Mastering the Craft of Hacking the Human Psyche
TLDR: The story (which included) is purely an imagination and hasn’t occurred in reality. Enjoy the journey through the realms of fiction. Even the characters aren’t real. Don’t miss the ending!
Hey, Hackers! 👋
It’s me, 7h3h4ckv157, back again with another insightful blog post. This time, I’m delving into the fascinating world of social engineering (SE). Whether you’re a seasoned pro or just dipping your toes into the realm of hacking, understanding the ins and outs of social engineering is crucial for mastering the art of cybersecurity. So buckle up and get ready to explore the intricate tactics and strategies used by hackers to manipulate human psychology!
What is Social-Engineering?
Social engineering is a malicious activity involving human psychology to manipulate individuals into disclosing confidential information, performing unintended actions, or bypassing security procedures. It relies on exploiting human psychology rather than technical vulnerabilities. The manipulation used to deceive individuals or organizations into divulging confidential information, performing actions, or providing access to restricted systems or areas.
The success of social engineering attacks hinges on exploiting human error, trust, and the tendency to comply with perceived authority figures or urgent requests. Criminals often pose as trustworthy entities or individuals to gain the confidence of their targets, leading them to reveal information or perform actions that compromise their security or that of their organization. Regular training on recognizing and responding to social engineering attempts is crucial for individuals and organizations to mitigate the risk of falling victim to these deceptive tactics.
Social Engineering helps hackers?
It’s a powerful strategy for hackers because it exploits human trust, curiosity, and susceptibility to manipulation, allowing attackers to bypass technical defenses and achieve their malicious objectives. Even the most robust cybersecurity measures can be bypassed if a hacker can manipulate a human into granting access. Social engineering attacks often target the weakest link in security systems → That’s people.
There’re so many SE attacks like:
Phishing
Pretexting
Baiting
Impersonation
Tailgating
Spear Phishing
Vishing (Voice Phishing)
Smishing (SMS Phishing)
Water Holing
Quid Pro Quo
Pharming
Shoulder Surfing
Dumpster Diving
Honey Trap
Piggybacking
Elicitation
Diversion Theft
Physical Keylogging
Fake Wi-Fi Hotspots
Fake Updates or Alerts
Fake Friend Requests or Connections
Clickjacking
Malware-Ridden USB Drops
Charity Scams
Romance Scams
Tech Support Scams
Job Offer Scams
Lottery Scams
Quid Pro Quo Phishing
Mobile Payment App Phishing
Business Email Compromise (BEC)
Shoulder Surfing
Tailgating
Scareware
.
.
.
etc.
Is it possible in Real-World? — A short story
Natasha and I have been in love for more than 15 years. We were neighbours and also studied in the same school & same college. After Engineering, both of us went to 2 different localities. Even before engineering, I consistently engaged in many illegal activities, including phishing, carding, carjacking, ransom-drop, etc. But she doesn’t know anything, and I convinced her that I made all this money by doing Bug Bounty Hunting. Although she doesn’t know much technical about Bug Bounty Hunting, She assumed it’s something related to finding bugs on random websites. But E̶t̶h̶i̶c̶a̶l̶ hackers never think in this way (we know)!
03/07/2023: I started my job in Infosec somewhere in North India. Meanwhile, She moved to Koramangala, Banglore. Things were smooth; everything was fine until 12/12/2023.
12/12/2023: She commenced the 1st battle in our 15-year relationship. I connected with her during the break, but she was attempting to find some random reason for the fight. Without wasting time, I exploited the 0day in a famous flight booking App (discovered by our ChinJ4) — The best Chinese Hacker I’d ever seen. The issue still exists, which allows anyone to book the flight without paying a single $. I went to Banglore to visit my girl. After enjoying a vacation there, I returned to my workplace (7th January — 2024). I acknowledged all the changes that had occurred with her. While I can typically discern even the subtlest changes, the transformation was significant in this instance. Her entire character had turned.
14/04/2024: The ongoing conflict intensified, eventually making it seem we no longer required each other. Whenever I attempted to call her, I consistently encountered a busy signal (Talking to someone else). This cycle persisted for months, fueling my growing sense of suspicion. I regretted not installing a Keylogger or Trojan on her phone when I had the chance at her location. I’m aware this isn’t morally right, but I must admit, I’m not exactly a saint. I have a solid desire to hack into this world.
After all this, she mentioned to me once that she needed to change her apartment and wanted to live alone. Previously, she had been residing with her two friends, Rhea Sharma and Jeena Jewel, in Prestige Botanique, Koramangala, Bangalore. Then, she changed her location without informing me. Given her actions, I didn’t inquire about the reasons behind her behaviour or where she moved. Additionally, during all weekends, I could hear traffic noise whenever I made a call, indicating that she was always outdoors. In the meantime, I received a new private investigation project from a third party, which offered a substantial reward.
I was engrossed in that project, but once it was completed, I revisited my feelings for her and checked her updates. Predictably, her phone was busy (engaged in conversation with someone else) on the 6th of May, 2024. Later that day, she returned my call. She spoke at length, even shedding some tears, explaining that she was dealing with personal issues and her parents were unhappy with her change of location. I attempted to comfort her, and I resumed my work after our conversation.
At 4:09 PM on the same day, I tried calling her again but found her line was still busy. After a few minutes, she called me back, and I noticed a change in her tone; she was crying. Politely, I inquired about the person she spoke with earlier, and she disclosed that it was her mother. Without hesitation, I asked her to provide a screenshot of the call, but she refused. Having already extended all the chances I could as a boyfriend, I realized it was time to take matters into my own hands.
The Investigation
I investigated my network contacts and identified Arnold, a Security Engineer (vigilante by night) near Natasha’s workplace. I apprised him of the situation, he informed me that she’s at the Koramangala pub accompanied by another Man, I paid him for spying her moves. After that, my primary objective was to uncover a SQL Injection vulnerability within a proprietary application, I found it after a week of diligent work. Following the discovery, I submitted my findings via HackerOne, subsequently receiving compensation. With my financial goals met, I opted for an extended leave of absence from my job, during which I travelled to Bangalore.
I secured accommodations near Natasha’s former residence, where Jeena Jewel and Rhea Sharma resided. Over several days, I observed these two young women closely, gaining insight into their weekend and nighttime routines. I identified their preferred dining location and began frequenting the Empire Restaurant myself. Consistently visiting the establishment around the same time for two to three consecutive days, I had the opportunity to converse with Rhea Sharma. After observing her order a dish, I approached her politely following dinner, inquiring about the disk she had selected due to my proximity to her table. Encouraged by my recommendation of a few northern dishes, which had been suggested by my friend Yash Vardhan, I continued our interaction. The following day, upon returning to the restaurant simultaneously, I found them present again. From afar, I greeted them with, “So this seems to be our mutual favourite spot,” eliciting smiles and inquiries about my meal choice. I reciprocated by mentioning the dish Rhea had enjoyed the previous evening. Invited to join their table, we engaged in extensive conversation throughout our meal. I presented myself as “Sachin” and I’m doing business (False Info). The time was with me, because Natasha never shows my picture to these girls.
After getting to know Rhea, I texted her often, and we became closer. In our talks, I asked about her living situation in the 3BHK apartment. She told me that originally three people lived there, but now it’s just Natasha and her boyfriend. When her family asked, she said she still lived there. She also said she was helping with the rent. Even though she didn’t say it directly, I figured out her name. As we talked more, Asking her that her friends are dating & why she’s still single? I started showing interest in Rhea romantically, and we discussed what kind of relationships we prefer. Eventually, we both agreed to casually date. As we got closer, I casually asked to see pictures of her friends and family, and I found photos of the three people living together. Pretending not to know, I hinted that I recognized one of them. Rhea laughed and explained that Natasha met her boyfriend on the dating app Bumble, and my old college classmate, Arjun Prakash, set them up. Despite this surprise, I don’t hold any grudges against Arjun, knowing that some people are good at clown activities.
The next move: (Manipulate & Trigger Natasha)
From Rhea, I learned about the fabricated narrative she had relayed to her friends regarding our breakup, citing long distance as the cause. When communicating with Rhea, I utilized my new phone number. Meanwhile, I posted melancholic stories using my old number and original Instagram account. I disseminated information about our breakup to the public. Consequently, numerous mutual acquaintances and her cousins sought clarification regarding my actions.
After a few days, I received a call from Natasha. During our conversation, I prompted her to check WhatsApp, where I had sent a picture of the BMW (which I had rented) and falsely claimed ownership. Subsequently, I proposed a day out for mutual closure and a brief discussion before seperating our ways. After a short exchange, I persuaded her to meet in person. I suggested she take a sick leave, and we arranged to rendezvous at Lal Bagh Park. It seemed she had fooled her current boyfriend, which facilitated her agreement.
After dropping off Rhea and Jeena at their office, I proceeded directly to Lal Bagh. The meeting unfolded as planned, with Natasha arriving punctually. Upon meeting her, I sent a “I still love you” message to her phone as a final check to ensure the success of the planned manipulation.
Wow! Even with her phone locked, I could still read my texts on her screen before she unlocked it! She clearly didn’t hide the notifications when the phone was locked.
Tip: Don’t allow notification while screen is locked. You may already aware of it, but make sure the people you love & your family are also safe. Some default settings may shows everything (Turn it off)
Example (Android):
Always Hide everything/contents.
Using Online Tools: There are online tools and websites that can help identify the ISP associated with a given SIM card number. These tools may require you to input the SIM card’s number and it’ll provide information based on publicly available databases.
I searched her number online and confirmed the Internet Service Provider (ISP). The picture is just an example of the API request for this. We can automate this process to gather public information in bulk for multiple numbers. I already know she’s using Jio (from college). But I just verified. For Jio, getting all Calls & Message Logs are very easy. The statement section in the My Jio app gives users a clear view of how they’re using their Jio services and what they owe. Here’s what it covers:
Usage Summary: This part shows how much data, voice calls,
and SMS messages users have used in the current billing cycle.
Billing Details: Users can check their bill amount when it's due and any money they still owe.
It breaks down charges like subscription fees and taxes.
Payment History: Users can see a list of payments they've made before,
helping them track and ensure payments went through.
Plan Information: Users can see what their current Jio plan includes,
like how much data they can use and when it expires.
Data Usage Analysis:
Some app versions offer insights into how users use data,
like when they use it the most and which apps or services use the most.
Call and SMS Logs:
Users may also find logs of their voice calls and text messages,
showing details like who they talked to and when.
What we need…??
Call and SMS Logs:
Users may also find logs of their voice calls and text messages,
showing details like who they talked to and when.
The Exploitation Scenario:
Being close to her device allowed me to read text message content directly from the notification bar. This will grants me to control over numerous accounts, including Gmail, Instagram, and others, as I only require an OTP.
However, I must delve into her call history to effectively find who was there once I was trying to make all those calls. This necessitates logging into the MyJio app using her phone number.
I delved into deep flirtation, assuring her I would exit her life for good, making it sound like my final departure. After two to three hours of manipulation, she requested a drop-off at a nearby bus stop. Seizing the opportunity, I proposed lunch together, offering her a ride. Without hesitation, she agreed — proof that my manipulation tactics were more effective. As we strolled towards my car, I discreetly installed the MyJio app on my device. With calculated precision, I entered her number into the app, waiting for the opportune moment to click the button.
I observed her texting someone en route, seated in the back. Upon reaching the hotel, we proceeded inside for lunch. After our meal, as I prepared to pay via UPI, I asked her to activate the hotspot due to poor network connectivity on my end. Seizing the moment, I swiftly executed a series of actions:
1. Firstly, I requested the OTP for my JioApp.
2. At the same time, I took a tissue and noticed some lipstick had smudged beyond her lips. I looked into her eyes, leaned in as if to help, and gently wiped the tissue across her lips.
3. Nearby, as she retrieved her phone, I quickly noted the OTP and swiftly logged in. Fortune favoured me as a flurry of messages from various online platforms inundated her screen, yet she remained oblivious to the critical OTP. With the hotspot activated, I completed the payment seamlessly.
BooM…!! Logged In
Now I can steal all the data I needed from her:
1. Install the official My JIO app from Play Store
2. Open the app → Type JIO phone number → OTP for verification
3. Once logged in, Select the “Statement” option from the menu
4. Choose the desired date range
5. You can → view | | receive the details via email | | download them as a PDF
— — — — — — — — — — — — — ⬇⬇⬇ — — — — — — — — — — — — —
— — — — — — — — — — — — — ⬇⬇⬇ — — — — — — — — — — — — —
I contacted her friends and cousins, sharing the list I compiled from her call log history. I identified the individual who seemed to hold a significant role and the person who frequently communicated with her during my difficult times.
Having accomplished my objective, I terminated the casual relationship with Rhea Sharma. As of mid-June, I intend to refocus on my work and resume my pursuits in hacking. Time to Hack The Planet!