Practical Social Engineering Tactics

By: MohammadYahya

October 13, 2016

Attackers know that hacking a WiFi key is just a temporary thing. Maybe they think, why not hack the entire connection instead? Well, here are some basic "tried and true" social engineering tactics that actually work, and that you should be aware of. Don't get taken advantage of by these simple actions.

1. The Cold Call: When hacking something, port scanning is done first to understand the target and system flow (services, etc.). Short-duration calls can be made to your ISP asking to change or reset your password.

A simple conversation might go like this:

"Hey, this is J**N here. How can I help you?"

"Hello, I just want to change my PPPoE password. I recently did a reset on my router, and I forgot the password. How can I change that?"

"Username please?"

"My username is ******"

"Is this your number? 7*******28??"

"Yes, this is mine."

"And blah blah blah is your address??"

"Yes Yes..."

"You have to msg PASS followed by your username, and your reset password will be sent to your phone. You will soon find this format in your message box."

"Fine, Thanks"

"Something else sir?"

"No"

"Have a good day."

Conclusions:
  1. Only a username was requested. This can be easily acquired.
  2. If access to the phone connected to the account could be gained, the SMS used to reset the password could easily be intercepted.
  3. Letting the caller confirm details by just answering "yes" was insecure on the company's side.
  4. The phone was the vulnerability here.
2. Getting more: Another call is placed to ISP support asking to change the phone number.

Sample conversation:

"I wanted to change my number." (Obviously, calling from a different number.)

The same conversation followed: he asked for the username, and it was provided.

He said that I had to verify my identity and asked, "May I know your old number, please?"

I responded correctly.

He asked for my address. I told him.

He asked for my birth date. Again, correct information was provided to him.

"May I know your new number please?"

An alternate number was provided.

Once the confirmation message is sent to the new number, the attacker is able to hack into someone else's connection. All that was needed was someone's username and basic account information.

Conclusions:
  1. They verified the caller's identity using information that was publicly available.
  2. What was needed to change the number?
    • Old Phone number
    • Address
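
A defensive illustration of the two sets of conclusions above, added here and not part of the original post: a check that a contact-number change was backed by more than knowledge factors, plus a rule that flags an SMS password reset delivered to a number changed shortly before on knowledge-only verification. The event fields, factor names, the 72-hour window and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Possession factors prove control of something on the account; username,
# old number, address and birth date are knowledge an outsider can collect.
POSSESSION = {"otp_to_number_on_file", "in_person_id"}  # hypothetical names
HOLD = timedelta(hours=72)  # assumed cool-off after a contact-number change


def verification_is_sufficient(factors):
    """A contact-number change needs at least one possession factor."""
    return bool(set(factors) & POSSESSION)


def flag_takeover_chain(events, hold=HOLD):
    """Flag SMS resets sent to a number changed recently on weak verification."""
    alerts, last_change = [], {}  # last_change: account -> (time, number, weak)
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if ev["type"] == "phone_change":
            weak = not verification_is_sufficient(ev["factors"])
            last_change[acct] = (ev["time"], ev["new_number"], weak)
        elif ev["type"] == "sms_password_reset" and acct in last_change:
            changed_at, number, weak = last_change[acct]
            recent = ev["time"] - changed_at <= hold
            if weak and recent and ev["sent_to"] == number:
                alerts.append((acct, changed_at, ev["time"]))
    return alerts


# Constructed sample events (not real data).
T0 = datetime(2016, 10, 13, 9, 0)
EVENTS = [
    {"time": T0, "account": "user-a", "type": "phone_change",
     "new_number": "555-0101",
     "factors": ["username", "old_phone", "address", "birth_date"]},
    {"time": T0 + timedelta(minutes=20), "account": "user-a",
     "type": "sms_password_reset", "sent_to": "555-0101"},
    {"time": T0, "account": "user-b", "type": "phone_change",
     "new_number": "555-0102",
     "factors": ["username", "otp_to_number_on_file"]},
    {"time": T0 + timedelta(minutes=5), "account": "user-b",
     "type": "sms_password_reset", "sent_to": "555-0102"},
]

if __name__ == "__main__":
    for acct, changed, reset in flag_takeover_chain(EVENTS):
        print(f"ALERT {acct}: number changed {changed}, reset sent {reset}")
```
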

3. Final Conclusions: It is not always necessary to be a programmer or an “elite” to hack into someone’s network or someone's internet connection via hardcore hacking skills. You can do it non-technically too.

I hope you all learned from this. Do let me know if you find some error or anything. Feel free to share what's on your mind.