Social engineering part 2 (human based attack)

This is an article on the many ways a person can perform social engineering.

Human based SE
_____________________________________________________________________________________________________________________________________
Phishing:

I hope everyone knows what this is, but just in case you don't, go to this link.

http://en.wikipedia.org/wiki/Phishing

You can use emails to gain information about a network or a person. Let's say you send an email to someone pretending to be Amazon.com, saying their account is going to be deactivated unless they click on the link provided and update their credit card information. Once they click on the link they are sent to a fraudulent page where they unwittingly submit their credit card information.

This can be useful to gain information on the target such as their SSN, date of birth, address, full name, and phone number.


_____________________________________________________________________________________________________________________________________
Impersonation:

There are several types of impersonation, so I will list and explain each of them.
-------------------------------------------------------------------------------------------------------------------------------------
Pre-Texting

Pre-texting definition:

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is typically done over the telephone. It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

Example:

Say you call a company because you want information about a person so you can use it against them. Obviously the company is going to have security measures in place to stop just anyone from accessing this information. If you have the person's SSN and their DoB you can do a lot, as most companies in the US only require this. So if you call with this information you can most likely pretend to be them and gain further information about the person. This is not easy for some people to do, as it requires good bullshitting techniques.

Real Life Example:


A man calls a company help desk and says he's forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might even fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the person clear entrance into the corporate network.

This is a good example of using people's good and caring nature against them.

In December 2006 the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and 10 years in prison for individuals (or fines of up to $500,000 for companies).

Think about this before you try anything.
--------------------------------------------------------------------------------------------------------------------------------------

Quid pro quo:

aka something for something.

This is when you offer someone a service in order to gain what you want. Sometimes it is apparent and sometimes it is not.

apparent:

There are instances where you can come straight out and say "If you give me the password to your computer at work I will give you some chocolate", sort of like baiting them. This may be a dumb example, but you can explore the possibilities of how to modify it to get what you want.

Not apparent:

Real Life Example:
You call random numbers at a company claiming to be calling back from technical support. Eventually you will hit someone with a legitimate problem. Being grateful that someone is calling back to help them, they cooperate. You "help" solve the problem and in the process have the person type commands that give you access and/or launch malware.
---------------------------------------------------------------------------------------------------------------------------------------
Reverse Social Engineering:

A more advanced method of gaining illicit information is known as reverse social engineering.

This is when you create a persona that appears to be in a position of authority, so that employees will ask you for information rather than the other way around.

The three parts of reverse social engineering attacks are sabotage, advertising and assisting.

Just think of what you can do to a company if the people you are talking to think you are an administrator. You could tell them to do things that would be detrimental to the company and possibly make it lose money.
_________________________________________________________________________________________________________________________________________

Curiosity:

You can take advantage of a person's curiosity.

If you were to leave an infected disk or USB drive on the sidewalk, in an elevator, or in the bathroom and put a label on it that says something like "Financial records 2007" or something creative, it is almost guaranteed that someone will be curious about the contents of the disk or drive and put it in their computer, not knowing they just ran a virus and now their computer is infected.

Example: You want to bring down this company, so you make a CD with malware on it and leave it on the bathroom floor. Someone who works there picks it up, is curious about the contents, and puts the virus on their computer on the network. You now have a way in to do what you want. But what if a good Samaritan picks up the disk and turns it in to the front desk? Well, if you have a creative label on the disk and perhaps a company logo, the company might think it is their CD and it would be given to the appropriate employee or perhaps even an administrator of the company. In the end you win either way.

Comments

M00nRid3r on April 26 2008 - 13:35:20
Curiosity killed the cat.... or network. Aside from my poorly crafted joke, this was very good. I never knew that people could be manipulated in such ways.
ynori7 on April 26 2008 - 17:41:34
Pretty good. I get a lot of people from Nigeria trying to use some of those techniques on me over Yahoo, and South Africans trying to phish me, but they're really bad at it. Sometimes it's fun to turn it around and mess with them.
korg on April 26 2008 - 19:03:54
@ynori7 Those Nigerian scams kill me; they try that shit on eBay all the time. It's fun to send them fucked up info on yourself and get them going. Getting better there, midgey. Lot more content this time.
ShapeShifters on April 26 2008 - 20:06:22
This was a pretty good read. I never thought about the curiosity one before, but it's actually a pretty good idea.
cubeman372 on April 26 2008 - 21:47:35
Awesome article. I'd really like to see you produce more, going into each of the topics you mentioned more in depth. :happy:
fallingmidget on April 26 2008 - 22:10:30
It's hard to go into depth with SE because it's so open. Nothing is set, so you can change everything.
cubeman372 on April 26 2008 - 22:47:57
But there are a lot of elements to social engineering and psychological manipulation which can be applied over and over again. Even though the applications vary, they come from the same roots. Good luck with future articles. :)
Feralas on April 27 2008 - 07:06:37
Great articles. Keep 'em coming.
Uber0n on May 02 2008 - 10:22:50
The last part (about curiosity) is an almost bulletproof method to infect other computers. If you want to target a special person, you can also send the disc to them in the mail (with a label like: your beta version of Doom 4, hot XXX videoz, company secrets etc.)
japanesedude on May 07 2008 - 22:38:36
Better than the intro. Voted good.
noshelter on May 26 2008 - 04:51:43
Much better than the intro.
© HellBound Hackers 2008- 2009. Since 3rd December 2004.