Social Engineering - Christopher Hadnagy [167]
I got the information I needed—it wasn’t one of his kids who had cancer. Again, I knew this wouldn’t stop a malicious social engineer, but I was very curious. Armed with this information I was ready to plan my attack vector.
I knew the CEO was originally from New York and his favorite restaurant was a place called Domingoes. He would bring his kids in often for a Mets game and then they would go eat at Domingoes.
He wrote some ratings on the place and talked about his top three favorite dishes. From some other things he wrote on Facebook, I knew his parents still lived close by and that he visited often.
I planned my attack vector to be a fundraiser for cancer research. It was for the tri-state area and for a small donation one’s name would be entered into a raffle. The raffle prize would be two tickets to a Mets game and a choice of three restaurant coupons, one of which was Domingoes.
I would pretend to be from New York myself, but relatively new, in case he threw things at me I didn’t know.
My end goal would be for him to accept a PDF from me that would be maliciously encoded to give me a reverse shell and allow me access to his computer. If he did not use a version of Adobe that would allow me access, then I would try to convince him to download a zip file and execute an enclosed EXE that would have the malicious file embedded.
I practiced the phone conversation I would use for my pretext, I tested my PDF and EXE files, and I had Google Maps open to the location of Domingoes so I could talk about that area openly. After I had my computer ready and waiting to receive the malicious payload from the victim, I was ready to place the call.
I placed the phone call around 4:00 p.m., because I found out through the company website that the office closes at 4:30 on Fridays. Because I wasn’t on the initial meeting phone call to set up this audit (my partner was), the CEO would not recognize my voice.
“Hello, is Mr. Charles Jones available?”
“Sure, one second.” The voice on the other end sounded tired and was ready to transfer me.
“Hello, Chuck speaking.”
“Hello, Mr. Jones, my name is Tony from the Cancer Research Institute of America. We are running an annual fund drive to support our research into cancers that plague men, women, and children.”
“Please, call me Chuck,” he interrupted.
This was a good sign because he didn’t give me any excuses or try to end the phone call saying he was busy; he took it upon himself to personalize the conversation. I continued, “Chuck, thank you. We are running a fund drive for companies who supported cancer funds before and are asking for small donations of $50–$150 dollars. The great part is that everyone who helps us out is being entered into a drawing for two great prizes. If you win you get two tickets to a Mets game in NYC and then a free dinner for two at one of three great restaurants. We are giving out five of those packages.”
“Mets game, really?”
“I know, if you don’t like the Mets the prize might not appeal to you, but the restaurants are good.”
“No, no, I love the Mets, that’s why I said that. I was happy.”
“Well think about this—not only are you helping out a great research fund but you get a good game in and you get to eat at Morton’s, Basil’s, or Domingoes.”
“Domingoes! Really! I love that place.”
“Ha, that is great. You know I just went there the other night for the first time and had their Chicken Portabella. It was awesome.” This was his third-favorite dish.
“Oh, if you think that is good, forget it, you need to try the Fra Diablo. It is really the best dish in there. I eat it all the time.”
“I am going there again over the weekend, I will definitely try it out. Thanks for the tip. Look, I know it is getting late. Right now I am not even looking for money, I don’t take money over the phone. What I can do is send you the PDF; you can look at it and if you are interested you can just mail the check in with the form.”
“Heck yeah, send it over.”
“Okay just a couple questions. What is your e-mail?”
“chuck.jones@company.com.”