Dumpster Diving

Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters. The LAN Times listed the following items as potential security leaks in our trash: �company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.�

These sources can provide a rich vein of information for the hacker. Phone books can give the hackers names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for creating authenticity. Policy manuals show hackers how secure (or insecure) the company really is. Calendars are great � they may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give hackers the exact keys they need to unlock the network. Finally, outdated hardware, particularly hard drives, can be restored to provide all sorts of useful information. (We�ll discuss how to dispose of all of this in the second installment in this series; suffice it to say, the shredder is a good place to start.)

On-Line Social Engineering

The Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address � that way, she might even get that persons corporate account password as well) and password. These forms can be sent by e-mail or through US Mail. US Mail provides a better appearance that the sweepstakes might be a legitimate enterprise.

Another way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for a users password. This type of social engineering attack doesnt generally work, because users are generally more aware of hackers when online, but it is something of which to take note. Furthermore, pop-up windows can be installed by hackers to look like part of the network and request that the user reenter his username and password to fix some sort of problem. At this point in time, most users should know not to send passwords in clear text (if at all), but it never hurts to have an occasional reminder of this simple security measure from the System Administrator. Even better, sys admins might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be authorized and trusted.

E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone of authenticity can carry viruses, worms and Trojan horses. A good example of this was an AOL hack, documented by VIGILANT: In that case, the hacker called AOLs tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.

These are 2 other excellent ways of social engineering, getting into someones head, knowing what they really want, and tricking them into doing something they shouldn't because of there own selfishness and curiosity.

BY:xtwitchx

Can someone help me gain a password for either Facebook or an AOL address please I mean no harm to anyone I just need family info they have
Please email me on tawnythefox@live.com

Looking for a Professional Hacker... E-mail or let me know over here.

Thanks for the repost Bishop, what a top read. Even though that social engineering attack may have been a while ago (not sure, this is the first I've heard about that one) It could still be very valid.

Gaining rapport and trust over an hour long conversation was brilliant! I wonder if that's one of the techniques Mitnick used to employ..

Following on from the sweepstakes phishing scam, using greed is a very powerful motivator as well. Sometimes even though it sounds too good to be true, a certain percentage of people will always take the bait.

Combined with a spoofed email address or even a domain with a typo that may be looked over by some people, this could be very effective.

tawnyfox/achtung24:

This isn't a hackers for hire forum, the forum is designed for people to discover the art of hacking, and discuss the techniques surrounding it.

Publically requesting people to hack things for you is one fast boat to jail.