Online Book Reader


Social Engineering - Christopher Hadnagy [18]

regard to information gathering:

How can you gather information?

What sources exist for social engineers to gather information?

What can you glean from this information to profile your targets?

How can you locate, store, and catalog all this information for the easiest level of use?

These are just a few of the questions that you will need to find answers for in order to accomplish proper and effective information gathering. With the plethora of social networking sites out there, people can easily share every aspect of their lives with anyone they choose, making potentially damaging information more readily available than ever before. This chapter focuses on the principles of information gathering by presenting examples of how it can be used in social engineering and the devastating effects some of the information people release on the Web can have on their personal and business security.

Many of the skills or methods that a social engineer may use come from other fields. One field that is superb at gathering information is sales. Salespeople tend to be very talkative, easygoing, and very good at collecting data about those with whom they interact.

I once read a book on sales in which the author encouraged salespeople to gather referrals from the buyer—something along these lines: “Can you tell me one person who you think could benefit from this product as much as you will?”

Using simple wording can get a person to open up and refer family, friends, and maybe even coworkers. Harvesting, or gathering this information and then storing it, allows the salespeople to have what they call “warm leads” to call on. A warm lead is a person with whom they have an “in,” a way to get in the door without having to cold call.

The salesperson can now call on those referrals and say something like, “I was just at Jane’s house two doors down, and she bought our premium policy. After reviewing the benefits and paying for the year upfront she said you might benefit from the same coverage. Do you have a minute for me to show you what Jane purchased?”

These skills used by salespeople are often mirrored by social engineers. Of course a social engineer is not asking for referrals, but think about the flow of information in and out of this conversation. The salesperson gathers information from his present client, then he relays that information in a way that will make the new “target” more inclined to listen and let him in. In addition, by dropping hints on what the first customer bought and using words like “premium” and “in advance” the salesperson is preloading the new target with the keywords he wants to use on him in just a little while. This technique is effective in that it builds trust, uses familiarity, and allows the target to feel comfortable with the salesperson, or the social engineer, giving their mind a bridge over the gap that normally would exist there. This chapter, as well as the following chapter, will delve deep into these topics.

As a social engineer, you need to understand both angles and then use them effectively. To return to the illustration used in Chapter 1 of being a chef, a good chef knows all about how to spot good-quality products, fresh vegetables, and quality meats. They are knowledgeable about what goes into the recipe, but unless the right quantities are used the food may be too bland or too strong or not good enough to eat at all. Simply knowing that a recipe calls for salt doesn’t make you a chef, but knowing how to mix the right amount and types of ingredients can help you master the art of cooking. A social engineer needs to master the type and quantity of skills to be used (the “recipe”). When that is done they can become a master social engineer.

This chapter helps identify this balance. The first ingredient in any recipe for a social engineer is information (detailed in the next section). The higher the quality of the information the more likely you are to achieve success. This chapter begins by discussing how to gather information. Then it moves on to discuss what sources
