Social Engineering - need some help

[williamc]

I'm doing a social engineering engagement. I used metagoofil to find about 40 email addresses, phone numbers, and names. I setup a fake login page for the company and sent out emails requesting them to login to the site. Once they enter their credentials, they are redirected to the company email portal. Meanwhile, I capture their ID and password. Out of 40 emails, I got 2 creds. Not too good.

I contacted the client and was told for my next scenario to make phone calls. However, they dont want me calling people I emailed. So....... they emailed me names of people to call. This presents a problem as I have no idea what I should do. If I could call the people I sent the emails to, I could attempt to get them to login to the fake page. It gives a sense of authenticity having a phone call with a legitimate looking email. But if you dont have the email as a verification, what the hell can I ask them to do?

"Hello sir, could you give me your password please?" Seriously, who the hell would go for that? I need some ideas of what I could try. I feel like I'm working with a hand tied behind my back. As if the client is expecting failure in order to make herself look good. Suggestions?

William

[rofler]

There are 2 logical ways to approach this:

1. Lie. Tell them that their account has a virus, and you need the password of their account to get to the root of the problem (as if the virus was on their account).

2. Tell the truth. This seems like the most logical approach. Tell them that you are auditing the network, and need their password for some urgent reason. Give them your credentials (but probably should give a fake name), what does it matter? If someone else was breaking into the network, they would give fake credentials, so why not supply the most authentic ones you can get your hand on (your own). If you convince them you were hired by the company, then you succesfully social engineered the password.

Just some ideas...

[squishyalt]

I'm doing a social engineering engagement. I used metagoofil to find about 40 email addresses, phone numbers, and names. I setup a fake login page for the company and sent out emails requesting them to login to the site. Once they enter their credentials, they are redirected to the company email portal. Meanwhile, I capture their ID and password. Out of 40 emails, I got 2 creds. Not too good.

I contacted the client and was told for my next scenario to make phone calls. However, they dont want me calling people I emailed. So....... they emailed me names of people to call. This presents a problem as I have no idea what I should do. If I could call the people I sent the emails to, I could attempt to get them to login to the fake page. It gives a sense of authenticity having a phone call with a legitimate looking email. But if you dont have the email as a verification, what the hell can I ask them to do?

"Hello sir, could you give me your password please?" Seriously, who the hell would go for that? I need some ideas of what I could try. I feel like I'm working with a hand tied behind my back. As if the client is expecting failure in order to make herself look good. Suggestions?

William

You should gather names of legit people in their IT pool that they would recognize. It is best to use a name of a legit IT person that is out sick or on vacation or out for some other reason. However, knowing this is not always possible. If you think that the legit IT person may actually be working that day, then move FAST....calling as many people as possible in the shortest time possible to avoid detection and get as many passwords as you can before the legit IT person catches wind of it.

The higher up in the company the legit name is that you can get, the less likely they are to see or talk to that person in a timely manner. That allows you more time to gather intel.

Do your calls on a Friday afternoon, if possible. Everyone is rushed to get out of the office. The odds of them getting in touch with your legit name holder are reduced and they have so much personal stuff going on, they are likely to forget all about your call as soon as they hang up. (This also gives you all weekend to use their info to do your bidding and gather more intel for your -- and their -- employer.)

When you call, say that "John" (or whoever the legit IT person is that they would recognize) "asked me to call and get your password to upgrade your account before Monday". The "upgrade your account" excuse usually works pretty well because (a) everybody wants and "upgrade", (b) most of them won't know what the hell "upgrade your account" actually entails and (c) they usually go along so as to not "look stupid".

You can usually figure out the username from their name (John Smith usually becomes john@company.com or jsmith@company.com or john.smith@company.com).

I NEVER ask for their email account! Most of the time they know that "John" knows all of the email accounts and this will just make them suspicious. I would avoid asking for the email accounts if at all possible. Once you have 2 email addresses from the company (an easy thing to get off of business cards or the website) you pretty much know how they use employee names to create email accounts.

If you POSITIVELY HAVE to ask for the email account also, say something like "I have you down as J SMITH at company dot com, is that correct?" This will allow for them to rationalize that there may be another person with the same first initial and last name as them. But, this only works in large corporations. Small company employees usually catch on to this type of inquiry because they know everyone there. Again, avoid asking for email addresses if at all possible.

And, if they hesitate for more than 2 seconds in giving you the password, quickly add that "John" will be coming around (or sending out an email on) Monday to give them instructions on their new account features. This breaks their train of thought from "I wonder why..." to "NEW FEATURES!!!! Weeeee!!!!! I wonder what they are?" or "Damn! I just learned the old stuff!". Either way, they aren't thinking about you or questioning your motives.

If you must, you can spit out some neat sounding features like "new antiviral heuristic analysis tools", "integrated data mapping" and "instant access remote profiles" (none of which mean cat piss), which will usually confuse them for a second or two - time enough for you to ask again for the password, but in a slightly pissed tone this time. (If they ask for details, say you'd love to go over everything, in detail, with them, but it's Friday afternoon and you've got a lot of passwords to get for John before everyone leaves. This will usually be enough for them.)

It's like talking to a little kid about a popsicle when he skins his knee. Never give them more than 2 seconds to think. Keep their mental targets moving and changing.

Only ask 2 or 3 times, then tell your target that you will put them on the late changeover list and let "John" speak to them about it later (being ambiguous also makes people nervous - and their internal chatter starts "Later? When is later? Will I be out of the loop? What will my boss think if I get on the late changeover list? I've already screwed up on that last assignment so I'd better not make any waves" and so on). Wait 2 seconds (enough time for them to possibly change their minds and stop you) then tell them to have a great weekend, hang up and move on to the next target.

Always keep them off balance mentally, keep moving and avoid answering questions like a politician avoids taking a stand. Every time you answer a question, they have another chance to detect you if you don't answer it correctly. If you MUST answer a question, do so with another question. When questions start coming your way it's time to get the hell off the phone and move on - they smell a rat. The person asking the questions is in control of the conversation.

If you can pull this off on Friday afternoon, always end every call by thanking them and telling them to have a great weekend (and actually smile when you say it - it comes through in your voice and is more reassuring to the target) - this gets their mind on their weekend and off of you.

If possible, hit targets that are not in cubicles or offices near one another. You don't want suspicious people to start talking before you can gather a good number of passwords.

And, when speaking, speak in an assertive tone, but not too fast. People naturally don't trust fast talkers and place more faith in the words of people who speak slowly and deliberately. The only thing you want to rush is their thinking - not your speaking.

This stuff is pretty basic.....you may want to get yourself a copy of "The Art of Deception" by Kevin Mitnik.

Good luck!

[imported_BaconZombie]

Try to find out if they have a out-sourced Helpdesk, I know from experience that the "people" on our helpdesk change on a weekly/monthly basis.
I often get IM, emails or calls from people I've never heard of saying they work on the helpdesk and I'm in IT and have a weekly call with the Helpdesk manger to discusses issues/problem.......

Also ring in as a company doing a survey and if anybody start asking you for details just say you've need giving a list of question to ask and don't know anything.... 60% of people will ask and normally give away alot of info that will help you....

[williamc]

Good info, thanks. I called my contact and they opened the scope up a bit. I can call anyone in my list, and email them if necessary. Im using a caller id spoofing service and a name from the help desk which I got by calling and asking to be transfered there. This along with my fake login page, I should be in good shape.

Update:
I called their 1-800 number on their website and got their tech support. I told them I was having a Lotus Notes problem and they transfered me to the "help desk". I asked for Nathan. Said I had a sticky on my monitor to call him. No Nathan worked there. I said "I must have read it wrong, who could it have been?" CHA-CHING! Every name was given to me. I even got the direct number and internal extension. Then, "oh, damn it, my cell phone battery is dead, I'll call back on a landline". CLICK.

Now, I can tailor my phishing email to reflect the correct name of the help desk, and can put a legitimate name on it. I dont know if any of them are on vacation though, so I'll go for the Friday afternoon "account upgrade" as mentioned above.
Thanks again everyone. I'll let you know how it works out.

William

[squishyalt]

Good info, thanks. I called my contact and they opened the scope up a bit. I can call anyone in my list, and email them if necessary. Im using a caller id spoofing service and a name from the help desk which I got by calling and asking to be transfered there. This along with my fake login page, I should be in good shape.

Update:
I called their 1-800 number on their website and got their tech support. I told them I was having a Lotus Notes problem and they transfered me to the "help desk". I asked for Nathan. Said I had a sticky on my monitor to call him. No Nathan worked there. I said "I must have read it wrong, who could it have been?" CHA-CHING! Every name was given to me. I even got the direct number and internal extension. Then, "oh, damn it, my cell phone battery is dead, I'll call back on a landline". CLICK.

Now, I can tailor my phishing email to reflect the correct name of the help desk, and can put a legitimate name on it. I dont know if any of them are on vacation though, so I'll go for the Friday afternoon "account upgrade" as mentioned above.
Thanks again everyone. I'll let you know how it works out.

William

Great job - especially the cell phone thing!

Good luck and good fishing!

[squishyalt]

Thanks again everyone. I'll let you know how it works out.

William

So......how'd last Friday go? Got intel?

[williamc]

Out of 30 calls, I got 12 credentials. Most of the people I called went to voicemail. One lady gave me her username and password over the phone. Another person couldnt find the email, but then checked the spam folder and found it. I had him click the link and enter his credentials too.
I used this website to spoof caller ID and record the phone calls:
https://www.spoofcard.com/

I found that reaching a company operator, you can get all kinds of great information. Just say your desk phone is having problems and you need the direct number and internal extension for whatever employee. They will give it too you and then you can call them saying "I thought your desk extension was 1234, but I couldnt get you, so I called through an outside line (spoofing the external company number)."
Thanks for the excellent ideas for the social engineering!

William

[ShadowKill]

That's great news. Glad to hear if worked out well for you....




AND





Wanna buy an iPhone anyone?!

[The_Denv]

williamc, I have enjoyed reading this thread. It is like a book/story and I didn't want it to end. I hope there is another chapter to this story, I was reading away sipping my coffee imagining the whole scenario.

Great read williamc, great tactics and a great example of a successful SE operation. I hope you continue the story man, honestly...great read! (Reminded me of The Art of Deception book, I loved that book).

Again, great story