had been “lost” or “belonged to no-one”. Without any prior precautions, this behavior can be dangerous for several reasons, such as infection by ransomware or other malware, use of the USB Killer device, etc. Synetis is able to create malicious USB keys and then “abandon” them in order to trap employees.
Phishing is a method widely used by attackers to deliver their malicious payloads directly onto your organization’s network. These attacks can also invite users to log in to fake authentication pages in order to compromise secrets.
We can carry out social engineering campaigns using several vectors:
- Phishing by email (using a domain name close to the company's, such as a typosquatted or “forgotten” domain) or by phone call
- Phishing with booby-trapped USB keys
We can produce statistics on connections to the fake authentication pages, USB key connections, etc.
Phishing remains one of the main vectors of cybercrime. This type of attack aims to get the recipient of a seemingly legitimate e-mail to give out bank details or login credentials (for example, to financial services in order to steal money). Phishing can also be used in more targeted attacks, either to obtain an employee’s credentials for the professional networks they have access to, or to get them to execute code contained in a malicious attachment.
Below are two phishing campaigns carried out by Synetis: