Training session 27: Social Engineering #2
Learn the Art of the Scam
The best way to learn social engineering is to practise it, once you have the theory go out and try it. A very small case to social engineer is to go down to your local deli, and convince them to give your five cents of something in the store. Although its only five cents, and its generally rather easy to do, it is still a perfectly legal excercise you can do to practise social engineering. Small scamming like this can lead onto larger excercises, the following is one that was actually followed through and affected a reasonable portion of the population.
A business advertised itself in the newspaper with a large add, offering to sell people a computer for $300 australian, in exchange for you filling out a survey once a month for two years. You send away the mone and they deliver a computer to your door.
This scam worked extremely well, a very large ammount of people sent away for the computer, and recieved nothing. Even a few intelligent people were scammed by this. Let us examine why this perfectly legal scam worked:
The first thing that everyone saw was the advertisement. It was very colourful and used good english to explain itself. It explained that you ring a toll free number and give them your details, from there they would post out the application form for a computer. The advertisement itself was relatively expensive to put in the newspaper, and its full page positioning made it seem like this business was an experienced large corporation. The colour used was mostly blue and relaxed the reader. Since the phone call to get an application form was toll free, anyone could ring it and get a form without feeling any loos or risk.
For the more intelligent, if you were to search on the internet for the business, they had a .com site which links to three diferent countries with which the business was being run. A reasonable ammount of effort was put into this to make the business appear much bigger than it actually was. If you were to go further into the site, you would find a lack of information, and the diferent countries pages unusually nearly the same, the only changes were the addresses. A quick look at the website would make it appear legit, but a deep look would reveal a slight bit of hesitation.
When you rang the hotline, the normal 'please ring during business hours, thankyou for calling' message was played. If you were to ring it during business hours, you would be put onto a young man, roughly in his thirties who would answer general questions. Any questions would pretty much just be just answered the same way the ad did. Nothing is said to arise any suspicion, and the young mans voice is reasonably convincing. You give him your details and he says your application form will be sent out to you within a few days, and says thankyou for showing interest.
The next step was the letter, it arrived on time in a nice neat envelope. The application for was nice and detailed with a colour logo at the top. You would write a check and send the money with the application for to the business. The business waited a few weeks before cashing all the cheques and declaring they are bankrupt, and sending out a few more letters saying they were unable to get the computers. The business would then startup in another country or state and do it again.
The profit from this excercise is rather large, if they only 'sold' ten computers that would be $3000. The number of sold computers was actually much higher than this, and was around the 400 computers mark, thats a huge $120,000 from a few weeks work and about $1000 worth of expense. The entire process could be run over five diferent states at the same time with minimal expense. The profit of this would roughly be $600,000. The process would then be started in another country.
Lets look at what effort the scammer put in. Firstly the advertisement had to be made convinving, if first impressions were that it was a scam, no money would be made. Second a toll free hotline would be used so as to not associate any real phone numbers with the scammer. A business is started with a fake name so the real creator doesnt have his name disgraced and cant do it again. The scammer sits at the phones and answers questions, more than one person may be needed for this. After a while a mass load of letters is made and mailed out to the applicants. The postal address is a Post Office Box so that no real address is associated and the business premises are never seen. After a nice ammount of money has come in and no more appears to be coming, the money is taken and the business is declared bankrupt, and therefore unable to pay back the people who bought computers.
From this scam we learn that people are gullible, and even intelligent people can be scammed. The idea that you fill out surveys which are then sold, and the roughly half price wholesale cost of the prebuilt computers seems very possible. The extent of effort in making the scam seem believable is what made it work. Playing with people trust of companies that appear large make them less worried about sending money. Although i do not recommend scamming people on this scale, the process that is taken to perform this can teach us alot. Now practise what you have learnt, go out there and convince McDonalds that you should be given more food for free, social engineer yourself a free internet account, make your teacher believe you really did do that homework that you never really did, everything can be reality cracked, you just need to find the hole in the process...