welcome to Ultimate Social Engineering Season -1
Although we’ve targeted totally on technical hacks here, social engineering will generally be particularly effective. This one needs somewhat of technical talent, however not too much. additionally, it’s restricted by how specific a target you’ll choose but it’ll work.
Social engineering is the art of getting people to give you the information you are seeking, rather than breaking into a system to get it. Among the most sought after bits of information is the username and password. Many online systems—even financial websites—use your email address as a username. Then they ask you to provide a unique password.
social engineering can prove to be very effective. But a social engineering attack is only as good as the engineer. Every successful hack must be backed by reconnaissance, this even applies to social engineering. This type of reconnaissance is slightly different however, it isn’t recon of the machine, but of the user. Recon for social engineering can be done thorough watching the user’s activity, seeing what sites they visit, and if they exhibit certain kinds of behavior. These are some of the things we’ll be discussing here.
For recon, we simply need to watch the user, and to look for signs of certain personality traits. For example, if we’re watching a victim’s web traffic through a MITM, we can gain a better understanding of the way that user thinks.
By understanding the user’s behavior, we can build a better attack. For example, if a user exhibits erratic behavior, we’ll need to build something more eye catching to attract their attention. The best thing to watch for when evaluating behavior is patterns. If you manage to identify enough patterns, you can get a good idea of a person’s traits.
People are vulnerable, much like the systems they use. If you can identify a person’s traits, you can build an attack optimized for them. By doing thorough reconnaissance and evaluating the user’s behavior, you can find vulnerabilities in the person.
So, in summary, social engineering can be taken to the next level with the addition of some simple psychology. Learning more types of behaviors will increase your arsenal of exploits.
This is simply an introduction to a much larger topic, there are many different behavior types that have an array of ways to exploit them. (credits to -Defalt )
Today, we’re going to concentrate exclusively on getting those much looked for email addresses and passwords. Let’s concentrate on developing a website that targets a section of the population and have them create an account with their username (email address) and password.
Step 1: Choose Your Target Audience
The first step is too choose who or what industry you want to target. Let’s imagine you want to target celebrity. Since so many celebrity are golfers, maybe you could create a special website that catered to golfing celebrity. Maybe a website that ranked the best celebrity golfers?
Step 2: Use Their Email Address as Their Username
Now that you have the site up and running, you will need an authentication mechanism. We might simply ask the celebrities to enter their email address as a username. Since so many sites today use the user’s email address as their username, few would be suspicious.
After they enter their username, they will have to select password to be part of our wonderful website!
Step 3: Promote the Website
This is the hard and costly part. You need to promote the website so that busy celebrities will find it and open an account. You can create a Google AdWords account and pay for words that send our victims to view our site. These keywords might be golf, golf vacations, best celebrity golfers, etc.
this might take a while, but to be a great hacker, you must be patient and creative , Some effective hacks take years to be completed.
Step 4: Open Their Email with the Password
Eventually, some erstwhile celebrities with more interest in hitting the links than caring for patients will find your site and log themselves in. When they do, you will have both their email address and their password for your site.
Step 5: Find Other Accounts
Now, there is no guarantee that your visitors/celebrities will use the same password on your site as their email account, but nearly all of us re-use the same password despite all the precautions against it
Let’s start with the email account. Let’s navigate to Gmail and try the email and password to get into his email account. It won’t work every time, but it only has to work a few times.
When we successfully enter his email account, we can search his emails for other accounts such as his bank, brokerage, etc. Remember, when he opened that account, the website sent an email confirming it with his username and password.
this ultimate social engineering season -1 demonstrates that social engineering can be a magnificent approach to access accounts that would be generally unbreakable. With a little creative energy, diligent work and persistence, anything is possible
stay turned for our next article 🙂 bookmark us