How To Execute The Social Engineering Attack Effectively

Provido

Participant Member
21 Oct 2015





There's a lot happening In the complex mind of the social engineer, who's constantly facing challenges to get what he's after, such as SEing an ISP to get his victim's login credentials, or hitting a major online retailer for a 3,000$ laptop by using the good old DNA method. At times, Instances of this nature may appear somewhat challenging at first, but they're easily circumvented by being confident, adamant, persevering with the task at hand and taking control of the entire SE.

All these attributes play a significant role In the outcome, namely (and obviously) to achieve a successful result with the SE'er's objective, like receiving a refund from Logitech for the Bluetooth Wireless Headset using the serial number method. However, this Is of no value If the social engineer does not have the skill set to "execute his attack effectively with each and every SE performed".

In terms of SEing a company on the net, he can do everything correctly "during the early stages of the SE", such as spending countless hours sifting through their terms & conditions to Identify loopholes and vulnerabilities, being very selective with the method suited to the Item In question, and also preparing It with a great degree of accuracy. Thus far, he has all the Ingredients to cook a perfect meal, that Is, "to social engineer his target without fail". But guess what? The meal cannot cook without a flame! "Neither can an SE succeed without an effective attack vector". So how do you get the job done In the end? Let's check out the process right now.


Choose A Gateway You're Most Comfortable With:


One of the good things about social engineering online retailers, Is the array of options you have at your disposal. For example, If you're after a set of AirPods, you can choose from Argos, Amazon, Best Buy, Walmart, Apple (obviously) and the list goes on. The same applies "when deciding on how to contact the company". Long gone are the days of solely using fax machines.

Nowadays, the three most common forms of contact are live chat, shooting off an email and of course, getting on the phone and generating a call. Although they all serve the same purpose to get In touch, "they're not equally suited to every social engineer", hence you must choose one that you're comfortable with, otherwise the execution of your attack WILL fail and evidently, so too will the SE.

There are no hard and fast rules with how you decide to communicate with a company's representative, but rather "based on how confident and comfortable you are with the gateway that you select". For Instance, If you are somewhat Indecisive or perhaps a little nervous with Instant replies to requests, then "do not opt to speak with someone over the phone". Instead, write everything down In an email message: you'll have all the time In the world to not only document your reply, but to also proofread It, thus making sure It's accurate and effective prior to responding.

On the other hand, you could be the type of social engineer who has difficulty In translating your thoughts Into text format, but great during real-time verbal communications, therefore both live chat and email transmission are not suited. As such, "conversation on the phone Is your strength to execute your attack successfully". There are no fixed or definite rules with what you choose to get In contact with a representative, but "It must be one that you can relate to In every facet". Do remember that "this Is the execution of your attack" and sometimes you only get one shot at It, so make It count by selecting the one that you excel at.

Now the question Is, how can you be sure that your selection will work "against the given company?" Well, you can't 100% of the way, but you can certainly obtain a very good Idea by hitting a "practice run", which brings me to my next point.


Perform A Practice Run:


On the grounds that you haven't SEd a particular company and don't know precisely what questions will be raised, how they expect to be answered and the type of procedures used during the claims process, simply perform a "practice run". So what exactly Is a "practice run?". Well, I'm glad you've asked! Rather than SEing the real Item, you formulate a bogus SE solely used for testing purposes, with the Intention of establishing how the company operates and processes claims.

One way to do It, Is to "order a very cheap Item from the company that you're planning to SE", and be sure that Its value Is only a few dollars or so. This way, If the SE doesn't go according to plan, you have nothing to lose except a measly (for example) 3$ on the Item you've spent. Next, use the gateway of communication (as already mentioned above), "that's your strength and not your weakness". Take note of every possible detail during your conversation, no matter how Irrelevant It may seem at the time and most Importantly, the steps taken leading up to finalizing your claim.

All this, will give you a very accurate and deep understanding of the protocols used by representatives and as such, "you should not have any Issues whatsoever In executing your attack without fail!". I recommend hitting a couple of practice runs- just to be certain that your execution will In fact succeed when the time comes to SE the company for real.


In Conclusion:


If you've applied everything you've read In this article to your SE, then It will leave nothing to chance, hence a successful outcome Is a certainty. I'd like to reiterate "the two key elements of an effective execution" as follows.

* The gateway of communication that you're proficient at, thereby your level of confidence will ensure the SE's success.
* The practice run that gives you a very good Insight of how the company operates with every claim, thus also ensures success.

Do apply everything you've read with any company that you haven't previously dealt with, nor have any Idea of how they manage claims. Of course, If you've SEd the same company (such as Amazon) so many times, you can skip the practice run, but obviously use It with those you've yet to social engineer.


Excerpted