Best way to social engineer one's way into a social media account?
#1
I was wondering if anyone had any ideas they would be willing to share with me. I'm going to begin with the method posted on the incredibly helpful thread posted by MLT. Any and all ideas greatly appreciated.
Reply
#2
Is it a specific social media account? Like twitter? Do you know the person who owns the account already? Other info may be useful.
Reply
#3
I wouldn't say there's a best method for any social engineering scenario, probably depends on a case to case basis. Different advesaries might have different security in place and will require different approaches.

One normal and average approach if your victim is careless with his security questions is basically to dox or gather as much info you can on the victim in question. And then try to recover through a secuity question, for example if the question is "What's your maidens name?" or "What's the name of your favorite pet?" you might find such trivial details on facebook.

There was also a case where you can use phising to trick people, Iranian hacker used this against activists on their gmail. By sending them fake google documents and then redirecting a phising page asking for text message verification for security, in this case the hackers were waiting live for the victim to enter the page. And then proceeded to actually recover their real account, making google sending the real security code to their phone, but tricking them into sending this security code into the fake phising page. Quite elaborate scheme with the potential of hijacking phones with 2factor authorization that relies on text messages.

Then there's the common method of just guessing password, if you have enough information doxed you can use automated tools based on those keywords (eg dob, name, pets name, family names etc) generate likely passwords (Can't remember the name, but it's included in Kali Linux iirc). Or the more widespread method maybe these days, to use your DB collection to lookup emails and usernames to gain their old passwords. Many twitter accounts and such has been hijacked using that method, many people use the same passwords on many sites after all.

Maybe not exactly right on topic, but I really recommend the book "Art of Human hacking" for learning human manipulation, it's a really great book.
Reply
#4
I'd say if you're lying to a person, detail is key.

Instead of "the car was going fast" say "The red car was going east at 60 miles an hour down Trenton Blvd", and while doing this throw in what you wanna know. "Dude, I love dogs! I had a little boxer once, my first pet, and I remember Spot, and Spot had these brown spots allll over his body and when it would rain he would run in the mud and you wouldn't even see his spots! Ahh good times. Do you remember your first pet?"
"I remember once in <college/school/work/something> they told us that our roots could be traced back on the internet more than like 15 generations! You can do it with your parents names, but I need your mothers maiden name"

Just slide in your malicious info and get them to give it to you thinking it's something completely different. Do this by distracting them and steering the subject from everything but what you actually care about, then find a way to slip it in. I recommend doing this by figuring out what you're gonna say and build around it. So say you want the name of their elementary school. Build a story around that.


Elementary School
-This kid who went to my elementary school was so weird he... blah blah blah
-I remember my teacher used to blah blah blah...
-They named my elementary school after this was hero. It's weird how they do that. What did they name your after?

So on so forth.

TL;DR :

Build around your lie
Reply
#5
Very funny and true method.
To some it comes naturally and hearing this put a
huge grin on my face reminding me of far too many times this was applied.

Some good advice is to simplify what your goal is.
IF, youre looking at gaining access to any account with very low
outcomes financially or in resources. Youre already doing too much...
A wise friend always made it clear, if we must go out of our way to access or gain any
specific resource(s) make sure we always get more then enough.. more
importantly take the most logical methods (Which is key in most situations)
since I am full on blackhat, my methods are surely different from what you would
consider logical.

If youve got some skill in SE or anything Blackhat for the matter, pm me for some quick $
Reply
#6
This stuff is fascinating to read. I've always known human are the weak link in security. Cool stuff. Thanks for sharing.
Reply
#7
The easiest way in my experiences is to make your own copy of the social media sites password recovery email (html, etc) and page, then put it on a domain that could be inconspicuous to a non-techie (facebookserv.net). Send them out the bogus, offical-looking warning that 'their accounts been compromised' and to 'follow the link to reset'. People are so panicked, they don't think.

Usually can get a double-whammy with an IP if you're smart about it.
Reply
#8
Not really a good way to "SE" this aside from some kind of phish (UTF/text hacking, spoof'd headers, fake reset/login emails etc).

OSINT might be more helpful (look for shared passwords between reused usernames/other accounts they have).

If they have 2FA SMS you can text their phone something like:

"Hey, I used to have this number and just asked <X company> to send me a security code. Can you forward that over to me? SO sorry about this!"
Reply
#9
Those may work, but I would try this 2FA phishing project: https://github.com/kgretzky/evilginx2
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  collegiate social engineering CTF!? QMark 0 1,861 09-06-2020, 02:08 AM
Last Post: QMark
  Practical Examples of Social Engineering Insider 2 2,691 08-15-2020, 11:03 PM
Last Post: Insider
  Which is the best type of public speaking to help with social engineering? QMark 0 2,017 08-06-2020, 08:25 AM
Last Post: QMark
  how do I get Facebook to approve my account quicker? QMark 12 7,408 05-06-2020, 04:44 AM
Last Post: QMark