Contents

Cover  1
Title Page  5
Copyright  6
About the Author  9
About the Technical Editor  9
Credits  11
Acknowledgments  13
Contents  17
Foreword  21
Preface  23

1  A Look into the New World of Professional Social Engineering  25
    What Has Changed?  26
    Why Should You Read This Book?  28
    An Overview of Social Engineering  30
    The SE Pyramid  35
    OSINT  35
    Pretext Development  36
    Attack Plan  36
    Attack Launch  36
    Reporting  36
    What's in This Book?  38
    Summary  39

2  Do You See What I See?  41
    A Real-World Example of Collecting OSINT  41
    Nontechnical OSINT  46
    Observational Skills  46
    Technical Open Source Intelligence  56
    Two Other Things  76
    Tools of the Trade  83
    SET  83
    IntelTechniques  83
    FOCA  84
    Maltego: The Granddaddy of Them All  84
    Summary  85

3  Profiling People Through Communication  87
    The Approach  90
    Enter the DISC  92
    What Is DISC?  93
    To Know Thyself Is the Beginning of Wisdom  95
    Summary  104

4  Becoming Anyone You Want to Be  107
    The Principles of Pretexting  108
    Principle One: Thinking Through Your Goals  109
    Principle Two: Understanding Reality vs. Fiction  111
    Principle Three: Knowing How Far to Go  112
    Principle Four: Avoiding Short-Term Memory Loss  115
    Principle Five: Getting Support for Pretexting  118
    Principle Six: Executing the Pretext  119
    Summary  122

5  I Know How to Make You Like Me  125
    The Tribe Mentality  127
    Building Rapport as a Social Engineer  129
    The Moral Molecule  130
    The 10 Principles of Building Rapport  131
    The Rapport Machine  144
    Use the Friends and Family Plan  144
    Read  144
    Take Special Note of Failures  145
    Summary  145

6  Under the Influence  147
    Principle One: Reciprocity  149
    Reciprocity in Action  149
    Using Reciprocity as a Social Engineer  151
    Principle Two: Obligation  152
    Obligation in Action  152
    Using Obligation as a Social Engineer  154
    Principle Three: Concession  155
    Concession in Action  155
    Using Concession as a Social Engineer  157
    Principle Four: Scarcity  158
    Scarcity in Action  159
    Using Scarcity as a Social Engineer  159
    Principle Five: Authority  161
    Authority in Action  163
    Using Authority as a Social Engineer  164
    Principle Six: Consistency and Commitment  166
    Consistency and Commitment in Action  166
    Using Commitment and Consistency as a Social Engineer  168
    Principle Seven: Liking  170
    Using Liking as a Social Engineer  171
    Principle Eight: Social Proof  172
    Social Proof in Action  173
    Using Social Proof as a Social Engineer  173
    Influence vs. Manipulation  175
    Manipulation in Action  175
    Principles of Manipulation  177
    Summary  180

7  Building Your Artwork  181
    The Dynamic Rules of Framing  183
    Rule 1: Everything You Say Evokes the Frame  186
    Rule 2: Words That Are Defined with the Frame Evoke the Frame  188
    Rule 3: Negating the Frame  189
    Rule 4: Causing the Target to Think About the Frame Reinforces the Frame  190
    Elicitation  192
    Ego Appeals  192
    Mutual Interest  194
    Deliberate False Statement  196
    Having Knowledge  198
    The Use of Questions  201
    Summary  206

8  I Can See What You Didn't Say  207
    Nonverbals Are Essential  208
    All Your Baselines Belong to Us  211
    Be Careful of Misconceptions  214
    Know the Basic Rules  218
    Understand the Basics of Nonverbals  220
    Comfort vs. Discomfort  222
    Anger  222
    Disgust  225
    Contempt  227
    Fear  229
    Surprise  231
    Sadness  235
    Happiness  239
    Summary  244

9  Hacking the Humans  247
    An Equal Opportunity Victimizer  248
    The Principles of the Pentest  249
    Document Everything  252
    Be Judicious with Pretexts  252
    Phishing  253
    Educational Phishing  253
    Pentest Phishing  254
    Spear Phishing  255
    Phishing Summary  256
    Vishing  257
    Credential Harvesting  257
    Vishing for OSINT  259
    Vishing for Full Compromise  260
    Vishing Summary  263
    SMiShing  264
    Impersonation  265
    Planning an Impersonation Pentest  266
    Considerations of Sanitization  268
    Equipment Procurement  269
    Impersonation Summary  270
    Reporting  270
    Professionalism  271
    Grammar and Spelling  272
    All the Details  272
    Mitigation  272
    Next Steps  273
    Top Questions for the SE Pentester  274
    How Can I Get a Job Being a Social Engineer?  274
    How Do I Get My Clients to Do SE Stuff?  275
    How Much Should I Charge?  277
    Summary  278

10  Do You Have a M.A.P.P.?  281
    Step 1: Learn to Identify Social Engineering Attacks  283
    Step 2: Develop Actionable and Realistic Policies  285
    Take the Thinking out of the Policy  285
    Remove the Ability for Empathy Bypasses  286
    Make Policies Realistic and Actionable  287
    Step 3: Perform Regular Real-World Checkups  288
    Step 4: Implement Applicable Security-Awareness Programs  290
    Tie It All Together  291
    Gotta Keep 'Em Updated  292
    Let the Mistakes of Your Peers Be Your Teacher  294
    Create a Security Awareness Culture  295
    Summary  298

11  Now What?  301
    Soft Skills for Becoming a Social Engineer  301
    Humility  302
    Motivation  302
    Extroverted  302
    Willingness to Try  303
    It Really Works!  303
    Technical Skills  304
    Education  305
    Job Prospects  307
    Start Your Own Company  307
    Get Hired by a Pentest Company  307
    Get Hired by a Social Engineering Company  308
    The Future of Social Engineering  308

Index  311
EULA  322