Social Engineering - Christopher Hadnagy [30]

in reverse order to be beneficial.

Feedback: What is your desired response? The desired response is to have the majority of the employees you send this email to click on it. That is ideal; of course, you might be happy with just a handful or even one, but the goal, the desired feedback, is to have the majority of targets click on the phishing link.

Receivers: This is where your information gathering skills come in handy. You need to know all about the targets. Do they like sports? Are they predominantly male or female? Are they members of local clubs? What do they do in their off time? Do they have families? Are they older or younger? The answers to these questions can help the social engineer decide what type of message to send.

Message: If the target is predominantly 25–40-year-old males, with a few being part of a fantasy football or basketball league, your targets may click on a link about sports, women, or a sporting event. Developing the email’s content is essential, but grammar, spelling, and punctuation are also very important to consider. One of the biggest tip-offs to phishing emails in the past has been bad spelling.

Getting an email that reads like this: “Click here and enter ur pasword to verify ur account settings,” is a dead giveaway that the email is not legitimate. Your email must look legitimate, with good spelling and an appealing offer that fits the target. Even with the same goal, the message will change depending on gender, age, and many other factors. The same email would probably fail if the targets were predominantly female.

Channel: The answer to this element is easy, because you already know it is going to be an email.

Source: Again, this element is a no-brainer, because you, the social engineer, are the source. How believable you are depends on your skill level as a social engineer.

Scenario One: Phishing Email

The targets are 45 males ranging from the age of 25 to 45. Out of the 45 targets, 24 are in the same fantasy basketball league. They all go daily to a site (www.myfantasybasketballleague.com) to register their picks. This is verified by posts on the forums.

The goal is to drive them to a site that is available and that you now own, www.myfantasybasketballeague.com, which is a slight misspelling. This site is a clone of the site they visit with one change—it has an embedded iframe. There will be a Login button in the center of the page that when clicked, brings them back to the real site. The delay in loading and clicking will give the code the time it needs to hack their systems.

How would you write the email? Here is a sample that I wrote:

Hello,

We have some exciting news at My Fantasy Basket Ball League. We have added some additional features that will allow you more control over your picks as well as some special features. We are working hard on offering this to all of our members but some additional service fees may apply.

We are excited to say that the first 100 people to log in will get this new service for free. Click this link to be taken to the special page, click the gray LOGIN button on the page, and log in to have these features added to your account. www.myfantasybasketballeague.com

Thanks,

The MFBB Team

This email would most likely get at least the 24 who are already in the league interested enough to click the link, check out the site, and try these new features for free.

Analyze that email. First, it contains an offer that would attract the present members of that fantasy league. Many of them realize the offer is limited to only the first 100, so they would click on it as soon as they get the email, which more than likely is at work. The site that the email drives them to has the malicious code, and although the majority will fall victim, all the malicious social engineer needs is one victim.

Also notice that the email contains good grammar and spelling, an enticing hook, and enough motivation to click quickly. It is a perfect email based on a solid communication model.
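The whole of Scenario One hinges on one detail that a mail filter or a careful reader can catch: the link's domain is a near-match for the real league site, differing by a single dropped letter. The following is an added example (not from the book) of the defensive check that detail calls for: it normalises each URL found in an email down to its registrable host and compares it, by edit distance, against a list of domains the organisation already trusts. The known-good list, the sample links and the distance threshold are assumptions for the demonstration; the two league domains are the ones named in the scenario.

```python
"""Lookalike-domain check for links in inbound email (added example, not from the book).

Flags a URL whose host is within a small edit distance of a known-good
domain, which is exactly how the misspelled site in Scenario One differs
from the real one.
"""
from urllib.parse import urlparse

# Assumed allow-list a defender maintains; the league site is taken from the text.
KNOWN_GOOD = {"myfantasybasketballleague.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Reduce a URL or bare host to its lower-cased host without a leading 'www.'."""
    if "://" not in url:              # urlparse needs a scheme to find the host
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> str:
    """Return 'trusted' (exact allow-list hit), 'lookalike' (near miss) or 'unknown'."""
    dom = registrable_domain(url)
    if dom in known_good:
        return "trusted"
    for good in known_good:
        if levenshtein(dom, good) <= max_distance:
            return "lookalike"
    return "unknown"


# Constructed sample: the real site, the misspelled clone from Scenario One,
# and an unrelated link that should simply be reported as unknown.
SAMPLE_LINKS = [
    "www.myfantasybasketballleague.com",
    "http://www.myfantasybasketballeague.com/login",
    "http://example.org/news",
]


def scan(links=SAMPLE_LINKS) -> dict:
    """Classify every link and return {url: verdict}."""
    return {u: classify_link(u) for u in links}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:10} {url}")
```

The fixed threshold of two edits is fine for domains as long as the one in the scenario, but it would mis-flag short allow-listed names (two edits turn one five-letter domain into a completely different one), so in a real filter the threshold should scale with the length of the known-good domain, and a 'lookalike' verdict should quarantine or rewrite the link rather than silently drop the message.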

Scenario Two: USB Key

The onsite scenario is a little more difficult to do
