Tuesday, April 19, 2016
Final Social Engineering Task (Failed - Sadly)
Ok so my Final Social Engineering Task involved going to this computer store I often go to and getting a new customer phone number, because that's what they actually give the first time they are at the register, and call them in order to gain access to their newly bought computer.
The store in question was Microcenter, located in Cambridge.
I went there on a Saturday afternoon, the busiest day of the week. There was plenty of people, many for buying parts and a few for buying a new computer. I stayed in the store roughly 2 and a half hours before I saw a couple of people that finally decided to buy their computer.
Note that, I didn't go for customers who actually bought parted pieces to assemble one, as they are probably slightly tech-savvy and would recognize my scam right away if I called them.
The awkwardness began as I waited in line 2 different times to get the number of said customers. The first customer was a man in his 40s with his little kid, he bought him a preassembled gaming computer, and went through all the software aspect at the register. He literally stayed there for a legit half hour before he gave his phone number and was sure on what he was getting or not. I overheard he got a free copy of Norton for 1 year. So that was a really good thing for me, along his Windows 10 copy.
The second person (1 hour later) was a woman who bought a laptop. She said she needed it for work and web surfing. She also got an antivirus license a part from the 1 year offered by MC.
At the end of the purchase they both gave their numbers and email. Awesome. Now it was time to head back home and start my social engineering.
When I got home I waited roughly 2/3 hours to let them go back home and start messing around with their new computers.
The first victim I called was the man, my plan was basically to tell them that the antivirus key we provided was wrong and that I could have access their computer to install it directly, in order for them to save time from coming back to the store.
I guess that all this played against me for my accent or something because it didn't go well.
The guy answered the phone, I told him I was from Microcenter and confirmed his order total (which I had), his email (which I had) and first and last name. He hadn't installed the antivirus yet, so I talked him into doing it asap and that I would have done it for him in the first place by using teamviewer.
The conversation went good up until I asked him to install teamviewer. At that point he hesitated and asked me if I could call him back in 30 minutes. I said it was ok.
After the 30 minute wait, I called him back and.... well he called MC to verify it was actually them calling and busted me. R.I.P.
Discouraged by the event, I called the second person, the woman. Now I feel like she could know something already since she bought her own antivirus copy, but maybe not, who knows.
When I called her, the inevitable happened.
I started with the whole MC thing, and the antivirus etc etc. Turns out she was back to MC because she needed a mouse. Busted again.
The good thing is that this whole time I used a Google Voice number obtained from a stolen gmail account (Yes, there are plenty online on pastebin)and an android simulator with a copy of the software on it through VPN and TOR (surprisingly the calls weren't laggy at all) so as far as being traceable, well, good luck with that.
As I said again, I think my accent played a bad role in all of this probably, and if I waited longer I might have gotten a couple more numbers, but after 3 and a half hours of waiting I got a little impatience.
If played better this plan can go trough much easier. Besides that, if you actually stay on the microcenter line, you can easily obtain someone's phone, address, email and everything with no privacy involved at all, you can hear all that.
With that said, I'm pretty sad for my failed attempt, I wish my final project was a successful hack.
Another thing I thought, was forging a microcenter envelope with a "free" usb key and send it to their homes, and hopefully wait them to plug it in and use it, so that I could remotely access their system, then call them and let them know, but time wise I didn't have any to perform such task.
From all the social engineering task, this is the one that actually made me feel most uncomfortable, because I had to lie to a bunch of strangers, where I am not a person that likes to lie at all, and from the ethics point of view, having all this data about random people felt a little creepy too..
Subscribe to:
Post Comments (Atom)
Lots of work! 8 points even though it failed
ReplyDelete