
Social engineering and trust as a human factor

This is my first post on Habr, and it is still hard to predict how the local audience will react to what I did. The point is this.

People have very different reasons for "hijacking" email addresses or social network accounts. But when people close to me learned my reason, I was condemned for it. To some extent, I always understood that gaining access to a victim's social network accounts in order to read certain correspondence is very immoral. On the other hand, I consoled myself with the thought that if these comrades fell for such a hook, then they had it coming.

There were two victims who had the information I needed. Both are men. I could only get this information from them, but I barely knew one of them, and the other was my sworn enemy. Their frequent activity on social networks gave me hope that they would discuss what I needed with someone in their correspondence.

It was so important to me that for a couple of days I thought only about how to get the information. The thought of "hacking" came to mind. But how? Especially since lately everyone has become more or less literate (they set good passwords). In addition, today's applications have reached a high level of protection. So I dropped the idea of technical hacking almost immediately. I decided to use social engineering. And the method should not be too complicated.

Various ideas and thoughts came to mind. I went through the different weaknesses of each of them. And suddenly it dawned on me: women. I immediately wrote to a friend, asking if she wanted to take part in an extravagant scheme. We pondered different scenarios, but eventually abandoned this idea, since everything was too complicated.

As a result, another idea came.

I registered a fake account. On the same social networks I found a very pretty girl from some small Ukrainian town. The main thing was that she would not cross paths with the fake. After that, I began to fill out the profile on Facebook and uploaded some photos. For credibility, I needed "friends." I combed through various people who are very active (as a rule, they add friends indiscriminately), built up a base of 10 people, and then many began sending friend requests themselves. Since my fake girl turned out to be very pretty, I already had over 50 friends by the evening.

The next day I was in for a fiasco. Facebook suspected something and showed me some photos of my friends, asking me to label them by answering "Who is in the photo?". Of course, I did not know a single person and could not restore my account. So everything started over, but gradually this time.

This time friends were added selectively. Often these were people I knew well enough by memory to pass this test. I joined the same groups that the victims participated in. I found some articles that were thematically relevant for these groups and began to publish them. All this took about five days. I had a lie which, once exposed, could not be repeated, so I acted very carefully and without haste.

One day my waiting paid off, and I began to receive comments from the victim on my publications in the group. I deliberately published the topics most interesting to that particular person. It was not difficult to learn his interests; it was enough to look at which publications he actively reacted to. At first there were just some formal replies, but I was waiting for interaction, and it happened: a conversation started. From ordinary comments under the publications, we gradually moved to private messages. After that, I noticed his “likes” on “my” photos. After some time came the long-awaited friend request, which grew into an acquaintance.

- A girl, Nastya. Very nice. I work at an IT company as a very ordinary employee and am trying to become a programmer. If I can cope with one task, I will definitely be moved up the career ladder and earn a good salary.

The information is the simplest and most ordinary: non-committal, not suspicious. Meanwhile, in the correspondence I answer questions, make up a life story, and promise to meet at some point in the future. In parallel, I register an account on a free hosting provider. I quickly put together a couple of static “Lorem ipsum” pages, create comments there, allegedly left by someone, and an authorization button leading to a form that looks exactly like the Facebook login form.

Yes, primitive, but this comrade had nothing to do with IT, so I took that into account and simply asked him, as a test, to leave a comment on my “test project”.

“My task is to leave a comment through a social network,” I write to him.

In the heat of his feelings, he runs to the site, tries to log in, and writes back that he cannot leave a comment, since after authorization the previous page reappears and there is no comment form.

“Oh, I found a mistake, I have to fix it,” Nastena answers.

Of course, after that Nastya became less active, and then stopped going online altogether. That he tried to contact her somehow, asked for a phone number, etc., I read from his own account. I also got lucky. He used one password everywhere, which easily allowed me to get into VK and Mail.ru mail.

For the second victim, I had to do extra work, creating logins for other social networks and email, because he used different passwords everywhere. But joyfully, for the sake of a beautiful lady, he tried all the methods, in effect kindly giving me the input.

Afterword

Everything is insanely simple and hardly even counts as a how-to. But still, this is not a guide but a moral: you can't trust anyone, let alone strangers on the Internet, especially beautiful strangers. And two-factor authorization, which is already available almost everywhere, would have saved both of them.

Source: https://habr.com/ru/post/236577/
