Social Engineering-Phishing, Fake Messages, and More…

Hi everyone, in this post I want to talk about some social engineering techniques. There are several ways for social engineering, we will cover these techniques. Additionally, we will talk about colors and psychology. These posts must use only educational and professional purposes, please don’t harm anything.

  • Social Engineering -> The art of deception 🙂
  • Phishing -> Social Engineering with mails, messages, etc.
  • Vishing -> Social Engineering with phone or video calls.
  • Baiting -> Trying to hack with USB, Fake Hotspots, etc.
  • Pretexting -> Pretexting is to find excuses or cheat to get someone’s attention. Once the story hooks the person, the fraudster tries to trick the would-be victim into providing something of value.
  • Dumpster Diving -> Searching for something from the trash. Even if no one likes it, the information that can be obtained can be incredible.
  • Shoulder Surfing -> Why you watch my keyboard? Shoulder surfing is hacking the victim via watching with screens, mirror, etc..
  • Eavesdropping -> Ears. Can you believe it? He’s password should be XXXX, I heard that.

Humans like to believe something, they do not want to leave good deed unpaid, they are sensitive, some are so kind they hate to hurt someone. Humans can change but one thing not. There is one weakest link in the chain of security. Humans.

You can deceive a human easily if you try to understand what they want. In this time, you must know OSINT and must learn lots of information like family, pet names, child names, social id numbers, etc about the victim for deception. More information more successful campaign.

Phishing and Colors

You can hear that “Phishing” most of the time. But do you know colors? I like to search for social engineering and colors. Let’s take a look at colors and how can affect the human briefly.

Color theory and psychology, more information -> https://graf1x.com/color-psychology-emotion-meaning-poster/

  • Red: Passion, Love, Anger
  • Orange: Energy, Happiness, Vitality, Creativity
  • Yellow: Happiness, Hope, Deceit, Positivity
  • Green: Safety, Harmony, Balance
  • Blue: Calm, Responsible, Trust, Secure
  • Purple: Creativity, Royalty, Love, Immature
  • Black: Mystery, Elegance, Power, Authority
  • Gray: Moody, Conservative, Formality
  • White: Purity, Cleanliness, Virtue
  • Brown: Nature, Wholesomeness, Comfort, Honesty

How to use that? Imagine, you know the victim company’s industry, employee profile, the awareness level of employees (guessing), etc. You must select a convincing scenario. For example, our company is a bank. If you want to create a new website about it, you can select black and blue colors to affect. You should search and try different varieties but generally, I like to use blue and varieties for campaigns.

Example Scenario (for Internal Usage):

Hi everyone,
We know everyone is having a hard time.
We are delighted to work with you.
That's why we want to play a little game of chance with you.
It's your turn. Let's Try!..
<Link> examplecorp.com/gameofchance

Best Regards, <Company Manager>

Scenarios, templates, etc. up to you. Additionally, you must know frontend and backend programming :). Try to fake log in page for this game. Our key must be “Simple is the Best!”. You can find examples and change it and improve it according to the scenario.

Example log in pages:

  • https://www.mockplus.com/blog/post/login-page-examples
  • https://freshdesignweb.com/css-login-form-templates/

Fake/Spoofed Messages

We can spoof mails and messages. What is that mean? That’s mean -> Anyone can text me from anywhere. At least it is thought so. How?

For example, you may want to take a look.

https://www.spoofmytextmessage.com/

Buy message codes, fill, and done!… Simple but very terrible.

You can buy with bitcoin 🙂

Or you can find fake social media texting apps. For example (https://www.fakewhats.com/):

This is free, yes. And you can download this fake image.

The real problem is that it’s hard to understand fake or real when well configured.

And you find lots of terrible things via some simple search but I don’t do that now.

Vishing

Attackers can use vishing and phishing, together. The success rate is around 70 to 80%. How can attackers do that anonymously (not completely)?

Virtual Phones, Fake/Travel Sim Cards, etc. Attackers can find them. Let’s find too.

Example Services:

  • https://www.spoofmytextmessage.com/virtual-number
  • https://www.spoofbox.com/en/virtual-phone
  • https://www.spoofmyphone.com/

Select and start to use. For fake calls, vishing, etc. (SpoofBox)

Another one is SpoofMyPhone.

You can buy credits with bitcoin. Anonymous calls, adding sound effects, voice and text to speech, recording calls, etc. You can find more information with visit the spoofmyphone’s website.

Baiting

If you want to use baiting, you can buy some additional tools for that like USB malwares, Fake Access Points. When USB Malware section, you can search Teensy USB Development Board.

When you drop it, definitely a curious will want to attach this usb. Then you can got a shell or upload a malware to victim pc, etc. It’s all up to your imagination.

More information about Teensy -> https://www.pjrc.com/teensy/

For keylogger -> https://github.com/OpenSecurityResearch/usb-keylog-crack

For TCP Basic Shell -> https://github.com/KernelEquinox/Teensyterpreter

PDF Documentation (DEFCON): https://www.defcon.org/images/defcon-18/dc-18-presentations/Crenshaw/DEFCON-18-Crenshaw-PHID-USB-Device.pdf

ESP 8266 and ESP32 Wireless Dev cards, I like them so much. Easy to use and well documented. You can find lots of knowledge about these. You can use these cards for Fake AP or Fake Station into the network or other wireless attacks.

Station Usage

Acces Point Usage

These boards especially fine for captive portals (I think), create a web server with that, and capture the credentials. Actually, this is too easy with a few searches on google. I want to give some sources for you.

Also, In ESP32 Board, there are several sensors like touch sensor, magnetic sensor, etc. In Red Team Operations, you can use this for caption the door openings via touch sensor or what you want.

Conclusion

I know, there are too many things but I just wanna give some tip for both humans and security professionals. Keep your eyes peeled and be careful. Please don’t harm anyone with any technique and stay legal.

You are the Hero of Cyber World and you will write your own story. Hoping you to write this story as a truly hero, not as a criminal.

Thanks for your time. I hope this post helped to you.

Best Regards, Berk KIRAS | PwC – Cyber Security Specialist