Whilst social engineering is pretty unethical and not the business RapSec is in, I was attending a seminar about social engineering and decided to see how much open-source information I could gather about the speaker in less than 15 minutes, standing at the back of a crowded room with nothing but a phone.
Here is my methodology:
- Listen. Clues come from the subject's demeanour and appearance (middle class? got kids? clothing style, name, job title, engagement ring, wedding ring, phone type and so on).
- Plan. If this is being performed in a short time then only certain facets of information will be relevant. There is no point drawing a full attack graph: there isn't the time, and scribbling out a plan in the room will arouse suspicion.
- Gather. Never believe everything you read on the internet. When I do this I assign a probability to each piece of data and then only follow the high-probability routes, or try to double-check a datum against a second source. When one piece of data depends on another, I multiply the probabilities, so a fact derived from a shaky premise inherits that shakiness.
Example
For the case mentioned above I was just testing to see how much data I could find from my phone, and in the end got close to the minimum a financial KYC (know your customer) check asks for (full name, date of birth, current address) in 15 minutes.
- Checked the name of the speaker. The speaker was female and many women use their maiden name in a professional context. I missed the first part of the talk, so had to google the speaker's first name plus the company name to confirm the surname. That came up with one hit. Probability 100% (there was a photo and a video).
- The speaker was introduced as a lot of things (in a humorous "maybe I have been suckered" way), but one crucial word, "director", was mentioned. If someone is a director of a UK Ltd company then there will be an AP01 (appointment) or CH01 (change of details) form at Companies House. Have WebCheck bookmarked on the phone with spare credit and do a lookup. Nine times out of ten this provides a home address and also an age. In my case I got 100% probability, but typically it is not so certain if you have had no direct contact with the target. For me this yielded a crucial middle name. Caveat: a director may file a service address rather than a home address, and the public register shows only the month and year of birth, so treat that hit rate as an upper bound.
- Double-check the address: directors often don't update their address (this target had). I tend to use 192.com, which is quite good for getting previous addresses and date of birth. Obviously previous addresses (especially shared flats) are very useful legs of an investigation, but in a real-time situation they have to be forgotten about. I got a hit on the target's name and middle name with a recent address, the same as the one at Companies House. 100% probability.
- I was at the back of the room and so saw a rather large engagement ring. There was another name at the main address, so I googled that and found a rather nice story about the engagement on a university alumni website, so with reasonable precision I could say they were a couple. Here is where I made a wee mistake: I presumed that the target was operating under a maiden name (as many professionals do) and was married, when in fact there wasn't a wedding ring hiding there, just the engagement.
- Time ran out, but I would have gone back to 192.com and looked for the marriage registration to treble-check and firm up the probability.
- Made for an amusing question at the end of the seminar. Job done.
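The "assign a probability to each datum, multiply along the chain, corroborate with a second source" bookkeeping from the methodology above, written out as a small tool. This is an added example, not code from the original post or from RapSec: the finding names, sources and probabilities are constructed to mirror the seminar walk-through, and the rule that two routes below a shared ancestor count as independent observations is a modelling assumption, not something the post states.

```python
"""Confidence bookkeeping for chained OSINT findings (added example).

A finding derived from another finding can be no more certain than its
premise, so confidence is the product of the local trust values along the
chain. Two routes to the same fact raise confidence only below the last
finding the routes share; above it they are the same evidence counted once.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    name: str
    source: str
    p_local: float                # trust in this datum, given its premise holds
    parent: Optional[str] = None  # the finding this one was derived from


class EvidenceChain:
    def __init__(self, findings: List[Finding]):
        self.f: Dict[str, Finding] = {x.name: x for x in findings}
        for x in findings:
            if x.parent is not None and x.parent not in self.f:
                raise KeyError(f"{x.name} derived from unknown finding {x.parent}")
            if not 0.0 <= x.p_local <= 1.0:
                raise ValueError(f"{x.name}: probability out of range")

    def path(self, name: str) -> List[str]:
        """Root-first list of findings from the starting clue down to `name`."""
        out, seen = [], set()
        while name is not None:
            if name in seen:
                raise ValueError(f"cycle through {name}")
            seen.add(name)
            out.append(name)
            name = self.f[name].parent
        return out[::-1]

    def confidence(self, name: str) -> float:
        """P(finding holds): product of p_local along its chain."""
        p = 1.0
        for n in self.path(name):
            p *= self.f[n].p_local
        return p

    def corroborated(self, *names: str) -> float:
        """Confidence in one fact reached by several routes.

        The routes share a common prefix (the evidence both rely on, counted
        once). Below it they are treated as independent observations (an
        assumption): the fact is wrong only if the shared prefix is wrong or
        every route below it is wrong.
        """
        paths = [self.path(n) for n in names]
        depth = 0
        while all(len(p) > depth for p in paths) and len({p[depth] for p in paths}) == 1:
            depth += 1
        p_common = 1.0 if depth == 0 else self.confidence(paths[0][depth - 1])
        p_all_wrong = 1.0
        for p in paths:
            p_route = 1.0
            for n in p[depth:]:
                p_route *= self.f[n].p_local
            p_all_wrong *= 1.0 - p_route
        return p_common * (1.0 - p_all_wrong)

    def leads(self, threshold: float = 0.8) -> List[str]:
        """Findings solid enough to spend scarce minutes following."""
        return sorted((n for n in self.f if self.confidence(n) >= threshold),
                      key=lambda n: -self.confidence(n))


# Constructed data mirroring the seminar walk-through; probabilities are illustrative.
SEMINAR = EvidenceChain([
    Finding("surname",         "google: first name + company",  0.95),
    Finding("director_record", "Companies House (AP01/CH01)",   0.90, parent="surname"),
    Finding("middle_name",     "Companies House record",        1.00, parent="director_record"),
    Finding("address_ch",      "Companies House record",        0.60, parent="director_record"),
    Finding("address_192",     "192.com electoral roll",        0.90, parent="middle_name"),
    Finding("partner_name",    "192.com, same address",         0.80, parent="address_192"),
    Finding("engaged",         "alumni site engagement story",  0.90, parent="partner_name"),
    Finding("married",         "inference from the ring",       0.50, parent="engaged"),
])

if __name__ == "__main__":
    for name in SEMINAR.f:
        print(f"{name:16s} {SEMINAR.confidence(name):.3f}  ({SEMINAR.f[name].source})")
    print("address, two sources:", round(SEMINAR.corroborated("address_ch", "address_192"), 4))
    print("worth following:", SEMINAR.leads())
```

Run as a script it prints the chain with the confidence of each link. Note how `married` sits at roughly a quarter even though every step looked plausible: the long chain of "reasonable" guesses is exactly where the wee mistake above crept in, and the corroborated address scores higher than either source on its own only because the two lookups genuinely diverge after the Companies House record.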
Websites that are useful for UK searches:
- Facebook advanced search and the third-party Facebook search sites
- Friends Reunited (not as good as it used to be)
- 192.com - electoral roll, telephone directory, Companies House data
- Companies House WebCheck
- Skype directory
- Google - but be smart. Common names bring up too many false positives, so include favourite sports, industry, company names and so on, and use crafted Google search URLs (see previous blog article)
- Google Maps and Street View can provide contextual information but aren't that useful.