The title is a bit misleading. It's not an attack, more like well-done social engineering.
But the context is very helpful - especially with the amount of detail you provide, along with the email exchange, one can see the target was totally abused.
The lanyard, laptop, false recruiting - you really overdid it, but I mean that in a positive way. I like it, it's so great - you could almost make a movie out of it ;-)
That's creative thinking. Congrats on your victory.
Y'know what, I disagree. It's not misleading. Social Engineering _is_ an attack, as far as I am concerned, and honestly when he mentions that it's Social Engineering in the third sentence of the article itself, I don't find it misleading at all.
To the guy who did it: Bloody well done. I agree with guyhelm, it's overkill, and we all know that's the best kind of kill ;)
Social engineering is actually quite scary, especially when put together with targeted attacks against the individual. It's a one-two punch that is very hard to defend against.
I wish the Unis here in Brisbane would do stuff like that! Well done again, and I'm quite jealous!
You would have been better off forcing them to register on your site to submit the resume, then check if they reused a password. Also you exploited trust in a way that could easily lead back to you.
The best attacks are always the ones where the victim is truly surprised at how far you were willing to go to pull it off. So are the best magic tricks.
"You will be fooled by a trick if it involves more time, money and practice than you (or any other sane onlooker) would be willing to invest. My partner, Penn, and I once produced 500 live cockroaches from a top hat on the desk of talk-show host David Letterman. To prepare this took weeks. We hired an entomologist who provided slow-moving, camera-friendly cockroaches (the kind from under your stove don’t hang around for close-ups) and taught us to pick the bugs up without screaming like preadolescent girls. Then we built a secret compartment out of foam-core (one of the few materials cockroaches can’t cling to) and worked out a devious routine for sneaking the compartment into the hat. More trouble than the trick was worth? To you, probably. But not to magicians."
I felt pretty bad for the target. Even though he was fairly warned, and knew to expect social engineering attacks, you could see he was quite excited about the potential opportunity at X co; else he wouldn't have put so much energy into that looong email exchange. Poor guy. But good lesson, I suppose.
I thought "Please find attached herewith my resume for your kind perusal" was a joke but apparently that's how this person really responded. Recruiters: how does this forced, over-formal tone affect your impression of a candidate?
Not at all. When we have an opening I get dozens of those a day. I honestly skim them to see if there is any relevant information (there usually isn't)... and then go straight to the resume. So the language just doesn't register with me, at least not consciously.
Well-done versions include a couple of nuggets of information telling me why I should open that resume, but that's surprisingly rare.
I am guessing that the student in question was from India. That's how many Indians write official/business letters; likely a relic of the colonial times.
I suspect the other student was more susceptible to this sort of thing since he was a non-native speaker. I'd be curious to see if it would've worked on an American.
Speaking as an Indian who's had the opportunity to try this sort of thing on various Americans (and a lone Australian), it would've worked. The success of the attack probably has more to do with the susceptibility of each individual victim than their specific native language, though (and this is a sweeping generalization) many Indians do tend to have greater deference to authority (real or imagined) than their American counterparts.
> With this level of trust it would be feasible to gain access to information protecting online accounts, a very scary thought.
Does he mean 'feasible to gain access to login information for online accounts'?
I have read the page, and I'm not seeing it.
Yes, according to the page they had access to some degree of personal information beyond the more publicly accessible.
But that isn't the same as having access to their online accounts, or being near to getting it.
I meant that with that level of trust it wouldn't be too hard to adapt the attack to shift to gaining that sort of information, i.e., "We are adding you to our employee database but we need your SSN last 4."
But if they are a security-oriented company, maybe not so much. Hiding potential attack vectors (contact info of technical contact) can prevent or delay spear phishing attempts. Now, if Xrecruiting.com and X.com don't match, then that would be a red flag.
My point (in agreement with TazeTSchnitzel) was essentially this - if X was a large enough company, I would expect them not to hide their registration details, especially, I would argue, in the case of a security company, so that potential clients and employees can be certain of the veracity of the communications they receive. If I were to receive a communication from an email address not associated with the main domain of the company, I would be instantly suspicious if the whois data was obscured or concealed.
Indeed, as would I. But what makes a successful social engineering attack (or scam, in general) is giving people what they want before they have an opportunity to ask questions. While this exact attack wouldn't work on me now, it might have when I was looking to graduate from university. My desire for an industry job (and a prestigious one at that) might have clouded my typical judgment. So, hiding whois information can be immediately justified by "well, they are a security company", with any doubts expelled. Grifters and illusionists work in much the same way; the plot is full of holes, but over and over people see what they want to see.
It would've given me away. I wasn't super concerned that it would be looked up though. If this was a real attack and not just a demo for class, it would've been a better idea to fake the whois info.
It's an interesting time now. It used to frustrate me how I couldn't find an address with just the phone number - despite having a white pages that contained the info. I know this was by design, for privacy. Now if you search for a number, you're bound to get a hit for it, and can work out who it belongs to. I'm sure this will fail me one day, but it hasn't yet.
Today reverse look-up is by design, it seems. The limitation before was probably printing paper and not just a design decision, I'd guess. I'm not sure whether I like the new situation, but then none of my friends actually has a landline.