She did great on that social engineering attack. The crying baby on YouTube was a nice touch. The overall segment illustrates many aspects of psychological manipulation that can be used to successfully con a support person. A believable scenario, something people might sympathize with, a sense of urgency, further but brief engagement with questions/answers, and gratitude for their participation.
This stuff was always tricky to train people to defend against. I need to update my links to good presentations on this subject for attack and especially defensive training for employees. So, what do you people have to go in that collection?
Note: OP video led to autoplay of No Tech Hacking by Johnny Long. I recall someone recommending me read the book by same name. So, nice accidental reminder.
Note 2: Bejtlich's comment on NTH on Amazon reminded me that we should probably always list Mitnick's Art of Deception and Abignale's Art of the Steal in these threads for useful examples they had. They each extracted much mileage out of social engineering.
> A believable scenario, something people might sympathize with, a sense of urgency, further but brief engagement with questions/answers, and gratitude for their participation.
Yep, pretty much nailed it right there. I think the fact that she acted surprised/confused at some of the security policies, rather than getting aggressive, helped sell her as a real customer that just needed some help.
I mean, not that real customers aren't assholes sometimes. It's just less likely that customer support will want to help them.
Ugh, so this is why banks ask you to type your cart number and call support password before they connect you to a real person. And then he asks you your some private informations, then fills them on the program, only after this he can give you a support.
Usually. It's also why some institutions will lock you out entirely without a visit for a photo ID check. Pre-designated people in some high-security settings with optional tokens or biometrics.
Now, some measures you run into will exist because a non-security expert formulated them to cover their ass after reading something online or in a bookstore. Or by security people who also have to comply with a policy or regulation of varying degrees of sanity. So, it's not always a real attack or risk inspiring specific measures but often is for verification during support.
In that video Dan Tentler talks about how he hacked the journalist by prompting fake system messages to input his password.
I've always wondered when using Ubuntu, how paranoid should one be regarding the prompts to auto install updates? Anyways, if you've been owned to that extent already, your adversary could always use a key logger, instead, so I guess it's maybe not worth worrying about.
"I stole your onepassword keychain". Wow. Actually was pretty smart, he signed up for squarespace because the mark had a squarespace blog and used emails to get him to give up passwords then downloaded a ton of maliscious software onto his computer.
Pictures of the webcam every 2 minutes were creepy as hell.
Another aspect of social engineering that is seldom discussed: Women will have a higher success rate at any sort of information-extraction, in fact, I would say that it is a "social engineer" method in itself. The crying baby sound-effect? Simply icing on the cake.
If a male with a naturally brooding voice contacted a service provider to extract a password, his chances of success are lower because he is less trustworthy by nature, which increases the odds of the operator on the other end raising suspicion.
I've seen a lot better ones than this at HOPE. I honestly don't think I would have bought her story -- and I have history of working the phones for stuff. It comes across as too contrived. She would have fooled me better by just sounding bored.
While I am not an artist, I always had a distaste for the phrase "scam artist". It didn't seem appropriate to elevate someone who commits fraud to the level of "artist".
But my hope was the phrase would shift out of the professions entirely. And certainly not into my own profession.
"Engineered" and "artistic" seem apt descriptions of parts of the scam: the skillful, creative, and well though out parts. Just like "criminal" and "scammer" address the other side of the same activities.
It does seem to be a euphemism, one used to paint scammers in a better light. Remember, 10 years ago we were calling social engineering hackers scammers and con men.
This stuff was always tricky to train people to defend against. I need to update my links to good presentations on this subject for attack and especially defensive training for employees. So, what do you people have to go in that collection?
Note: OP video led to autoplay of No Tech Hacking by Johnny Long. I recall someone recommending me read the book by same name. So, nice accidental reminder.
https://www.youtube.com/watch?v=N4kfsxF8Tio
Note 2: Bejtlich's comment on NTH on Amazon reminded me that we should probably always list Mitnick's Art of Deception and Abignale's Art of the Steal in these threads for useful examples they had. They each extracted much mileage out of social engineering.