It’s been a while, I know. To (all) my avid reader(s), I apologize. But I have a fun topic for today; social engineering!
Social Engineering is without a doubt a term that you have heard. If not, perhaps you’ve heard some of the synonyms like con artist, hustler, swindler, flimflammer, charlatan, or of course the well known mountebank. I take pride in being an engineer of the social variety. I am baffled at the ability some people have to baffle people. Some of my favorite stories include a fake security guard taking money from people because the “tube is broken” at the bank, or a delivery of maliciously modified keyboards sent to the IT department feigning to be from the CEO, or of course the unsubscribe button on annoying emails linking to spam!
Now, everyone has heard of it before. A lot of people have probably seen some pretty poor excuses for social engineering hit their inbox. Has anyone seen a good scam? Does anyone know how a lot of the electronically dispersed scams are executed? I’m guessing that there are a lot of mixed answers on that one. I’m also guessing that some people think it’s actually difficult.
Let’s play a game. Head over to facebook.fracturesecurity.com and check it out. You can even go ahead and log in if you’d like.
Looking at that site you’d guess it’s Facebook’s login page. However, it’s not. Well it is actually. But mine. There’s a pretty sweet tool called setoolkit (we’ll get into it in a later post) that lets you clone web pages. I’m running the exact code that Facebook is and after you log in on my page you’ll even legitimately log into Facebook (other than the occasional error). Alas, your username and password will now belong to me!
I’m currently hoping that a thought has gone through your head. “Why would I try to log into Facebook from a webpage other than Facebook?” If that was your thought, good for you. In the next part of this series I’ll get into that. Teaser: you won’t always have a beacon of truth in your URL bar.
P.S. If you use Chrome you’ll get a handy warning about a phishing attack. Don’t worry, we’ll get around that too!