Human touch

HOW TO: Use Facebook for intelligence work, Part 2

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of at least 10 000 e-mails with only 5 minutes' work.

This is part two of the How-to about collecting information about potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistence.

BONUS: Build a complete victim profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

Image: Group type set to Open

 

Why do you want this? Simply to make your victims advertise the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

Image: List of friends

 

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to getting the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

  • interests
  • books read / enjoyed
  • favourite quotes
  • marriage status, birthday, age
  • friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start to notice that you can get to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You are still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

  • Looking for “easy” offers for sex or violence. Just read the newspapers.
  • Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
  • Selling the information (spammers, criminals)
  • ID-theft – the more I know, the easier it is to learn more about you
  • Intelligence – companies, criminals and countries collect information that might be useful in the future
  • Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See what I am getting at? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

HOW TO: Use Facebook for intelligence work, Part 1

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work!

In addition, this How-to will help you collect additional information about your target, such as photo, full name, list of friends, and potentially also mail address, phone numbers and a list of their favourite books.

So let’s get on with it!

 

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to Yahoo Mail, Google Mail, or any other free web-based e-mail service out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later on!

You do not want to use your own name, though, but you knew that, right?

 

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility.

TIP: You may consider using a western name, preferably a woman's name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

 

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this How-to. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why do you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

 

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Image: The teaser!

Yes, I noted more realistic above, I know…But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one counts as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

 

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do know that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other hand, when you get the e-mail, you got plenty of opportunity to ask for more later on too.

 

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voila – now you got a large amount of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!

 

6. Collect and use

Now that you have a large amount of e-mails on your account, it is time to download and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourite), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool.

And as e-mails keep coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrageous offers of pills, lottery winners and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!

Live skin fingerprint scanner

This new thumbdrive/memory stick/flash pin (choose or add your preferred name) offers a fingerprint scanner. A scanner that looks for the live skin, something that is claimed to increase accuracy, and allows you to use dirty fingers and still get access.

The only downside is that now I can no longer cut off your fingers to gain access to your data. I need you alive and kicking at my side...

Time for a weekend laugh

All right, I needed a laugh, and found my way to the Failblog. This place has potential for fun - particularly if you filter out the kids' comments.

I particularly like this one:

fail-owned-pwned-pictures
more funny fail pictures at FAIL Blog

And - unlike the other comments - this one was nice:

"No submarine trucks? Where do they get all the water?"

"Nah, they’re just filling up."

Yes, I admit it. My humour is not on the dry side today.

Happy weekend to all of you from all of me!

My secret to successful trainings

Facilitating training processes is something I truly enjoy. Particularly when I can enter a class where the energy level is low, and the participants expect to be handed tasks to work with.

When you enter the room, you feel their lack of motivation. And no motivation usually means a tough day for both participants and the trainer. And if you want people to learn new skills, and hopefully to change their attitude towards the subject, you need them to be motivated.

This is particularly true when training security and user awareness. People act as if the topic is as interesting as a piece of dead wood. Believe you me – I do not want to be that piece of wood!

Thus, one of my main focuses during a training is to build, and keep, the energy level high.

This can be done by using group exercises, open discussions and by sharing your own craziness (and boy, can I be crazy!)

I build an environment where it is safe to ask questions and to wonder. A group where they support and help each other – even when I am no longer there. Because only when the motivation and fun is present, can we focus on knowledge transferal. Where the participants get their learning experience. Where the actual message is conveyed, understood and put into use.

 

So now you know my secret to giving successful trainings!

How trust is built and exploited while you feel good about it!

My regular readers are familiar with my interest in socializing - or networking. Thus, I attend many meetings and conferences, and usually I find it hard NOT to hone my social engineering skills. And, I am a social guy, with many years of sales experience, and a natural interest in others; so talking, asking directional (to me) questions, and fishing for answers comes kinda easy to me.

In addition, people tend to confide in me.

Now, this may of course turn into a disaster for the poor folks I am talking to. Do they really know me? How can they be sure that what they tell me (and boy, do they tell me some secrets...) will stay with me?

We all know the "Your password for a chocolate bar" tests (or Google it). These are popular in their different forms, and they show how easy it is to get access to information that should be protected.

So what if my purpose were to actually collect and gather information on you; and then pass it on to your competitor? Believe you me - it would be like taking candy from a child.

I would first research the company. The solutions; competitors; the market; margins; products; and customers. I would know as much as possible - previous successes and failures, their results, their image and of course their owners. I would also visit their locations, and make sure to enter legally.

Next step would be to identify potential targets - obvious ones, and less obvious ones. When I know who I need, I will start looking for ways to reach them. And here come conferences, meetings, user groups, NGOs and NPOs and similar forums.

Most people have a passion, something they do besides their job. By meeting them in these settings, they tend to have lowered their guards, and they are more easily manipulated.

At this point, I have done extensive research on the targets, and I would know where to find them and how to approach them. Now, this seems like tedious work (and yes it is), but it is not that hard anymore. Googling people shows up the most interesting information - but this we already know. Combine Google with public records, social networking tools and an analytic mind, and you would be stunned at what could be found out about you.

"But it does not matter what they find out about me, there are no secrets out there!" I hear you cry. You may or may not be right. You never know who publishes stuff on the Internet, and how that might be related to you. But that is not the point. The point is that I can conduct a thorough research on you - my target - with very little resources, and within a very short time span.

And then comes the fun part - I will now start to befriend you. I might decide to approach you through a friend or contact of yours. Or I may decide the best approach is at a conference where I know you will be. It does not matter - I will do it slowly, and build your trust over time.

I will use my chameleon skills to adapt and alter as necessary - never spending too much time with you. I will create a curiosity within you. I will create an interest that will develop into a desire to know more about me - so you will approach me. Why? Because when you come to me, you have your guards lowered. Oh yes.

And from here on, it is only a question of patience. Asking seemingly innocent questions; letting you talk.

Have you noticed that when someone lets you share your life story, your passions; and they show genuine interest in YOU; instead of shamelessly promoting themselves; that you tend to trust them more? And with that trust, you start sharing more? And enjoy these people more?

What do you think this is doing to your guard?

Exactly.

What is really interesting is that the best social engineers - those who do this on purpose only to gather information from you; or get you to do things you did not know you wanted to; they will leave you with a feeling that you did something good, that you can feel good about yourself.

And you will never know what happened.

In other words – please feel good when I give you my attention. I will never exploit you – only the information you share!

 

 

Looking for young girls? (a review of my visitors)

A while back, I blogged about an unfortunate event where a 14-year old girl had to change her name and move to a different location because she had undressed in front of her boyfriend - using a webcam.

Since then, I have had a steady growth of visitors targeting that particular post. Some days, this post even shows up on my list of "Most visited" stories, as shown under:

Wankers high on the visitors list

Of course, me being in Norway, I am culturally obliged to be naive. And for a while, I can accept that. But after 6 months, and the same story keeps pulling visitors, even my limits are reached.

I mean - what kind of sick bastards are searching for the text in this image? (No I am not concerned about the "wep hacker" search...)

Search terms used

Now, I immediately picture some crazy predator like the ones over here.

But - giving it a little more thought, perhaps not all the hits are from wankers - but from young, frustrated guys looking for same-age girls?

If they are predators only, I'd love to do something with it. You know, some ball-crushing or similar exercise.

But - if even only one of the visitors is a young person looking for others in the same situation, or someone who plans to do something similar - then I hope that the post actually may do some good. Either by helping out someone in a difficult situation, or by keeping such a mistake from repeating itself.

---

If you are still looking for 14-year old girls stripping - you might want to try this YouTube clip! Just be warned - you have to be 18 years or older!

Facebook open to ID-theft

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us use these services on a regular basis (daily, hourly, or even every moment of the waking hours).

I for one am a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that are enabled through such services.

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing they claim to do. Still, imagine a business manager sitting on 10s of thousands of users and their data, in need of money. It would be extremely easy to use the data already harvested, as well as rewrite the application to be more aggressive in its harvesting.

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you normally would share with friends only.

---

Enter the Social Engineer. He uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth.

Perhaps one day he bumps in to you at the local mall. Or calls you because "someone said that you could be interested in ..." 

Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

ID theft – Facebook and MSN exploited

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

The spam message

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs was that when she was on MSN, MSN would disconnect her, stating that she was being logged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using a friend's computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes we pros have problems with the very same challenge! And as threats evolve, and get better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get back to what you were doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?

 

Roberto Preatoni stays at WabiSabiLabi

Following the arrest of Roberto Preatoni last year, there has been much speculation about the WabiSabiLabi project (where exploits are sold to the highest bidder - a kind of QXL for hackers).

As Roberto is a professional, he and his team have spent time considering the risks and benefits of keeping him as the public figure of the project. After careful considerations, they have decided that the benefits are greater than the risks, and Roberto stays.

This is a normal process for any company in crisis. I am not a fan of WabiSabiLabi - although I do hear the arguments - but I am a fan of people being professional. Thus, I welcome Roberto back into the public light! 



The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.
