Social Engineering Lab 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

1 hour 1 minute
Video Transcription
everyone Welcome back to the course. So in the last lab, we took a look at a fictitious profile of our user, Philip Nomad. Now, that was inside this operate lab environment.
What I've done here is I've created a fake Facebook profile. So I just want to add some things in on this particular profile that I've seen. A lot of people actually leave open for anyone to view, and we'll talk a little bit about how an attacker could use that information against you.
So this is gonna be a pretty short lab where again, just could be accessing the Facebook profile, reviewing it, and then moving forward from there
so you can go to Facebook and trying to search for T. S. Smith. That's our fictitious user in this scenario. But the easier option is actually, just click on this link here or copied and pasted that into your browser, and that'll take you directly to Tia's Facebook page.
That way, you don't have to worry about trying to figure out where is Tia at and searching like that through Facebook.
All right, so once you click that, you'll notice that I'm actually loved interest here, right? now, So I've got access to a little more information than you'll likely see on your end. But I grabbed these questions here based off what information?
So first thing we're gonna do here just for review her timeline post. So let's go ahead and do that now.
So we see a poster. I love Cy Berry.
We'll see another one. That may be a photo or something didn't come through on,
and that's related to Bitcoin. And then we see that you know, T has got a pretty recent profile here, and I kept that that way on purpose.
We noticed that, T I just put up kind of a photo of her, and that's again just kind of silhouette there. We also noticed about Bitcoin. They're So maybe we could figure out what kind of exchange she's on, or we can communicate with her and say, Hey, I'm into Bitcoin or you and into Bitcoin. And of course you'll say, Oh yeah, yeah, I invested in it and then you can figure out what Cryptocurrency
Uh, excuse me. She's, you know, using Bitcoin. But you could figure out
how much he's invested in that sort of stuff
and of course. We see she loves cyberia. So that might tell us. Maybe she works there. Or maybe she just likes the website.
Let's go back to our lab document here.
So now we're gonna click on the about section, So Step number four here. That's actually our last step of this lab. We're just gonna answer these additional questions here,
So let's click on the about section right here.
Yes, we see that it looks like she lives in Salt Lake City, Utah. Okay,
if we keep clicking around here, we'll see that we've got some work and education information, So Looks like she works at Siberia's a hacker,
and she looks like she went to be why you were Brigham Young University. If you're not familiar here in the United States,
we also see a high school there as well.
So it's trying to answer a few of these questions here. So what company does she work for? What? We just had seen that cyber re, At least according to her profile,
what school did she attend? Well, we noticed that for college, at least she went to be why you
And then it looks like for high school. She went to Medora South High School
yourself. Hi.
All right, well, next question is do we see her birthday, huh? Well,
let's take a look around to see if we have CIA birthday anywhere at all.
So let's click on places you've lived. While we were already there, we noticed that was Salt Lake City contact and basic info. Let's see here. Oh, looks like we have a birthday right there. Right?
The April 5th, 1978.
All right, so that answers that question there. Let's see how long she's been married for. So let's go to family and relationships.
Uh, looks like she's single. They're so ah ha. That was a trick question, right? She's single. So she hasn't been married for any period of time.
All right, And then, finally, question number six year. What is she like? Well, let's, uh, let's take a look at details about you. Maybe she's got some more information right there.
Well, we she's to see that she's just a profile used for testing. Ah, but she likes long walks on the beach and anything outdoors. Okay, great.
Now, of course, this was fictitious, right? But you can get a general idea of some of the information people leave out there for you. You can also in many cases, see phone numbers. So if you go back to contact in basic info, I didn't put a phone number. And here because, as you probably already know, Facebook verifies your phone number. S o. I didn't want to put like, a real phone number in there,
but we see for, you know, for our example, that many people will actually put their mobile phone mobile phone number in there for you. And you could just grab that information. I found that Lincoln is even a little worse. People leave a phone number an actual ah, phone number, email address.
They'll leave website your l believe, like personal website information.
Some people have even seen link like their Facebook or other social media to linked in. So just be mindful as you're setting, setting up your own profiles were talking to your own family members and stuff like that. Just always tell them, like, don't share all that information because anybody can see it
now. I mentioned at the start of this lab we want to talk about, like, what can we actually do with this information? Obviously, if we can get the email address here, which I'm not gonna show you because that's hidden from the timeline.
But if we give that information or her date of birth or even the information about Bitcoin or Sigh Berry, that's all information that we can use to target Tia. Now let's say we're going after cyber for an example. I don't recommend that because we have a lot of people that know howto happen. So that's not a good thing for you to do.
We also have a lot of forensic investigators that give back to the site. So
again, not a good thing for you to do. But let's say cyber was our target company and we noticed that Tia works there. So now we can look a T s profile, we can get some information about her address. Would you see her date of birth? That sort of stuff we see also, as I mentioned before about Bitcoins, weakened
either here on Facebook or we can go try to find her unlike linked in, because many people will have a profile on both
so we can go track her down a linked and that's probably easier platform to initiate communication on this. I Hey, are you in the Bitcoin it off? She might even have a list of There is a scale or something like that. We could say, Hey, you know, Do you like Bitcoin? If you do great, let's talk about it. You know, I'm into Bitcoin. Hello? I see you're in. You know, I see you're in a Salt Lake City, Utah. Oh, so and I
let's meet for coffee
and then you could actually go metea and find out more information about her as well as trying to find out more information about the company.
So what A lot of different things we could do with all this information people love to share on social media. Some things I didn't add in here, I didn't have photos. Of course, I didn't friend anybody because I want to keep this effect profile, and I didn't wanna try to trick anybody else.
But many people are gonna allow you to access their friends list as well as photos so you can find a good deal. Information off people's friends list. You can click on their friends and you can usually see a lot of good information about the target themselves from their friends. A lot of friends would post a lot of information. So for people that might be a little more security conscious and leaving off like your date of birth or email of your set sort of stuff
we can if they got it open where we can look at their friends list on social media,
then from there we can potentially get more information about our target.
So this was just a quick example again, just looking at a social Media profile just want to show you more of a real life example. Aside from our fake one inside of the the cyber re lab environment there and the next lab, we're gonna go ahead and use a tool called the Social Engineering Tool Kit or set, as it's more commonly called. And we're going to use that to craft a phishing e mail
and then send it to our target, which in this case will actually be us,
and we'll go ahead and click on the email with our malicious file. Open it up and then we'll take a look at what the file has done to us at that point.
So I look forward to seeing you, and in the next video
Up Next
Social Engineering

We will explore some fake social media profiles, craft our very own phishing email and malicious payload using the Social Engineering Toolkit (SET) in Kali Linux, and play the “victim” by opening the malicious file.

Instructed By