Hacking and social engineering with a 70% success rate
Imagine it’s a lovely Saturday morning and your whole customer database just leaked. Huge (and not just GDPR) nightmare, right? And imagine that it was thanks to just one simple e-mail and 2 clicks from one of your team members. Over the last couple of years, I was able to gain access to people’s accounts on Facebook, LastPass, Google, Slack and many more. And even to this day, it’s still scary for me to see how easy that is.
Over the last couple of years, I’ve been testing my colleagues to see how they do when they are faced with real phishing attacks, different kinds of social engineering, malicious USB sticks dropped on the street and many other attacks that you can possibly imagine. Watching a nice illustrated video about phishing and other dangers is something completely different from having it happen directly to you. I’m trying to build awareness about the threats of today’s world and I’d like to share a couple of stories with you to help you too.
To be honest, I was always interested in hacking and social engineering; I just didn’t want to end up in jail. Breaking a system that someone designed or exploiting human vulnerabilities is something that fascinates me. That’s why I started experimenting with my colleagues: I wanted to see how we are doing in terms of security. I always try to act as an outsider and don’t use any personal knowledge about my colleagues to my advantage.
We (geeks) sometimes get carried away with the most secure technology solutions (encrypting everything with the top algorithms) that we can think of. And it’s easy to forget that the easiest way to hack a company is by exploiting human vulnerabilities.
Let’s get to some dirty stories. Just a disclaimer: this is not a manual for hacking anyone. I consider myself to be an ethical hacker and I want to spread the message and help other people to be more secure.
Story #1: How to get access to someone’s Facebook account?
That was actually a starting point for me because I wondered how hard it would be to get it. So I created a fake e-mail using the surname of one of my colleagues and the name of the company (something like…