The Social Engineer's Playbook


  6. If the target complies with the request, I recommend telling the target the situation has been resolved instead of leaving the issue open-ended.

  7. If possible, it is recommended that a female carry out this pretext. Alternatively, a voice changer that convincingly alters a male voice to sound female may be used.

  Attack of the Phones

  Objective

  To assess the target’s susceptibility toward divulging confidential information

  Description

  In this pretext, the social engineer attempts to gain sensitive information from the target by purporting to be an automated call from the Internal Revenue Service. The social engineer uses a text-to-speech program to “speak” to the target, asking him/her to wait for a representative. The target is then asked to validate their identity by entering their social security number on the keypad. Meanwhile, the tones are recorded by the social engineer, who then decodes them using a DTMF decoder.

  While this pretext uses the IRS as its cover and the social security number as its objective, these attributes can be adapted to better compromise the target.

  Prerequisites

  •Knowledge of the target’s phone number

  •Mobile phone with SpoofCard application

  Tools & Equipment

  •Recording device to capture the target’s social security number

  •Playback device to play the text-to-speech recordings

  •DTMF decoder, such as: http://dialabc.com/sound/detect/

  •Text-to-speech program, such as: http://www.readspeaker.com/voice-demo/

  Play

  1. Use a text-to-speech program to speak the following text (see ReadSpeaker). Then use a recording device to capture the audio (e.g., the computer’s microphone).

  “Hello, this is an automated call from the Internal Revenue Service regarding your [year] income taxes. Please hold for an IRS representative, who will be with you momentarily. For security purposes, please enter your social security number, followed by the pound or hash sign.”

  2. Once the audio pretext has been captured, ensure that it can be played back during the pretext call.

  3. Ready the recording device. With your phone in speakerphone mode, a computer’s microphone should be sufficient to record the target’s social security number.

  4. Cue the audio pretext for playback.

  5. Launch the SpoofCard app or a mechanism with similar functionality.

  6. Spoof your phone’s outgoing phone number and call the target.

  7. Set the recording device to record.

  8. When the target answers, play the audio pretext.

  9. Hang up after the target enters their social security number.

  10. If using the suggested DTMF decoder (http://dialabc.com/sound/detect/), you must save the recording as a WAV audio file and upload it to the site to decode the tones.

  Car Tow

  Objective

  To assess the target’s susceptibility toward divulging confidential information

  Description

  In this pretext, the social engineer attempts to gain information about a target by pretending to be a representative from a vehicle towing company. The social engineer convinces the target that he/she is towing the vehicle because the target parked in an area where the city is performing construction that day. The car must be towed in order for the city to perform the work, and the typical towing fee is $225.

  In order to gain the target’s information, the social engineer provides an alternative to the costly towing fee: moving the target’s vehicle to the next parking stall for only $14.

  In doing so, the social engineer creates a sense of urgency by indicating that the vehicle is already on the lift and the target must decide immediately whether he/she wants it moved to the next stall. To have it moved, the target must give the towing company representative a credit card number to process, or the vehicle will be impounded.

  Prerequisites

  •Most effective on a target who is working at a location where the vehicle is not within close proximity to the target (e.g., a parking ramp)

  •Knowledge of the target’s phone number

  •Knowledge of the vehicle’s color, make and model

  Tools & Equipment

  •Mobile phone with SpoofCard application

  Play

  1. Launch the SpoofCard app or a mechanism with similar functionality.

  2. Use the voice change feature and select a gender-appropriate voice, or simply alter your natural voice.

  3. Be sure to place the call using phony office background noise. This may be helpful: https://www.youtube.com/watch?v=D7ZZp8XuUTE

  4. Telephone the target and adapt this sample pretext to better fit your scenario:

  “This is [fake towing company name]. Do you own a [vehicle color] [vehicle make and model]?”

  [Target responds]

  “[Ma’am/Sir], you are parked in a stall that has been reserved for minor construction by the city. Our truck has your vehicle up on the lift, but since the stall next to yours is open, we can have our truck move your vehicle over instead of impounding it today. All I need is [very low dollar amount] by credit card.”

  [Target responds]

  5. Speak with an unsympathetic attitude, an authoritative tone and a monotone voice. However, don’t be rude.

  6. The target will likely be upset and may complain about the absence of a posted sign. Simply state that a sign was posted and reiterate the alternative offer.

  7. Do not allow the target to consume too much time on the phone; he/she may be on their way to the location on foot. Be short with answers.

  8. Be very brief with verbal communication and reiterate the low-cost alternative, but do not oversell it. For a more convincing pretext, play it as if you don’t care whether the target’s vehicle is impounded.

  9. If the target complies with your request, indicate the situation has been resolved and end the call swiftly. Hanging up immediately after receiving the information will raise immediate suspicion.

  Baiting

  Baiting, or media baiting, involves the attacker “baiting” a target into using a piece of malware-infected media by piquing the target’s curiosity so that he or she inserts it into their computer. Typically, the infected media covertly launches a malicious program, unbeknownst to the user, as soon as he or she inserts the media into the computer.
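Every baiting play on this page relies on an autorun.inf at the root of the media to launch the payload, so the defender-side counterpart is to inspect that file before AutoRun ever sees it. The Python below is an added example, not code from the playbook, SET or Metasploit; the sample autorun.inf it parses is constructed, and the file names in it are placeholders.

```python
"""Parse an autorun.inf taken from removable media and flag directives that
would make a Windows host launch a program on insertion. Added example, not
from the playbook; SAMPLE is constructed and its file names are placeholders."""
import re

# [autorun] keys whose value names a file Windows would run or open automatically.
EXEC_KEYS = {"open", "shellexecute"}
# Extensions that indicate a program rather than a document.
PROGRAM_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi")


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.
    Hand-rolled rather than configparser so odd but valid files do not raise."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)       # section header
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _target_file(value: str) -> str:
    """First token of a directive value (quoted path or bare word), minus any ',index' suffix."""
    m = re.match(r'"([^"]*)"|(\S+)', value)
    return (m.group(1) or m.group(2)).split(",")[0] if m else ""


def assess_autorun(text: str) -> list:
    """Return (severity, key, reason) findings for one autorun.inf body."""
    findings = []
    for key, value in parse_autorun(text).items():
        target = _target_file(value)
        is_program = target.lower().endswith(PROGRAM_EXT)
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            sev = "high" if is_program else "medium"  # a document still opens a viewer
            findings.append((sev, key, f"launches {target or '?'} on insert/open"))
        elif key == "icon" and is_program:
            findings.append(("low", key, "icon is taken from an executable on the drive"))
    return findings


# Constructed sample in the shape an infected drive would carry.
SAMPLE = "[autorun]\n; constructed\nopen=payroll_viewer.exe\nicon=payroll_viewer.exe,0\nlabel=Payroll\n"

if __name__ == "__main__":
    for sev, key, why in assess_autorun(SAMPLE):
        print(f"{sev:6} {key}: {why}")
```

Running the block against SAMPLE reports the `open=` directive as high severity and the executable-backed icon as low; a drive whose autorun.inf only sets `label` and a `.ico` icon yields no findings.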

  Oldie but a Goody

  Objective

  To assess the target’s susceptibility toward inserting untrusted media into their computers

  Description

  This is a classic baiting maneuver. In this maneuver, the social engineer infects several USB drives configured to launch a malicious program when inserted into a computer. SET is used to create an infected Metasploit payload and an autorun.inf designed to connect back to a listener.

  Prerequisites

  •Knowledge of the physical location(s)

  •Close physical proximity to the target location(s)

  Tools & Equipment

  •Several U3 USB flash drives

  •Social Engineer Toolkit (SET)

  •Metasploit Framework

  Play

  1. Launch SET, select Infectious Media Generator from the main menu, then select Standard Metasploit Executable.

  2. SET will create a PDF payload and an autorun file. Copy the contents of the folder to a CD/DVD/USB to autorun.

  3. Start the listener using your publicly available IP address and preferred port.

  4. Label the USB drives with the following labels: “Private Pics,” “Payroll,” and “Beach Pics, Videos.”

  5. Leave the USB drives at the target location near public doors, the parking lot and the walkways closest to the target.

  6. Monitor for results and wait for targets to connect.

  Blazing Fast Interwebs

  Objective

  To assess the target’s susceptibility toward inserting untrusted media into their computers

  Description

  In this maneuver, the social engineer infects one or more USB drives configured to launch a malicious program when inserted into a computer. SET is used to create an infected Metasploit payload and an autorun.inf designed to connect back to a listener.

  The infected drive will be mailed to the target under the false pretense that it is a company marketing campaign.

  Prerequisites

  •Knowledge of the target(s) mailing address(es)

  •One or more U3 USB flash drives

  Tools & Equipment

  •Social Engineer Toolkit (SET)

  •Metasploit Framework

  •Microsoft Word or Photoshop

  Play

  1. Launch SET, select Infectious Media Generator from the main menu, then select Standard Metasploit Executable.

  2. SET will create a PDF payload and an autorun file. Copy the contents of the folder to a CD/DVD/USB to autorun.

  3. Start the listener using your publicly available IP address and preferred port.

  4. Create an advertisement flyer to be included in the mailing. The flyer must entice the target into plugging in the USB device.

  5. Utilize the following pretext:

  a. Amazing Internet Accelerator Device: This is a promotional flyer purporting to be from a major Internet provider (e.g., Comcast) or Google, introducing “innovative” technology that triples Internet speeds by way of the enclosed USB device. Free of charge and no setup required; simply connect and go. Microsoft Templates Online could be used to design a promo flyer for the phony product.

  6. Mail the infected USB drives.

  7. Monitor for results and wait for targets to connect.

  Save Big Money!

  Objective

  To assess the target’s susceptibility to inserting untrusted media into their computers

  Description

  In this maneuver, the social engineer infects one or more USB drives configured to launch a malicious program when inserted into a computer. SET is used to create an infected Metasploit payload and an autorun.inf designed to connect back to a listener.

  The infected drive will be mailed to the target under the false pretense that it is a company marketing campaign.

  Prerequisites

  •Knowledge of the target(s) mailing address(es)

  •One or more U3 USB flash drives

  Tools & Equipment

  •Social Engineer Toolkit (SET)

  •Metasploit Framework

  •Microsoft Word or Photoshop

  Play

  1. Launch SET, select Infectious Media Generator from the main menu, then select Standard Metasploit Executable.

  2. SET will create a PDF payload and an autorun file. Copy the contents of the folder to a CD/DVD/USB to autorun.

  3. Start the listener using your publicly available IP address and preferred port.

  4. Create an advertisement flyer to be included in the mailing. The flyer must entice the target into plugging in the USB device.

  5. Utilize the following pretext:

  Coupon book on USB: a promotional flyer is developed to masquerade as a company that delivers free coupon books for big box stores (Target, Best Buy, WalMart, Cabela’s, Sears) via USB drives. The flyer should promise sensational savings of over 50% off. Microsoft Templates Online could be used to design a promo flyer for the phony product.

  6. Mail the infected USB drives.

  7. Monitor for results and wait for targets to connect.

  Recalling All Cars!

  Objective

  To assess the target’s susceptibility toward inserting untrusted media into their computers

  Description

  In this maneuver, the social engineer infects one or more USB drives configured to launch a malicious program when inserted into a computer. SET is used to create an infected Metasploit payload and an autorun.inf designed to connect back to a listener.

  The infected drive will be mailed to the target under the false pretense that the target’s vehicle is subject to a serious recall needing immediate attention.

  Prerequisites

  •Requires knowledge of the make/model of the target vehicle. This can be obtained through surveillance of the target or via online intelligence gathering techniques (Maltego, social media).

  •Optionally, if the target’s vehicle make/model are unknown, the content of the formal business letter can be made to reference the vehicle generically without specifying this information.

  •Requires knowledge of the target’s mailing address

  •U3 USB flash drive

  Tools & Equipment

  •Social Engineer Toolkit (SET)

  •Metasploit Framework

  •Microsoft Word or Photoshop

  Play

  1. Launch SET, select Infectious Media Generator from the main menu, then select Standard Metasploit Executable.

  2. SET will create a PDF payload and an autorun file. Copy the contents of the folder to a CD/DVD/USB to autorun.

  3. Start the listener using your publicly available IP address and preferred port.

  4. Create a formal business letter to be included in the recall mailing. The letter must entice the target into plugging in the USB device in order to obtain critical information for the processing of his/her vehicle’s recall.

  5. Use and adapt the following content for the recall letter:

  Dear Customer,

  This notice is sent to you in accordance with the requirements of the National Traffic and Motor Vehicle Safety Act.

  [Company name] has decided that a defect, which relates to motor vehicle safety, requires immediate replacement. Therefore, please follow the instructions below.

  1) Plug the enclosed USB drive into your computer.

  2) Navigate to the USB drive and open the PDF file titled [PDF file name].

  3) Read and print the recall form.

  4) Sign the form and mail it using the enclosed pre-addressed, postage-paid envelope.

  We apologize for this situation and want to assure you that, with your assistance, we aim to remedy this condition immediately. Our commitment, together with your dealer, is to provide you with the highest level of service, and we stand by that commitment.

  At [company name], we genuinely care about quality and the safety of our customers.

  6. Mail the infected USB drive to the target along with the formal business letter.

  7. Monitor results and wait for the target to connect.

  Bank Security Software

  Objective

  To assess the target’s susceptibility toward inserting untrusted media into their computers

  Description

  This is a media baiting adaptation of the spear phishing pretext called “Bank Security Email Alert.” In this maneuver, the social engineer infects one or more USB drives configured to launch a malicious program when inserted into a computer. SET is used to create an infected Metasploit payload and an autorun.inf designed to connect back to a listener.

  The infected drive will be mailed to the targets under the false pretense that their bank has noticed suspicious activity on the target’s account, and that the enclosed USB drive contains security software to disinfect their computer and ensure secure connectivity to the bank website.

  Prerequisites

  •Knowledge of the target email address

  •Knowledge of the target’s bank. This may be learned through surveillance, dumpster diving or GPS tracking.

  •One or more U3 USB flash drives

  Tools & Equipment

  •Social Engineer Toolkit (SET)

  •Metasploit Framework

  •Microsoft Word or Photoshop

  Play

  1. Launch SET, select Social Engineering Attacks -> Spear-Phishing Attack Vector -> Perform a Mass Email Attack.

  2. Select Adobe PDF Embedded EXE Social Engineering and opt for the built-in BLANK PDF, then select the Windows Reverse TCP Shell.

  3. Enter your IP address for the payload listener and the listening port (443).

  4. Create a formal business letter to be included in the recall mailing. The letter must entice the target into plugging in the USB device in order to obtain critical information about the suspicious activity and the security software.

  5. Use the following text:

  Dear Customer,

  You are receiving this message because you are a current [bank name] customer.

  Our Fraud & Prevention department has detected several suspicious transactions on your account originating from multiple overseas merchants. These charges Our policy states that we require your assistance in determining the legitimacy of any suspicious charges totaling over $10,000. Your cooperation is appreciated.

  To ensure your computer is protected and to facilitate secure connectivity to the Internet, please follow the instructions below.

  1) Plug the enclosed USB drive into your computer.

  2) Navigate to the USB drive and open the PDF file titled [PDF file name].

  3) Review each suspicious transaction shown along with the merchant, date and transaction amount.

  4) Observe and note any transactions as suspicious charges to the best of your ability.