Social engineering
Social attacks can be just as effective at obtaining privileged information as elaborate zero-day exploits, and they need far less technical skill.
By now most people are aware of the run-of-the-mill tech-support phone scam, in which the mark is talked into granting remote access to a caller, who then installs keyloggers and harvests bank details, passwords or address books for use in further attacks. Other forms of attack are possible, though. In the breach of Reddit's systems disclosed at the beginning of August 2018, attackers defeated the SMS-based two-factor authentication (2FA) protecting employee accounts, partly by exploiting known weaknesses in the cellular network and partly through Verification Code Forwarding Attacks (VCFAs). In a VCFA the attacker, already holding the victim's password, starts a login so that the provider sends a genuine code to the victim's phone, then sends the victim a legitimate-looking message asking them to reply with or forward that code. If the victim complies, the attacker has everything needed to complete the login.
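The exchange described above, played out in code. This is an added example and not part of the original article or of any Reddit incident report: the provider, victim and sender IDs are constructed stand-ins, and the `FORWARD_REQUEST_RE` heuristic is a simple illustration of how a client could flag a lure, not a production detector.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed identities for the simulation; none of these numbers or sender IDs are real.
PROVIDER_SENDER = "ACME-LOGIN"      # alphanumeric sender ID the genuine service uses (assumed)
VICTIM_PHONE = "+15550001111"
ATTACKER_PHONE = "+15550009999"
CODE_RE = re.compile(r"\b(\d{6})\b")
# Heuristic: a message that asks the recipient to send, reply with, forward or resend a code.
FORWARD_REQUEST_RE = re.compile(r"\b(reply|forward|send|text|resend)\b[^.]*\bcode\b", re.I)


@dataclass
class Sms:
    sender: str
    to: str
    body: str


@dataclass
class Provider:
    """The login service: issues a fresh six-digit code per login attempt, then checks it."""
    pending: dict = field(default_factory=dict)   # user -> outstanding code
    outbox: list = field(default_factory=list)    # messages handed to the carrier

    def start_login(self, user, phone):
        # The password step is assumed already passed (reused or phished credentials).
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.outbox.append(Sms(PROVIDER_SENDER, phone,
                               f"Your {PROVIDER_SENDER} verification code is {code}."))

    def finish_login(self, user, code):
        # True means a session is granted to whoever submitted the code.
        return code is not None and self.pending.pop(user, None) == code


@dataclass
class Victim:
    phone: str
    inbox: list = field(default_factory=list)

    def latest_code(self):
        # The most recent six-digit code in the inbox, regardless of which message carried it.
        for sms in reversed(self.inbox):
            m = CODE_RE.search(sms.body)
            if m:
                return m.group(1)
        return None


def is_forwarding_request(sms):
    """True if a message asks the user to hand a code back; a genuine 2FA prompt never does."""
    return bool(FORWARD_REQUEST_RE.search(sms.body))


def trusting_user(victim, request):
    """Does what the message says and sends the code back."""
    return victim.latest_code()


def wary_user(victim, request):
    """Refuses to forward a code whoever the message appears to come from: sender IDs can be
    spoofed through SMS gateways, so the sender field proves nothing."""
    if is_forwarding_request(request):
        return None
    return victim.latest_code()


def run_vcfa(user_policy, spoof_sender=False):
    """Plays out a Verification Code Forwarding Attack. Returns True if the attacker gets in."""
    provider, victim = Provider(), Victim(VICTIM_PHONE)
    # 1. The attacker logs in as the victim; the provider texts the victim a genuine code.
    provider.start_login("admin", victim.phone)
    victim.inbox.append(provider.outbox.pop())
    # 2. The attacker sends the lure, optionally spoofing the provider's sender ID.
    lure = Sms(PROVIDER_SENDER if spoof_sender else ATTACKER_PHONE, victim.phone,
               "Suspicious sign-in blocked. Reply with the code we just sent you to keep "
               "your account locked.")
    victim.inbox.append(lure)
    # 3. The victim decides whether to hand the code over.
    forwarded = user_policy(victim, lure)
    # 4. The attacker submits whatever came back to complete the login.
    return provider.finish_login("admin", forwarded)


if __name__ == "__main__":
    print("trusting user, attacker logged in:", run_vcfa(trusting_user))
    print("wary user, attacker logged in:    ", run_vcfa(wary_user, spoof_sender=True))
```

The point the simulation makes is that the code itself is never intercepted: the provider, the carrier and the code are all working as designed, and the only control that matters is whether the user can be talked into sending it on. That is why a sender-ID check alone is not a defence, and why providers put "never share this code" in the message.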
Social attacks are far more effective the more the attacker knows about the victim. Criminals will often spend time sleuthing high-profile targets and customising the attack accordingly; going after senior executives in this way is known as 'whaling', in contrast to mass-mailed 'phishing'. Most people have some kind of web presence these days, even if they have locked down their social media accounts. Gathering information from public sources is known as Open Source Intelligence (OSINT). Diligent OSINT takes time and effort, but the popular Maltego tool can automate much of the process. By chaining 'transforms' that pull data from a variety of sources, from the Shodan device search engine, to blockchain explorers, to Twitter posts and GeoIP databases, it builds a graph of entities from which all kinds of relationships can be deduced.
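To show what chaining transforms over a graph actually does, here is a toy link-analysis engine in the same spirit. It is an added example, not code from the article and not Maltego's own API: the `TWITTER`, `REVERSE_WHOIS`, `DNS`, `GEOIP` and `SHODAN` tables are constructed in-memory stand-ins for the live services a real transform would query, and every name, address and banner in them is made up.

```python
from collections import deque

# Constructed, offline stand-ins for the live data sources a transform would query.
# None of these handles, addresses or banners are real records.
TWITTER = {"j_doe_42": {"email": "jdoe@example.net", "location": "Bristol"}}
REVERSE_WHOIS = {"jdoe@example.net": ["example.net", "jdoe-photos.example"]}
DNS = {"example.net": ["203.0.113.10"], "jdoe-photos.example": ["203.0.113.10"]}
GEOIP = {"203.0.113.10": "Bristol"}
SHODAN = {"203.0.113.10": ["22/tcp OpenSSH 7.4", "8080/tcp Jenkins (no auth)"]}

# An entity is a (kind, value) pair; a transform maps one entity to (relation, entity) pairs.
def twitter_transform(handle):
    profile = TWITTER.get(handle)
    if not profile:
        return []
    return [("uses_email", ("email", profile["email"])),
            ("claims_location", ("location", profile["location"]))]


def email_transform(address):
    return [("registered_domain", ("domain", d)) for d in REVERSE_WHOIS.get(address, [])]


def domain_transform(name):
    return [("resolves_to", ("ip", a)) for a in DNS.get(name, [])]


def ip_transform(addr):
    out = [("geolocated_in", ("location", GEOIP[addr]))] if addr in GEOIP else []
    out += [("exposes", ("service", s)) for s in SHODAN.get(addr, [])]
    return out


TRANSFORMS = {"twitter": [twitter_transform], "email": [email_transform],
              "domain": [domain_transform], "ip": [ip_transform]}


def run_transforms(seed, max_depth=4):
    """Breadth-first expansion from the seed entity. Returns the set of (src, relation, dst)
    edges and, for each entity discovered, the entity it was first reached from."""
    edges, parents = set(), {seed: None}
    queue = deque([(seed, 0)])
    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for transform in TRANSFORMS.get(entity[0], []):
            for relation, child in transform(entity[1]):
                edges.add((entity, relation, child))
                if child not in parents:
                    parents[child] = entity
                    queue.append((child, depth + 1))
    return edges, parents


def path_to(parents, target):
    """The chain of pivots from the seed to target, i.e. how an analyst got there."""
    path, current = [], target
    while current is not None:
        path.append(current)
        current = parents[current]
    return path[::-1]


def corroborated(edges):
    """Entities reached from two or more distinct parents: independent sources agree on them,
    which is what turns a guess (a claimed location, a shared IP) into a usable link."""
    sources = {}
    for src, _, dst in edges:
        sources.setdefault(dst, set()).add(src)
    return {entity for entity, parents in sources.items() if len(parents) > 1}


if __name__ == "__main__":
    edges, parents = run_transforms(("twitter", "j_doe_42"))
    for service in (e for e in parents if e[0] == "service"):
        print(" -> ".join(f"{kind}:{value}" for kind, value in path_to(parents, service)))
    print("corroborated:", corroborated(edges))
```

Run from a single Twitter handle, the graph reaches an exposed Jenkins service in four pivots (handle, email, domain, IP) and flags the location as corroborated because the profile's stated city and the server's GeoIP agree. Real transforms differ only in where the data comes from; the pivoting and corroboration logic is the same.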