up:: [[Social Engineering Techniques|social engineering]]

# Major Lessons Learned from Rachel Tobac on Social Engineering

## General Principles

1. **Thorough Reconnaissance is Crucial:**
   - Spend ample time (up to a month) gathering detailed information about the target.
   - Understand the company structure, key personnel, and internal processes.
2. **Crafting Convincing Stories:**
   - Develop believable scenarios and backstories to gain sympathy and cooperation.
   - Use emotional appeals and urgency to prompt immediate action from targets.
3. **Exploiting Human Psychology:**
   - Leverage trust, authority, and fear to manipulate targets.
   - Build rapport through personalized interactions.

## Specific Techniques

### New Employee Ruse

4. **Posing as a New Employee:**
   - Posing as a new employee allows for asking numerous questions without raising suspicion.
   - This tactic is effective for gathering sensitive information within a corporate environment.

### Chat-Based Approach

5. **Initial Contact via Chat:**
   - Use chat services to pose as a customer needing urgent assistance.
   - Aim to change the registered email or phone number to gain administrative access.

### Phone Call-Based Attack

6. **Benefits of a Phone Call-Based Attack:**
   - Less of a digital paper trail.
   - Ability to build rapport through voice, making it easier to sound trustworthy and persuasive.
7. **Using [[Caller ID Spoofing]]:**
   - Caller ID spoofing can be done easily and cheaply using apps.
   - Effective for impersonating customers during [[Social Engineering Techniques|social engineering]] attacks.
8. **Creating Emotional Appeals:**
   - Use scripts that elicit empathy and urgency, e.g., posing as a stressed traveler needing access to funds.
9. **Limitations of Phone Spoofing:**
   - Cannot receive text messages.
   - If the bank calls back, it won't reach the attacker's phone.
   - Spoofing only mimics the caller ID; it gives no actual access to the number.

### Overcoming Verification Challenges

10. **Providing Fake Documentation:**
    - Use photoshopped documents for additional verification when required.
    - Recognize that institutions often do not thoroughly verify details beyond matching names and addresses.

### Investigating Insider Threats and Leaks

11. **Posing as a Journalist:**
    - Create a fake journalist identity to gather information about sensitive company activities.
    - Use direct messaging, emailing, and texting to contact potential insiders.
12. **Exploiting LinkedIn:**
    - Use LinkedIn to identify key personnel with relevant skills and roles.
    - Target individuals likely to have access to sensitive information.
13. **Exploiting the Hiring Process:**
    - Apply for jobs to exploit the hiring process for gathering information about company activities and technologies.
    - Create convincing fake profiles with resumes, LinkedIn, and other social media accounts.
    - Ask targeted questions during interviews to extract sensitive information.

### Using AI to Trick Individuals

14. **Voice Cloning and Spoofing:**
    - Use voice cloning tools to mimic the voice of a target's coworker.
    - Create plausible scenarios requiring the target's cooperation.
15. **Creating Plausible Scenarios:**
    - Develop scripts that are direct and to the point to minimize follow-up questions.
    - Make the spoofed call at a time when the target is known to be available.

## Defensive Measures

16. **Identify Edge Cases:**
    - Understand scenarios that could be exploited.
    - Prepare responses for unusual or suspicious requests.
17. **Implement Callbacks:**
    - Verify the caller's identity through a callback to the number on file; a spoofed caller cannot receive that call.
18. **Email Verification and One-Time Passwords:**
    - Ensure secure communication and identity verification.
19. **Use Two-Factor Authentication (2FA):**
    - Replace knowledge-based authentication with more secure methods.
20. **Service Codes, PINs, and Verbal Passcodes:**
    - Add layers of security for account access.
21. **Involve Management:**
    - Loop in higher-level personnel for internal support tickets and sensitive requests.
22. **Educate Employees:**
    - Train employees to recognize [[Social Engineering Techniques|social engineering]] tactics.
    - Promote a culture of skepticism and verification for unexpected requests.
23. **Regularly Update Security Protocols:**
    - Stay informed about the latest [[Social Engineering Techniques|social engineering]] techniques.
    - Continuously improve and adapt security measures to address new threats.

[Original Podcast](https://open.spotify.com/episode/6nPX7nFtocIK4Yqz28jQQ8?si=vzYOiAB9RQCUUNo_34XXrQ)
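As an added illustration of the callback and one-time-code measures above (example code written for these notes, not from the podcast), a small Python model of a phone-number change in which the displayed caller ID is never an authentication factor: the code is delivered by calling the number already on file, which a spoofed caller cannot receive, and the change is applied only when that code comes back. `Account`, `FakeTelephony` and `ContactChangeService` are constructed stand-ins, not a real provider's API.

```python
"""Callback-plus-code gate for a phone-number change: the displayed caller
ID is never an authentication factor; the code goes to the number on file,
which a spoofed caller cannot receive. Telephony and accounts are stand-ins."""
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    account_id: str
    phone_on_file: str

class FakeTelephony:
    """Constructed stand-in: records the code delivered to each real number."""
    def __init__(self):
        self.delivered = {}  # number -> latest code actually delivered there

    def call_back(self, number, code):
        self.delivered[number] = code

class ContactChangeService:
    def __init__(self, accounts, telephony):
        self.accounts = {a.account_id: a for a in accounts}
        self.telephony = telephony
        self.pending = {}  # account_id -> (code, requested new phone)

    def request_phone_change(self, account_id, displayed_caller_id, new_phone):
        acct = self.accounts[account_id]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account_id] = (code, new_phone)
        # Callback always targets the number on file, never the displayed
        # caller ID or the number the caller is asking to switch to.
        self.telephony.call_back(acct.phone_on_file, code)
        return {
            "callback_to": acct.phone_on_file,
            # Recorded for detection only; a match proves nothing under spoofing.
            "caller_id_matches_record": displayed_caller_id == acct.phone_on_file,
        }

    def confirm_phone_change(self, account_id, supplied_code):
        # Single attempt: a wrong code discards the pending request.
        code, new_phone = self.pending.pop(account_id, (None, None))
        if code is None or not hmac.compare_digest(code, supplied_code):
            return False
        self.accounts[account_id].phone_on_file = new_phone
        return True
```

A caller presenting a matching (spoofed) caller ID and asking to move the account to a new number still never sees the code; only whoever answers the number on file can complete the change.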