The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

Spying or Espionage

“Spies from all around the world are taught different methods of “fooling” victims into believing they are someone or something they are not. In addition, to being taught the art of social engineering, many times spies will also build on credibility by knowing a little or even a lot about the business or government they are trying to SE.”  Chris Hadnagy, Social Engineering, The Art of Human Hacking

Espionage, commonly known as spying, is the practice of secretly gathering information about a foreign government or a competing industry, with the objective of placing one’s own government or corporation at a strategic or financial advantage. However, espionage is not synonymous with all intelligence-gathering disciplines. For example, codebreaking (cryptanalysis or COMINT), aircraft or satellite photography, (IMINT) and open publications research (OSINT) are all intelligence gathering disciplines, but are not considered espionage. MI5’s official website comments on the shifting focus of espionage. In the past, espionage was typically focused on obtaining political and military intelligence. However, with the increase in technology the focus has broadened to include communications technologies, IT, energy, scientific research, aviation and other fields. The following examples of military and industrial espionage illustrate how influence tactics were implemented to carry out the social engineering attacks.


State Sponsored Facebook Fakes

In January 2017 the Israeli Defense Forces published a blog on their website describing an attack on their soldiers and it’s all about the influence tactic known as liking. The attackers (reportedly Hamas operatives) created fake Facebook profiles of attractive young women with the goal of enticing Israeli Defense Forces (IDF) soldiers to befriend them. After building trust and rapport through messaging and photo sharing the operative inquires if the soldier would like to video chat. To do so, requires installing an app that is actually a virus. Once installed the soldiers’ mobile device becomes an open book. Contacts, location, apps, pictures, and files are all now accessible to Hamas operatives.

'Elianna' sends a picture to an unsuspecting IDF soldier

‘Elianna’ sends a picture to an unsuspecting IDF soldier


Iranian Hackers/Spies, aka Cobalt Gypsy aka OilRig, Create ‘Mia Ash’

In early 2017 Secureworks unearthed a years-long campaign of espionage and possibly data destruction all centered around a pretty, but fake, photographer named ‘Mia Ash’. The ‘Mia Ash’ persona had active accounts on LinkedIn, Facebook, Blogger and WhatsApp. Once again, the influence tactic of liking is seen in this espionage campaign. After building rapport and trust through messaging and photo sharing, ‘Mia Ash’ would send a ‘photography survey’ to ‘her’ target. Usually a middle age man in the telecommunications, government, defense, oil, or finance industry. The ‘photography survey’ in reality was an attachment with concealed malware. The malware gave ‘Mia Ash’ complete control to the compromised computer with access to network credentials.

Timeline highlights sample activity involving the Mia Ash persona, including activity associated with two victims - Secureworks

Timeline highlights sample activity involving the Mia Ash persona, including activity associated with two victims – Secureworks


Fancy Bear aka APT 28 Spear Phishing Attacks Breach Podesta, Powell, and the DNC

The 2016 US presidential election will be remembered, among other things, for spear phishing attacks that targeted high profile members of government. On March 19, 2016, Hillary Clinton’s campaign chairman John Podesta, received an alarming email that appeared to come from Google informing him that someone had used his password to try to access his Google account. The phishing email included a link to a spoofed Google webpage informing him to change his password. Mr. Podesta clicked the link and changed his password, or so he thought. Instead, he gave his Google password to Fancy Bear, a Russian state-sponsored cyber espionage group.

Bronze Butler or Tick Suspected of Stealing IP From Japanese Enterprises

The attackers known as Bronze Butler and Tick continue to use spear phishing and watering holes to breach intellectual property. As reported on October 12, 2017 by Secureworks, the targets selected are related to technology and development, business and sales information, emails and meeting schedules, product specifications, and network and system configuration file.

The report does not include the specifics of the spear phishing emails, however the very nature of a spear phish implies that the attackers have spent time conducting OSINT. Using influence tactics such as authority, obligation, reciprocity the attackers can craft an email that caters to the recipient’s job, personal situation or preferences. For example, the email may claim to come from a company you do business with such as your bank, or the internet company you use like Google. Because spear phishing emails leverage a certain level of information about an individual they can be very difficult to detect or resist.

The Takeaway

  1.  Be security conscious when it comes to information you make public on any social media platform. As reported by naked security all IDF soldiers targeted by Hamas in the ‘Facebook Fake’ attack were found through public photos with tags and posts revealing they were active in IDF military service.
  2. The use of social media by Cobalt Gypsy and spear phishing by Bronze Butler highlights the importance of ongoing social engineering training. Clear guidelines for social media usage, as well as education or identifying potential phishing lures are essential for employees. Clear company policies should be in place for reporting potential phishing messages received through corporate email, personal email, and social media platforms.