Welcome back, my greenhorn hackers!
Although we have focused primarily on technical hacks here, social engineering can sometimes be especially effective. This one requires a bit of technical skill, but not too much. In addition, it's limited by how specific a target you can choose—but it will work.
What Is Social Engineering?
Social engineering is the art of getting people to give you the information you are seeking, rather than breaking into a system to get it. Among the most sought after bits of information is the username and password. Many online systems—even financial websites—use your email address as a username. Then they ask you to provide a unique password.
Today's Social Engineering Hack
I've already covered one social engineering hack in my spear phishing with SET guide, and there have been numerous other social engineering hack guides posted here on Null Byte by contributors and past admins, most of which are still very useful today.
But today, we're going to focus solely on getting those much sought after email addresses and passwords. Let's concentrate on developing a website that targets a section of the population and have them create an account with their username (email address) and password.
Step 1: Choose Your Target Audience
The first step is too choose who or what industry you want to target. Let's imagine you want to target doctors. Since so many doctors are golfers, maybe you could create a special website that catered to golfing doctors. Maybe a website that ranked the best doctor golfers?
Step 2: Use Their Email Address as Their Username
Now that you have the site up and running, you will need an authentication mechanism. We might simply ask the doctors to enter their email address as a username. Since so many sites today use the user's email address as their username, few would be suspicious.
After they enter their username, they will have to select password to be part of our wonderful website!
Step 3: Promote the Website
This is the hard and costly part. You need to promote the website so that busy doctors will find it and open an account. You can create a Google AdWords account and pay for words that send our victims to view our site. These keywords might be golf, golf vacations, best doctor golfers, etc.
Of course, this might take a while, but to be a good hacker, you must be patient and creative. Some effective hacks take years to be completed.
Step 4: Open Their Email with the Password
Eventually, some erstwhile doctors with more interest in hitting the links than caring for patients will find your site and log themselves in. When they do, you will have both their email address and their password for your site.
Step 5: Find Other Accounts
Now, there is no guarantee that your visitors/doctors will use the same password on your site as their email account, but nearly all of us re-use the same password despite all the precautions against it, even after such events as Heartbleed.
Let's start with the email account. Let's navigate to Gmail (if it's a Gmail address) and try the email and password to get into his email account. It won't work every time, but it only has to work a few times.
When we successfully enter his email account, we can search his emails for other accounts such as his bank, brokerage, etc. Remember, when he opened that account, the website sent an email confirming it with his username and password.
Social Engineering Complete!
This little exercise, I hope, demonstrates that social engineering can be an excellent way to gain access to accounts that would be otherwise unbreakable. With a little imagination, hard work and patience, anything is possible!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
12 Comments
I dont think its hack, your just making a website, and then waiting for they "showing" you their password. I was just wondering about i could hack my friends email. Without we are on the same network?
You know how to do that?
Ps. I knew his email not the password
Use Hydra or Medusa.
This is social engineering.
yes. yes it is :)
^, Good to see my most used email's password is different to all others account.
https://xkcd.com/792/ (Yes, I know this post is a year old, I still deemed it a somewhat valuable comment.)
I want to be an hacker
Welcome to Null Byte, Joshua!
If you want to be a hacker, you are in the right place. You can start by reading at my article , "hacking for Newbies" or "How to Use Null Byte to Study to Become a Professional Hacker".
Best of Luck!
This Is beautiful Engineering
You can say that again!
Except.. You can't see your customers Email or Password when they sign up. I have this website that I created to hack a scammer victim and he signed up but I am unable to see his Email or Password. If you know how, please tell me.
If you created the website to steal creds it should steal creds. Unless you didn't code that into your site.
Share Your Thoughts