Social Engineering

How to use social engineering to get the information you need.

What is Social Engineering

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

redpill Hacker uses social engineering templates to convince a target to run a payload that will secretly install a spy program. Social engineering can even be used to convince the target to disable his anti-virus or perform other tasks that he would normally never do.

Example of Social Engineering

Let's say your client wants you to get information about quotes and tenders from his competition at a specific company that they want to do work for. All he gives you is the company name.

Step 1: Gather Information

By doing a quick search you get the company website with basic contact information. You contact the receptionist and very easily get the name and email of the Financial Manager. You take the financial manager’s name and do a quick search in Facebook. Unfortunately the financial manager is security conscious and most of the info on his facebook page is only visible to his friends. You can however see his 'Likes'. You can see he likes ' Star Wars Rocket Club'. You now know he is into amateur rocket building. You do a bit of researh and find out as much as you can about rocked building. You quickly make a list of the jargon (words that they use), latest developments and any news about rockets.

Step 2: Gain Trust

It is people’s nature to want to trust. You create a new alias with an email account and facebook page. The facebook page is new, but you quickly go to all the rocket groups on facebook and add as many friends as you can, also from the same group he liked. You spend a week adding photos about rockets, commenting on rocket posts and more. You can also add info from your fake wife (you can use one of your other fake facebook profiles for a wife that is already a bit older with a lot of friends, photos and more). When you are ready, you send the financial manager a friend request. He immediately see that you are also friends with a couple of his friends from the rocket facebook group (trust is growing). He then goes to your facebook page and see you are also into rockets, just like he is (trust growing some more). He accepts your request. You spend the next 3 days chatting to him (not too much, don't want to annoy him or make him suspicious). You use all the rocket jargon you have learned – your trust level with him is now very high.

Step 3: The Con

You ask him if he heard about the new X4 Rocket Building App. It is an application with all the different instructions for different rockets and a lot of cool calculators and tools to help you. You him that it is still in BETA production and they haven't launched the website yet. You also tell him its going to be expensive but you can give him the free beta release that works great. He begs you to send him the attachment. Not only is he expecting the email attachment, he wants to run it! In redpill Hacker you can now quickly create a X4 Rocket Building App Payload.

Hacking using social engineering

The target will very willingly open the ZIP file and try to install the app. When he gets an error message, you just say: “like I said, it is sill in BETA and not out yet for all operating systems. Guess you will just have to wait for the official release”.

Step 4: Success

The financial manager thinks it didn't work (the installation), but the spy module was installed and you start to receive data. It is important to gradually reduce the contact with the target and not suddenly stop after the successful installation. Otherwise he might become suspicious and realize it was a con. You now receive screenshots of all the other tenders submitted to the company and you can report back to your client.

How Social Engineering Templates Work

Social Engineering Templates in redpill Hacker

In redpill Hacker social engineering templates are used for the following:

  • Creating payloads that fits in with the con. The install program (payload) will have a specific name, wording and action. Emails that is linked to the template will also use wording that will work with the program to convince the target to run it.
  • Emailing a list of targets and automatically personalizing each email.
  • Multi-phase attacks where templates are first used to establish initial contact and gain confidence before sending the payload.
  • Used in combination with password phishing websites and payload websites to attract your target group and convince them to use the site.

To edit or create templates, in redpill Hacker click on 'Resources and Tools' and then 'Social Engineering Templates'. There are various places in redpill Hacker where you can select and use a template. After you selected a template, you will still be able to make some changes for the specific 'attack'.

It is a good idea not to use the standard templates 'as is' but to modify them to better suite your needs. Making small changes to the templates will also reduce the risk of detection by Anti-Virus.