Practical Examples of Social Engineering
#1
Practical Examples of Social Engineering
Credits: dual_parallel
Source: http://www.oldskoolphreak.com


Humans. These creatures are involved in every system that hackers encounter. Guess what - humans are the most vulnerable component and a fruitful target for information gathering. Surreptitiously gaining what you desire is called social engineering (SE). Surreptitiously, here, does not mean without the target's knowledge. It means the target does not have knowledge of your motives or who you really are. This is not to say social engineering always occurs face-to-face. Social engineering can be used through the telephone, electronic mail, physical mail, or through another person.

This article will demonstrate (and hopefully inspire) the use of social engineering, not through fictional scripts, but through real world examples from the author's experience or those he has witnessed.

Retail Paging Systems
Wal-Mart store phones have clearly marked buttons for the paging system.  Wal-Mart is the exception, not the rule.  So how do you get on the paging system to have a little fun when you're bored out of your mind shopping with your girlfriend? Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op. The key here is to become a harried employee, saying something similar to... "This is Bill in shoes.  What's the paging extension?" More often than not, you'll get the extension without another word.  Now, get some by saying something sweet over the intercom.

Airport White Courtesy Phones
Imagine you've already been strip searched and you're waiting for your delayed flight.  Naturally, you gravitate to a phone.  Is it white?  Then you've got a free call right in front of you.  Just pick up to get the op.  "This is Bill at Southwest, Gate A5.  We're swamped and our phones are tied.  Can I get an outside line?" If the phone does not have DTMF, or the op wants to dial the call for you, do not call a number related to you.

Hotels
Hotels hold such promise.  Some hotels have voice mail for each room, guests receiving a PIN when they check in. Hotels also have "guest" phones; phones outside of rooms that connect only to rooms or the front desk.  Pick up a guest phone, make like a friendly guest and say, "I forgot my PIN.  Could I get it again? Room XXX." Knowing the registered name of the target room helps, for the Hotel and Restaurant Management Degree Program graduate may ask for it.

Do not follow through with the next social engineering example.  Or, like the author, try it on a friend.  Go to the front desk and tell the attendant that you've locked your key (card) in the laundromat, in your room, lost it, etc.  Do not try this with the attendant that checked you in.  And again, do not enter someone's room without permission.

Calling Technical Support
So you've found a new-fangled computerized phone and you want to learn more about it. Do the same thing you do when you have trouble with your AOL - call tech support. First, do a little planning (after getting the tech support number off of the phone or the web).  Get some info on the phone, like phone number, model number, other identifying numbers, etc.  Also, know the name of the facility in which the phone is located.  Now that you've got some ammo, you're ready to make the call.  Posing as an employee of the facility, call tech support and make up a problem for the phone you've identified.  Act a little dumb and be apologetic, acting like you don't want to waste their time.  All the while, pumping them for information - "I hate to bug you for this, but <insert problem here>."  <You'll get some info from tech support here.>  <Build on what you've learned and curiously ask another question.>  And so on until you reach the point where you can feel that it's time to end the call. Occasionally acting amazed at their knowledge may be helpful.

Calling AS Technical Support
The most famous examples of social engineering are the SE panels at HOPE.  H2K2 saw Emmanuel change some poor soul's dinner reservations and obtain customer credit information from a randomly chosen Starbucks. He called the Starbucks as tech support.

When you've determined what you want and where you want it from (don't call MIT as tech support, by the way), make up a "report" of a problem.  More than likely, there will be a problem, or the person you call will have a question.  Questions are gold! Even if you have no idea what the target is talking about, you can of course fake it and use that question as leverage to gain more information.

Practice these easy-to-do examples of social engineering and then extend the skills you gain to larger projects.  And no, Dade, do not be funny when social engineering - that'll get you nowhere.  Most importantly, do not use your SE skills for evil.  Have some fun, gain the "forbidden" knowledge, and use your skills wisely.
#2
(08-15-2020, 02:21 PM)Insider Wrote:
Practical Examples of Social Engineering

I like this explanation. My only question is I heard someone say that using humor can be disarming. How is that different from "being funny?"
#3
(08-15-2020, 10:28 PM)QMark Wrote: I like this explanation. My only question is I heard someone say that using humor can be disarming. How is that different from "being funny?"

This is kind of an ancient doc, back in the day when the phone phreaking scene was still at the top. Although that's why I shared it, a lot of the concepts and explanation still apply today. Being funny and using humour: you're right, there's no difference.

I can't speak for the author. But I think the point of "don't try to be funny" must have been a joke reference or something. I see no harm in using some humour in social engineering.