
How hackers hack you using simple social engineering [video] - aaronchall
https://www.youtube.com/watch?v=lc7scxvKQOo&feature=youtu.be
======
nickpsecurity
She did great on that social engineering attack. The crying baby on YouTube
was a nice touch. The overall segment illustrates many aspects of
psychological manipulation that can be used to successfully con a support
person. A believable scenario, something people might sympathize with, a sense
of urgency, further but brief engagement with questions/answers, and gratitude
for their participation.

This stuff was always tricky to train people to defend against. I need to
update my links to good presentations on this subject for attack and
especially defensive training for employees. So, what do you people have to go
in that collection?

Note: OP video led to autoplay of No Tech Hacking by Johnny Long. I recall
someone recommending I read the book of the same name. So, a nice accidental
reminder.

[https://www.youtube.com/watch?v=N4kfsxF8Tio](https://www.youtube.com/watch?v=N4kfsxF8Tio)

Note 2: Bejtlich's comment on NTH on Amazon reminded me that we should
probably always list Mitnick's Art of Deception and Abagnale's Art of the
Steal in these threads for the useful examples they had. They each extracted
much mileage out of social engineering.

~~~
darkhorn
Ugh, so this is why banks ask you to type your card number and call support
password before they connect you to a real person. And then he asks you for
some private information, enters it into the program, and only after this can
he give you support.

~~~
nickpsecurity
Usually. It's also why some institutions will lock you out entirely without a
visit for a photo ID check, or restrict access to pre-designated people in
some high-security settings, optionally with tokens or biometrics.

Now, some measures you run into will exist because a non-security expert
formulated them to cover their ass after reading something online or in a
bookstore. Or by security people who also have to comply with a policy or
regulation of varying degrees of sanity. So, it's not always a real attack or
risk inspiring specific measures but often is for verification during support.

------
20tibbygt06
This is part of a longer video: Real Future: What Happens When You Dare Expert
Hackers To Hack You (Episode 8)

[https://www.youtube.com/watch?v=bjYhmX_OUQQ](https://www.youtube.com/watch?v=bjYhmX_OUQQ)

~~~
wallace_f
In that video Dan Tentler talks about how he hacked the journalist by popping
up fake system messages prompting him to input his password.

I've always wondered, when using Ubuntu, how paranoid one should be regarding
the prompts to auto-install updates. Anyway, if you've been owned to that
extent already, your adversary could always use a keylogger instead, so I
guess it's maybe not worth worrying about.

------
zizzles
Another aspect of social engineering that is seldom discussed: women will have
a higher success rate at any sort of information extraction. In fact, I would
say that it is a "social engineering" method in itself. The crying baby sound
effect? Simply icing on the cake.

If a male with a naturally brooding voice contacted a service provider to
extract a password, his chances of success would be lower because he is less
trustworthy by nature, which increases the odds of the operator on the other
end raising suspicion.

------
27182818284
I've seen a lot better ones than this at HOPE. I honestly don't think I would
have bought her story -- and I have a history of working the phones for stuff.
It comes across as too contrived. She would have fooled me better by just
sounding bored.

------
NullCharacter
Other guy in the video was Chris Hadnagy who literally wrote the book on
social engineering.

Cool dude, too. Great class if you ever get the chance to take it at Black
Hat.

------
syphilis2
So this is what I need to do to get quick tech support help over the phone.
Social engineering as a tool for legitimate purposes.

------
louprado
While I am not an artist, I always had a distaste for the phrase "scam
artist". It didn't seem appropriate to elevate someone who commits fraud to
the level of "artist".

But my hope was the phrase would shift out of the professions entirely. And
certainly not into my own profession.

~~~
khedoros
"Engineered" and "artistic" seem apt descriptions of parts of the scam: the
skillful, creative, and well thought out parts. Just like "criminal" and
"scammer" address the other side of the same activities.

~~~
louprado
Engineering is applied math and science. Hard science mind you.

~~~
khedoros
That's one sense of the word. There are others. I was thinking of "the action
of working artfully to bring something about".

