
How I attacked a fellow student - jmonegro
http://shaanan.cohney.info/blog/2013/04/the-attack/
======
guylhem
The title is a bit misleading. It's not an attack, more like well done social
engineering.

But the context is very helpful - especially with the amount of detail you
provide, along with the email exchange, one can see the target was totally
abused.

The lanyard, laptop, false recruiting - you really overdid it, but I mean that
in a positive way. I like it, it's so great - you could almost make a movie
out of it ;-)

That's creative thinking. Congrats on your victory.

~~~
girvo
Y'know what, I disagree. It's not misleading. Social Engineering _is_ an
attack, as far as I am concerned, and honestly when he mentions that it's
Social Engineering in the third sentence of the article itself, I don't find
it misleading at all.

To the guy who did it: Bloody well done. I agree with guylhem, it's overkill,
and we all know that's the best kind of kill ;)

Social engineering is actually quite scary, especially when put together with
targeted attacks against the individual. It's a one-two punch that is very
hard to defend against.

I wish the Uni's here in Brisbane would do stuff like that! Well done again,
and I'm quite jealous!

~~~
lotsofcows
Rule 37. There is no "overkill".

------
ivybridge
You would have been better off forcing them to register on your site to submit
the resume, then check if they reused a password. Also you exploited trust in
a way that could easily lead back to you.

~~~
shaananc
That's very true, but it was just a class project, and wouldn't have been the
end of the world.

------
noonespecial
The best attacks are always the ones where the victim is truly surprised at
how far you were willing to go to pull it off. So are the best magic tricks.

~~~
new299
There's a great quote by Teller on that:

"You will be fooled by a trick if it involves more time, money and practice
than you (or any other sane onlooker) would be willing to invest. My partner,
Penn, and I once produced 500 live cockroaches from a top hat on the desk of
talk-show host David Letterman. To prepare this took weeks. We hired an
entomologist who provided slow-moving, camera-friendly cockroaches (the kind
from under your stove don’t hang around for close-ups) and taught us to pick
the bugs up without screaming like preadolescent girls. Then we built a secret
compartment out of foam-core (one of the few materials cockroaches can’t cling
to) and worked out a devious routine for sneaking the compartment into the
hat. More trouble than the trick was worth? To you, probably. But not to
magicians."

From: [http://www.smithsonianmag.com/arts-culture/Teller-Reveals-Hi...](http://www.smithsonianmag.com/arts-culture/Teller-Reveals-His-Secrets.html)

------
bluehex
I felt pretty bad for the target. Even though he was fairly warned, and knew
to expect social engineering attacks, you could see he was quite excited about
the potential opportunity at X co; else he wouldn't have put so much energy
into that looong email exchange. Poor guy. But good lesson, I suppose.

~~~
shaananc
I just posted the target's response when he found out. He was very gracious.

~~~
minikomi
What a fantastic course, and a great show of character from Mr. Target. Hat
tips all round.

------
cdwhite
Google cache:
[http://webcache.googleusercontent.com/search?hl=en&q=cac...](http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttp%3A%2F%2Fshaanan.cohney.info%2Fblog%2F2013%2F04%2Fthe-attack%2F) (Page is taking some time to load.)

------
shmageggy
I thought "Please find attached herewith my resume for your kind perusal" was
a joke but apparently that's how this person really responded. Recruiters: how
does this forced, over-formal tone affect your impression of a candidate?

~~~
shaananc
The other student was an international student, his English overall was quite
formal. Really lovely guy though :)

~~~
ballstothewalls
I suspect the other student was more susceptible to this sort of thing since
he was a non-native speaker. I'd be curious to see if it would've worked on an
American.

~~~
sohamsankaran
Speaking as an Indian who's had the opportunity to try this sort of thing on
various Americans (and a lone Australian), it would've worked. The success of
the attack probably has more to do with the susceptibility of each individual
victim than their specific native language, though (and this is a sweeping
generalization) many Indians do tend to have greater deference to authority
(real or imagined) than their American counterparts.

------
jabbernotty
> With this level of trust it would be feasible to gain access to information
> protecting online accounts, a very scary thought.

Does he mean 'feasible to gain access to login information for online
accounts'? I have read the page, and I'm not seeing it. Yes, according to the
page they had access to some degree of personal information beyond the more
publicly accessible. But that isn't the same as having access to their online
accounts, or being near to getting it.

~~~
shaananc
I meant that with that level of trust it wouldn't be too hard to adapt the
attack to shift to gaining that sort of information. i.e. "We are adding you to
our employee database but we need your SSN last 4."

------
louthy
Very enjoyable read. Congratulations on your success, I can only imagine how
stunned they were!

------
sohamsankaran
Interesting. If the author is still around, I have a question - would the
whois data have given you away, or was this faked/spoofed in some way?

~~~
jmonegro
You can quite cheaply (for around $3 depending on the registrar) opt into
Whois privacy protection.

~~~
TazeTSchnitzel
For a prestigious company to use a Whois hiding shell company service would be
suspicious, though.

~~~
drharris
But if they are a security-oriented company, maybe not so much. Hiding
potential attack vectors (contact info of technical contact) can prevent or
delay spear phishing attempts. Now, if Xrecruiting.com and X.com don't match,
then that would be a red flag.

~~~
sohamsankaran
My point (in agreement with TazeTSchnitzel) was essentially this - if X was a
large enough company, I would expect them not to hide their registration
details, especially, I would argue, in the case of a security company, so that
potential clients and employees can be certain of the veracity of the
communications they receive. If I were to receive a communication from an
email address not associated with the main domain of the company, I would be
instantly suspicious if the whois data was obscured or concealed.

~~~
drharris
Indeed, as would I. But what makes a successful social engineering attack (or
scam, in general) is giving people what they want before they have an
opportunity to ask questions. While this exact attack wouldn't work on me now,
it might have when I was looking to graduate from university. My desire for an
industry job (and a prestigious one at that) might have clouded my typical
judgment. So, hiding whois information can be immediately justified by "well,
they are a security company", with any doubts expelled. Grifters and
illusionists work in much the same way; the plot is full of holes, but over
and over people see what they want to see.

------
jsumrall
I was hoping that by getting them to sign up with the recruiter you would have
used that to intercept communication.

------
tempestn
Is Xrecruting.com a typo in the blog post, or in the domain actually
registered?

~~~
shaananc
It's a redacted version of the full link.

~~~
thestranger
But did you purposely misspell "recruiting" or was that just a typo?

~~~
shaananc
Typo in the redacted version.

------
cbhl
Found this a rather amusing read. Best of luck on your exam!

------
justx1
Well played...

Failing to redact X.com's phone number allows "social engineering" of the
company name, though.

~~~
lostlogin
It's an interesting time now. It used to frustrate me how I couldn't find an
address with just the phone number - despite having a white pages that
contained the info. I know this was by design, for privacy. Now if you search
for a number, you're bound to get a hit for it, and can work out who it belongs
to. I'm sure this will fail me one day, but it hasn't yet.

~~~
kaybe
Germany's online telephone book does reverse look-up. (People can opt out, but
you know how it is..) Is that really so uncommon?

Checking some more countries.. the UK doesn't seem to have it, France does.
Oh, there's a page for the US: <http://www.whitepages.com/reverse_phone>

Today reverse look-up is by design, it seems. The limitation before was
probably printing paper and not just a design decision, I'd guess. I'm not
sure whether I like the new situation, but then none of my friends actually
has a landline.

------
pit
Wait a minute. Isn't this guy an asshole?

------
iancarroll
Duplicate.

~~~
shaananc
Could you link me to where the original is?

