Unknown
Social Engineering - simple (Act 1)
Some questions answered here.
- How simple social engineering can result in loss.
About Social Engineering[1]
- Awareness to Social Engineering should be considered good practice.
- Entrails on howtos to perform the acts should be avoided.
Stage 1: wholesome firefox user files
Scenario
- Bob has already backdoor root(sometimes user) access, eg ssh, to Alice' computer.
- Bob is unable to get password to Alice' websites as Alice only logs in via browser using non-written/non-saved passwords.
Scene 1: Social engineering
- Hey Alice, I have transferred some money to your account, can you please login and check and reply back on chat.
- Bob immediately backdoor logs in Alice' computer and waits for Alice to log into account.
- Hey Bob, I logged in and checked, its seems to be all ok, thank you.
- Bob immediately zips ~/.mozilla folder and downloads it, before Alice logs out.
- Bob also captures urls for website after Alice logged in.
- Hey Alice, good to know.
Scene 2: Social engineering done, now playback
- Bob unpacks downloaded zip file and visits last captured logged in url using alice' firefox profile.
- Bob is now logged into the site. :-)
Cut: Caveats/Announcement
- Above has only been simulated+tested with few web-hosting sites.
- Sometimes just backdoor user login access is sufficient.
- Some sites have extra layer of security to fight these approaches, eg. temporary IP based logins.
Packup!
Author
V.Krishn
Resources