Friday, April 25, 2014
Social Engineering: Part II

Who's to say you don't always get what you want? Put a little social engineering into your life and you'll never have to beg for anything again.

Social Engineering

Social engineers are all over. If you work at a rather large corporation, then you will be, or already have been, a victim of a social engineer.

These con artists / expert swindlers / grifters will cover you with a blanket of attractiveness, trust, security, and friendship. While you are feeling comfortable about what the stranger has to offer, he is pumping you for information.

Surely, at your work you have some sort of code, or maybe just lingo, that only the employees know and use. You use the terms and codes all day: writing them on documents, punching them into phone calls, telling other employees, etc. How could it be important if so many people know it?

People tend to judge a book by its cover. A social engineer who speaks like an insider might be taken as an employee. If he asks for a code, there would be no reason to question him.

Let's take Hank for example. He works at a computer research lab called "Salligin Tech." Over at Salligin, they have a database of all employee records and whatnot.

*His phone rings at his desk*

Hank: Salligin Tech, Hank speaking...

Lance: Hello, Hank. My name is Lance. I'm from Hierarchy Ltd. in Georgia. My company and yours are currently pondering a merger. May I ask you a question?

Hank: Sure

Lance: My boss has spoken to the CEO over there at Salligin and they've combined our databases. What is the pass number when trying to edit information within the EMP DB? (Yes, E M P D B. It was the lingo for Employee Database.)

Hank: Hold on, let me check.
Hank: 99487

Lance: 9 9 4 8 7?

Hank: Yeah.

Lance: Thank you, Hank.

Hank: No problem.

Lance: Have a nice day.

Later that day, Lance used TELNET to connect to Salligin Tech's employee DB and erased an employee's entire table. This erased his AuthID, computer name, entry code, and everything else that the employee needed to have.

Lance was a crooked private eye who had been given the task of erasing a certain client's foe's existence from the company he worked for.

As you see, Hank willingly told the pass number without a bit of doubt. Why should he have doubted? A fellow employee of a company that was merging with his needed help. The stranger on the phone was so nice and sounded professional.

Let's examine one more social engineer attack...

David is a new employee at BestPurchase. As any newbie would, David wanted to make a good impression and to delight his boss. Here's how it went:

*The phone at David's register rings*

David: You've reached BestPurchase, this is David. How can I help you?

Brad: Hi David, my name is Brad. Is Natalia there? (Brad had learned that Natalia was the manager, the Big Guy, er, Big Girl. He also knew that she was on vacation.)

David: No. I'm sorry. Natalia is out on vacation until August.

Brad: Oh. Darn. Would you happen to know anything about the "Sign-Up Tab" program Natalia launched before she left?

David: No, sir. This is my first day.

Brad: Oh, I see. Well, it's basically this thing where workers write down a list of friends and family on a sheet, and then those select few can come in and just sign the receipt, and the worker will pay for it at the end of the month.

David: That's cool.

Brad: Yeah. So anyway, my name is written down on Natalia's list. I'll be going into town to get a few things; would you be ready for me to show up and sign a receipt?

David: I don't know. How do I know that you're on Natalia's list?

Brad: Go fetch her list from her office if you don't believe me.

David: I'm not allowed in there.

Brad: You don't have to mess with anything. Just go fetch her list and get out.

David: No, no... what was your name?

Brad: Brad King. Now am I going to have to call Natalia in Florida right now and tell her that I can't get my new laptop because you're holding me up?

David: *sigh* So I just give the receipt to Natalia when she gets back and she pays for it?

Brad: Right.

David: OK. I'll see you soon then.

Brad: Bye

A little later, "Brad" comes into BestPurchase, grabs his laptop, and goes up and down the aisles until he sees a man with the name tag "David." David scans the item and prints out a receipt; "Brad" signs it and walks out the door with the best laptop in the store, which he got for FREE. Once Natalia returns, David gets fired while explaining it, and all they have for evidence is a receipt signed by a non-existent "Brad King."

You'll notice that David wasn't going to give in at the start. Brad had to pull two tricks on him. The first was that Brad kept talking to David as if he were a dog: "FETCH her list," "Just go FETCH it." We don't like to be talked to like that, so David did what "Brad" wanted him to do: not look for a list.

Then "Brad" didn't really threaten David, but it came close. When Brad mentioned how he was going to have to call Natalia and complain about the service, David got nervous. It was his first day, and having the top boss get called because he wouldn't listen to a man was pretty scary.

Finally, David was won over.

BluMoose on November 15 2005 - 20:19:13
Really great article. Shame the SE bot doesn't act like a normal person.
Trojanman15 on February 03 2006 - 06:03:21
heh i might try the laptop thing
darkwizzard on June 17 2006 - 22:44:51
Fine article. Good example of SE. I'll rate it Very Good.
darkwizzard on June 17 2006 - 22:46:56
Why not make it awesome?
Deviance_13 on October 28 2007 - 16:31:14
Don't make fun of me, it was my first day!
DonMilano on April 14 2012 - 12:19:57
amazing, u rock. thx