Social Engineering - Christopher Hadnagy [22]
“Going somewhere warm and sunny, I hope?” I ask this knowing that I am probably getting close to my point where I need to cut it off.
“Taking the wife on a cruise south.” I can tell he doesn’t want to tell me where, which is fine, so we shake hands and part ways.
Now could he have been blowing me off? Probably, but I have some valuable information:
His direct number
When he is leaving for vacation
What type of vacation
That he is local
The name of his company
His title in his company
That he recently relocated
Of course, some of this information I already had from previous information gathering, but I was able to add a substantial amount to it after this meeting. Now to launch the next part of the attack, I call his direct line the day after he is supposed to be gone and ask for him, only to be told by his receptionist, “Sorry, Mr. Smith is on vacation—can I take a message?”
Excellent. The information is verified and now all I need to do is launch the final phase, which means dressing up in a suit and taking my $9 business cards to his office. I enter, sign in, and tell the receptionist I have an appointment with Mr. Smith at 10:00 a.m. To which she replies, “He is on vacation, are you sure it is today?”
Using my practice sessions on microexpressions, a topic addressed in Chapter 5, I show true surprise: “Wait, his cruise was this week? I thought he left next week.”
Now this statement is vital—why?
I want the appointment to be believable and I want the receptionist to trust me by proxy. By stating I know about his cruise this must mean Mr. Smith and I have had intimate conversation—enough so that I know his itinerary. But my helplessness elicits pity and right away the secretary comes to my aid. “Oh, honey, I am sorry, do you want me to call his assistant?”
“Ah, no,” I reply. “I really wanted to leave some information with him. How about this—I will just leave it with you and you can give it to him when he gets back? I am terribly embarrassed; maybe you can avoid even telling him I did this?”
“My lips are sealed.”
“Thank you. Look, I am going to crawl out of here, but before I do can I just use your bathroom?” I know that I normally would not be buzzed in, but I hope the combination of my rapport, my helplessness, and their pity will lead to success—and it does.
While in the bathroom, I place an envelope in one stall. On the cover of the envelope I put a sticker that says PRIVATE. Inside the “private” envelope is a USB key with a malicious payload on it. I do this in one stall and also in the hallway by a break room to increase my chances and hope that the person that finds one of them is curious enough to insert it into their computer.
Sure enough, this method seems to always work. The scary thing is that this attack probably wouldn’t work if it weren’t for a useless little conversation in a coffee shop.
The point is not only about how small data can still lead to a breach, but also how you collect this data. The sources that you can use to collect data are important to understand and test until you are proficient with each method and each source of collection. There are many different types of sources for collecting data. A good social engineer must be prepared to spend some time learning the strengths and weaknesses of each as well as the best way to utilize each source. Thus the topic of the next section.
Sources for Information Gathering
Many different sources exist for information gathering. The following list cannot possibly cover every source out there, but it does outline the major choices you have.
Gathering Information from Websites
Corporate and/or personal websites can provide a bounty of information. The first thing a good social engineer will often do is gather as much data as he can from the company’s or person’s website. Spending some quality time with the site can lead to clearly understanding: