Social Engineering - Christopher Hadnagy [166]

I had a verified e-mail address. Now I just had to verify it was the CEO’s and not some other guy with the same name.

I spent some more time on Google and Maltego to harvest as much information as I could. Maltego has this great transform that allows me to search a domain for any files that would be visible to a normal search engine.

I ran the transform against the company’s domain and was greeted with an amazing number of files for my browsing. Maltego doesn’t stop with just providing filenames with this transform. Many files contain metadata, which is the information about the dates, creators, and other little juicy tidbits about the file. Running Maltego’s metadata transform showed me that the majority of these files were created by a “Chuck Jones.” Much of the content in the files talked about him as the CEO.
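The metadata the passage describes (creator, last-modified-by, creation and modification dates) is stored inside Office files themselves, which is why a search-engine-visible document leaks it. The following is an added defensive example, not code from the book or from Maltego: a pre-publication check that a document owner can run on files before they are posted to a public site, reporting the identifying core-properties fields and producing a scrubbed copy. The workbook is a constructed in-memory sample (only the metadata part is realistic; the sheet contents are placeholders) and the names and dates in it are made up for the example.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Office Open XML files (.docx/.xlsx/.pptx) are ZIP archives. Document
# properties live in docProps/core.xml using the Dublin Core and
# core-properties namespaces below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep original prefixes on output

# Fields that identify people or reveal a timeline; these should not leave the
# organisation in a document that is going to be published.
SENSITIVE_FIELDS = ("dc:creator", "cp:lastModifiedBy",
                    "dcterms:created", "dcterms:modified")

# Constructed sample core.xml; the person and dates are invented for the example.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:title>InvoiceApril (constructed sample)</dc:title>
  <dc:creator>Chuck Jones</dc:creator>
  <cp:lastModifiedBy>Chuck Jones</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2010-04-12T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2010-04-13T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_xlsx() -> bytes:
    """Build a minimal zip with the layout of an .xlsx (sheet parts are stubs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("xl/workbook.xml", "<workbook/>")     # placeholder part
    return buf.getvalue()


def _tag(field: str) -> str:
    prefix, local = field.split(":")
    return f"{{{NS[prefix]}}}{local}"


def extract_core_metadata(data: bytes) -> dict:
    """Return the sensitive core-properties fields present in the document."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for field in SENSITIVE_FIELDS:
        el = root.find(_tag(field))
        if el is not None and el.text and el.text.strip():
            found[field] = el.text.strip()
    return found


def scrub_core_metadata(data: bytes) -> bytes:
    """Return a copy of the document with the sensitive fields removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(payload)
                for field in SENSITIVE_FIELDS:
                    for el in root.findall(_tag(field)):   # findall -> list, safe to remove
                        root.remove(el)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for field, value in extract_core_metadata(sample).items():
        print(f"LEAK {field} = {value}")
    clean = scrub_core_metadata(sample)
    print("after scrub:", extract_core_metadata(clean))
```

Running the check over a directory of files about to be published, and blocking any file that still reports a creator or a modification date, is the control that would have denied the attacker the name used to confirm the CEO's identity in this story; the scrubbed copy keeps the title and the document body untouched.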

This was the confirmation I needed, but during my browsing one file had caught my eye—InvoiceApril.xls. Upon reading that file I discovered it was an invoice from a local bank for a marketing venture Chuck was involved in. I had the bank name, the date, and the amount, but I didn’t have the event the company was a part of.

I did a quick search of the bank website but because the event was six months earlier it was not listed on the site. What could I do?

I decided to place a call to the marketing person from the bank:

“Hi, this is Tom from [CompanyName]. I am trying to organize our books and I see an invoice here from April for $3,500 as a sponsorship package. I don’t see the event name—can you please tell me what that invoice was for?”

“Sure, Tom,” she said and I heard some clicking noise in the background. “I see that was the bank’s annual Children’s Cancer Fund Drive and you were part of the Silver Package.”

“Thanks a lot; I am new here and I appreciate your help. Talk with you later.”

I was beginning to see a picture of a possible attack vector that I could use, but I needed some more research and I needed to make a very carefully planned phone call.

I found a few articles on the Web about this fundraiser and how many companies came from all over the community to support it with money for cancer treatment research. In addition, the more digging I did into the CEO the more I found out about him. I had his parents’ names, his sisters’ names, pictures of his kids that he has on Facebook, the church he went to when he lived near his parents, a review he wrote of his favorite restaurant, his favorite sporting team, his oldest son’s favorite sporting team and where he attended college, where his kids go to school, and the list goes on and on.

I wanted to find out why the company donates to the Children’s Cancer Fund. Although many malicious social engineers exploit others’ emotions, and I realized I might have to go down that path as well, I wanted to know whether the fund was something he was involved in because one of his sons has cancer. I placed a call to the marketing director of the company:

“Hello, this is Tom from XYZ. I was hired by First National Bank in town to call those who took part in the April Children’s Cancer Fund and I was wondering whether I could take a few minutes of your time to get some feedback?”

“Sure,” Sue, the marketing director, said.

“Sue, I see that you were part of our Silver Package in April. Did you feel the marketing you received was worth the price you paid?”

“Well, this is something we do every year and it does get us a lot of press time in the local area. I guess I wouldn’t mind seeing a little more on the website for the Silver Package.”

“Excellent; I will note that. Every year—yes, I can see you do this every year. I am wondering personally, with so many fundraisers out there why did you choose this one?”

“I know Chuck has always been particular to this one. He is our CEO and I think someone in his family battled cancer.”

“Oh my; I am sorry to hear that. It isn’t his own children is it?”

“No, I think a nephew or cousin. We didn’t really talk about it.”

“Well, we certainly appreciate your donations and support.”

I finished up with a few more questions and then
