Sharon Conheady explains here how to use social networks to get to know your target, and provides some examples on how to social-engineer people using the retrieved data.
Social networks are fantastic for performing your research and your reconnaissance. So once you’ve identified who you are going to social-engineer, whether it’s a particular person or a particular organization, you are going to try and gather as much information as you can about them. And I will always start with LinkedIn. LinkedIn is superb for social engineers.
First of all, you can start by building an organization chart of the company you are trying to get into. You are going to establish who reports to who; who is the head of each department; you go through it and you identify the names of individuals working in there. You could target them, you could pretend to be them, or you could name-drop their names, like if you know the name of the CEO, if you know the CEO is on holiday, because maybe he has posted it with a TripIt plug-in for LinkedIn, so you know he’s out of the office and say: “He wanted me to do this work”, or “He is away in Spain and he needs this document, please send it to me so I can get it to him.” It gives you so much information.
Of course you can set up a fake LinkedIn profile and link in to your target. It’s pretty easy to imagine who should know who in any particular industry. And if people are friends on Facebook, like if John and Jane are friends on Facebook, and Jane doesn’t appear to have a LinkedIn account, set one up under her name and then send John a LinkedIn request, he is probably going to believe it. Lots of people accept LinkedIn requests from whoever sends them anyway, so you may not even have to set up a fake profile. And of course we receive LinkedIn requests nearly every day, you know exactly what that email looks like – just spoof it.
So once you’ve got the name of individuals who work for your target organization on LinkedIn, look them up on other social networking sites, see what they have on their Facebook accounts, their Myspace accounts, do more tactical research on that person. Here is an example, you know these surveys that people fill in and like to publish online, they like to give away their dates of birth, they like to give away their home addresses, and more.
So you got your delivery shirts, order the Meat Feast pizza from Domino’s, collect it, go somewhere else, put on your delivery shirt and bring the pizza to Bob’s office. If he objects and says he didn’t order it, tell him one of his friends did, you got the names of all of his friends from his Facebook account. So you are in the office, plug in a wireless access point, plug in a keylogger, actually physically take the information away.
If you think this is too risky, how about you email Bob a voucher for a free pizza, maybe his birthday is coming up next week: “Hi Bob, thanks for being such a loyal customer for Domino’s pizza. We would like to offer you the next one on the house, print the attached voucher.”
This is another guy Joe, and Joe was really, really useful to us. Not only did he publish all the information about where he worked, where he was born, what school he went to – he also says what his income is as well. So from an attacker’s point of view, you know exactly how much you can take this guy for. So here are a couple of things on his survey that caught my eye: his goal this year is to give up smoking; his deepest fear is creepy-crawlies; and again, he’s got a favorite pizza in there. So how could you social-engineer this guy?
Here are a couple of ideas. He has got 45 friends on his Myspace page, you know when his birthday is. There are lots of birthday cards now that come with CDs in them. So send him a birthday card on behalf of one of his friends with the CD or USB key in it that supposedly has dancing ladies or something like that in it but obviously goes on to compromise his machine. Send him a ‘stop smoking’ pack – again, it’s some kind of media that he needs to plug in, or maybe even a link to a site he should visit. Or finally, you can threaten him with creepy-crawlies until he gives you the information that you want.
Blippy.com is another fantastic resource, again, for social engineers (see screenshot). So you can register your credit card accounts to Blippy, you can register your online purchasing accounts like eBay or iTunes, or Netflix to Blippy, and every time you make a purchase, it appears there and people know exactly how much you paid for their gifts, or how much you paid for a bottle of wine that you’ve just brought to the party. It can be really useful for social engineers.
So take this example, this guy just rented a couple of movies at Netflix. He rented 2 ‘Spartacus’ movies. So email him or call him, say you are calling from Netflix and ask how did he like the ‘Spartacus’ movies, offer him the next one free of charge: “We would like to send you the third ‘Spartacus’ movie. What’s your email address? I will send you a voucher.”
Foursquare.com, a kind of geotagging social networking site, is useful not only for social engineers but for burglars. And I am sure you’ve all seen the Pleaserobme.com project that knows the location of people and therefore when their houses are likely to be empty, using Twitter, Foursquare and other services. Here is an example: so you take this first guy; he left home and he is going to this lovely Irish pub in Paris. So if you are after this guy, go to that pub. He has got his photo there, you know what he looks like. Strike up the conversation with him, steal his bag. Or while he is out, rob his house, break in and probably he has lots of work stuff at home. There are so many things you can do once you have this information.