Archive

Archive for the ‘Social Engineering’ Category

Real world social engineering attempt

2009/09/21 1 comment

Coincidently with my current interest in social engineering practices I believe I recently encountered a real world attempt aimed in my direction. Late Saturday evening received a call claiming to be from the local police department in reference to a speeding ticket.

Something immediately seemed of as caller asked ‘who am I speaking?’ rather than ‘can I speak to X?’. The caller then proceeded to request a meeting at my house for an interview, asking both when we’d be available and ‘what is your address?’, despite the fact the caller had supposedly sent the ticket information in the post.

At this point the call was terminated at this end as confidence was fairly high that the caller wasn’t genuine and the caller recieved no information beyond the fact that a human was available to answer the phone. I’m also confident that I won’t see a ticket in the post this week (unless by strange coincidence).

Best guess is that this may have been recon for a potential burglary (What is your address? When will you be home?) orĀ  potential pre-text for an on site visit (‘policeman’ turns up for interview and needs to use ‘bathroom’). The incident has been reported to the authorities and, with the exception of being advised to lock all windows and doors when not home (obviously don’t know I’m already overly paranoid), the incident won’t be taken any further at this time.

Hopefully nothing further will come as a result of this incident but has left me spooked nonetheless. Information security seems to be all fun and games, until you encounter some of the theory in the real-world, away from prior-permission and contracts.

Andrew Waite

Advertisements
Categories: Social Engineering

Social-Engineer.org

2009/09/21 Comments off

Social-Engineering has always been an interest of mine, whilst I’m not too good deceiving people in person, the potential of [spear-]phishing and physical media drops is too appealing to ignore. Recently there has been a good step forward in the maturity of the field with the opening of social-engineer.org.

If you’re not willing to take my word for the quality of the site, and it’s potential for future resources check out the list contributors in the ‘Team’ section. Some members of the S-E.org team also discuss the project on episode 34 of Exotic Liability.

The resources section of the site already has some high quality video tutorials showing some basic social engineering vectors including the Social Engineer Toolkit (SET) which forms part of the S-E.org framework. SET promises to make the creation and implementation of social engineer attack vectors simpler and easier to control.

I’m expecting some useful resources to be generated and released by this project, definitely one to check back with periodically.

Andrew Waite

Categories: Social Engineering