Social Engineering is the art of hacking humans. It's when a person is manipulated into doing something without realizing it, or something they wouldn't normally do. Social Engineering plays on human trust in fellow people. People naturally want to trust others.
When you see a not-so-well-to-do looking homeless person, you would occasionally give them money because they need it, right? What if that was wrong? What if that person dressed the way they do because they just want sympathy money? That is a Social Engineer.
In this Null Byte, I'm going to show you how I "could" use Social Engineering to my advantage to get free cell-phones. This is not something anyone should do in real life, but it does happen. The best way to defend yourself is to know your attacker, know how they think, and know their motivations: "If you know the enemy and know yourself, you need not fear the result of a hundred battles".
Now, before we begin, you must know that this isn't 100% effective. The only way to become a highly effective Social Engineer is to practice, have confidence, and know your target. Without these things, a person will listen to their gut, and not fall victim to your manipulative techniques. If that happens, how are you supposed to be wary when you fall victim to it? When the attack is transparent, how could you notice when it's happening? Learn the ins and outs of how the process works.
Step 1 Prepare for the Attack
If an attacker were to attempt social engineering, there are a few things he or she would set up and prepare before going through with the manipulation. To avoid redundancy, I am going to refer to this person as "he" from here on out.
- He would have two cell phone stores in mind, of the same variety (Ex: Verizon). Preferably close together, so he would not have to drive or travel far.
- He would use a service like Telespoof, a caller ID spoofing service that allows one free call. You can make your number appear on someone's caller ID as anything you choose.
- A phone is needed to use with Telespoof. He could also use a VoIP service, such as Skype or Google Voice.
Step 2 Calling Target "A"
- The attacker would call the cell phone store of choice, in this case, Verizon (preferably, the one that is furthest away because this isn't the store that he would be traveling to).
- When an employee answers the phone, the attacker asks for the manager's name. He could say that he wants the name because he's calling corporate headquarters to say what great service the store provided last week. At this point, the attacker could use any story he desired, as long as it sounds legitimate. This will ensure that they don't know who the caller is, and will gladly give up the name. If the manager of the store isn't a male, he would have to try a different store until he found one, as this would obviously pose a problem when he tries to impersonate the manager later.
- The attacker then records the name of the manager, as well as the location of the store.
Step 3 Calling Target "B"
After the attacker gets the information needed, he then follows the below steps:
- Call the other phone store using Telespoof, and enter the first target's phone number as the displayed caller ID.
- Impersonate the manager, using the name that he got from the other store.
- Use a story similar to the following:
"Hello, it's <insert name here> from the <insert location of the store> Verizon store. I have a customer here named <attacker's name>, and this is embarrassing. They just bought one of those deals we are having on the new Moto Droid, the one where you get the phone free, and they signed the contract and everything, but we are all out of free phones. Can you help me out? If I send him down there, can you give him the phone?"
More than likely, the person will say yes, because people love to help out their fellow human beings.
Step 4 Going in for the Score
To finish the deal, the attacker then:
- Goes into the store called in Step 3, and asks for the employee whom he spoke with on the phone.
- Tells them who he is, and that he was told to speak with them regarding the phone ordeal that the "manager" of the other store spoke with them about.
- Receives his free phone, and walks out.
- Registers the phone to any plan he wants, signs up for a prepaid plan, or just sells the phone for profit.
Can you see how simple it would be to manipulate someone using simple mind-trickery, and pretending to be an "insider"? This is why Social Engineering is scary, and people need to be educated.
- Impersonating someone is illegal. This guide is made as a forewarning, and to educate people on how easy it can be to be manipulated; do not attempt or use this information in an illegal or malicious way. This is made so you can see an example of a technique a skilled Social Engineer would use to manipulate their target.
- Be more cautious, and alert to potentially manipulative traps.
- Ask for ID when speaking to someone. Always verify someone's identity when doing business of ANY kind; it's good practice.