Using Catfishing To SE



Using Catfishing To SE By Fabricating An Identity.

When you perform social engineering on your victim with the intention to grab as many identifiable and confidential details as possible, it's usually done through the most common gateways, such as over the phone, via email or directly during online chat. If you're starting from scratch, in order to maximize successful results, this requires quite a lot of research about your victim, which can be a somewhat difficult task when you have very little to no information to begin with.

Wouldn't it be nice if your target's details were readily available, and you could use the information to create a fictitious profile, thereby SEing him thereafter? Well, you can do this with ease by using a method named "Catfishing". When formulated correctly, this is a very effective form of social engineering, namely because of the simplicity of building a trusting relationship between you both. So what exactly is "Catfishing"? Let's check it out now.

Catfishing Defined:

As per the method used by social engineers with the good old "Your PC has a virus", Catfishing operates in a similar fashion, with the only difference being that you have to befriend your victim in order to get what you're after. In simple terms and generally speaking, this type of SEing involves creating a fake profile on (for example) a social media platform such as Facebook that's so convincing with images, friends, posts, likes, interests etc., that your target will unsuspectingly reveal their personal details at your request.

I've personally created both a fake Facebook account and a fictitious profile on a dating website, and I can confidently say that social engineering my victim was done with incredible ease. However, it does involve a little preparation on your part, and once you've done that, the SE can immediately begin. For the purpose of this article, I'll discuss Catfishing via Facebook, particularly because of the array of information at your disposal.

How To Prepare Your Fake Profile:

Obviously, the first thing you need to do is "register a fake Facebook account" and fill in your profile details, but don't just enter anything that comes to mind. Check out your victim's profile and take special note of where they work, the school they've attended, their hobbies and interests, favorite foods, where they like to hang out and so forth. The objective is to base your fake Facebook profile on the same (or similar) commonalities as your victim. As such, he/she will be "very easy to befriend and after that, you'll have a lot to talk about, inclusive of grabbing their confidential details".

It's very good practice to let your account mature, at which point you'll "make a few friends based on similarities to your victim's friends". Also, put up a few images that you believe are in the best interests of your victim. For instance, if he loves going camping, grab some images off Google and post them on your Facebook Timeline.

It's beyond the scope of this article to provide every method on how to befriend your victim, so this is on the grounds that you've sent a friend request and he's accepted. "Just remember that it's of the utmost importance to build a trusting relationship!" Once that's been established, you'll find that the process of obtaining personal & confidential information requires minimal effort.

The Type Of Information To Collect:

There are no hard and fast rules on the type of personal/confidential information to collect, so I'll simply provide my recommendations based on general terms. As with the majority of users, most likely your victim already has their full name on their Facebook profile, so we'll forget about that. "The type of details to grab can include their email address, phone number and date of birth". I'll explain how to obtain all three in the next few steps. The latter (date of birth) is crucial, as this can significantly help to build their identity from the ground up. When you've formulated your profile accordingly, you're ready to perform your SE via Catfishing, so let's have a look at that now.

Catfishing Attack In Action:

It's a pleasant Sunday afternoon and you've specifically selected this time and day, due to the fact that your victim is not working nor asleep, thus has ample time to communicate with you via Facebook chat. Given you've befriended him, "the first port of call is to build trust and not dive straight into the SE". Hit a few Likes and comments in an encouraging and complimentary manner on a number of his posts. No doubt he'll reply in a positive fashion, so the "trust" is starting to progress. You're now ready to establish your chat by predominantly being in conversation about "his interests", which attracts attention and keeps the conversation flowing.

* Obtaining His Date Of Birth.

You've noticed that your victim has posted a few of his favorite movies (if not, start this very topic), so you're now talking about actors and actresses in general. The level of communication is going exceptionally well, hence you've said: "I can't believe that Tom Hanks, Courtney Love and Fred Savage all share the same birthday as me! What about you, any famous actors born on your very special day?". He replies: "As a matter of fact, the only one I can think of is Angelina Jolie". Boom! After hitting a quick Google search on when Angelina Jolie was born, you now have your victim's date of birth. It's that simple.

* Grabbing His Email Address.

You're very calculated in the nature of how you respond to all messages during your chat session, by purposely typing at a very slow speed, yet at a rate to keep all communication actively flowing. You've kindly asked him for some advice on a relationship issue with your partner, and he's happy to lend a helping hand; however, it's taking forever on your end to respond. You then ask: "Can I please email you later tonight? I can take my time to write it properly rather than rushing back and forth here". He responds by saying: "Yeah, sure thing, send it to my email address which is example@example.com". Within a matter of a few minutes, you've grabbed his email address with minimal effort.

* Getting His Cell Phone Number.

As per above, now that you have his email address on hand with (seemingly) the intention to reply, this is the perfect opportunity to SE him for his cell phone number. This method is extremely simple and straight to the point, yet goes unnoticed by your victim.

Whilst talking via Facebook chat, you say to him: "I'm sorry about not emailing you, but I have Two Factor Authentication on my Gmail account, and for some reason it's not sending the code to my phone, so I can't log in. Can I send it to your cell phone and you can text me the code?". He replies by saying: "Not a problem, you can send it to this number (xxx)-xxx-xxxx", and asks for your cell phone number to reply to. Of course, you've masked your real number by using an anonymous service named Burner. After receiving the text message, you have his cell phone number!

In Conclusion:

Pretty impressive methods, yes? I think so too. Evidently, they're simply examples of scenarios, and not specifically related to events as they happen. Your job is to use my methods by formulating your very own that are suited to the environment you're working with at the time, and also based on your victim's circumstances.

I'd like to reiterate the fact that after your fake profile has been created, you "must build a trusting relationship"; this is very important, as it will lure your victim into disclosing personal & confidential information with ease. Facebook chat is only an example of a communication gateway, thus you can choose whatever platform you're most comfortable with and, of course, is also used by your victim.




