Chapter 26 Exercises: Social Engineering Attacks
Ethical Boundaries: Social engineering exercises must only be performed against yourself, willing participants, or within properly authorized assessment engagements. Never attempt social engineering against unwilling targets or without explicit authorization. These exercises are designed for learning in controlled environments.
Exercise 1: Psychological Principles Analysis
Collect five real phishing emails from your spam folder or from publicly available phishing databases (such as PhishTank). For each email, identify every psychological principle (Cialdini's principles, cognitive biases) being exploited. Write a detailed analysis explaining why each technique might be effective and what red flags should alert recipients.
Difficulty: Beginner
Objectives: Develop the ability to recognize psychological manipulation techniques in phishing communications.
Exercise 2: OSINT Self-Assessment
Conduct a thorough OSINT assessment of your own digital footprint. Search for your name, email addresses, usernames, and associated information across social media, public records, data breach databases (such as HaveIBeenPwned), and search engines. Document everything an attacker could find about you and create a plan to reduce your exposure.
Difficulty: Beginner
Objectives: Understand the information available to social engineers through OSINT and improve personal security hygiene.
Exercise 3: Phishing Email Creation
Design three phishing email templates targeting different scenarios: (a) a mass phishing campaign impersonating a popular service, (b) a spear phishing email targeting a specific role (e.g., finance manager), and (c) a whaling email targeting an executive. For each template, document the psychological principles used, the pretext, and the expected action. Do NOT send these emails to anyone -- this is a design exercise only.
Difficulty: Intermediate
Objectives: Understand the craft of effective phishing email creation for authorized testing.
Exercise 4: GoPhish Lab Setup
Install GoPhish in a lab environment and execute a complete phishing campaign workflow:
- Installation: Download and install GoPhish. Configure config.json with appropriate listener addresses for your lab environment
- Sending profile: Configure an SMTP sending profile using a local mail server (such as MailHog or hMailServer) or a test email service. Verify the sending profile works by sending a test email
- Email template: Design a convincing phishing email template using GoPhish's template editor. Include HTML formatting, a spoofed sender display name, urgency language, and a call-to-action link using GoPhish's tracking URL placeholder ({{.URL}})
- Landing page: Build a credential harvesting landing page that mimics a login form. Configure GoPhish to capture submitted credentials and redirect users to the legitimate site after capture
- User group: Create a target group containing your own test email addresses (at least three to see varied results)
- Campaign execution: Launch the campaign and interact with the phishing emails from different devices/browsers. Click some links, submit credentials on some, and ignore others to generate varied results data
- Results analysis: Examine the GoPhish results dashboard -- open rates, click rates, credential submission rates, and timeline data. Export the results and create a summary suitable for a client report
Difficulty: Intermediate
Objectives: Gain hands-on experience with professional phishing assessment tools.
Note: GoPhish is an open-source tool designed for authorized phishing simulations. Always obtain proper authorization before conducting phishing campaigns against anyone other than yourself.
Exercise 5: SET Credential Harvester
Using the Social Engineering Toolkit (SET) in a Kali Linux lab, set up a credential harvesting attack using the website cloner. Clone a login page (use your own test application, not a real service), serve it locally, and submit test credentials to verify the capture. Document the process and identify how a user could detect the cloned page.
Difficulty: Intermediate
Objectives: Understand SET's credential harvesting capabilities and their detection indicators.
Exercise 6: Vishing Script Development
Write three detailed vishing scripts for authorized testing scenarios: (a) an IT help desk calling about a security incident, (b) a bank fraud department verifying transactions, and (c) a vendor requesting updated payment information. For each script, include the opening, key talking points, responses to common objections, and the desired outcome. Include notes on tone, pacing, and background elements.
Difficulty: Intermediate
Objectives: Develop realistic vishing pretexts for professional social engineering assessments.
Exercise 7: Phishing Email Header Analysis
Obtain headers from five legitimate emails and five phishing/spam emails (from your spam folder). For each email, perform a detailed header analysis:
- Sender verification: Compare the From: header, Reply-To: header, Return-Path: header, and envelope sender. Identify any mismatches that indicate spoofing
- Authentication results: Locate and interpret the Authentication-Results: header. Record the SPF, DKIM, and DMARC results for each email. Note which phishing emails pass authentication and which fail
- Relay chain analysis: Trace the Received: headers (read bottom-to-top) to map the email's journey from sender to recipient. Identify the originating IP address and look it up for geolocation and reputation
- X-headers: Examine custom X-headers for indicators such as X-Spam-Score, X-Mailer, or security gateway verdicts
- Timing analysis: Check for timestamp inconsistencies that might indicate forged headers
Create a reference guide with a table showing: header name, what it reveals, what legitimate values look like, and what suspicious values look like. Include at least 10 key header fields in your guide.
Difficulty: Intermediate
Objectives: Develop email header analysis skills for phishing investigation and defense.
Tools: Use Google's "Show original" feature in Gmail, "View source" in Outlook, or copy headers from any email client. Online tools like MXToolbox Header Analyzer can help visualize relay chains.
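As an added example (not part of the chapter), the following Python script automates the sender-mismatch, authentication-result, relay-chain and timing checks listed above on a constructed message; the addresses, hosts and IP addresses in the sample are invented.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (addresses, hosts and IPs invented): the visible From claims
# bank.example, but envelope sender and Reply-To point elsewhere and the MX
# recorded SPF/DKIM/DMARC failures. The last Received header is the first hop.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP; Tue, 5 Mar 2024 10:02:09 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.mailer.example.net with SMTP; Tue, 5 Mar 2024 10:01:58 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: verify-account@mailer.example.net

"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_headers(raw):
    """Return sender fields, auth verdicts, originating IP and a list of red flags."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # Only the spf=/dkim=/dmarc= verdicts are extracted from Authentication-Results.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    received = msg.get_all("Received") or []
    # Each hop prepends its Received header, so the last one names the originating IP.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    flags = []
    if reply_to and _domain(reply_to) != _domain(from_addr):
        flags.append("reply-to domain differs from From")
    if return_path and _domain(return_path) != _domain(from_addr):
        flags.append("return-path domain differs from From")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            flags.append(f"{mech}={auth.get(mech, 'none')}")
    # Timing: reading bottom-to-top, no hop's timestamp should precede the one below it.
    stamps = [parsedate_to_datetime(h.rsplit(";", 1)[-1].strip()) for h in received if ";" in h]
    if any(b < a for a, b in zip(stamps[::-1], stamps[::-1][1:])):
        flags.append("received timestamps out of order")
    return {"from": from_addr, "reply_to": reply_to, "return_path": return_path,
            "auth": auth, "origin_ip": m.group(1) if m else None, "flags": flags}
```

Paste the raw headers from "Show original" into SAMPLE_HEADERS (or read them from a file) to run the same checks on real messages; the script does not do the geolocation or reputation lookup, which remains a manual step.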
Exercise 8: Physical Security Walkthrough
With proper authorization (e.g., in your own workplace or school), conduct a physical security assessment observation. Without actually bypassing any controls, identify potential physical social engineering vulnerabilities: doors that could be tailgated, areas without camera coverage, visible sensitive information, unlocked workstations, and unsecured access points. Document your findings and recommend mitigations.
Difficulty: Beginner
Objectives: Develop observation skills for physical security assessment.
Exercise 9: Security Awareness Training Design
Design a 30-minute security awareness training module focused on social engineering defense. Include: an introduction to social engineering concepts, real-world examples relevant to the target audience, interactive scenarios where participants identify attacks, a quick reference card for employees, and a post-training quiz. Make the training engaging and non-punitive.
Difficulty: Intermediate
Objectives: Develop skills in creating effective security awareness training materials.
Exercise 10: BEC Attack Simulation Design
Design a Business Email Compromise simulation for an authorized assessment. Define the target organization (fictional), develop the OSINT-based pretext, create the email sequence (initial contact through financial request), and design the verification controls that would prevent the attack. Document each stage of the BEC kill chain.
Difficulty: Advanced
Objectives: Understand BEC attack methodology and defensive controls.
Exercise 11: Deepfake Awareness Exercise
Research current deepfake generation capabilities and create an educational briefing for a non-technical audience. Include examples of real deepfake incidents (the 2024 Hong Kong video call fraud, political deepfakes), demonstrate detection techniques, and provide practical guidance for verifying the authenticity of voice and video communications. Include a list of verification procedures organizations should implement.
Difficulty: Intermediate
Objectives: Understand the deepfake threat landscape and develop educational materials for organizational defense.
Exercise 12: Phishing Domain Analysis
Research and document five techniques for creating convincing phishing domains: typosquatting, homograph attacks, subdomain mimicry, keyword domains, and TLD variations. For each technique, provide examples, explain detection methods, and describe defensive technologies (domain monitoring services, browser protections, DNS filtering) that can mitigate the threat.
Difficulty: Intermediate
Objectives: Understand phishing infrastructure and domain-based detection strategies.
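An added example (not from the chapter) covering the detection side of this exercise: it classifies constructed sample domains against an invented protected brand using the five techniques named above. The brand domain, keyword list, confusable table and the naive two-label domain split are all assumptions; a production monitor would use the public suffix list and a fuller confusables table.

```python
# Constructed watch-list and samples: the brand domain and every lookalike below are invented.
PROTECTED = ("examplebank.com",)
KEYWORDS = ("login", "secure", "verify", "account", "support")
# Character sequences that read as the letter on the right in many fonts (partial list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
SAMPLES = ["examplebank.com", "exarnplebank.com", "examp1ebank.com", "examplebank.co",
           "examplebank.com.secure-login.net", "examplebank-login.com", "ex\u0430mplebank.com"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(fqdn):
    """Naive split into (subdomain labels, second-level label, tld); no public-suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]

def classify(fqdn):
    """Return the lookalike techniques a domain matches against PROTECTED; [] if none."""
    # Homograph: a non-ASCII or punycode (xn--) label. Flag and stop; the rest assumes ASCII.
    if not fqdn.isascii() or any(l.startswith("xn--") for l in fqdn.lower().split(".")):
        return ["homograph"]
    subs, sld, tld = split_domain(fqdn)
    folded = sld
    for seq, letter in CONFUSABLES.items():
        folded = folded.replace(seq, letter)
    hits = []
    for brand in PROTECTED:
        _, bsld, btld = split_domain(brand)
        if sld == bsld:                        # same name: legitimate unless the TLD differs
            hits += ["tld-variation"] if tld != btld else []
        elif any(bsld in s for s in subs):     # brand used as a subdomain of another domain
            hits.append("subdomain-mimicry")
        elif bsld in sld and any(k in sld for k in KEYWORDS):
            hits.append("keyword-domain")      # brand plus login/secure/... in the name
        elif folded == bsld or edit_distance(sld, bsld) <= 2:
            hits.append("typosquat")           # confusable substitution or a small edit
    return hits

def scan(domains=SAMPLES):
    return {d: classify(d) for d in domains}
```

Feed scan() a list of newly registered domains or DNS query logs to turn it into a monitoring check.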
Exercise 13: Social Engineering Report Writing
Write a professional social engineering assessment report based on a fictional engagement. Include: executive summary, scope and methodology, campaign details (phishing, vishing, physical), quantitative results with charts, anonymized examples of successful and unsuccessful attempts, analysis of trends, and prioritized recommendations. Follow industry-standard formatting.
Difficulty: Advanced
Objectives: Develop professional reporting skills for social engineering assessments.
Exercise 14: MFA Bypass Research
Research how tools like Evilginx2 bypass multi-factor authentication through real-time phishing proxies. Document the attack flow, the technical mechanism, and the types of MFA that are and are not vulnerable. Create a comparison table of MFA methods ranked by phishing resistance. Recommend the most appropriate MFA solution for different organizational contexts.
Difficulty: Advanced
Objectives: Understand advanced phishing techniques that bypass MFA and identify phishing-resistant alternatives.
Exercise 15: USB Drop Attack Lab
Using a Rubber Ducky or Bash Bunny (or a simulation using a Raspberry Pi Pico), create a benign USB payload that, when plugged in, opens a text file explaining that the user has been part of a security awareness test. Deploy the device in your own lab environment and verify the payload executes correctly. Document the technical setup and discuss the ethical considerations of USB drop testing.
Difficulty: Intermediate
Objectives: Understand USB-based attack vectors and their use in authorized security assessments.
Exercise 16: Social Engineering Kill Chain Mapping
Select three real-world social engineering attacks (such as the Twitter 2020 breach, the RSA SecurID compromise, and the DPRK cryptocurrency scams). For each attack, create a detailed kill chain mapping:
- Target selection: Who was targeted and why? What made them attractive targets?
- Information gathering: What OSINT or reconnaissance was conducted? What information was gathered about the targets and organization?
- Pretext development: What pretext was used? Why was it convincing for the specific targets?
- Attack planning: What infrastructure and tools were prepared? What contingencies were planned?
- Execution: How was the attack delivered? How did the targets respond? Were there multiple attempts?
- Exploitation: What was achieved? How did the attacker leverage initial access for further objectives?
For each attack, identify: (a) which phase was most critical to success, (b) at which phase defensive controls could most effectively have disrupted the attack, and (c) what specific training or controls would have prevented the attack.
Create a comparison table showing the three attacks side by side across all kill chain phases, highlighting commonalities and unique aspects.
Difficulty: Intermediate
Objectives: Develop analytical skills for understanding social engineering attack methodology through real-world case studies.
Research Sources: Use the chapter's case studies, published incident reports, FBI/CISA advisories, and news coverage as primary sources.
Exercise 17: Pretexting Exercise
Working with a willing partner, practice pretexting scenarios in a role-play exercise. One person plays the attacker, the other plays the target. Run through three scenarios: (a) calling a help desk to reset a password, (b) requesting entry to a building as a vendor, and (c) asking a colleague to share a sensitive document. After each scenario, debrief: what worked, what raised suspicion, and what training would help the target resist.
Difficulty: Beginner
Objectives: Develop practical pretexting skills in a safe, controlled environment.
Exercise 18: Comprehensive Social Engineering Assessment Plan
Design a complete social engineering assessment plan for a fictional mid-size organization (500 employees, multiple offices, mixed remote/on-site workforce). Include: scope definition, authorization requirements, target selection methodology, phishing campaign plan, vishing campaign plan, physical assessment plan, infrastructure requirements, timeline, metrics to track, reporting plan, and ethical safeguards. This exercise synthesizes all concepts from the chapter.
Difficulty: Advanced
Objectives: Develop comprehensive planning skills for professional social engineering assessments.