Most of our social engineering jobs begin the same way – researching our “victims”. Whether it’s the accounts manager that we want to coax into paying a fake invoice, or the security guard who we need to convince to let us in through the staff door, getting to know our target helps us formulate our plan.
OSINT Like a Car Bonnet
OSINT (Open Source Intelligence) is always a great starting point for intelligence gathering. One of the best places to start is the company website. If we’re lucky, there’s an “About Us” page which has the names and faces of the team members, along with their job titles.
This is a priceless source of information to a criminal – and to us on our social engineering missions. Sometimes each staff member will even have a little bio so we can find out more about them.
If we can’t get much information from the company website, the next logical step is often LinkedIn. It’s the perfect tool for gathering the names, photos, and even email addresses of employees. Once we know what they look like, we can enter the next stage – social media.
#DeleteFacebook is trending on Twitter again this week, for yet another reason. It’s no secret that Facebook is inundated with issues regarding privacy and data, but one of the biggest problems lies within the information we ourselves choose to share, and what can be done with it.
Often we put our job titles and company name on Facebook. This could be to make it easier to connect with colleagues, or because we’re simply proud of our achievements. Whatever the reason behind it, we could actually be aiding criminals in their research. If you have a commonly-used name such as Amy Smith, a criminal might struggle to find you on Facebook to further their research. When you add “customer service manager at X Company” to your profile, it suddenly becomes much easier to track you down.
Once a criminal has found you, it’s just a case of how much information they can siphon from your profile. If it’s totally public, they will have a field day. They can take notes of places you’ve been, meals you’ve posted pictures of, and groups and pages you’re interested in.
This kind of information can be used to trick and manipulate you – but we’ll get to that shortly.
The list of reasons to delete Facebook is forever growing, but if this isn’t practical for you (we know, it’s easier said than done!) you should at least take steps to ensure your information is private.
Change the privacy of your posts and photos so that only people on your friends list can see them, and consider whether information about your job really needs to be there.
Be wary of accepting any friend requests from people you don’t know. Is it just another random, weird stranger, or it is a criminal attempting to gain access to the information on your profile?
Following the Trail
Once a criminal has your Twitter handle or Facebook URL, they can follow this trail across the internet. Your Pinterest account, GitHub library, even accounts for adult websites – if you use the same username across accounts, a criminal can easily track them down.
The more we can learn about the victim, the better, as often during our tests we will have to think on our feet, so any intel we have that can coax the target into doing what we need is invaluable.
Finding Common Ground
Now we’ve completed the intel gathering stage, we can move onto the attack. The importance of learning everything we can is apparent in our penetration tests, as we rely on manipulation.
Whilst the disguise itself may be enough to get past the receptionist, pair it with a personalised touch, and it’s hopefully plain sailing.
People love connecting with others about things they’re passionate about. This could be anything from a love of dogs, a passion for war documentaries, or an interest in politics.
Let’s say we found the receptionist, Dale, on Facebook. We rooted through his profile for any information that could come in useful. We hit gold when we found out he moved to Sheffield from Australia five years ago.
Creating common ground is a simple way to expedite the rapport-building process. Strolling into the office and hitting Dale with a simple “G’day mate” can be enough to flip the switch.
It’s easy to imagine Dale looking up from his desk and asking the visitor if he is Australian. Whilst saying yes to this question might be a hard story to stick to, explaining no, but you visited Melbourne last month and are still in holiday mode, would usually be enough.
It’s then time to engage Dale in a conversation about how he used to live in Australia. Listen to him and nod as he explains everything he misses about Australia and how Sheffield is so cold. This sort of interaction can result in a quick building of trust and distract someone from what they’re supposed to be doing.
Once the conversation is coming to a close, you can finally tell Dale the reason for your visit and ask him to open the door. Is he really going to start interrogating you when he has just spent the last five minutes recounting the time he came home to find a kangaroo blocking his gate, whilst you listened in awe?
Nothing is Out of Bounds
Such a simple piece of information can go such a long way when it comes to manipulating people. The key is finding the right information.
We’re not ashamed to say that a tactic we’ve used in past social engineering attempts is pretty unusual – however we are there to simulate what real criminals would do, so nothing is out of bounds.
Last minute research will often yield the best results. We might know who the receptionist is and their age, but have no other useful information. Sometimes you just need to look in the right places.
Standing outside the office complex, our social engineering consultant loads up Tinder. Sets the age range to encompass that of the receptionist, Dawn, and changes the radius to only check for women within 1km.
Of course sometimes, we get nothing from this, as not everyone is on online dating platforms. However we’ve struck gold more than once.
Suddenly, up pops Dawn’s photo along with a little bio. She likes dogs, art, and is currently learning Spanish. This is more than enough information to go on, but the other key takeaway is that she’s on Tinder. She’s single, and she’s actively looking for a partner.
This is where our consultant can strut in, flash Dawn his best smile, and compliment her outfit. We know, it seems very manipulative…that’s because it is. This is the sort of thing that a criminal wouldn’t think twice about doing, so we’re here to test its effectiveness.
Then the bottom line is that Dawn either melts at our feet and hands us the key to the castle, or she remembers the visitor policy and sends us back out into the foyer to wait for a member of staff.
Keep Your Friends Closer
Not all criminals will come disguised as friendly, charismatic individuals. And not all friendly, charismatic visitors are criminals.
The key lesson is to never take a visitor at face value. Just because they seem awfully nice and make you feel like you’ve known them forever, it doesn’t mean that they’re trustworthy.
Make sure you always adhere to your organisation’s visitor policy and take time to stop and check the credentials of someone before you allow them access to confidential spaces.
Want to know if your receptionist is on Tinder? Take a look at our penetration-testing services and talk to us about how we can help improve your site security.