Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: The Art of the Con

  1. #1

    The Art of the Con

    Here's a short intro to the idea of social engineering. Criticism is welcome.
    ______________________________________________________________________________

    Many people acquainted with the world of computers often wonder how much technology the hacker must have experience in to steal passwords. The sad truth--none. Anybody trained in SOCIAL ENGINEERING can simply call some one up and ask for a password.

    Take the following example. A hacker wants administrative access to a competitors web site. He know the site is part of the SUPERSITE NETWORKS, a free hosting company. He also knows that he is a SirenAlert Firewall customer. To get the password, he goes through the following steps:

    He begins by signing up an e-mail address under the name of SUPERSITE SECURITY. He has it cleverly (and illegally) disguised as a SUPERSITE IT office. Now for the social engineering kill. His first letter:

    Dear SUPERSITE customer,
    on 8/13/04 a computer with this your IP address gained illegal access to confidential database files. Your site will be suspended from the SUPERSITE NETWORK for 365 days, until 8/13/05. If there is some mistake please contact us at SUPERSITESECURITY@itpros.com

    Sincerely,
    David Chang
    SUPERSITE Security Manager

    His second letter:

    Dear SUPERSITE customer,
    on 8/17/04 your computer attempted to access a confidential database file. This is your second violation of SUPERSITE security. This is a strict violation of SUPERSITE Security Polocies and License Agreement. This is also a violation of Federal Law. Your site will be deleted from the SUPERSITE NETWORK, and we will take prompt legal actions.

    If you have any questions, please contact me at SUPERSITESECURITY@itpros.com

    Sincerely,
    David Chang
    SUPERSITE Security Manager

    His third letter:

    Dear valued SirenAlert Firewall customer,
    our logs show that remote access was taken of your computer on 8/13/04 and 8/17/04. Because we value our customers' privacy, we would like to tell you that if remote access is taken of your computer it may be due to a firewall defect. To download a patch for this, go to sirenalertsecure.com

    SirenAlert Team

    In the process of this, the attacker also gains access to the victim's credit card number when he downloads the 'update' for his firewall. The victim doesn't even remember that SirenAlert's real URL is sirenalert.com.

    In a panic, and fearful of being sued in federal courst, the victim responds:

    Dear Mr. Chang,
    I in no way tried to access SUPERSITE's database. I recently received a notive from SirenAlert, my firewall provider, that some one gained remote access to my computer on the very dates your database was hacked.

    Sincerely,
    Chris Tomforde

    Now the social engineer sees an oppurtunity to come up huge:

    Dear Mr. Tomforde,
    I am sorry to hear that some one gained remote access to your computer and sincerely believe you. You have my deep apologies, but SUPERSITE NETWORKS does not allow computers with security faults to access their server. If you would like to discuss this further, feel free to call me from 10:00 AM to 5:00 PM at 882-335-7797.

    Sincerely,
    David Chang

    After the lighthearted mood and easy belief of Chris' story, Chris calls the attacker to discuss this in-depth.

    Attacker: Hello, David Chang, how may I help you?
    Chris: Hi, it's me, Chris Tomforde from the Network. You know, I'm the one whose computer was hacked...

    A: Oh yes. Actually there is an alternative to being suspended from the Network. You could sign up for a Secure Account, which would still allow you to run and administer your website.

    C: Oh Great! Can I do that?

    A: Sure, you just have to verify your old account. What was your username and password?

    And, just like that, the attacker has his username and password.

  2. #2
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Originally posted here by Nielsosky13
    If there is some mistake please contact us at SUPERSITESECURITY@itpros.com
    Shouldn't it be something more along the lines of Admin@SuperSiteSec.com... seriously when is the last time you've been the victum of YourBank@Yahoo.com

    Originally posted here by Nielsosky13
    Dear valued SirenAlert Firewall customer,
    our logs show that remote access was taken of your computer on 8/13/04 and 8/17/04. Because we value our customers' privacy, we would like to tell you that if remote access is taken of your computer it may be due to a firewall defect. To download a patch for this, go to sirenalertsecure.com
    Wow a trojan... thats pretty god damned elite. Its really funny how the guy had no idea WTF the problem was then two seconds later he pulls a patch right out of his stinking ass? Wow and the guy didn't even ask what kinda firewall was installed in the first place. Thats amaseing!

    No wait... whats really great is how the site was suspendid then after all those emails nobody even bothered to check on their own site. It isn't really security related... hell it really isn't a tutorial to begin with... not unless its a tutorial on how to email like a idiot or have phone sex. You could have atleast added "and the moral of this story is don't be stupid" to make it seem more security oriented.

    But in the end it still wouldn't change the fact that this thread sucks donkey balls.

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    nonetheless, the point is still the same
    The command completed successfully.


    \"They drew first blood not me.\"

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    159
    Nielsosky13 .. You should read few Tutorials posted on AO....

    And if u further read the requirements for posting tutorials... u would have known the effort and pain that it takes for a tutorial to be appreciated here..... It is simply not a cut and copy board..

    Tutorials present here can act as chapter for mini reference book for the subject.....

    I know u are new here.... But never mind Its only human to make errors....

    I guess ur tutorial lacked the objective......

    It didn't teach a reader anything new.. neither did it try to explain the concept of Social Engineering.

    It lacked on specific lookouts where every user has to be careful so as not to be fooled by social engineering ... Finally u could have given an real life example and could have ellobrated on the subject....

    Above were just few tips to help u write better tutorials in future...

    Best of Luck for future tutorials...
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Moved from Security Tutorials to Misc Security. Might prove a better discussion than a tutorial.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Neilsosky13, it seems that you've incurred the wrath of a few people and have mamanged to earn yourself some negative antipoints.

    I can help with that.

    Send me a PM with your AO password and I should be able to make a difference to you plight.

    HTH
    Steve

    <smilies implied!>
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #7
    Junior Member
    Join Date
    Feb 2004
    Posts
    8
    I've gained access to many things using social engineering. Normally it takes a while but you must always tell yourself your not lying to them, so you convince yourself you arent lying, which makes you more convincing!
    you want commitment put on your best suit, get your arms around me now we\'re goin\' down down down

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Typographical and grammatical errors...........................a dead giveaway IMHO

    Yet people still fall for it?

    OH well

    Cheers

  9. #9
    Now that was just a pointless read wasn't it.
    Tip: next time maybe read some of the Other Tut's on Social Engineering, and maybe provide more information, improve spelling, and like yeah there's always next time, don't take the critism personall man, it's just if you wanna submit a Tutorial you gotta make it damn good, other wise it's like been fed to the Sharks so to speak...

    cheers
    ..::front2back::..

  10. #10
    i'm just reading the book "art of deception" by keven d. mitnick, and i must say that there are some incredible things possible with a little balls and some research, great subject of security!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •