[Tip] A Basic Social Engineering Guide (For Noobs)

[DrLecter]

Social Engineering (SEing) can help you to:

1. Convince people to GIVE their passwords to you.

2. Make people you meet across the internet TRUST you.

And this short guide will teach you:

1. Learn all about recovery questions

2. Learn how to prevent being 'Socially Engineered'



How to convince people to GIVE their passwords to you.
And how to make people you meet across the internet TRUST you.



Step ONE:

Finding Victims.

Well of course the first step is to find a vulnerable victim. By "vulnerable" I mean "stupid" in a sense.

What you should look for in a victim is the following:

1. Has no idea of your intentions what-so-ever.

2. Is a remote target (face-to-face SEing is something completely different)

3. Has just a basic understanding of computers, and a bit of trust for you.

If your victim qualifies for ALL of these 3 steps then you are ready to move on to the next phase or your Social Engineering process.



Step TWO:

Trust.

When you want to scam someone, you are definitely going to need them to trust you, somewhat.

I will refer to trust on a point scale:

Please note the following:


Chatting with them on a daily basis for 3 weeks at minimum- 9

Giving them something worth value to them- 10

Making fun of someone together- 4

Being a member along side them on a forum website- 8

Sharing common interests- 8

Helping them with problems- 9

These are just simple things you can do to get someone to trust you enough, in the field we are working in, for something DRASTIC to happen.

As you can see the more difficult the task the greater number of 'trust points' you receive.

Now these #'s aren't just some made up bullshit. I ACTUALLY learned this over-time by Socially Engineering people. This is a weird concept but is very useful in seeing if you are gaining any trust at all.

After you earn up some good 'trust points' [ABOUT 20 - for a good scam -] you can move on to Step THREE!


Step THREE:

How to receive what you want.
(In this case, however, I will talk about receiving a password.)


Now there are a few different ways you can take at this point in our "process". You can take different methods on gaining their password, look futher into way 1 to see.. Read them each to find out what your getting into.


Way 1:

Easy-Hard (depends on the type of recovery question/s)

In 'Way 1' you will try and talk your way into making your "friend" give you the answers to some or all of his/her recovery question answers.

The first thing to do is find the email address associated with what you want.

I.E. An AIM screenname. Obviously you would need to find the Email for: ******@aol.com/aim.com.
I.E. A Yahoo ID. Would be ******@yahoo.com
MSN is a bit tricky, if you have any trouble finding the email address, whatsoever, simply....uh...I dunno...ASK?
Make up a stupid reason.


Now there are several ways to do this.

1. Forums.
Many forums have profile pages for the users that list several important tidbits. Like, cities, states, postal codes, birthdays, and other misc. stuff.

2. Asking.
If he/she is not a member of a forum, you can always ask. Be creative, like, "Hey, did you see 'blah blah blah' I can email it too you, whats your email address?" See, easy.

3. Asking other people.
Yeah maybe you can ask a friend of his for it.


Okay! Now that you have the email address of your victim, we can move on to the next step!

The second thing to do is go to the ISP's site. And click 'Forgot Password?' or something similar

ISP=The part of the email address after the '@' like, 'Aol.com' or 'Yahoo.com'.


Now that we clicked the link, it should say "Enter your email address and click submit..." enter the email address and continue.

Now you should see a screen asking for either 'location information' or 'recovery questions' or a combo of the two. It really depends on the site.


Your going to see stuff like:

*Enter Country:

*Enter State/Province:

*Enter City:

*Enter Postal Code:

*Enter Birthdate:


And now..

Enter (RECOVERY QUESTION GOES HERE):

Enter (RECOVERY QUESTION GOES HERE):

(There may be one, two, or even three)



Yeah, yeah, these all may seem hard, but really, they aren't. And since WoW only asks one recovery question, it is super easy. To get his account name however, you'll have to gain his trust somewhat, many usernames are the same as their emails, or even their character names.

First were gonna take all you know, and fill in the blanks. Be precise, don't guess!

Now if you know none of these, they are pretty easy to get.

Ok, start with the location information. This is really simple to get if he/she is an active forum member.

Try looking in that users profile, you're bound to find some info. Once you get some, fill it in.

Read these if you need help getting location information:


For Cities: Check their profile, or make a thread called "Where do you live??" and ask the shit you need discreetly, and hope your friend responds.

For States/Provinces: Do the same thing for 'Cities'.

For Countries: Do the same thing for 'Cities'.

OR JUST FLAT OUT ASK, but it does seem a little peculier....just come up with a decent reason..

For Postal Codes:
This is easy, just Google the city name.

For Birthdates:
Make a thread in the forum they are active in, with a title "Birthdates" type in a bunch of bullshit saying your birthdate is in 3 days, and you wanted to know everyones birthdates so you could wish them a happy birthday and what-not. PLEASE NOTE: If you made a thread for the location info, do not risk making this right after, wait a week or so, or until the thread has died down.


Yeah! Now that you've got all of the location information we can move on to those pesky Recovery Questions for their emails and what-not.

Some tips:

*Enter Country:
Ask for this, and then say "Oh really"
*Enter State/Province:
wait a few seconds, open up google, then say, "I went there recently, where exactly?"
*Enter City:
have another slight pause,"Oh, no i went to" (use google to find a real city)

Myspace is a gold mine for this stuff!
By gaining access to their email (as long as it's registered on their WoW account) we can see their account name and recovery passwords - WoW automatically sends out your account name whenever they change the password or recover it. Example:
Subject: World of Warcraft Account "NAME HERE" - Account Change Notice.

Gaining their password from a recovery is easy shit now you have their acct name.

But this is for the dumbest of the dumb though, more advanced social engineering is needed to move onto the next level.

My recovery question is "High school?" or "Mother maiden name" to gain say, something like a maiden name, if their parents are divorced they would usually have a name such as John Citizen-Bloggs. Note the hyphen, this separates the 2 last names, Citizen could be his dads or mums last name, and Bloggs likewise.
If not, strike up a conversation. Myspace will have their parents on them if their parents are techy, and if their family members added the victims myspace you can see them - men keep their last name when marrying - women don't. So say the victims mum is Jessica Noles, the victims uncles name would be John Johnston from his mothers side, and from his fathers side (uncles) it would be John Noles.
Now you have some good info. Myspace is huge, and so is facebook, you can easily mine this data and use it to your advantage.