Quotulatiousness

February 11, 2011

Human hacking: the overconfident CEO

Filed under: Law, Media, Technology — Nicholas @ 07:19

An interesting story at PC World talks about the methods used to get inside information on individuals and companies:

“He was the guy who was never going to fall for this,” said Hadnagy. “He was thinking someone would probably call and ask for his password and he was ready for an approach like that.”

After some information gathering, Hadnagy found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names and titles, and much more. But the real prize of knowledge came when Hadnagy managed to learn the CEO had a family member who had battled cancer, and lived. As a result, he was interested and involved in cancer fundraising and research. Through Facebook, he was also able to get other personal details about the CEO, such as his favorite restaurant and sports team.

Armed with the information, he was ready to strike. He called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were offering a prize drawing in exchange for donations — and the prizes included tickets to a game played by his favorite sports team, as well as gift certificates to several restaurants, including his favorite spot.

The CEO bit, and agreed to let Hadnagy send him a PDF with more information on the fund drive. He even managed to get the CEO to tell him which version of Adobe Reader he was running because, he told the CEO, “I want to make sure I’m sending you a PDF you can read.” Soon after he sent the PDF, the CEO opened it, installing a shell that allowed Hadnagy to access his machine.

When Hadnagy and his partner reported back to the company about their success with breaching the CEO’s computer, the CEO was understandably angry, said Hadnagy.

“He felt it was unfair we used something like that, but this is how the world works,” said Hadnagy. “A malicious hacker would not think twice about using that information against him.”

Takeaway 1: No information, regardless of its personal or emotional nature, is off limits for a social engineer seeking to do harm.

Takeaway 2: It is often the person who thinks he is most secure who poses the biggest vulnerability. One security consultant recently told CSO that executives are the easiest social engineering targets.
