RocketReady - Social Engineering Prevention and Security Awareness training


Hacker's Journal




The following is an example of a "day in the life" of a malicious social engineering hacker. This journal is intended to demonstrate how much access a hacker can obtain simply by using social engineering methods over a few days. The threat depicted here is real.



Thursday July 5, 2007
Yesterday was Independence Day, and [redacted] was closed, so I spent the day trolling through their phone system. Apparently there is some meeting in [redacted] this week and all of the area managers are there. I’m going to try to use that to get some stuff today. I got some cell phone numbers and a handful of email addresses from the voicemail greetings, along with about 60 first/last names for my e-mail phishing list. It seems that most of the emails are first.last@[redacted].com, but a few are different. I also found a few empty voicemail boxes… hopefully I will be able to hijack one of them.

Saturday July 7, 2007
Well, I had a big day yesterday. I called someone in HR and got her to email “my manager” the current revision of the employee directory—to her personal address. It’s got names, email addresses, home phone, and last 4 of social! I couldn’t believe it. MAJOR TROPHY!! So now I don’t have to guess any email addresses, and I can make sure that I don’t send any to anybody in IT, or any managers, etc. I also got the phone number of the hotel where all of the managers are staying.

Tuesday July 10, 2007
I didn’t do much over the weekend, but Monday was another big day. I called their IT dept and got the URL for their web-mail. They just gave it to me when I told them that my VPN connection wasn’t working at the hotel (manager’s meeting). I chatted with him some about configurations and stuff, just trying to establish a rapport with him. This guy’s name is [redacted] and I think he’s a supervisor in the IT department. He’s a big [redacted] fan, so we talked football for a few minutes before I had to get back into “the meeting”.

I sent a batch of phishing emails later on and got several people to go to the spoofed site. I got a couple of log-ins which worked on their web-mail log-in also. In their public folders they’ve got a list of several upcoming conference calls to talk about their marketing plans for next quarter and something called [redacted], which is a new product that they are getting ready to launch. It is supposed to compete with [redacted] and it looks pretty cool.