Social Engineering Defense Contractors on LinkedIn and Facebook 5: Tactic for Eliciting Private Data

Having obtained basic data on the targets, Jordan Harbinger makes a bold move to get their almost intimate details by applying more advanced social engineering.

Step 6: [Hypothetically] Elicit classified info

Spy vs spy

Now that I have tons of information about the company, the facilities and how things work from the inside, from the types of computers they use and even their phone systems, I know that I can call target number 2, maybe a supervisor, but not the target’s actual supervisor. And I can call from an internal number or an employee’s cell phone, and since I have plenty of knowledge about the company itself, I can ask about: if I was meeting with a headhunter for a job, what information should I not discuss?

So, now I’m getting: “Make sure you don’t talk about this, this and this,” all these things that I didn’t know existed before. And I cannot take that innocuous information and repeat this process over and over: “Hey, I was wondering if I could discuss this, but I’m wondering what aspects of this are really under the table, and what else I can talk about.” Well, let’s break this down into 5 parts.

Now I can start mapping some of the things they were talking about in detail, and you’ll be surprised: once somebody knows a little bit, it’s like a keyhole, you can really go in there, you can open that door and people are like: “Well, if you know that much, you obviously know all this other stuff, so let’s just recap that right now.”

Investigating things a little deeper I discussed vaguely what I was working on, and I asked which topics I should avoid, and I’d love to share this cool list of stuff that I got with you, but of course our lawyer at the EFF put a kibosh on that really fast. So, my original goal with the experiment was just to do that. But that was so easy I thought I would take things up a notch.

So, once I found somebody willing to jump ship, I decided to contact them privately through email and I enticed them enough to want this information about this new job.

In order to get this new job I needed them to sign an NDA, because it’s a pretty sensitive career, so I made sure they get sent over an NDA to get signed and then sent back to me. So, now I had their signature. And despite having not yet applied for the job, I needed to do more to protect myself, so I made sure that NDA was comprehensive, as comprehensive as possible, and had address information and name and everything that I could just verify that I knew. And I had it all in one place, and of course I had their signature right below that. That was so that I could kick off a preliminary background check on the target, which is great, because people with security clearances are really used to people looking into their business and they are willing to give out all kinds of information that they shouldn’t so that people can do that, if they think you’re legit.

The inventory obtained

So, now I’ve got Social Security Number, mother’s maiden name, address, last few addresses, employment history, signature, resume – everything. There’s not a lot that I cannot do with that information, and I could maybe reset their password for online banking, I could reset their PayPal password, which shows which banks they use. If I got into their banks or their credit cards, I could find out which financial transactions they were doing, where they were spending most of their money, whether they had a lot of debt.

I could also figure out whether or not they were using a cell phone – of course, everyone was; which carrier they were using, and then of course I would go into their cell phone call records and go: “Ok, cool, this is probably their Mom, this is where they grew up, because that’s where the area codes were concentrated; here’s their best friend, here’s their office; here’s all the people they text all the time.” So, think about that: the call history shows me who your closest friends and family are, and I already have all this information.

I also have your direct deposit in your bank account, so I know how much you get paid, which is good, because as a recruiter I want to make you a juicy job offer that pays you quite a bit more money than you’re making now, but not a ridiculous amount that’s off par with market or something that makes you go: “Wait a minute, what? I don’t understand this,” and raises any red flags.

So, more importantly, I can see if somebody has debt and how much, because that’s really the key: you can make a million dollars a year, but if you owe people 10 million, you’re broke. And I can also now call tech support for this guy’s company, prove that I’m him and have them help me install a VPN on my computer so that I can log in to the machines at that intranet while I’m away on business, which is great, because I already know when he’s working remotely or out of town anyway, because I have his Facebook and everything else, so I’m monitoring all that.

And even more devious: if I was a real bastard, I could use TripIt or just his Facebook status updates and I could see when he’s travelling for work or he’s not home, and I could probably go house sit for a few hours and clone any hard drives I wanted or take a look at anything I really wanted in his personal office.

Imagine the consequences with that. I’m an honest dude for the most part, with an iPhone, a laptop and Internet connection, and way too much time on my hands, and if I can do this in just a few hours, imagine what could be done with a budget, or a team, or people who don’t care about U.S. law, for example.

And instead of waiting for a business trip of unknown duration, if I had a budget for this, I could just fly the target out along with his whole family to ensure an empty house, to nice recruiting retreats, which I’m sure plenty of you guys have seen, you know, they’re: “Oh, come work for us, look, we’re going to have this thing in these resorts, you can go there with your family, most of it is free time and you just have to attend a few presentations about our company so we can entice you to work here.” Meanwhile, their house is empty and the rest of my team is in their garage looking under the hood of their car, etc.

Call records

Bank statements

There are some call records, just in case you don’t know what your call records look like – looks pretty much like that (see left-hand image), and I can see your texts too, but I can’t see the actual messages, of course, without a court order, not that I would need to if I know who you’re talking to anyway.

This is actually corporate bank statements (see right-hand image above) which are surprisingly disorganized. This check I freakin’ found online; somebody scanned this and put it online – unreal. So, here is what I’m doing while you’re away – I’m breaking into your place.

Read previous: Social Engineering Defense Contractors on LinkedIn and Facebook 4: Executing the Attack

Read next: Social Engineering Defense Contractors on LinkedIn and Facebook 6: Preventive Measures
