I originally wrote this about hacking Facebook, but overall its a step by step how to social engineer.
Facebook and other online accounts can be "hacked" or accessed by people other than the account owner. From phishing pages and remote access tools to security vulnerabilities unknown to Facebook, many "hacks" exist, however I will post the most successful hack if I was to break into someone's account:
Just ask for the password.
A fake caller ID # pops up on your target’s cell phone from his office main line, he answers and a sexy woman’s voice on the other end of the phone claims to be a coworker at his company, she even mentioned his boss’ secretary’s name. She’s been told he is a wiz at computers and is having a hard time accessing her accounts. Within minutes of the flirty conversation she has learned enough about the target to guess his backup password. With nothing to lose she asks for his current Facebook password, without question provides it over the phone. Target owned, no computer skills needed.
How the hack works:
The above scenario sounds fake, if not next to impossible. However surveys have shown “34% of respondents volunteered their password when asked without even needing to be bribed and 79% of people unwittingly gave away information that could be used to steal their identity when questioned.” Need higher chances? Another survey showed “More than 70% of people would reveal their computer password in exchange for a bar of chocolate.” Add some social engineering tricks; intel about your target (boss’s secretary name from linkedin), caller ID spoofing and you will increase your chances to the high 90% range.
This may look like a non-technical hack, but the social engineering, digital trickery and data mining is done at a high level if you want a 90% success rate. The key to this is making someone think it's ok to give you their password, which most of us are programmed not to do. By providing a wealth of inside information and misdirection your target's password can come out naturally. Even if 10 minutes after the call your target releases their mistake, it's too late, you got into their account and you viewed what you needed.
In each of the hacks there are going to be very specific instructions to make the hack work. In this tactic you need to be creative and witty on your own, so step by step details are suggestive only vs. the rest of the book the tactics are very structured around the use of software and other tools. Feel free to follow the steps listed below, but make sure to shape them to your target's own story.
1) Gather Intel-
Learn everything you can about your target. Print out their facebook, linkedin, anything you can find about them online. Search their usernames on Google, search their address, phone number, forwards and backwards. For a few dollars, youReverse Phone Lookup
or other data mining tools (Search People. Reunite.
) to get really personal details like addresses, phone numbers, neighbors, etc. Although there is some cost, the $5 you spend can be priceless. Also don't forget to print the information you find out no matter if its Facebook, the county clerk's office or craigslist posts. Later you may need to quickly access an unknown fact and having this data laid across your desk will save you.
2) Build a Story- Looking at what you have, start to build a story around the data. Who is going to ask for your target's password and why? A basic survey call is impersonal and may be rejected quickly. But asking for help, showing a connection to the subject and being friendly will go a long way. Most people like helping others, so the best story is putting yourself in need and allowing the target to be a hero and help you. It offers them a sense of control and can be awarding, lowering their guard.
3) Build Your Story Deeper- I know you have a story in mind, but how deep does your lie go? Can you pretend to be your target's secretary? Do you know her name? The Boss's name? The fact that he is traveling in the Bahamas right now? This data can be collected online and with other social engineering calls. Start by finding this information by calling the target's company and asking for his boss to file a complaint. When the boss answers hang up. You have his name now. Look him up on LinkedIn, Facebook. Learn about him. Now call the boss' secretary. Tell her you are a friend (pick a name from his wall posts) that wants to surprise visit him for lunch, find out his schedule. Don't book anything, say you will get back to her later, be thankful and pleasant. See how you are now collecting intelligence. In two phone calls you just gained some valuable data, but most valuable of all, you were successful. Your success in gaining that information will help you project confidence when you call your target. No secretary? Try the IT department, teacher, neighbor, family member. Your options are unlimited.
4) Write Your Attack- This is not a hack you shoot from the hip with little care. You need to write your script and practice it over and over until it sounds normal. The key of this attack is gut feelings. People will not give out their password if there is no warm and fuzzy. If you are a male, I recommend you use a female friend to help. A woman's voice can let a target's guard down instantly. Give them that normality by being just that, normal. Using employee only language like "By the way, have you got that TPS report done" or "This is Mike, from Starbucks #321, you have a moment" adds a subconscious misdirection to the target. Who really knows what a TPS report or local Starbucks store number is? Only insiders. The more inside hints you give the more realistic the conversation will go and the more likely he or she will give up their password or password hints.
4.5) Practice, Practice- Does this need explaining? If you don't you will fail.
5) Use Your Facts-
As suggested in the scenario use what you know to add realism to the attack. Use a caller ID spoof app or Caller ID Spoofing, Voice Changing & Call Recording
to change your caller ID to your target's school, work, girlfriend, whatever your story needs. It's one thing to answer an unknown phone number and start giving out personal details, it's another to see a trusted phone number pop up. It must be IT calling, its from the University's prefix or 800 #. Even text messages can be spoofed if needed (just remember if they reply to the person you are impersonating you might get burned. Better yet, during the conversation send a spoofed email from your fake personality to the target. Sites like Emkei's Instant Mailer
will send free spoofed emails. That's right, you can pretend to be any email address and send untraced emails. During your conversation send a fake screenshot of the "issue" you are having from IT's email account to add that deep level of realism.
6) Use your Gut Too- So you have a plan together, you are going to be an IT guy calling about a virus spreading on campus from the target's computer. While talking to the target he is listening, working with you, trying to help you, but your gut says he doesn't trust you enough to ask for his password. Then don't. End the call, thank him or her and try again later. You just praised the target for helping save your ass at work, a foundation of trust was just made. Call back in a week with your same story apologizing and reminding them how thankful they were a week ago. Now go in for the kill.
This all sounds difficult but is used every day by law enforcement, intelligence agencies and hackers to get any information they want. For more detailed stories by one of the most famous hackers, check out Kevin Mitnick's The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Most of his book isn't even about hacking, but how to gain people's trust to get passwords, access non-public systems, even get free pizza.
Don't sit here reading this and say "I'm not that dumb, I would never give out my password." The odds are 70% of you will. So how can you get into a good habit of stopping an attack like this? Ask questions. No one will know everything about you, your company or who they are impersonating. The old Jedi mind trick of asking "Is your mom feeling better after breaking her ankle?" will force the hacker to answer "She's better" vs the real person saying "When did she break her ankle?" Another simple tactic is asking for a call back number because you are too busy to talk at the moment. It's one thing to spoof a phone number for outgoing calls, but not incoming. Suddenly the number on the caller ID screen is not the number they are offering (and can be identified). In my experience most social engineering hackers hang up at this point defeated.
Moral of the story "Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers."