Social Engineering Defense Contractors on LinkedIn and Facebook 4: Executing the Attack

Jordan Harbinger describes how he used social engineering to carry out the attack and lists the specific data he managed to retrieve through this tactic.

Step 5: Execute the attack

So, I added a bunch of my targets on Facebook and I was able to get the privacy settings down so that if I added a few people from one company, they wouldn’t necessarily see each other and be like: “Well, that’s weird, Chris is on there and Tim’s on there. Is my whole department quitting?”

Fat superhero – proof of concept

One of the things I thought for sure was going to happen is people were going to go: “How do you know me?” But they didn’t; most of the time the guys were like: “Sweet, accept!” And 30% of the time at most guys would be like: “How do you know me?” And I go: “Oh, Facebook suggested we’d become friends,” and they were like: “Ok, fine, whatever.” There’s that little suggestion box, nobody thinks that’s weird for some reason. When it’s a guy, they’re like: ‘Delete’, but when it’s a girl that looks like that, they’re like: “Ok! Thanks Facebook, good looking out!”

Besides, our minds always want to believe what we want; we always want to think: “That type of girl totally would want to be friends with me.” And if this principle weren’t true, there would be a lot fewer people who would think they could walk around wearing spandex: you guys know who you are.

So, the female Facebook friend, of course, is also an engineer and she’s got a clickable resume on her Facebook profile, and that’s to another website. So, when you want to look at her resume, you can click on that, and, of course, when it goes to that website, I get the IP address, which leads to the location, and I get the browser and the OS and the language and stuff, and by that I can sort of figure out which person that might have been, which office that person might have been from; especially if I know that somebody with a really Chinese-sounding name who works in California and has their browser in Mandarin is looking at this at this time after I just friended him, like, 5 hours ago.

So, I can guess that’s who that is and now I know where they are, what browser they’re using, etc. And all you tech guys know what you can do with some of that, given a few other facts.

One of the vacation pics

Now, of course, there’s also another link with her most recent vacation photos (see image), and that, not surprisingly, got a lot more clicks than her resume.

So, you guys could think: “Oh, great, so what? Your friend is some defense contractor on Facebook, who the hell cares?” And that’s fair. But the ‘damsel in distress’ type of ploy tends to be ripe proving grounds for eliciting information, and a pretty girl asking an engineer for confidential information or classified information theoretically, hypothetically, etc., is a lot easier than you might think.

And of course none of this is done in real time, so if I get a message with a question back, I have like 5, 10, 24, 72 hours to craft a pretty perfect response, and I can call people and ask what they would do, and if they would ask a career-specific question I can get a real answer from somebody who actually knows what they’re talking about. And that actually turned out to be shockingly easy, and you can do tons of research and prep on the fly.

There is also the fact that she’s sharing plenty of information about herself too, right? I’ve got a whole persona for her. I’ve got a matchmaker that works with us at The Art of Charm, so she’s helping me craft the perfect girl for each target. Like, this guy’s into this, he probably really loves this, this and this. Then our female engineer of course becomes that girl overnight immediately, within an hour phone call to the matchmaker.

The more she shares about herself, the more the target feels secure in sharing about himself.

So, even her resume is tailor-made to impress the target, and she makes him feel important by having him take a look at her resume as well. I created multiple profiles, just in case. I did have, like, a basic cookie cutter girl with a lot more blanks than information filled out so that I could fill it in with just whatever I needed to in the email. So, if the guy seemed like he wasn’t sporty, I didn’t have her be like “yoga, running, dancing,” because that would be a little intimidating. I’d have her be like: “movies, video games,” so you don’t want to write all these things in. Just saying, you know it’s true, no hate.

Robert Cialdini, a psychologist, has a principle called Reciprocity: the more she shares about herself, the more the target feels secure in sharing about himself. And in one case a more careful target was like: “I’m not going to tell you where I work, I’m not going to tell you my location, I’m not going to share project data with a recruiter online.” However, once she asked him to meet for coffee to talk about jobs, he could not wait to disclose his location, and his email address, and what he was doing, and that he was free for the next 18 days. And that was much faster than LinkedIn, because she would write back something like: “Listen, I don’t use this that much, but if you just send me an email, it’s a lot easier.”

Yelp data can prompt target’s location

So, I was then able to use his personal email to find his Yelp account. Everyone probably knows what Yelp is, but if not, it’s a site where you do business reviews online, and judging from the approximate area by looking at what he’s reviewed, I can find out, basically, where he lives. So, if he’s reviewed 20 Thai restaurants and coffee shops in Albuquerque, I know he probably lives very close, or works very close, or lives there.

Now, of course, the girl was thinking of applying to his company and, possibly, moving closer to home, closer to her parents, in that case, and conveniently located in the area where she was working, so that was a great coincidence for him that this pretty girl in his field was thinking about maybe moving there, and he was going to do everything he could to sell that idea.

Let’s recap:

So, what have we got?

I know facility locations, department names, project names, target names, target resumes, spoofed internal phone numbers, and target social media profiles. And I’ve got that all without any real technical skill at all. The most technical thing I’ve done so far is look at a server log for their IP address, which everybody, my Mom probably knows how to do that. So there’s no real technical exploit here; there’s no systems that have been compromised; the only system that has been compromised is common sense and rationality, or due diligence on the part of the target.

Read previous: Social Engineering Defense Contractors on LinkedIn and Facebook 3: Associating with Targets

Read next: Social Engineering Defense Contractors on LinkedIn and Facebook 5: Tactic for Eliciting Private Data
