What Is Social Engineering?
Social engineering is the art of getting people to give you
the information you are seeking, rather than breaking into a system to
get it. Among the most sought after bits of information is the username
and password. Many online systems—even financial websites—use your email
address as a username. Then they ask you to provide a unique password.
Today's Social Engineering Hack
I've already covered one social engineering hack in my spear phishing with SET guide, and there have been numerous other social engineering hack guides posted here on Null Byte by contributors and past admins, most of which are still very useful today.But today, we're going to focus solely on getting those much sought after email addresses and passwords. Let's concentrate on developing a website that targets a section of the population and have them create an account with their username (email address) and password.
Step 1: Choose Your Target Audience
The first step is too choose who or what industry you want to target. Let's imagine you want to target doctors. Since so many doctors are golfers, maybe you could create a special website that catered to golfing doctors. Maybe a website that ranked the best doctor golfers?Step 2: Use Their Email Address as Their Username
Now that you have the site up and running, you will need an authentication mechanism. We might simply ask the doctors to enter their email address as a username. Since so many sites today use the user's email address as their username, few would be suspicious.After they enter their username, they will have to select password to be part of our wonderful website!
Step 3: Promote the Website
This is the hard and costly part. You need to promote the website so that busy doctors will find it and open an account. You can create a Google AdWords account and pay for words that send our victims to view our site. These keywords might be golf, golf vacations, best doctor golfers, etc.Of course, this might take a while, but to be a good hacker, you must be patient and creative. Some effective hacks take years to be completed.
Step 4: Open Their Email with the Password
Eventually, some erstwhile doctors with more interest in hitting the links than caring for patients will find your site and log themselves in. When they do, you will have both their email address and their password for your site.Step 5: Find Other Accounts
Now, there is no guarantee that your visitors/doctors will use the same password on your site as their email account, but nearly all of us re-use the same password despite all the precautions against it, even after such events as Heartbleed.Let's start with the email account. Let's navigate to Gmail (if it's a Gmail address) and try the email and password to get into his email account. It won't work every time, but it only has to work a few times.
When we successfully enter his email account, we can search his emails for other accounts such as his bank, brokerage, etc. Remember, when he opened that account, the website sent an email confirming it with his username and password.
Social Engineering Complete!
This
little exercise, I hope, demonstrates that social engineering can be an
excellent way to gain access to accounts that would be otherwise
unbreakable. With a little imagination, hard work and patience, anything
is possible!