Social Engineering Defense Contractors on LinkedIn and Facebook 3: Associating with Targets

This part covers the strategy Jordan Harbinger used to get in touch with targets and learn additional personal details about them in preparation for a successful attack.

Step 3: Associate and gain rapport with targets

So, now I was in and it was time to see what I could dig up. I want to make sure that I get something cool, because joining this group is funny, but it’s not going to impress anybody in this room. So I called Chris Hadnagy and I was like: “No one is going to like my talk, what do I do now?” He said: “Get some information.”

I’m like: “Ok, I can do that.” So, now I can see the LinkedIn profiles and their CVs and their contact information and their job descriptions, and I know exactly which company they work for, and they decided to supply that for just about 8,000 people.

And the problem was that obviously these guys go through some training, so they know that if someone hits them up on a network like LinkedIn, they probably shouldn’t say anything about what they do. I mean, surely they have some training to that effect.

Not exactly; as it turns out, people who think they’re in similar companies, as I said before, actually don’t seem to have a problem discussing anything that they’re working on, even if it’s over the freakin’ Internet. Because, well, I’m in that group, so I must be TS cleared and probably I’m a good guy, and also, we’ll get into it as well, what do you think people are doing in that group in the first place? Does anyone want to guess what people are doing in that group? They’re looking for jobs, right. So, what do you offer people looking for jobs if you want them to talk? You offer them a job, nailed it!

You’d be surprised how many people want to help you when they think you’re going to mess with other people.

So, I needed to think about what I could offer these people job-wise that would make sense and wouldn’t arouse any suspicion. That wasn’t too hard, actually. The group exists, as you guys guessed, to help people with top secret level clearances find jobs. It seems to be a field in which a lot of guys bounce from one project to another, they come from the military and then they’re like: “How do I get a job in civilian life? I’m in freakin’ Kuwait right now, I can’t interview. How do I even start?” And this group is a good place for that. It’s very useful, which is why I’m destroying it in this talk right now.

So, I started a LinkedIn profile showing that I was a headhunter, so I can offer people jobs. And I made this credible simply by modeling it after other headhunters that were also in the group, or other people that were on LinkedIn, or people that I knew were headhunters, who I could call and say: “Hey, how do I make a fake LinkedIn profile that looks like a headhunter?” And they’re like: “Use mine, use this, just don’t use my pictures.”

Chameleon – expert in natural disguise

So, that was really easy, and, in fact, you’d be surprised how many people want to help you when they think you’re going to mess with other people. And I’m really exploiting the principle that people trust their senses implicitly; they think that what they see is what is actually there, which is interesting. If you look at something like this, for example, the chameleon is a classic example of this, right? It sheds predators all the time by tricking them using their own senses, and it’s brilliant, because we don’t question those things.

Not being a real headhunter, I had to practice a little bit, so I even practiced with headhunter buddies and said: “Ok, what kind of questioning line do I do?” Because I assume that if you’re looking for a job, you’ve talked to maybe half a dozen headhunters already; you’ve already gone through this. So, if I call and I’m just like: “So, tell me what you’re working on right now,” that might not fit in line with what everybody else has done so far. So, I tried to get it and it was relatively simple, I mean, it was really, really simple actually.

I then found a few people looking for employment to see how easily I could get them to send over a copy of their resume with personal information on it and any other details on their projects and activities. I was especially looking to grab any information that I shouldn’t have ready access to, but that wasn’t classified of course, especially their specialties, or former jobs, or any projects they might have worked on in the past.

So, I indicated a preference for military in a very non-shady way by including a line that says: “We prefer supporting veterans wherever possible,” and that, basically, gets them all out of the woodwork. And it’s great because I like supporting veterans, but also somebody’s got to know that, again, if you’re looking to exploit that niche, the best thing you can do is flatter somebody or offer them something of value. And so I got more responses from active duty military than I thought I would.

And eventually I’d hit a digital wall, in which the targets have probably had enough contact from somebody that they didn’t know very well and I asked just a few too many questions. That’s when we get here:

Step 4: Lay groundwork for the attack

Getting connected with the target is not a problem.

I calibrated my approach a little bit and I requested certain information, and then I used a service called Jigsaw or something similar to grab their office number. And so, even if all I had was their name, I could call the company switchboard and get connected, which is really easy and very convenient if someone is legitimately trying to reach you.

Once connected, I would just feign a bad connection and have them call me back on their office phone to my burner, burner being a phone that I’m not going to use, or that I don’t use to call my parents and friends. And so I’d have their number on my caller ID; sometimes it worked, sometimes it didn’t.

I did this because in the future I wanted to have the option of calling those people back, spoofing their actual internal office phone numbers. So, in other words, I could call them from a colleague or an office across the country, or from IT support, or anything like that right from their own work phones, which actually worked a treat. Even on digital systems people just think: “Oh, there’s something weird going on,” because the whole number is showing up, not just the extension. They don’t go: “Hmm, somebody must be spoofing my number, because a week ago I got a call from a headhunter and I wasn’t even looking for a job.”

I can find out lots of stuff that you weren’t going to tell me.

Once I had a few telephone conversations with the target or even beforehand, I would ask them for their private email address, because I don’t want to send them the information about the job to their work email. And you guys probably all know what can be done with a private email address, using programs like Maltego, and looking on Facebook, just a simple Facebook search can bring up a lot.

Maltego

So, I plugged it into Maltego. Does anybody know what Maltego is? Does everybody not have a clue what I’m talking about right now? I’ll just give a brief overview: Maltego is a program that can take little bits of information, such as an email address, and search the five corners of the interwebs and find everything that has that, so if you’re fishing and you use that email address on some forum where you talk about fishing and you post pictures of how many fish you catch and about your boat and the suspension on your car, I can find all that. And if someone’s dumb enough to post an email you sent them about something unrelated and post it in the forum or anywhere, Maltego will find it and I can take a look, and now I know what kind of brake issues you’re having on your Z3, Miata or whatever, I don’t care.

But I can find out lots of stuff that you weren’t going to tell me, and I can use that to create rapport: I can also use that to find your blog, I can use it to find your Facebook profile, and that’s where I really struck gold. So, it’s kind of the digital equivalent of fixing a GPS to your car and then downloading all that data later on; only I get it in, like, 10 minutes.

Facebook profile of Jordan’s assistant

So, I created a fake Facebook account, a female, obviously; and I molded it after a big mixture of my female friends and someone who’s appealing, especially to an engineer type, but seems real enough and accessible enough that the guy thinks he stands a reasonable chance of maybe getting a date with that girl, or gets the idea in his head that that’s a good one.

So, here’s my assistant (see image), she looks ok from there; this isn’t the actual profile that I used, but it was very similar and her photos were up there. And her being an engineer, of course, that got a lot of attention from a lot of the guys that I was looking to talk to. And so, there she is, of course, because I knew you guys were going to look for that anyway, so I’ll save you the trouble.

Read previous: Social Engineering Defense Contractors on LinkedIn and Facebook 2: Selecting the Targets

Read next: Social Engineering Defense Contractors on LinkedIn and Facebook 4: Executing the Attack
