Volume 02 Issue 09
In this issue
• Another Article
The tip this month is... Push The Limits.
The field of social engineering is full of people that are not offering anything new. Many times the same old ideas and concepts are simply re-packaged and pushed out with a new paint-job then positioned as if they new and groundbreaking. And while there is no denying that fundamentals are extremely important and absolutely necessary, it’s important to call them what they are so things stay in context.
At Social-Engineer.org, we feel it is important to break new ground and try new things, and we encourage you do to the same. What this means is not everything will be successful right away. The path to success, at times can be a better learning lesson that the success. Either way, what we learn from the path is like a college degree in social engineering.
We are challenging our readers to go out and try something new, don't worry about criticism. And then be vocal with the results. Let others know what was tried and how it went. (umm, like us so we can publish it!)
For example, not too long ago we were at a conference and brought along a digital recorder that we could hide easily. We then went out and interacted with various people that were clearly engaging in social engineering style activities. Our intention was to capture the interaction and then document it showing what tactics were being used, and how they used them.
We experienced a few problems off the bat. One was, the logistics of real-life got in the way. Yeah, we captured the interaction, but it came across as a really poor recording and was not really usable. We took this experience however and learned from it, and the next outing captured a wonderful example piece showing how easy it would be for people to fall for these real life social engineering attacks.
We then walked the streets at different times of the night trying to portray a different attitude or frame each time. One time we acted like very curious tourists, then we tried to act as people who we knew where we are going and when. Each time we tried to either make eye contact or not to make eye contact with different street workers, cleaning crews and the like.
Each interaction was recorded and then we analyzed the audio to try and track the methods that they used to either interact, try to get us to take an action or try to avoid an action we were attempting to get them to take.
Now we are sure you are chomping at the bit to know what we found, but that is for a different tip, a different month and a different conversation. The point in all this, is to tell you that this is truly the only way to progress the field. This is the only way to find new techniques that will be tomorrow’s fundamentals.
Although many of the social engineering techniques are not new
and the skills that make a great social engineer are timeless. New and
exciting ways of delivering and implementing these attacks are just waiting
to be discovered. Let’s discover them together.
Written by Chris Hadnagy & Jim O'Gorman
As you can tell you, both of our newsletter articles are from
contributors this month. Great work and thank you for your continued
submissions. Please keep them coming.
If you want to listen to our past podcasts hit up our Podcasts Page and download the past epidsodes.
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Offensive Security for their continual Support
Learning Social Engineering While Scoring Cheap Tickets
Many times in the social engineering framework we talk about how “Free Pizza” is not really social engineering. Although, we still hold to that fact, there are some seriously cool things we can learn from people who have the skills to truly obtain free “stuff” and not just tricking people into giving away a free burger. The following article was submitted by a guest writer on the topic of obtaining free admission to a concert.
Paying full price for concert tickets is expensive and sneaking in the back door is illegal, so is there a way to get into the concert at a lower price, and not purchase tickets from a box office/website?
One method used is known as DC or Discount. It is a linear system to gain access to cheap concert tickets. Back in 2001, I was working for a large transportation company where I met a modest looking accountant by the name of Stan. This person had a reputation of being very frugal. In fact, he would brag about how instead of buying unsalted pretzels for $1.09, he would buy salted pretzels for .95 and then spend time knocking off the salt in order to have unsalted pretzels. He did all of this in the name of saving money.
Although Stan was known for being frugal, he loved to see
expensive concerts. His cube walls were adorned with the concert
ticket stubs of Celine Dion, Elton John, Bruce Springsteen and Barbra
Streisand. I remember seeing this and knew instantly something
He said we could get in and we are not going to pay face value for tickets. Twenty Minutes later we were on our way to the concert. In the ride over to the concert venue, he gave me a concert seating chart and a sign that said, “need cheap tickets.” Once we got there, he told me to approach everyone going into the concert venue and asked them for cheap tickets. About 1 hour and 30 dollars later, we had floor seats, listening to the music of John Cougar Mellencamp. I was excited to see that we did get into the concert for way less than I ever thought possible. We continued to go to concerts, and continued to get in for way less that the actual price. Eventually we created a name and a process for the steps needed to do this. We called it “Discount” or DC for short and the process was a lot simplier that one may think.
Before DC’ing a concert, it is a good idea to see what 'The Market' is like. The Market is basically how many tickets are listed on websites (like Ebay, Craigslist, and Ticket Express) and what are their prices. You can also call the box office of the venue to see if there are any tickets available.. Just because a concert is “Sold Out,” doesn’t mean it is. Sold Out is often a slick marketing term to create artificial scarcity and artificial demand. Sometimes calling the box office, they'll tell you that so many tickets were just released to the public for purchase.
If there are a lot of tickets listed on The Market, this means there will be a lot of extra tickets floating around the venue on the day of the show. If there aren't a lot of tickets listed, it might mean that demand is very high, so there may not be a lot of extra tickets. If there are any extra tickets, they may be hard to obtain at low-ball price. The only way to be certain is to go to the venue on the day of the show and start talking to people.
Time Is On Your Side. Let's say it’s the month of March and your favorite band, U2, is playing a concert in your city in December. Much anticipation builds up for the on-sale ticket date; people queue overnight at the box office for tickets. On the day tickets go on sale, they literally sellout in minutes, leaving many empty handed. The concert is officially sold out.
Or is it? That was March. As time moves forward, things happen in people's lives where they no longer need that ticket. The ticket for the boyfriend, who later cheated on his girlfriend, who bought the ticket and now it is freed up to be sold.
The ticket bought by the person who is behind on their bills and
is now forced to sell. The ticket bought by the traveling business
person, now realizes he/she will be out of town...These freed up tickets
either show up on websites, or The Market. Many who are not tech savvy
will come down to the concert venue to sell their tickets in person, and
explain why they are selling the ticket. So in reality, the concert
really isn't sold out.
On The Ground
On the Ground refers to going to the concert venue trying to get in. In my experience, having a team of people is better than going at it alone so that you can have multiple people cover the multiple entrances to the venue. It is also good to get to the venue before the concert starts. If the 1st band hits the stage at 7:30 pm, get there by 6:00 pm.
People on the team need to have a concert venue seating
chart to see where the tickets are when dealing with people who are
selling. It is also good idea to have a cell phone with a headset that
frees up your hands to inspect tickets and concert venue seating charts while
talking to potential sellers. The headset can also make it possible to
communicate instantly with others on your team. For example, if a
person isn't willing to sell their ticket to you, you can communicate a
description of that person to someone else on your team. Your team
member can intercept them, talk to them, and try to wear them down so that
they will sell. And another good idea is to bring a bottle of water,
because your voice is going to dry up while talking to all of those people.
Resistance Is Futile
When using DC, the object is to get into the concert under the face value of the concert ticket. In order to do this, you need to try and talk to everyone going into the concert venue. In this process, some people may become angry because you are trying to low-ball them on tickets, and may resist or object selling to you for your asking price. Others may accuse you of being a scalper, especially if you start doing this a lot.
You can reframe this situation in two ways.
The first frame you can use is that you don’t have a lot of
money, but you are a serious fan and really want to see the show. You
can use phrases like, “There is no harm in asking.” and “I’m sorry if I
offended you.” Simple one-liners can calm a heated person fast.
It is important to remember to always keep smiling or at least happy.
This will put the seller at ease too.
Sometimes the people who have extra tickets may not be willing
to part with them right away. Nobody likes to be low-balled; however,
time is against them, because they want to dump their ticket quickly and get
on with their life. In this case, communicate to them that you will be
outside the concert venue up until a certain point and whatever they do,
don't go into the concert venue with the extra ticket, without selling the
ticket to you. The scalpers call this 'eating the ticket' which mean
people are going into the concert venue with an unused ticket. Remind them it
would be better to go into the venue with x amount of dollars (what you are
willing to pay for their ticket), than a worthless ticket.
Some of these issues include dealing with local law enforcement, who may accuse you of trying to scalp tickets (especially if there are local laws against this) and it is enforced. You can always try to reframe the situation as you are a “fan” trying to get in because of lack of money. If this doesn't work, move to another area around the concert venue and continue doing what you are doing.
Another risk is coming into contact with the ticket scalpers
themselves. They will get upset because you are cutting into their
business. I've had some of them try to get physical with me. In
this case, stand your ground and the best tactic is to move to a location in
front of the scalpers. This way, you can intercept people wanting to sell
their tickets before the scalpers can get to them.
An Invasion of Privacy
This month we received a story from a person who was tired of receiving spam from a certain person. Although this focuses on how to gather real information on real people, we by no means support using this information to harm or harass anyone.
The email that I received was not the run-of-the-mill mallware/ spambot/ whatever style email. The email was coming from his email address, using his business’s name, and advertising his business. I would have never posted this had I any doubt that this may not have actually been sent, by him, in some fashion.
I happened to receive a piece of spam at the exact moment as I was going to start a post about privacy and anonymity on the Internet. I will consider this to be a sign from God that this dude needed to be set straight. Okay, maybe not. I’m not sure what the bible says about spam, but if I were God, it would be into the pits of hell for them. So, since I cannot cast people into eternal suffering in a fiery pit, I will have to settle for second best. Pwnage!
What's even better, none of what I’m about to do is illegal. It’s a serious, serious invasion of privacy, and you definitely don’t want it to happen to you, but all of it can be harvested through public record, social networks, forum posts, etc etc etc.
First, let's take a look at the email that I received.
Ok, so, his email address is [email protected].. He’s sending email through server299.com.. and his real IP address is 18.104.22.168. All we really need is his email address and his IP. Let's see what we can find.
Now we know that he’s connecting from Washington (wa.comcast.net). Let's see what Geo IP location says. I use this service, but there are many others. I’ve also written a few tools to do this as well, but we’re going to use what the average Joe has access to.
Just put the IP address in the box and hit “search”. Here’s what we find.
So, we’re narrowing it down.. we now know that it’s Spokane, Washington. Now we’re going to take a look at his email address. First, obviously, just google the email address. This will bring up information for virtually anything that the person has ever used their email on. Forums, social networks, etc.
In this case; however, nothing came up on Google. We must dig deeper. Enter, whois!
BIZ TWO, LLC
Biz two? Does that mean there is a Biz One and a Biz Three, perhaps? Also, he’s using a PO Box.. blah.
Jackpot! We now have a last name and a phone number. We also have an additional email address/domain.
Hmm.. a real address.. no PO box on this domain. Is that an office? A house? Is it his house? I can assume that ’snicho’ is short for ’steve nicholas’, and it’s the administrative contact, which means he owns the domain.. so the address has something to do with him.
Enter.. Google Maps.
Well, it’s definitely not an office building, so at this point I’m going to assume that it’s his house until I find out differently. We can further verify this by googling his name + city + state.
That address looks rather familiar… oh yeah, it’s the address that was associated with his domain. We can be virtually certain at this point that that is his real address and house. Lets see who else lives in the house with him – just google the phone number listed.
Ok, so, Nancy has the same last name as Steve, so I think we can safely say that this is his wife.
We’ll come back to her later. Let's see what else we can find about Steve.. I’m really starting to feel like family at this point.
Back when I googled his name + city + state, I noticed that below the address result, there was a LinkedIn page.
Ok, so there’s all sorts of useful information.. but I found another email address.. email@example.com Not often do I meet someone with as many email addresses as me.. lol.
So, back up to the top, we google for [email protected].
Some interesting stuff, but nothing really useful for my purposes. Checking out Facebook we will see if he’s a social butterfly. I log in and “search for friends” and enter his email address(es). His account is registered with the itex.net email address.
He doesn’t have his Facebook stuff set to private, so he’s kind of letting it all hang out. Thanks, Steve!
Yawn. The only thing interesting there, is that we’ve now definitely verified that that address is correct and that his wife’s name is definitely Nancy. Maybe her page is more interesting.
Note: Passwords.. by building a profile of someone, you begin to get a feel of who they really are. I’m willing to bet that at least one of Steve’s passwords has something to do with fishing, trout, or cutthroats (type of trout – according to his facebook page).
I teach 7th & 8th graders at Salk Middle School in Spokane WA. I married Steve 27 years ago and we have 2 daughters, Susanne and Rachael. Susanne married Dan Wadkins 2 years ago and they are expecting their first child in March. Dan is an attorney and Susanne is a special education teacher. Rachael is living in Las Vegas where she teaches special education to preschoolers and kindergarten. We have an awesome family!!!!
Here’s something to take a mental note of. Women are generally more open about their personal lives and love to share with others. In one paragraph, we learn that she teaches at Salk Middle School, they’ve been married for 27 years, they have 2 daughters, Susanne and Rachael, Susanne is married to Dan Wadkins (note – this probably means that Susanne is no longer Susanne Nicholas, she’s probably Susanne Wadkins). Rachael lives in Vegas.
How ever would we find out more information about Susanne and Rachael? Oh yeah, friends lists. If the parents have Facebook, the kids most certainly have Facebook.. and barring any family drama, they’ll all be on each others friends lists. And, of course, I’m right.. found Rachael, Dan, and Susanne.
Also, going through her wall posts gave up some information. They’re new grandparents.. their granddaughter Lola was born on March 15th.. this was Dan and Susanne’s daughter.
What does Intelius says about Nancy (note – I skipped Steve on Intelius because his entry is all screwed up.)
Now we have ages, too. It’s interesting that there’s a “Ralph Steve Nicholas” listed, who has the same age as the other two Steve’s listed. Could Steve’s real name be Ralph??
Just about every county in the country allows you to view property tax records on the internet. I googled “spokane washington property tax records”. What you’re looking for is the assessor’s home page then just punch in the address and you can find a wealth of information.
What this record tells us, is that Nancy actually owns the home.. Steve isn’t even listed. She’s also the sole person listed paying the property taxes. Interesting.. I wonder why?
Also, further down on the report, there’s two documents. A quit claim deed, and a statutory warranty deed. A warranty deed is issued in some states when a house is sold. It protects the buyer from having third parties come after them for unpaid debts and whatever. So, it appears as though they bought the house in 2001 for $110,000? Seems awfully low.
Now, lets look at the quit claim deed. First thing I notice, R Steve Nicholas is listed as “Husband of Grantee” I think Steve’s real name is Ralph. lol.
This is interesting.. quit claim deeds are used after a divorce to switch the owner of a property from one party to another at the county level. But they’re still married. The other times that I’ve seen quit claim deeds used is when people encounter serious financial trouble and need to file bankruptcy. They file independently and deed the house to their spouse.
I am not going to tell you what service I use to obtain this information because I don’t want it to get abused and taken away. Also, I don’t think everyone should have access to it. SO.
91-40727 Ralph Steven Nicholas and Nancy Lynn Nicholas
Ok, so they did a joint bankruptcy in ‘91 and it was discharged in ‘93. I also have a list of their creditors.. no wonder they filed bankruptcy. Ouch.
One other piece of information that this offers, is previous addresses and the last 4 digits of their social security numbers. Keep in mind, a lot of people use the last 4 digits of their social for pin numbers.. because most pin numbers are limited to 4 digits. Stupid.
UPDATE: I’ve decided to X out the social security numbers because this post is starting to receive a ton of traffic and I’m not sure I want everyone visiting it to have this information. My intention of this article is not to make it easy to steal this guys identity.. it’s to point out a vulnerability. If you really want to find his social security number, it’s available via the internet.
Here’s something to really think about.. I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.
Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.
I’m pretty sure I’d be able to fake my way through one of those password reset forms.. you know, where you set up a “secret question” asking what your dog's name was, or where you went to school?
Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.
In closing.. you really need to pay close attention to what you’re posting on the internet. If I were a douche, I could ruin this guy's life using this information. There are a lot of douches out there that are doing this type of stuff right now. Given an email address, phone number, or whatever, they build profiles on people which can be used to exploit them and steal identities.
The other thing that I’ve actually fallen victim to, is the speed of Google’s spiders and the fact that they index Craigslist. Let's say you run a business.. Catholic Charities R Us and in this post, you include an email address, phone number, something. Lets say you also make a post, days, weeks, whatever, later looking for whores, or something. Both of those posts will come up when Googling for your phone number.
Also, consider what you’re sending in this email. What if this guy had sent me an email trying to extort me, threaten me, whatever? I could turn this over to the authorities and they’d have their work cut out for them.
Not to try to scare people too much, but think about single women in the dating scene. They make a post somewhere with their email address and someone comes across it and is able to determine the same amount of information about them as what I did above? What if that person was more interested in something other than identity theft?
I think you get the idea.. essentially.. guard your personal
information with your life. Never post your phone number on the internet
(unless you’re using a proxy number, which is what I do), and make sure no
personal information is associated with your email address before you go
firing off emails to strangers.
Written by Matt at [email protected]