Social Engineering, Part 1: Scoring a Free Cell Phone

Scoring a Free Cell Phone

This Null Byte is the first part in a mini-series on the art of Social Engineering. I will be teaching you how to effectively defend yourself against it.

What is Social Engineering?

Social Engineering is the art of hacking humans. It's when a person is manipulated into doing something that they do not realize, or wouldn't normally do. Social Engineering plays on human trust in fellow people. People naturally want to trust others.

When you see a not-so-well-to-do looking homeless person, you would occasionally give them money because they need it, right? What if that was wrong? What if that person dressed the way they do because they just want sympathy money? That is a Social Engineer.

In this Null Byte, I'm going to show you how I "could" use Social Engineering to my advantage to get free cell-phones. This is not something anyone should do in real life, but it does happen. The best way to defend yourself is to know your attacker, know how they think, and know their motivations: "If you know the enemy and know yourself, you need not fear the result of a hundred battles".

Now, before we begin, you must know that this isn't 100% effective. The only way to become a highly effective Social Engineer is to practice, have confidence, and know your target. Without these things, a person will listen to their gut, and not fall victim to your manipulative techniques. If that happens, how are you supposed to be weary when you fall victim to it? When the attack is transparent, how could you notice when it's happening? Learn the in's and out's of how the process works.

Step 1 Prepare for the Attack

If an attacker were to attempt social engineering, there are a few things he or she would set up and prepare before going through with the manipulation. For the sake of redundancy, I am going to refer to this person as "he" from here on out.

  • He would have two cell phone stores in mind, of the same variety (Ex: Verizon). Preferably close together, so he would not have to drive or travel far.
  • He would use a service like Telespoof , a caller ID spoofing service that allows one free call. You can make your number appear on someone's caller ID as anything you choose.
  • A phone is needed to use with Telespoof. He could also use a VoIP service, such as Skype or Google Voice.

Step 2 Calling Target "A"

  1. The attacker would call the cell phone store of choice, in this case, Verizon (preferably, the one that is furthest away because this isn't the store the he would be traveling to).
  2. When an employee answers the phone, the attacker asks for the manager's name. He could say that he wants the name because he's calling corporate headquarters to say what great service the store provided last week. At this point, the attacker could use any story he desired, as long as it sounds legitimate. This will ensure that they don't know who the caller is, and will gladly give up the name. If the manager of the store isn't a male, he would have to try a different store until he found one, as this would obviously pose a problem when he tries to impersonate the manager later.
  3. The attacker then records the name of the manager, as well as the location of the store.

Step 3 Calling Target "B"

After the attacker gets the information needed, he then follows the below steps:

  1. Call the other phone store using Telespoof, and enter the first target's phone number as the displayed caller ID.
  2. Impersonate being the manager, using their name that he got from the other store.
  3. Use a story similar to the following:

    "Hello, it's <insert name here> from the <insert location of the store> Verizon store. I have a customer here named <attackers name>, and this is embarrassing. They just bought one of those deals we are having on the new Moto Droid, the one where you get the phone free, and they signed the contract and everything, but we are all out of free phones. Can you help me out? If I send him down there, can you give him the phone?"

More than likely, the person will say yes, because people love to help out their fellow human beings.

Step 4 Going in for the Score

To finish the deal, the attacker then:

  1. Goes into the store called in Step 3, and asks for the employee whom he spoke with on the phone.
  2. Tells them who he is, and that he was told to speak with them regarding the phone ordeal that the "manager" of the other store spoke with them about.
  3. Receives his free phone, and walk out.
  4. Registers the phone to any plan he wants, sign up for a prepaid plan, or just sell the phone for profit.

Can you see how simple it would be to manipulate someone using simple mind-trickery, and pretending to be an "insider"? This is why Social Engineering is scary, and people need to be educated.

Warnings

  • Impersonating someone is illegal, this guide is made as a forewarning, and to educate people on how easy it can be to be manipulated, do not attempt or use this information in an illegal or malicious way. This is made so you can see an example of a technique a skilled Social Engineer would use to manipulate their target.

What You Should Have Learned

  • Be more cautious, and alert to potentially manipulative traps.
  • Ask for ID when speaking to someone. Always verify someone's identity when doing business of ANY kind, it's good practice.

Ask questions or start a thread in the Forums!

14 Comments

Awesome Idea... just kinda sad it's illegal xD (and I don't got the balls to do it xD :D ) but Awesome! :D

Well...only the impersonation part is illegal ;D.

You can kind of take it in any direction you want. This is just an example on how it's done. For example, say you were at an amusement park and didn' t want to pay to get in. Show up an hour after opening, and say to the person who give stamps to get back in, "I ran outside because I was told I left my car lights on, and there wasn't anyone there to give me a stamp." Then hold your hand out to them in a suggestive maanner. You'll get in. ;p

Hahahha Great dude! :D xD :D But in Denmark they got a really strict system often.. and I don't own a car xD :D and I'm 15... xD :D but great idea :D Just have to make up a good excuse! :D !!

It's the power of suggestion that really seals the deal on it, you sticking your hand in their face insinuates that you are telling the truth, because a liar would be too timid to do so ;p. Clever, eh?

You sound skilled xD :D :D haha yeah clever! :D Be confident! :D

lol I used to work at verizon, this wouldnt work... unless the employees were total idiots they'd ask for some sort of documentation stating that you actually signed a two year contract... also, be sure that the stores you're calling are related, some cell phone stores are franchises or "authorized retailers" or "premium retailers" etc.

Yeah, I am with Matt. You definitely need to do some serious reconnaissance before you ever attempt a social engineering attack on a company, particularly when it's illegal. When it's not illegal you will just blow their trust, they can't actually charge you with anything...Reminds me of when Regina George calls her best friend's boyfriend's girlfriend's mom impersonating Planned Parenthood to tell her "her test results are in" so she won't be able to go out, hahaha! :) Nice article, I am particularly intrigued with telespoof, I think I could use that in some useful ways? ;)

Shouldn't you credit Kevin Mitnick for writing this article for you? Come on... this was ripped directly from Chapter 4 (Building Trust) of his book, The Art of Deception. Looks like he's not the only con! LOL Spankings upon your ass for plagarism... in journalism/blogging, at that! Even my 4th grade teacher would have given me an F for this, then called the police to arrest me.

We were all (well, more specifically "all of us that went to college") forced to adhere to that wretched MLA syntax and made to painstakingly cite every last reference, spending countless hours piecing together those soul-crushing, listless bibliographies (or "works cited" sections, depending on how old you are). Great sacrifices were made on their behalf. I had to turn down freaky-ass sorority slut threesomes because of those damned things! You could have at least mentioned his name or typed one brief sentence pointing out that this was totally snagged from his book!

I'm bitter about it? Absolutely! To this day, I still wake up drenched in sweat, gasping for air... reliving this traumatic moment, over and over:

"Oh my god, I would love for you and your insanely hot twin sister to come over and help each other blow me until I'm shooting blanks! That's incred-- wait... I can't. No, I'm serious. I have to finish up the works cited for my term paper... but thank you for the offer-- that's really just a profound tragedy that I'm going to miss out on that and never have the opportunity again in my entire life. Truth be told, it makes me want to die, so bad..."

Kevin's book covers something similar, but it's a far cry from plagiarism. That said, thanks for turning me on to it. Lots of good stuff. Here's the PDF for anyone else interested. Oh. And bummer about the threesome. You made the wrong choice if you ask me.

I found the PDF online, too (and was going to link to it, but no need now), and have pretty much the same thing to say as Jon—it's similar, but definitely not plagiarism—and also thanks for giving me something to add to my reading list.

I hate to be argumentative, but reference page 49, "The One-Cent Cell Phone". Let me compare:

---------------------------------------------------------------------
Kevin Mitnick's:
(C)I've got a customer who came in for that one-cent cell phone program.(C)...

(You still have some of the phones that go with that plan?)

...(C)I just sold one to a customer.(C)
(D)The guy passed credit; we signed him up on the contract(D).
(E)I checked the damned inventory and we don't have any phones left.(E)
(A)I'm so embarrassed.(A)
(B)Can you do me a favor? I'll send him over to your store to pick up a phone.(B)"

---------------------------------------------------------------------

Alex Long's:
(C)I have a customer here named <attackers name>, and...

(A)this is embarrassing.(A)

...(C)they just bought one of those deals we are having on the new Moto Droid, the one where you get the phone free(C), and

(D)they signed the contract and everything(D),
(E)but we are all out of free phones(E).
(B)Can you help me out? If I send him down there, can you give him the phone?"(B)

---------------------------------------------------------------------

How can you NOT see that? The similarities are just too "coincidental". Even the wording is almost matching at times.

I didn't change the flow/order, but I split the lines for clarity of comparison.

(B) is undeniable, and (A) is about the same. I fkn reference coded the matches so it can't possibly be overlooked. Do you still disagree?!

Ok, he changed "one cent" to "free".

Seriously, though-- I obviously threw humor in to not try and come off as an abrasive, trolling a$$hole, but the fact of the matter (I believe) deserved to be pointed out, if nothing else so people could know about the book and have the option to read the whole thing if they wanted, right?

The denial is what prompted me to really point it out.

Plagiarism isn't just "word for word", it's also taking someone else's fundamental ideas and using them as your own.

pla·gia·rism - noun

an act or instance of using or closely imitating the language and thoughts of another author without authorization and the representation of that author's work as one's own, as by not crediting the original author.

"plagiarism." Dictionary.com Unabridged. Random House Inc. 17 Jan. 2013. http://dictionary.reference.com/browse/plagiarism.

LOL.

Oh-- and you're welcome for pointing its existence out. Hope you enjoy it as much as I did.

BTW, that's my very point in the other comment... had I NOT brought the book to attention, it looks like you two guys might not have had the pleasure of reading it.

Do you see the merit in simply mentioning it? Even if the idea was only roughly adapted (which I have to completely disagree with, personally)... what is the sin in just a quick mention like, "This article was adapted from a story/idea from Kevin Mitnick's book, The Art of Deception"? Was the reason laziness? Pride? I can't say.

You know, I just thought of a new possibility that I hadn't considered before: Alex MAY have read the idea on another website or a source other than the book itself-- and that person may have been at fault for not citing the original. Even still, NOTHING was credited. It's highly improbable that this, with so many parallels, happened to be 100% original (that is, it just popped into his head and the details of execution just happened to be this similar). I'm not trying to be a troll, I just believe in being fair when it comes to Other People's Penmanship... Oh, wait. LOL. Naughty by Nature - OPP. Except that actually was pure coincidence; I didn't notice it until after I'd typed it... but it made me laugh, so I left it... ;)

I just know that if I had created something and put my time, effort and heart into it-- be it a book, song, piece of art... anything creative or artistic... I'd be pissed if someone copied it and didn't ask me or credit me.

But, it happens every day, so it's not like he's the first person to ever have adopted an idea and reproduced it. I'm not militant about it-- whatever... again, just wanted ppl to know about the book, cause it's very good and should be read! That was my 1st intent; making a solid joke was a close 2nd... putting the dude on blast was not a huge concern-- I mean, I said that he deserved spankings! Haha...

It's a great book. I consider it a "mandatory read".

Another A+ book is Dale Carnegie's classic "How To Make Friends and Influence People" if you haven't read it (it's old, but everything is still applicable, since it also focuses on human nature). It's pretty much the original "social engineering" book, in my eyes. Though its intentions are far more "white hat" than Mitnick's-- it still contains valuable lessons that anyone could benefit from. It helped me tremendously. It's nothing new, but it brings back to conscious thought what we know, innately, but we never tend to examine, because they're so mundane and obvious. Once I read it, I was a lot more aware of those things and intently applied those principles-- with great success. Years later, it all has assimilated itself into my personality and it's second nature.

I think his book, paired it's evil twin, Mitnick's... are a powerful synergy/dichotomy of social influence. If you read both, and really incorporate those techniques in your day to day life, you will find it becomes very easy to bend situations to your favor. That doesn't automatically mean being "selfish" or "taking advantage" of people; it's just about knowing how to guide them towards the outcome of your decision. As will be said, when applied effectively, the person will view the outcome as unbiased and will never know the difference. Are you really doing harm if they feel content and agreeable with the end result?

Combining the lessons learned, it's really up to the person to decide how to reach a goal... there's versatility; you can do it the "nice way" or the "hard way"-- e.g. to take the good or the bad angle, depending on the situation. The greatest skill is being adept at both approaches, and having the intuition to choose/use the most effective method.

Share Your Thoughts

  • Hot
  • Latest