Social Engineering - A Case Study

July 3, 2015 by Warlock

In this article, I am going to illustrate a real-life social engineering hack that I did for my friend. He saw some property ads online; he filled out the query form for that ad, and after a day he got a fraudulent call from the person posting the ad. He talked to my friend very professionally, and convinced him to deposit Rs.25000 to his account. The next day, my friend called the person who placed the ad, who then did not respond to his call. He tried for a few days but did not receive any response. After a few days, he told me about it, and he shared the number from which he got the call. He asked me to identify the criminal.

First, I started to locate his account on Facebook. The easiest way to find someone's account via username or mobile number is by using the "forgot password" function. I had the mobile number from which my friend received a call.

I searched for the number and got the result. It was showing two options for resetting the password: one via email and the other via mobile number.

In this case, it was impossible to reset the password via mobile number, and the other option was a Gmail account, which could be hacked if I was able to find his Gmail ID. I had the hint that the mail ID started with 's' and ended with '8'.

After locating his profile, I started to browse his whole timeline. I found that he was providing some kind of call girl service on Facebook. In every post, he shared 'Call me @ 09874644111'.

After browsing the whole timeline, another thing we noticed was that he was also sharing a link to a website. It could be his website.

I opened that website and saw the same posts that we saw on Facebook. The website was hosted on a free domain on webs.com.

I thoroughly browsed the whole website to find any information related to the user, and we found the username of the person who was posting blogs on this website.

The "posted by" section showed sanjay91xxxxxxx8, the same as what was shown in Facebook's forgot password reset option. It means his Gmail ID will be sanjay91xxxxxxxx8@gmail.com. Now I was 100% sure that this was the correct Gmail ID, and the ID contains a mobile number, which could be his personal mobile number. I tried to log in to his account using his personal mobile number as the password and bang! I was logged in to his account.

After the login, I first checked his Facebook login alert settings and made sure that every notification was off.

Now I had his Gmail ID, Facebook account, and personal mobile number. The challenge was to find his residential address. I started to check all his inbox messages, but no luck: I didn't find anything related to his address. I knew that he was using his mobile number as a password for Facebook. This is a very bad habit: 8 out of 10 people use the same password for every account login. At this point you know what I mean... Yes, his Gmail password was also the same mobile number.
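The weakness described above, a password that is just the phone number already visible in the mail ID, is what a context-aware password check at signup or password change is meant to stop. The following is an added example, not part of the original article; the profile field names, the sample values in the usage and the 12-character minimum are assumptions.

```python
import re

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def _digits(value):
    """Keep only the digits of a string."""
    return re.sub(r"\D", "", value or "")


def _phone_variants(phone):
    """Forms a user might type: full digits, without leading 0, last 10 digits."""
    d = _digits(phone)
    return {v for v in (d, d.lstrip("0"), d[-10:]) if len(v) >= 6}


def context_tokens(profile):
    """Collect strings tied to the account that must not appear in its password."""
    tokens = set()
    for phone in profile.get("phones", []):
        tokens |= _phone_variants(phone)
    local = profile.get("email", "").split("@")[0].lower()
    if len(local) >= 4:
        tokens.add(local)
    # Long digit runs inside the mail ID, e.g. a phone number embedded in it
    tokens |= set(re.findall(r"\d{6,}", local))
    dob = _digits(profile.get("dob", ""))  # expected as YYYY-MM-DD
    if len(dob) == 8:
        tokens |= {dob, dob[6:] + dob[4:6] + dob[:4]}  # YYYYMMDD and DDMMYYYY
    return tokens


def password_problems(password, profile):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    pw_digits = _digits(password)  # catches "90000-00001" style separators
    for token in sorted(context_tokens(profile)):
        if token in lowered or (token.isdigit() and token in pw_digits):
            problems.append(f"contains account detail: {token}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems
```

Running the same check against every identifier the service holds for the user (recovery phone, mail ID, date of birth) matters because, as in this case, those values are often public or guessable from the user's own posts.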

While logging in, I noticed a very interesting thing about his Gmail profile picture: it was a voter ID card.

After logging in to his account, I started to check all his mail and found that there were other people who had also deposited money in his account.

This person is also selling properties on olx.in.

I also opened the ad to check the location of the property that he was selling. It may be that he lives nearby. I found the district and city name, but not the exact address. It could also be a fake ad and address, so I started to look further for more details. I read all his email, but didn't find anything.

After that, I came back to his profile picture, which, as I previously mentioned, was a voter ID card. The Indian voter ID card is issued by the Election Commission of India. Its main purpose is as proof of identity while casting votes. It also serves as general identity proof, address proof, and age proof for casting votes as well as for other purposes such as buying a mobile phone SIM or applying for a passport.

By saving the picture, I was now able to see his original name, date of birth and other details, but I didn't get his address because the address is on the back side of the voter ID card.

After that, I decided to call him up and do some social engineering via phone. Let me point out on what basis I will call him and how I will convince him to give me his actual residential address. As of now, I have the following details:

  • Name
  • Father's Name
  • Date of birth
  • Phone number
  • Voter ID number

I decided to call him on behalf of webs.com and tell him that I was calling from webs.com. The whole conversation is given below:

ATTACKER: Hello! Am I speaking with Mr. Sanjay?

SANJAY: Yes, who's this?

ATTACKER: Sir I am calling from webs.com where you hosted your free domain website.

SANJAY: So what's the issue?

ATTACKER: Sir, actually we are giving you a free .in domain for your website.

SANJAY: Why?

ATTACKER: Sir, your site has been chosen for a free domain because, as per our company policy, for every free hosting website whose traffic is high, we provide a free domain.

SANJAY: That's great, so what do I have to do for this?

ATTACKER: We will provide you the voucher for renewing your website domain. Before that, I just need to confirm your personal details. (I already had all the details; I just told him, "Your name is Mr. Sanjay, your date of birth, your father's name is ....." and he just replied, "Yes, correct." After that I told him, "Sir, please give your address; we will courier your voucher.")

SANJAY: Yes, please note it down.

ATTACKER: Evil laugh...GAME OVER....

Warlock

Warlock works as an Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.