Social Engineering - Christopher Hadnagy [156]
After you write a script you should practice it over and over so you sound real, genuine, and believable.
This is where your information-gathering sessions will become vital. The better the information the social engineer gathers the clearer the script will become. I find it useful to read a few facts on the hobbies and interests of the target so I can use that to build rapport.
Once you have all the information laid out it can be helpful to then outline a plan of attack. In the case discussed previously—the CEO of the printing company—I had to develop an outline that would allow me to utilize the key parts of my pitch, high points I wanted to hit, as well as notes to myself like, “speak clearly,” “don’t forget to push the charity,” “slow down,” and so on, which kept me focused during the call.
Using a script or outline versus a fully written out manuscript will keep you fluid and natural and allow creative freedom when presented with things you didn’t plan for.
The telephone is still a deadly tool for the social engineer and when used with the principles mentioned so far in this book, it can lead a social engineer down the path of success.
Password Profilers
Another set of tools that bears mentioning helps you profile targets and the passwords they may use. After you have gathered all the information you can on a target, your next step is to develop a profile. A profile is where you plan out a few attack vectors you feel will work and also where you can start to build a list of potential passwords to try in brute force attacks. From a tool perspective, having a list of possible passwords can assist in expediting a hack if you are presented with that option. This section covers a couple of profilers that are available.
Password profiling tools can take hours or even days off the work that you need to do.
Each year the number of people falling prey to simple attacks increases, despite the many warnings that are issued. The number of people who list all sorts of information about themselves, their families, and their lives on the Internet is amazing. Combining a profile built from their social media usage, what is found elsewhere on the web, and using the tools discussed subsequently, a social engineer can outline a person’s whole life.
One of the reasons this works so well is the way that many people choose their passwords. It has been proven that many people will use the same password over and over again. What is worse is that many people choose passwords that can be easily guessed with little to no skill.
Recently, BitDefender, an Internet security firm, performed a study that proved this fact. BitDefender analyzed the password usage of more than 250,000 users. The results were amazing: 75% of the 250,000 used the same passwords for email as well as all social media accounts. This should be especially scary considering the recent story of how 171 million Facebook users had their personal information released on a torrent. The full story can be found at www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email.
In 2009 a hacker by the nickname of Tonu performed a very interesting bit of research. With no malicious intent he obtained a recently dropped URL of a popular social media site. He spoofed the page, then for a brief period of time logged the attempts of people trying to log in.
You can view the results at www.social-engineer.org/wiki/archives/BlogPosts/MenAndWomenPasswords.html.
Some of this data will shock even the most seasoned security professionals. Out of 734,000 people, 30,000 used their first name as a password and almost 14,500 used their last name. Although those numbers are shocking, what was found next was mind blowing—the top eight most commonly used passwords are outlined in the following table.
Password     Gender    Number of Users
123456       M         17601
password     M         4545
12345        M         3480
1234         M         2911
123          M         2492
123456789    M         2225
123456       F         1885
qwerty       M         1883
17,601 males used the password 123456? Staggering statistics.
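A defensive counterpart to these figures, added here as an example and not taken from the book: a password-change check that rejects the common passwords in the table above and any candidate built from the user's own name or other public profile facts. The profile fields, the look-alike character map, and the sample values are constructed assumptions.

```python
import re

# Unique entries from the top-eight table on this page ("123456" appears twice).
COMMON_PASSWORDS = {"123456", "password", "12345", "1234", "123",
                    "123456789", "qwerty"}

# Constructed look-alike map (assumption): characters often swapped for letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _core(text):
    """Lowercase, drop leading/trailing digits and symbols, undo look-alikes."""
    text = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", text.lower())
    return re.sub(r"[^a-z]", "", text.translate(LEET))


def screen_password(candidate, profile):
    """Return the reasons to reject `candidate`; an empty list means it passed.

    `profile` maps a field name to a fact about the user that can be found
    publicly (name, pet, team, ...). The field names are hypothetical.
    """
    reasons = []
    core = _core(candidate)
    if candidate.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password")
    for field, value in profile.items():
        token = _core(str(value))
        # Tokens under three letters would match too many unrelated words.
        if len(token) >= 3 and token in core:
            reasons.append(f"contains {field}")
    return reasons


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = {"first_name": "John", "last_name": "Smith", "pet": "Rex"}
    for pw in ["123456", "P@ssw0rd!", "J0hn2009", "tqv8-mwzl-r2kd"]:
        print(f"{pw!r}: {screen_password(pw, user) or 'accepted'}")
```

Run the check at account creation and on every password change, with the profile populated from whatever the account record already holds about the user.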
If this