The Ultimate Social Engineering Hack

 Although we have focused primarily on technical hacks here, social engineering can sometimes be especially effective. This one requires a bit of technical skill, but not too much. In addition, it’s limited by how specific a target you can choose—but it will work.

What Is Social Engineering?

Social engineering is the art of getting people to give you the information you are seeking, rather than breaking into a system to get it. Among the most sought-after pieces of information are the username and password. Many online systems—even financial websites—use your email address as a username. Then they ask you to provide a unique password.

Today’s Social Engineering Hack

I’ve already covered one social engineering hack in my spear phishing with SET guide, and there have been numerous other social engineering hack guides posted here on spyboy blog by contributors and past admins, most of which are still very useful today.

But today, we’re going to focus solely on getting those much sought-after email addresses and passwords. Let’s concentrate on developing a website that targets a section of the population and has them create an account with their username (email address) and password.

Step 1. Choose Your Target Audience

The first step is to choose who or what industry you want to target. Let’s imagine you want to target doctors. Since so many doctors are golfers, maybe you could create a special website that catered to golfing doctors. Maybe a website that ranked the best doctor golfers?

Step 2. Use Their Email Address as Their Username

Now that you have the site up and running, you will need an authentication mechanism. We might simply ask the doctors to enter their email address as a username. Since so many sites today use the user’s email address as their username, few would be suspicious.

After they enter their username, they will have to select a password to be part of our wonderful website!

Step 3. Promote the Website

This is a hard and costly part. You need to promote the website so that busy doctors will find it and open an account. You can create a Google AdWords account and pay for words that send our victims to view our site. These keywords might be golf, golf vacations, best doctor golfers, etc.

Of course, this might take a while, but to be a good hacker, you must be patient and creative. Some effective hacks take years to be completed.

Step 4. Open Their Email with the Password

Eventually, some erstwhile doctors with more interest in hitting the links than caring for patients will find your site and log themselves in. When they do, you will have both their email address and their password for your site.

Step 5. Find Other Accounts

Now, there is no guarantee that your visitors/doctors will use the same password on your site as they do for their email account, but nearly all of us re-use the same password despite all the precautions against it, even after such events as Heartbleed.

Let’s start with the email account. Let’s navigate to Gmail (if it’s a Gmail address) and try the email and password to get into his email account. It won’t work every time, but it only has to work a few times.

When we successfully enter his email account, we can search his emails for other accounts such as his bank, brokerage, etc. Remember, when he opened that account, the website sent an email confirming it with his username and password.
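Seen from the mail provider's side, the reuse attempts in Step 5 look like one source trying a single password against many different accounts, with most logins failing. The following is an added example, not part of the original post, that flags that pattern in authentication logs; the log format, addresses, account names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (timestamp, source IP, account, result). The format,
# addresses (documentation ranges) and account names are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 adams@example.com FAIL
2024-05-01T10:00:09Z 203.0.113.7 baker@example.com OK
2024-05-01T10:00:15Z 203.0.113.7 chen@example.com FAIL
2024-05-01T10:00:22Z 203.0.113.7 diaz@example.com FAIL
2024-05-01T10:00:30Z 203.0.113.7 evans@example.com OK
2024-05-01T10:00:41Z 203.0.113.7 ford@example.com FAIL
2024-05-01T10:02:00Z 198.51.100.20 gray@example.com FAIL
2024-05-01T10:02:10Z 198.51.100.20 gray@example.com FAIL
2024-05-01T10:02:25Z 198.51.100.20 gray@example.com OK
2024-05-01T10:05:00Z 192.0.2.50 hill@example.com OK
2024-05-01T10:05:30Z 192.0.2.50 irwin@example.com OK
2024-05-01T10:06:00Z 192.0.2.50 jones@example.com OK
2024-05-01T10:06:30Z 192.0.2.50 khan@example.com OK
2024-05-01T10:07:00Z 192.0.2.50 lopez@example.com OK
"""

def flag_reuse_sources(log_text, min_accounts=5, max_tries=2.0, max_success=0.5):
    """Flag sources that try few passwords each against many accounts and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    Returns {source: {"accounts": n, "attempts": n, "reset": [accounts that logged in]}}.
    """
    per_src = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # src -> account -> [tries, successes]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, src, account, result = parts
        rec = per_src[src][account.lower()]
        rec[0] += 1
        rec[1] += result == "OK"

    flagged = {}
    for src, accounts in per_src.items():
        attempts = sum(tries for tries, _ in accounts.values())
        reset = sorted(a for a, (_, ok) in accounts.items() if ok)
        many_accounts = len(accounts) >= min_accounts            # breadth: not one user's typos
        few_tries = attempts / len(accounts) <= max_tries        # one known password per account
        mostly_fail = len(reset) / len(accounts) <= max_success  # unlike a shared office NAT
        if many_accounts and few_tries and mostly_fail:
            flagged[src] = {"accounts": len(accounts), "attempts": attempts, "reset": reset}
    return flagged

if __name__ == "__main__":
    for src, info in flag_reuse_sources(SAMPLE_LOG).items():
        print(src, info)
```

The accounts listed under `reset` are the ones where a reused password worked, so they are the candidates for a forced password reset and session revocation.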

Social Engineering Complete!

This little exercise, I hope, demonstrates that social engineering can be an excellent way to gain access to accounts that would be otherwise unbreakable. With a little imagination, hard work and patience, anything is possible!

Posted by Shubham ;)

One comment

  1. Hi, I am one of your best fans, and I love your channel. How can I set up my pen testing lab for a beginner hacker…


