End The SE On Good Terms



Always Finish The SE On Friendly Terms.

As with each and every SE you perform, be it manipulating your target into handing over the PIN code to access their system, or gaining unauthorized entry to a restricted building by SEing one of its employees into holding the door open for you, it's paramount not to raise suspicion during the attack. Not only do your social engineering method and execution have to be pretty much spot-on, but the SE's conclusion is of equal importance, namely ending the SE on good terms.

Once the method has been carefully formulated and applied accordingly, a successful outcome depends on three very important elements that every SE has: its execution, the effectiveness of the attack, and how it concludes. Each works hand in hand with the others; that is, you cannot dismiss any of the three and expect the result you're after. Very few social engineers pay attention to how they should end the SE, and then wonder why it ultimately failed! It's the conclusion that I'm bringing to your attention, in a very simple yet effective manner.


The Importance Of Ending On A Good Note:

Let's assume you're SEing your victim over the phone by pretending that you work in the IT department in the next building, with the objective of grabbing the network password from an employee. You may have the perfect attack vector (execution) that leaves nothing to chance, and likewise in how you're handling the SE at the time, but if you laugh and end the call abruptly just because you got the information you're after, it will give the victim reason to question the authenticity of the call.

The victim may well and truly look into the matter further and realize that he/she has been SEd. As a result, the victim can change the password there and then, thus ruining your entire SE. Clearly, you can see why you should end your SE on a good note. Here's a very good example of how an SE ends on good terms without raising any suspicion whatsoever.

The SE In Action:

It's late on a Friday, and the social engineer intends to infect his victim's computer with a virus by getting him to click on an innocent-looking link. The SE'er has decided that he'll play the role of an employee located in the head office of the accounts department. He's done his research, and is aware of who to call and what to say, and he has also spoofed his caller ID.

Here's how the SE is performed. The SE'er calls his victim, and we'll move forward from there.

Social Engineer: "May I speak with Brad Spencer please?"

Victim: "Yes, speaking."

Social Engineer: "This is Keith from the accounts department. Did you receive a new policy late last week outlining the changes to how claims are being processed?"

Victim: "No, I did not."

Social Engineer: "Well, that's strange. We actually need to get this processed before the weekend, and we can do it online. Are you in front of your computer?"

Victim: "Yes, I certainly am."

Social Engineer: "That's great. Can you please navigate to our policy website (gives him a fake site!), and when you get there, a popup will be displayed prompting you to accept the policy."

Victim: "I'm there now, do I just click OK?"

Social Engineer: "Yes please."

Victim: "I've done that, what next?"

Social Engineer: "That's it. The policy has just been automatically generated and accepted." (Realistically, the victim has clicked on a malicious link and his PC is infected!)

Victim: "Oh, that's fantastic, thanks."

Social Engineer: "You're very welcome. You are actually the 16th person I've contacted today about this policy, and I still have another 8 phone calls to make. I appreciate your cooperation, have a wonderful weekend and we'll chat again very soon."

Victim: "Okay then, bye."

In Conclusion:

I'm sure you've enjoyed reading how the SE took place, and in particular the way it resulted in a successful outcome. The social engineer was polite throughout the entire SE, and a very important element that played a major role in avoiding suspicion was the fact that he ended it on very good terms.

Moreover, the social engineer said that his victim was the 16th person he'd contacted, and that he had further calls to make thereafter. This also helped to solidify the SE, leaving very little to no room to question the authenticity of the call.
