Darknet Diaries - 69: Human Hacker

Episode Date: July 7, 2020

We all know that computers and networks are vulnerable to hacking and malicious actors, but what about us, the humans who interface with these devices? Con games, scams, and strategic deception are far older than computers, and in the modern era, these techniques can make humans the weakest link in even the most secure system. This episode, security consultant and master social engineer, Christopher Hadnagy, joins us to share his stories and wisdom. He describes what it was like to be a social engineer before the world knew what social engineering was and tells some of his amazing stories from his long career in penetration testing.

A big thanks to Christopher Hadnagy from social-engineer.org for sharing his stories with us.

Check out his book Social Engineering: The Science of Human Hacking, affiliate link here.

Check out his podcast called The Social-Engineer podcast.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

Support for this episode comes from LastPass. LastPass is a great password manager but it can do so much more. It can set up 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Sources

https://www.social-engineer.org/
How phishing scammers manipulate your amygdala and oxytocin TEDxFultonStreet
DEF CON 22 - Chris Hadnagy - What Your Body Tells Me - Body Language for the SE
https://en.wikipedia.org/wiki/George_C._Parker

Book Recommendations with affiliate links: Social Engineering; Influence; What Every Body is Saying; Emotions Revealed; Presence; It’s Not About “Me”, Top 10 Techniques for Building Rapport

Transcript
Starting point is 00:00:00 Before we really had the term social engineer, people used to just say con artist. Because what a con game is, is where you gain someone's trust and then defraud them. Social engineers gain people's trust in order to trick them. Same thing. And one of my favorite con artists was George C. Parker. He made a living off of selling things he didn't own. He lived in New York City in the early 1900s. A lot of immigrants were moving into the city, and he wanted to take advantage of their lack of knowledge about the
Starting point is 00:00:30 city. Grant's Tomb was built in 1897, which is the final resting place for Ulysses S. Grant. It's right in Manhattan, and it's an extraordinary monument. You can even go inside and look at the casket. It's a popular tourist attraction. George C. Parker saw so many people coming to see Grant's tomb, he wanted to somehow make money off this. And not by selling popcorn or hot dogs or flowers. No, George's idea was to sell Grant's tomb itself, even though he didn't own it. He got to work drafting up fake documents, which showed he was the grandson of Ulysses S. Grant. And then he rented an office to look like a legal place where you can make such a transaction. And then he went around town looking for victims. There's a lot of
Starting point is 00:01:15 people walking around in New York City, stopping for shoe shines, grabbing the paper. It's easy to strike up conversations with anyone. George found someone interested in buying Grant's tomb. George forged some documents, which looked like he was the owner. And he told the victim that he could make a lot of money off this place if he would just charge people to come take a look at the casket. And so he made the deal. He sold Grant's tomb to someone, even though he didn't own it. In the following decades, George C. Parker went on to
Starting point is 00:01:46 sell dozens of other landmarks in New York City. He sold the rights to plays and operas. He sold Madison Square Garden to someone once. He sold the Metropolitan Museum of Art once, and the Statue of Liberty. But my favorite thing that he sold was the Brooklyn Bridge itself. He would tell people that they could set up a toll booth on the Brooklyn Bridge and make a lot of money from all the cars passing by. This was such a great con game that George sometimes sold the Brooklyn Bridge twice a week. And the city would often have to come out and stop victims from erecting toll booths on the bridge. And that's where we get the term.
Starting point is 00:02:24 If you believe that, I've got a bridge to sell you. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight.
Starting point is 00:03:18 But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private
Starting point is 00:03:49 by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to join delete me.com slash darknet diaries and enter code darknet at checkout. That's join delete me.com slash darknet diaries. Use code darknet. Support for this show comes from Black Hills Information
Starting point is 00:04:24 Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
Starting point is 00:04:54 But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. Can we start out with who you are and what you do? Sure.
Starting point is 00:05:42 It's kind of a loaded question. So, I'm Chris Hadnagy, and primarily I'm the CEO or my fun title is Chief Human Hacker of Social Engineer LLC. But I also run social-engineer.org, which is a free resource for social engineers or people interested in the topic where they can educate themselves and learn about things like stories and the science behind it. And then I also run a nonprofit called the Innocent Lives Foundation. How did you get into social engineering? Oh, that's fun. So I was working in the industry, but doing vulnerability assessments. So I want to say like maybe many of us started off that way, but I'm not sure. But yeah, back in the day, just kind of doing what I would say, very light security and understanding light security and then doing vulnerability assessments. And then I took a course called pen testing with BackTrack at the time before it was Kali
Starting point is 00:06:40 and got addicted to pen testing and ended up spending way more time than was healthy inside their labs and cracked a server that hadn't been cracked at the time and got a job offer from OffSec to work with them as their ops manager. And through that process of working with them and learning about real pen testing and how to do it, I found that my natural niche in the field was people, talking to people and learning how to influence them. So I started to write a framework on social engineering. That's what the social-engineer.org site is basically based on, is that framework.
Starting point is 00:07:18 And when that framework came out, I got a book offer to write my first book, which no one should read. And from there, my company was started. And now we're here 11 years later. Over a decade ago, Chris set up the website social-engineer.org. And there he started writing a framework to do social engineering, which is a guide, if you will, on how to do it. He wrote a code of ethics. He defined a bunch of terms,
Starting point is 00:07:45 and he outlines many of the different methods and attacks. X, you know, so like, let's say influence. So I wanted to understand influence. So I bought Robert Cialdini's book, and I read it. And I studied it. And then I took principles from that and tried them on a phishing email or tried them when we're breaking into a building. So I would write that down. And I went through my bookshelf and just kind of outlined, these are the skills I used. These are the places I learned them. And here's how what I took away from those lessons. And through that, it took about nine or 10 months that formulated the social engineering framework that is still alive on the site today. It's been updated, of course, since that time, but took about a year to do and it came out right around 2009.
Starting point is 00:08:38 Yeah. So Chris here, the chief human hacker, has literally written the book on social engineering, actually three of them at this point. But back in 2010, on top of the framework he was writing, he was also writing newsletters on social engineering and putting out a podcast about it. And then companies start calling because they're reading this, they see it. Again, it's the first time anyone's ever defined it. And they're saying, hey, would you come and test our company? Would you come and pen test us? Or would you come and phish us and tell us how we did? And I was like,
Starting point is 00:09:11 yeah, sure, we would try that. And again, at this time in history, there was no companies doing this. So it was hard. What do we charge them? How do we make a business out of this? We were trying to figure it out all as we went. And that's what started my company at that time, which was about 2010, 11 time, is when I separated and formed my own company focused strictly on social engineering. So you're aware of what a phishing email is, right? An email designed to get you to click a link in there, which will harm you somehow, whether it will get you to download malware or scam you or whatever. And when Chris gets a call to do a phishing campaign against a company, he gives them two options. You have the security awareness phishing, and then you have pen test phishing, right?
Starting point is 00:09:57 So security awareness phishing, the goal is education at the end. So those are usually done company-wide, like everybody, no matter if there's a thousand people or a hundred thousand people. They're done every month. And the goal is to get them to click a link that then brings them to an educational page. Because our end goal with that kind of phishing is to teach them how to catch it and how to report it properly. But in pen test phishing, the goal is much different. Pen test phishing, our goal is to steal credentials, to install an implant, to get a trojan or malware on the machine, somehow to compromise the network or the people for the pen test that we're doing. Now, I've worked with, I don't know, hundreds of
Starting point is 00:10:38 clients as a security engineer myself. And boy, let me tell you, none of them were interested in me doing phishing attacks on their employees. In fact, my own company that I was working for wouldn't even let me do phishing tests on our own employees. So it's just rare for companies today to try to phish their employees. But it was extra rare to see companies doing this in 2010. I got called by a really large financial institution and they said, we've been doing SE internally for a while, and we use your framework now. Would you be willing to work with us in actually testing our people? And for me, it was a shock because like you, I had the same experience. We would do a pen test for a client, and I would say to them, hey, can we send some phishing emails?
Starting point is 00:11:21 And they're like, nah, we don't really care about that. And I would offer them for free. I would say, let me send five for free. If you like what you see, we could talk about more on pay. And then they would be like, okay, yeah, you can send a few. And they would always work. And they would be like, no, I don't want to pay for them. They just work too good. And it's like, but that's why we should do it. So you were right. I was hitting this roadblock where companies didn't want to do it, but then this large financial institution says, let's do this. And all of a sudden, we are full board doing SE testing and phishing and all this other work in a major company that's global, and that word spread. And soon as that happened, other companies started saying, well, if you're working with them, maybe we should consider that.
Starting point is 00:12:10 And that is when we were sitting back saying, okay, I don't even know how the heck do we charge for this stuff. Where do you come up with pricing? How do you figure out what a service should look like since there was no go to Glassdoor and figure out what a typical social engineer makes? It was just figuring it out as we went. And then you're right. It still was a struggle. First five years, I don't, it was like pulling teeth, you would approach companies, and they'd be like, why do I need this? And it was a lot of education. And then as media started picking up stories of phishing attacks, and vishing attacks, and social engineering impersonation attacks, as media covered those more and more, it got to the point where
Starting point is 00:12:45 people, companies, you know, C-levels were hearing these stories and going, wow, this is a problem. And that's when it became easier to now sell those services like it is today, where most companies know they need social engineering services. But, you know, of course, as it wasn't before, there's a lot more competition. So it's like every other industry. Now they have to pick and choose who they deal with. So Chris sometimes gets calls to send everyone in the company phishing emails. And the goal is to give the employees education and awareness of this kind of attack. So for us, it's we levelize what I call levelize the phish. So we have like three different tiers. So let's say it's the same phish. Like right now, uh, one of the big things that's going around in the real world is, since
Starting point is 00:13:29 everyone's working from home, it's a new work at home policies, right? So if you're working from home, here's some policies you need to read. Uh, so a phish like that, let's say with a really basic levelized number one, it might only, um, it might look like it's just coming randomly to you. It's not personalized. It's not branded, you know, and it has even some spelling and grammar errors. Level two might come to you and it's not personalized, but it's, there's no errors in it. It looks a little more realistic. And then a level three, it looks like it's coming from your HR department. And all of these are geared to teach the employee two things. One is, can they catch the phish? So we're recording a lot of data.
Starting point is 00:14:11 Did they report it properly if they caught it? And if not, when they clicked it, did they go to the landing page that was given to them and read the information? Which in security awareness, a lot of people love to push like 10, 15, 20 minute CBTs. CBTs are computer based training, like your typical security awareness training you might get at a company. And those aren't great. I mean, those are those have a use and a purpose, but they're not great for what we're, you know, what we're talking about here. You want to give someone some information they can digest in 60 to 90 seconds. So it should be a, hey, you just clicked on a phish. Here's how you could have caught it, and please report it to this address.
Starting point is 00:14:49 And we find that that kind of security awareness phishing program helps keep the idea of phishing in people's minds, and they're much more aware about all phish throughout the month. And this kind of training works amazingly well. It really sticks with the employees who did click the link and got phished. That 60 seconds where they learned that they clicked on a malicious link is a powerful moment. Their online awareness and digital hygiene are instantly leveled up. When we've had clients that use a levelized approach that do it consistently. So these are the things, right?
Starting point is 00:15:21 You have to have a levelized approach, do it consistently and have messaging that isn't damaging. Now, what do I mean by that, right? Everyone's afraid of COVID-19 right now. So if we start phishing people with like, let's say, a phish that says, find out who in the office was diagnosed with COVID-19. Everyone's going to click that. And when they find out it's a test, they're going to feel hurt, especially if someone lost a family member. Let's say someone had a family member die because of the virus. And now they find out you use that virus as part of education. They're going to feel really hurt and you've taken away the ability to educate them. So your program has to be levelized, consistent, regular, and also it has to not step over that moral line.
Starting point is 00:16:07 And when you do that, we've – probably the case I love to use the most is we phished a client we had for five years. And after three years of consistently phishing them, they had a 78% reduction in actual malware on their network. So actual malware related cases on their network reduced by 78 percent because people were catching phish and reporting them properly without clicking them. So that that's a huge win when you think about doing it right. Pretty impressive, huh? Conducting phishing campaigns on everyone in the company as part of your security awareness training seems like a no-brainer in terms of how it helps improve the security of a company. Because a ton of malware enters the company by people clicking phishing emails. It's crazy these are still effective today, even though most people know about phishing
Starting point is 00:16:58 attacks and have been told over and over not to click on suspicious links. And you know what I've seen some companies do? Where I used to work, they used to give a bonus to employees who could demonstrate healthy behaviors. Like if you didn't smoke and you went to the doctor for preventative care and did regular exercise, they would incentivize you and give you an extra $500 a year as a health bonus. But some companies take this a step further and incentivize people demonstrating proper security hygiene.
Starting point is 00:17:24 Like if you're tested with phishing emails every month and pass, and then have implemented two-factor authentication properly, and then you use a password manager and you're virus-free for a year, you might get a digital health bonus too. Because some companies can really save money by incentivizing their employees to be more vigilant and secure, which results in less infections company-wide, because the overall benefit to security outweighs the cost. But enough about security awareness training. I want to hear a story about when Chris had to do a penetration test on a client.
Starting point is 00:17:58 So I had just hired Ryan. He's my COO now, and him and I were just working together. This was literally one of our first jobs together, going back a couple years now, and we were hired to go break into a you know, in doing the job. Like what was, when we arrive, were they going to be armed? Were they not going to be armed? How hostile would they be? Their task was to get into the bank in the middle of the day. Really, this was to see if they could get past security and into the inner areas of the bank. Because this bank wasn't really where customers come in typically.
Starting point is 00:18:43 So two foreigners just walking in off the street with no business being in there should not be able to get in this building. Security should stop them at the front door. But if they get in, the doors to every secure area in the building should be locked. So one of our jobs was that we had to put a USB key into random computers and hack the network. So we had to have like different pieces of software and malware on the USB keys that would allow us to show them that we could have, we weren't allowed to steal anything or get into sensitive parts of the bank.
Starting point is 00:19:16 But if we were to gain access to the network, they wanted us to prove that we would have been able to destroy them if we gained access to that parts. So that they wanted us to have software and tools with us that can prove those parts, uh, while recording also, so we can show them what it is that we were doing. On top of that, they were told to report any security issues they found along the way. So the objective is set. Time to get to work. So we had done a lot of OSINT and we found that the bank was undergoing an audit from an American company. Okay, OSINT is Open Source Intelligence Gathering, which is where
Starting point is 00:19:52 you look in public areas online for private information about a company. Chris didn't say how he did it, but here's how I would start. First, go to the company's LinkedIn profile. This typically lists a bunch of employees who work for that company. From there, you might see employees posting stuff right on LinkedIn, like, ugh, it's audit time again. Can you believe it? But if no clues like that show up, you can take this a step further. You take the names of the employees that are on LinkedIn and then try to find their Facebook profiles to see what they're posting there and look through all that. And if nothing is there, then take it another step further. Try to take that name and see if you can find their Reddit profile or their Stack Overflow name or some Twitter name or something else that you can go and scour those posts then.
Starting point is 00:20:42 And you keep pivoting around and eventually you'll find someone, somewhere, posting something that they shouldn't be posting. In this case, Chris found people posting information about a network audit being conducted by an American company on this Jamaican bank. Specifically, it was a PCI audit,
Starting point is 00:21:02 which stands for Payment Card Industry. Basically, if any business wants to process credit cards, they need to pass a yearly PCI audit. Since Chris and Ryan are both from the U.S. and understand the ins and outs of PCI, this would be a perfect cover or pretext. They were going to pretend to be PCI auditors to try to get access to the building. So we had printed business cards and button up shirts with that company's name on it, grab some clipboards. And we arrive in Jamaica and we drive to the location to scope it out first day. So it's a pretty big building. It was maybe three or four stories high, huge square. The whole parking lot is surrounded by a fence that has barbed wire pointing in.
Starting point is 00:21:47 There is a guard. As you pull into the parking lot, there's a guard booth with two guards sitting in it at the edge of the parking lot. They drive up to the guard gate, prepared to lie their way in somehow. So because it was daytime and it was, you know, they were expecting customers in and out. We weren't stopped at the gate. I mean, we were stopped, but we just said, oh, yeah, we're here to do some banking. And they let us right in. There was no issues. And as they enter the parking lot, they see some guys whiz by on dirt bikes. Not only were they on dirt bikes, but as they drove by, Chris and Ryan saw that mounted on the side of the dirt bikes were sawed off shotguns.
Starting point is 00:22:30 They're with security. They were bank security. And we're like, that's like, you know, in America, bank security is a security guard. Maybe he has a gun on his belt, but he's sitting at the desk or, you know, up front. These guys were on dirt bikes, like driving through the parking lot. It was just crazy. We were like, what? Ryan and I pulled up, the first thing, we both looked at each other and we both had this immediate thought, like, are we still going to do this job? And, you know, Ryan, he like says it, he goes, I didn't sign up for this. And I'm like, well, we just flew all the way here from America to Jamaica. Like, it'd be real shame to just come all this way and not even try.
Starting point is 00:23:08 And he's like, they have shotguns on dirt bikes. And I'm like, yeah, it's a little odd. But, you know, a gun's a gun and we break into armed facilities in America. And those facilities we, you know, we have a risk of getting shot, too. Yeah, maybe they're not on dirt bikes running around the parking lot. But still, you know, getting shot with a shotgun or a rifle or, you know, an AR is no different. It's all going to suck and we're going to get shot. So, and we do those jobs. That was really poor reasoning, but that was my reasoning. And, you know, like, you know, see, and he went along with it and we did it, but, you know, it's looking back, I'm like, whew, boy, that was a scary, scary moment.
Starting point is 00:23:46 They took a deep breath, drove through the parking lot and parked. The dirt bikes were whizzing by and they were just adding a whole new level of stress that they weren't expecting. They got out of the van and suited up. They put on a shirt with the company's name that was conducting the audit. They got their fake business cards ready. And, of course, my favorite. And a clipboard and the clipboard's hollow. So inside the clipboard are, you know, USB keys and other tools that we may need, lock picks, a camera that we can videotape things with. So there's, you know, inside the clipboard are a lot of different things that
Starting point is 00:24:19 we can carry. So we don't have to have them all in our hands when we're walking in. We take a look at this building. The building is mirrored glass. So as you're approaching it, you can't see through the windows because all the glass is mirrored. They got a little information about what's inside this building before coming in. So they know what it looks like inside before they even get in. As you open the front doors, there's a security guard desk right there with a, um, like with a metal detector, and, uh, the security guards are sitting behind a desk, but you have to walk through the front doors right past them to get to the staircase. Uh, that is the only access into the building. So there's no other access into that particular building in that area. You can go around the back, there were some loading
Starting point is 00:25:01 docks and other areas, but, uh, the front door was the only access through the security guards to get to the rest of the bank. So they walk up to the building. And as we're getting closer to the door, I said to Ryan, look, I'm just going to get on my phone, act like I'm having a conversation. And when we get inside, I'm going to say something like, hey, we're coming upstairs now. Just wait. We'll finish the audit in a minute, and we'll just walk past security like we belong. And he's like, is that going to work? I'm like, well, let's find out. And I open the front door, walk in, I pick up my phone, put it to my ear, and I'm like, yeah, yeah, Jack, we're in the front, we're coming upstairs. And we walk right past security and they don't even stop us. I mean, not even flinch. And, you know, you don't have time to pause and be like, what the heck? But
Starting point is 00:25:45 as we're walking up the stairs, we're both like, what the heck? You know, like, like that was way too easy. So we get upstairs and we realize we don't have time to stop and breathe and figure out where we go. I round the corner and there's a room that says ATM testing center, big sign on it says ATM testing center. And there's a woman who's walking right in front of us and she enters the room. So I just make a quick right and I enter the room right behind her. And Ryan follows right along. So we get in the room and she kind of startled. She turns around and she looks at me like, what are you doing? And I'm like, oh, we're here doing the audit for PCI. We're finishing it up. And she's like, oh, OK. And she just turns around and lets us in this room. They made it in.
Starting point is 00:26:26 They look around this room. It seems to be where they repair ATMs, big machines, which may or may not have cash in them, but they're all opened up in pieces around the room. Now, Ryan is like literally climbing up inside giant ATMs, taking pictures of all their circuit boards and parts. And there's a guy over with a computer testing out this ATM. So I walk up to him and I say,
Starting point is 00:26:50 explain to me what you're doing. And he walks me through how they code their ATMs. He shows me their software. He's basically giving me a free education on ATMs and I'm videotaping the whole thing. And he doesn't know I'm covertly videotaping it. So we were in that room for probably about 30 minutes, to the point where we're like, we have to leave, otherwise it's going to look really awkward,
Starting point is 00:27:10 that we just keep hanging out here talking to these people. So we tell them, okay, we're done, we exit. Now, remember, they are in Jamaica, so they look out of place here. But they had a ruse. Like, we're the only two white guys in literally this whole building. It was it was definitely culturally interesting there because we definitely stood out. So that's why we chose that we were working for an American audit company. That made that made sense of why we were there, that we weren't trying to be locals. We didn't
Starting point is 00:27:43 try to make believe we live there. We didn't try to make believe we lived there. We didn't try to make believe anything that would throw them off. We were like, yeah, we just came in, flew in from America last night because we're finishing the audit. So they wander the halls with a clipboard in hand, looking for something else of interest. And there's a long hallway. And at the end of the hallway, there's these two glass doors that we could see through. And there's these two glass doors that we could see through. And there's a there's a call center, I can see all these men and women sitting on phones and headsets, all these rows of computers, and I'm like, okay, that's a call center. And there's a RFID pad right next to the door. So we
Starting point is 00:28:17 you know, we assume, okay, the door's locked, we can't go just yanking on it. So we I'm walking really slow towards the door in the hopes that someone would either enter or exit, and I'd be able to hold the door for them or catch the door with my foot and get in without having to have a key. And it's like you can't even plan this as smoothly. It's like as I approach the door, this woman's exiting, and I go, oh, let me hold that for you. And I just – I pull the door. She unlocks it, and I hold it for her, and she says a really nice thank you. And Ryan and I walk into the test center. They get in this large office room. Rows and rows of desks and cubicles are here. Lots of people all over with headsets on talking to customers on the phone. open spot. And we're walking up and down these aisles kind of slowly. And I go down this one aisle and there's a computer that's on, but it's at its lock screen. And there's a woman sitting
Starting point is 00:29:12 right next to it on her computer. So I just say to her, hey, I need you to put your password in this computer here. And she looks, she stops and looks at me. She's like, what? What do you mean? And I said, I need you to log into this computer. She's like, but I'm using this one. I'm like, yes, I know, but I need you to log into this computer too. And she goes, okay. And she just gets up, and as she's typing her password, I start recording on my phone, and I hold my phone over the keyboard, so I'm recording her password on my, on my phone. Does she see you do this? She doesn't. So I, I'm doing it where I'm holding my phone on the back of a clipboard and I make a big stink about looking away from her so she thinks I'm not watching her type her password in, but I'm recording it on my phone. I call Ryan over.
Starting point is 00:29:52 He sits down. He pulls out one of the USB keys, and he starts hacking the network from there. While Ryan's doing that, I just turn around, and I notice that there's this guy sitting at a desk right behind us about five or six feet. And he gets up to use the bathroom, I assume. He just gets up from his desk and he walks away. And when he walks away, he leaves his computer unlocked. He leaves his badge on the desk. He leaves everything there.
Starting point is 00:30:18 So I go over to his computer and sit down and just start scrolling through banking screens, applications. I take a picture of his badge for cloning later. And then Ryan comes over and he starts hacking that computer. So we now are on these two machines and we're like, OK, we've been in the ATM testing center. We hacked the network. We've run two different machines. You know, it's time for us to start exiting. Ryan and Chris start packing up and planning their escape out of there. We start thinking of an exit strategy and a woman comes over and she says,
Starting point is 00:30:51 what are you doing here? And we're like, oh, we're finishing up the PCI audit. So we're just testing speeds on these computers. And she's like, okay. And she walks away. I'm like, man, that was way too easy. Well, two minutes later, she comes back with a manager and manager says, you know, who is your contact here? And I said, oh, you know, I don't I don't have a contact here.
Starting point is 00:31:10 And she goes, everyone who's allowed in the bank has a contact. How'd you get in here? I said, well, we're working with that American audit company. I said the name. And she goes, yeah, I know them. They've been here for the last month. And I'm like, right. And we're just finishing up the audit on speed and other things. So I just was told to come do the test. I said, I can give you my American contacts. She's like, no, I need your local. She goes, come with me. She begins escorting Chris and Ryan to the security desk at the front door of the building.
Starting point is 00:31:36 Now, Chris is already a step ahead. He thought about what he would do if he got caught. Because it's never over when you get caught. This mission has just changed to see if you can escape from being caught. And Chris's plan was pretty brilliant. So they had hired us to come down and do the social engineering part. So I said, look, you sit in the van, you're our local banker guy. So you use this name
Starting point is 00:32:13 and if they call, you answer as this, right? Pretty clever. Someone with a local accent who can pretend to vouch for them might just be a pretty convincing fake get out of jail free card. So we get to security and she says, you know, check on these people. And then she leaves. So I tell the security guy, I'm like, look, you want to talk to the, you know,
Starting point is 00:32:34 my contact here at the bank? And he's like, yes. So I call on the phone. Chris uses his own cell phone to call his buddy who's just in the van in the parking lot to pose as someone who works at this company. And I say, hey, I need you to talk to the security guard. So he basically said, uh, the security guard said, so, um, you know, do you know these two people? And we gave them the fake names because we have fake business cards. And he said, oh yeah, yeah, they work for this company, you know, this, um, auditing company. He's like, yep, that's what their card says. And he's like, yeah, they're supposed to be there doing a speed and an internet connectivity test.
Starting point is 00:33:09 And he's like, yep, that's what they were doing. And he's like, okay, that sounds legitimate. And he's like, great, then please let them continue doing their job. And that was it. And then at that point, you know, he said, well, you're verified. And I'm like, okay, well, we're going to just take a break and then we'll come back. Because we, this point, we didn't know if if going back in the building was going to get us arrested. And, you know, I don't know about you. I've been arrested a lot of times on jobs in the States. Getting out of that's relatively easy. I did not know how getting arrested in Jamaica was going to be.
Starting point is 00:33:37 So we decided to exit the building. Plus, I mean, we hacked the network. We hacked the ATM stuff. So we were like, yeah, we're pretty much done here. So we exited the building and then went to our next location. All objectives on the first building have been accomplished. In and out, no problem. Easy peasy. At least to someone who's as skilled as Chris and Ryan.
Starting point is 00:33:56 Time to head over to the second bank building. The next one, though, is where their NOC is. This is the Network Operations Center, the room where a bunch of network technicians and engineers are all actively looking for network security incidents within the bank's network to resolve them. Well, Chris and Ryan are about to be
Starting point is 00:34:14 two major network security incidents if they can get into the NOC. So this should be an interesting match. Inside the banking property, which looked just like the other property, you know, the barbed wire fence, the whole nine yards, there was a smaller building that was surrounded by another barbed wire fence, and that was the NOC. And we, you know, we ring the bell and the security guard comes out and he says, you know, what's your name? I told him what
Starting point is 00:34:41 we were doing. And he looks at his list and he's like, you are not on the list. I'm going to need to call and get approval. So I said, oh, man, if you can, I said, look, we're two Americans, and we're not used to the heat here. Can we come in and wait in the air conditioning while you make the calls and verify us? And he thought about it for like a good five, ten seconds, and he's like, yeah, okay. So he presses the button, unlocks the gate, and we get in. I'm thinking, this is it. While he's in his office making calls, we're gonna hack the whole NOC. We're gonna be out. So, um, he lets us into the front. We're sitting by these two computers, which I'm like, Ryan, as soon as he leaves, this is it. And he goes, okay, you guys wait here, I gotta go
Starting point is 00:35:19 to my office. And we're like, sure, no problem. We won't move. We'll just sit here in the nice AC. Thanks for being so cool. And, uh, and he gets up and he puts his head around the corner and he yells something to some guy. I couldn't understand what it was. And a second later, this dude, I swear, he was the biggest man I've ever seen in my life. And I am by no means a small person. This guy made me look like a miniature human. This guy must have been 6'10", 6'11", and he was as wide as a doorway. He had a flak jacket on that had knives at different intervals in his flak jacket.
Starting point is 00:35:55 He had a giant billy stick on his one hip. On his other hip, he had a sawed-off shotgun, and then he had a handgun on the belt on his other side. This guy comes and he stands with his arms folded in the doorway, and I just leaned over to, like, touch the computer, and he went, mm-mm, just like that. I went, no, no, I'm not doing anything, man. I'm not doing anything.
Starting point is 00:36:16 And, like, Ryan leans over. He's like, I'm not going to try. And I'm like, don't try. Don't try. At this point, Chris makes a decision. This is not going to work. Time to figure out a way to escape. But you don't want to just get up and run
Starting point is 00:36:29 while this big guy with weapons is staring at you. But Chris has prepped really well for this and has a plan. That morning, before coming into this building, he compiled a lot of data on this company. He scoured the internet and researched a bunch of employees here and even made some phone calls to talk with some of those people. All this was done that same morning. We went to LinkedIn and we pulled up the employees of this bank and then we found ones who listed their phone numbers and we started calling people who were in positions that we thought would be able to say, like, they would be our contacts if we were legitimate auditors.
Starting point is 00:37:08 So calling like the CISO or the CIO. And what we wanted to do was call them, ask them a couple weird questions and nothing about audits. Just be like, oh, hey, is this Joe? And they'd be like, no, this is not Joe, to hear their voice. And we were hoping that if one of them sounded a lot like our Jamaican contact, you know, like we don't like if they were older or had a rough voice or whatever, if they sounded similar, that we can have that guy play the part of of of the CISO and then give us that fake permission. You get it right. They were trying to find somebody within the company that sounded like their third guy in the van so that he could pretend to be the person on the phone. And one of the people they tried calling was the chief information officer. But when they called the CIO, they never got through. The secretary said, oh, he's not into it. He's on a business trip. He flew to another island. And then I just asked, so when will he be back? Well,
Starting point is 00:38:00 not till later this afternoon. You know, like, OK, great. Then, you know, we'll call back then. Now, he took this little bit of information he learned earlier that day, and he's sitting in the building with a NOC, and this huge armed guard is staring at him, and he waits for the other guard to come back. When the guy came back, he's like, look, I can't verify you. No one knows who you are. I'm a little worried. I said, oh, you know, the guy who's supposed to be in contact with us,
Starting point is 00:38:24 I heard he's off the island today. He's on a business trip somewhere. And he said, yeah, that's what they told me. And that was the only thing that saved us because I knew a story that he had found out just now on the phone. I said, yeah, well, that guy's our contact. You know what? Why don't we do this? He's supposed to be back in a couple hours. So why don't we go? We have another site that we're supposed to go to. We'll go do that site. And then we'll come back in a couple hours when he's landed from his business trip. And he's like, OK, that's cool. And we got the heck out of there and left and never came back. We had no other sites. We were done. So we
Starting point is 00:38:57 did nothing there. We didn't hack that. We completely failed on that job. But it was like this guy could break both of us in half without thinking about it. And failing is actually good. It means their security was better than Chris. And Chris is a professional. So at this point, Chris and Ryan write up a full report and have a meeting with the client to go over everything. Yeah, you know, that's what I love about working with clients like that, is they were very happy. So they weren't mad. They weren't like, oh, you guys are jerks. They really loved the story. They loved how far we went. They loved that we also didn't try to hurt anybody or damage anybody. They loved that we followed all the rules, but mostly they just loved that we proved where their vulnerabilities were because at the end they said, well, what could have stopped you? And I gave them like three or five different points of where we could have been stopped at any point in time, and we weren't.
Starting point is 00:39:44 I'm interested to hear those points. Sure. So the first the first point was when we entered the building on the phone, the security guard didn't stop us and he should have. He should have said, well, well, hang on before you get upstairs. Like, who are you here to see? And I and I would have came up with the same fake name and he would have went, I don't see you on the list. Let me call upstairs and see if Jack is there. And when he called upstairs and there's no Jack, I would have been stopped. That was the first time I could have been stopped. The second time is when I entered the ATM center with Ryan, and the lady turned around and went, whoa, what are you doing in here? And I said, PCI audit.
Starting point is 00:40:17 She should have said, well, I don't have you authorized in this room. This is a private room. It had a whole separate security system. She could have called downstairs to security and say, hey, are there supposed to be auditors doing the ATM center? And that may have triggered them to check in, and I could have been stopped there. Yeah, or she could have just shut the door and said – Yeah, you're not allowed in. The third time was when we were in the call center, and I said to that woman, put your password in here. She should have said, I don't think I'm
Starting point is 00:40:42 allowed to do that. Let me go get my manager, you know, or just rejected entering her password. She didn't do that. The fourth time was when we went over to the computer that the guy didn't lock. He could have stopped us by locking his computer before he left for the bathroom, you know. And then the fifth time was back at the security guards when we called a fake, you know, Jack and said, hey, yeah, here, talk to our contact here. And he accepted that we were telling the truth and let us, you know, was going to let us back in. That that could have stopped us if he was like, I'm not handling your phone. I want to call this guy directly on the extension I know. And he took my phone, which could have been any person,
Starting point is 00:41:20 and spoke to him as a bank contact. He could have just called the extension directly instead of trusting me. So when I told them those five things, they were like, yeah, those are all good points. And I'm like, and you set training and you set policies in place and then you train them on those policies and you give them avenues to do this smart. And next time we will not be able to break in.
Starting point is 00:42:53 Back in the United States, they got a job to break into a building and gain remote access to the network inside. The guy who hired Chris and Ryan to try to break in was the head of physical security of the building. So the head of security authorized this, which is what made it legal. And Chris had printed out this authorization letter and put it in his pocket. Because if all goes wrong, they've got this letter which says the head of security paid them to test this facility. They plan out their pretext or ruse. They were going to pose as pest control, which could get them access into the building. And then from there,
Starting point is 00:43:45 they could try to sneak a USB drive into one of the computers. They had a uniform, spray bottles, boxes, and more to look like they were actually doing pest control. They decided to go the night before to scout out the place. It's a big office building, lots of glass windows and even a glass door in the front. They came by at night. There was no security around. They tugged on the doors, but they were locked. So they decided to try an old trick. Yeah, there was like two glass doors that led into the place and they had a gap in between them that was wide enough for us to shove a USB key through. Their theory is that if they slip one of their malicious USB sticks through the gap of the door and into the building,
Starting point is 00:44:28 when someone finds it the next day, they might be just curious enough to see what's on it and plug it into a computer. Which, by the way, you should never do. USB keys can contain a ton of icky malware that you want to avoid. But if a user opened any of the files that were on this USB drive, it would create a reverse connection back to Chris's server, which would allow him remote access to that computer the user plugged the USB key into. So they shoved this USB stick
Starting point is 00:44:59 through the gap of the door. And there was two sets of these doors. And what, sadly, the first door, perfect. We did great. The second door, nobody ever uses it. And we didn't know that. So when we slid the USB key through, when someone found it the next morning, they went, hey, you know that door that is like totally never used? There's a USB key on the floor there. And that made security go look at the videotapes from the night before. So they saw Ryan and I at the building outside sliding these keys through the door. So we didn't know that. None of this we knew. So the next day we come and I'm reversing into my parking spot. I'm in this big, huge SUV and I'm reversing into the parking spot. And I had just turned around to make sure I wasn't hitting anything, and I heard the door open. I thought Ryan was getting out, and when I turned back, there's a cop that ripped Ryan out, you know, a security guard, but an armed security guard, who ripped Ryan out of the front door and had him slammed on the hood and was cuffing him. Now, Ryan knows this, everyone knows this: look, if we got to get away, I may run so I can come back and break in later. Like, you're going to deal with it.
Starting point is 00:46:07 So I put the car in drive like I'm going to flee. And he's looking at me like shaking his head like, don't leave me, man. And I'm like, see you, sucker. You know, I'm just about to take my foot off the brake. And a woman jumps out in front of the car with her gun drawn and she's like, get out of the car. And I'm like, hey, hey, put the gun away. We're all good. And I put it in park and she's like, get out of the car. And I'm like, I'm not getting out of the car until you put the gun away. Like, I need you to put the gun away. And she's like, I'm not putting the gun away. And we're yelling back and forth and, uh, eventually I get out of the car. And she was short. She must have been like five two, five three, and I'm six three. She slammed me on the hood so hard that it knocked my hat and my sunglasses off and they
Starting point is 00:46:46 flew across the hood. Before my face bounced off the hood, she had both my arms in cuffs. And it was so impressive. I said, whoa, that was like maybe the quickest cuffing I've ever had. It just came out of my mouth, right? And she goes, you get cuffed all the time, don't you, scumbag? And I'm like, OK, I can see you're very angry. I don't know why you're so angry. I mean, we're just driving, you know, pulling in here. We're doing some pest control. And she's like, you're not doing pest control, scum.
Starting point is 00:47:14 And then she takes me up and she stands me up. And I'm like, hey, it's really hot here. It was a summertime in a really hot area. I'm like, can we go over to the shade? So she takes us over to the shade. Ryan and I are now kneeling on the ground, like in execution style. We're on our knees, both of us cuffed behind our back. And they're like, what are you doing here?
Starting point is 00:47:37 And Ryan whispers to me, give her the letter. And I'm like, no, no, we can get out of this. So I'm like, we're here doing pest control. And she's like, you're not doing pest control. And I'm like, we are. I said, look, go up in the back of our SUV up. You'll see this. We had pest control sprayers and we had fake chemical cartons and everything.
Starting point is 00:47:55 We had all this stuff to look the deal. So she's like, you're not here doing pest control. I'm like, just open it up and look. So they see the pest control equipment and she's like, I don't believe. And I'm like, I don't know why you don't believe me. Look, I got a work order here, my clipboard's in the car, if you want to get it. And she's like, I'm not going anywhere, scum. What are you doing here? And I'm like, I'm telling you, I don't know how many ways to answer it. And then Ryan's like, dude, the letter, they're getting mad. Then I'm like, no, we don't need the letter. And, uh, and then, and then the guy guard comes over and he's like,
Starting point is 00:48:28 why were you here 11 o'clock last night? And I'm like, crap. So I'm quickly thinking and I'm like, well, one of the things we were hired to spray for was scorpions and they don't come out in the daytime. This breed of scorpion only comes out at nighttime. So we came at night to just check the area to make sure that we were going to spray at night.
Starting point is 00:48:51 And he said, we saw you on video. We didn't see any sprayers. You were just walking around the building looking at our doors. And I'm like, well, we were just scoping it out. We're going to do the spraying now and tonight. And he's like, what are you really doing here? And I'm like, no, I'm telling you, that's the truth. And Ryan's like, give him the letter, dang it. And I'm like, no, man, like, we could do this. Like, I feel like we're gonna win this, right? And, and then
Starting point is 00:49:14 he goes, what are, what about the USB keys you dropped? And then I'm like, crap. Yeah, now it's over. So I'm like, okay, look, man, there's a letter in that clipboard. And he's like, I'm not grabbing your clipboard. For all I know, it's some kind of device. And I'm like, no, no, just grab the letter, please. You can grab the letter. So the lady goes over, she grabs the letter, and they open it, and they see the contact name, and they know him personally, and they're like, that mother
Starting point is 00:49:38 I can't believe it. And I'm like, yeah, yeah, he's a real jerk. That guy's a jerk. You should uncuff us. We're buddies. And she's like, we're not uncuffing you, scum. And I'm like, no, come on, we're not scum anymore. Now you know we're good guys, right? She's like, no. You know, we stayed kneeling there on the ground for like 10 more minutes while, while we waited for our contact to come out, who we found out was in the bushes filming us getting arrested.
Starting point is 00:50:08 You know, we're like, really, man? And he's like, this was great. These guys did so good. I'm like, yeah, they did great. But you could have saved us. And he's like, no, this was awesome. I'm like. The name on the letter was actually the security guard's boss. And once they called him and he said, yep, this is all a test, situation calmed down. And
Starting point is 00:50:26 the security guards eventually started laughing about this whole situation and started asking Chris and Ryan, like, what are their jobs as pen testers? Everyone started being more friendly. You know, and the whole time I'm grilling them for info. I'm like, so yeah, you know, you guys did really good. We should have came later, but you're probably here 24 hours, right? And they're like, no, no, no, no security here is after 7 p.m. And I'm like, oh, yeah, we should have chose then. That's too bad. So I got their schedules, you know, like from them just by talking.
Starting point is 00:50:54 So then we come back that night at like 9 p.m. after they're gone. And we break into the place and we break into their office. And we stole their badges and some of their stuff for getting into other buildings. And then I left all of my pest control equipment on their desks with a big thank you note and a couple of smiley hearts, you know. And the next day when they came in, they knew that we had broken into all the cameras and, you know, us stealing their stuff. But then our pest control equipment was on their desk. So, you know, a little fun humor back and forth.
Starting point is 00:51:33 Okay, for this next story. Actually, can I just take a moment and say thank you for being here as a listener? I mean, look at this. We're, what, 40 minutes into this episode and you're still with me? It's unbelievable. Just thanks so much for being here with me, right here, right now. So for you, the listener who's made it this far, I have something I'm really excited to be able to share with you.
Starting point is 00:51:59 This is a rare find, and I've been looking for something like this for quite a while. So I was really excited when Chris said he could do it. So the story starts with Chris doing a phishing campaign against a company with the goal of raising security awareness for the company. So in this particular test, we started off with a phishing email. And it was out to 1,000 people, and it was about a brand-new iPhone. So to register to win one of the brand new iPhones, all you had to do was go to this website and put in your credentials for your computer.
Starting point is 00:52:31 It was a corporate-sponsored raffle. So you went to a site that looked like your corporate site, entered the info, and then you were entered to win one of these iPhones. So many of the people in this company wanted a free iPhone. And the email looked like it was sponsored by the company itself. So the employees were like, heck yeah, let me register to win this thing. From this email alone, Chris got 750 people to click the link and then go to his website
Starting point is 00:52:58 and enter in their work username and password. It's insane. At this point, you could send each of these people an email explaining how the raffle their work username and password. It's insane. At this point, you could send each of these people an email explaining how the raffle was just a test and they failed. And that could be the end of the security awareness training. But besides raising awareness, Chris had a secondary objective, which was to also gain remote access to the network inside. So he comes up with a plan.
Starting point is 00:53:23 We had their username and password, but our job was to gain access to their network remotely. So the goal was to call each one of these people and tell them that the link they just clicked on was a phish. And that they had to, you know, hopefully they went and when they were notified of that, that was a phish, that they had to go change their password, and that once they changed their password, we had to just make sure that there was no residual malware on the computer from clicking that phish. And to clean their system, we created a PC cleaner program for them that would clean their machine from any malware. And of course, it was not a PC cleaner.
Starting point is 00:54:11 It was a Meterpreter reverse shell that gave us access into their machine. So the goal was to call like 25 people who clicked the link and somehow convince them to run some malware. This is vishing, which is voice phishing. But like I was saying earlier, it's the same thing that con artists have been doing for 100 years. So Chris changed into Paul and acted like he's from tech support. He emails one of the people who clicked the phish and told them, hey, look, this was a phishing email. You clicked it. You shouldn't have. Change your password immediately. Then Chris, or Paul now, calls up the employee.
Starting point is 00:54:55 And here's the actual phishing call that took place. This is Paul over at Tech Support. How are you doing? Good. We got that you filled out for that iPhone. The iPhone app. You went in and you did your password change? Yes, I did.
Starting point is 00:55:08 Okay, excellent. Just wanted to tell you that was really good. That's the way it should have been handled. Okay, yeah. As soon as we realized it, two of us jumped right on it. Okay, so there was another guy on your team that also? Yeah, I think it was JR. JR, okay.
Starting point is 00:55:21 I'm just going to write that down. I'll be talking to him later on. So just to follow up what we're doing, are you on the VPN right now? You're on your work machine? Yes. Okay, I'm going to give you an internal address. It's an FTP site that we set up for the employees. You can go there. You can see there's one file there that you'll be able to download,
Starting point is 00:55:41 and it will just clean up any residual mess from that website that we did that we used for the audit. Okay. So if you're at your machine, just open up a browser, and I'll give you the address. Oh, you mean like go on like I'm going to send an email? I'm not real. Well, Internet Explorer, you can open up that. Okay, yep. I got you.
Starting point is 00:56:00 Okay. And then up on the top line, the address, type in FTP. FTP? Yep, F as in Frank, T as in Tom, and then P as in Paul, and then a colon. And then two slashes, and these are the slashes that are by your question mark, the same button as your question mark. Gotcha, FTP, okay. And then the word is update, dash, and the dash is like the minus sign.
Starting point is 00:56:24 Gotcha. .com. Okay. And when you post there, it should open up. It should say index of, and it should have one file. It's a file called PC Checker. Okay, you know it's there. Okay, double click on that?
Starting point is 00:56:38 Yeah, click on that. Okay. And it should download. Okay. Or it should ask you if you want to run or save. You can click run. Okay. And if everything goes good, you should get no alerts.
Starting point is 00:56:53 You know, if you have a residual problem from that site, then you'll get a message. But if nothing happens and everything's clean and good and we're done. Okay. I just got a second thing. It said the publisher could not be verified. Are you sure you want to run this software? Yeah. Click okay.
Starting point is 00:57:10 Run again? Okay. Okay. Now it took me back to the original screen. Okay. That's good. So if you've got no error message, then you're good to go. You're clean.
Starting point is 00:57:20 Okay. Well, thanks for the help. Not a problem. We'll talk to you later. Yeah. Sorry about clicking on that. That's okay. Thanks for thinking about it afterward, though. Okay, man. All right, thank you.
Starting point is 00:57:30 Bye. Just like that, Chris has gained remote access to this guy's computer. He can now do anything he wants on it. Open a webcam, turn on the microphone, record keystrokes, transfer files, screenshot the desktop, or move to another computer deeper inside. And this is fascinating. So let me break it down for you. The company had state-of-the-art network equipment, a firewall to block all the bad connections coming into the building or going out of the building, an intrusion detection system to inspect traffic coming and going and blocking anything that looks malicious. And the employees all have antivirus on their PCs too to stop any bad
Starting point is 00:58:09 software from running. But of course, none of their security listens for phishing phone calls. It bypasses all that. So that's one problem. Then Chris got the employee to download this executable software. They downloaded it and ran it. There was a warning, are you sure you want to run this kind of thing? But the computer didn't block it from running. And once the program had been run, it started a reverse connection back to Chris's computer. To all the security devices in the network,
Starting point is 00:58:38 this simply looked like a regular web request to Chris's server, and from there, Chris was able to ride that connection back into the employee's PC and get in. And this is easily set up too, with a tool called Metasploit. This is just a reverse shell put on the victim's PC. And antivirus doesn't stop it either.
Starting point is 00:58:58 No, because it wasn't seen as a virus. It's taking advantage of the built-in remote control capabilities within Windows itself. And so even a fully updated computer has the ability to run remote access commands on it. And that's all this did. And when you get someone inside the company to run this program, it's all it takes to bypass everything that's supposed to stop it. Scary stuff. A lot of times when we talk about this topic, people go, I would never fall for that. And when you hear this guy, he sounds like a normal everyday guy, a guy you probably work with. He sounds like just an average dude. He's not dumb. He's, he's, he's not, uh, you know, he's not like
Starting point is 00:59:37 just throwing security to the wind. He sounds like your average everyday guy, and he's just like, oh my gosh, I can't believe I clicked on that phish. Thanks for helping me. And it's – we're not – I don't like that phrase. There's no patch for human stupidity. We don't use that because that means that everyone that falls for these things is stupid, and I don't think that's true. This guy wasn't stupid. So I think when people hear the call, they get to put themselves in it and go, yeah, I get that. That could have been me.
Starting point is 01:00:03 There probably are some current steps that companies can take to stop these things. You know, now we, you know, this was a couple years ago. Now we'd probably have to do a little more fancier footwork with Meterpreter. I do think a lot of antiviruses do detect reverse shells now. And maybe a packet inspection system, you know, uh, could have stopped this. But, you know, we embedded this just in a normal EXE over an encrypted tunnel, um, and had no malware in it, no trojans and no viruses. We wanted to get on the machine and then exploit it once we were on. So it literally was, for all intents and purposes, it was like opening up an SSH server on the box. That's it. It was just opening up a reverse connection.
Starting point is 01:00:51 Now, a lot of my listeners ask me all the time, how can you practice social engineering? So I asked Chris. This is a question I get all the time in my classes, you know, because you really can't just go out and break into places or phish people for fun. So I say, look, when you look at SE as a science, it is literally just learning how to communicate with people on a level that they like to be communicated with, learning how to get that person to open up to you. So you can do that without having to be a pen tester. You can, I mean, maybe not now because of COVID-19, but you could do this with delivery people.
Starting point is 01:01:25 You could do this when you go to Starbucks the next time. You can have a conversation with a complete stranger and get information from that stranger that's non-malicious. What is their full name? Where do they live? What job do they have? How many kids do they have? Are they married? What did they do in their career? Where did they go to school? All these questions, which are vital to understand about a person that you're, if you're a pen tester, you can get in a normal conversation. And the more comfortable you are just having a conversation with a random human, the easier being a social engineer will be when it's time to do it for a living.
Starting point is 01:02:01 And if you want to know more about social engineering, check out Chris's book, Social Engineering, The Science of Human Hacking. And make sure you get the updated second edition. This is a great book, which breaks down all the concepts of how to be a great social engineer. That's probably my favorite book that I've written. I've written four. And that one is,
Starting point is 01:02:20 I feel like it's 11 years of my experience and science behind it. So unlike the first edition of that, which was very new and it was not very well written, this one I feel was like really done well. But if you're like Cialdini's book called Influence, that's an amazing book. Joe Navarro's book on What Every Body Is Saying is just a phenomenal book. Ekman's book on Emotions Revealed, all about nonverbals, is truly a great book. Amy Cuddy's book called Presence on getting yourself into character. I could just kind of list books after books about books that I've read that are integral
Starting point is 01:02:58 in my life that may be not about social engineering, but they're about an aspect of communications and social engineering. Robin Dreeke's book on the top 10 ways to build rapport with anyone fast. These books are like integral to understand them if you are going to be a social engineer. Of course, I'll have links to all these books in the show notes. So make sure to visit darknetdiaries.com for that. And besides being the chief human hacker for his company and writing books on this, Chris has accomplished so much more. He's the one who started the social engineering
Starting point is 01:03:30 village at DEF CON, which is the most popular village at DEF CON. It has some great talks, but also a competition where contestants have to social engineer someone live on stage over the phone in front of a crowd. It's awesome to watch and to learn new tricks. I might have to do an episode just on that village one day. And on top of all that, he started a nonprofit called the Innocent Lives Foundation, where people use OSINT and hacking skills to try to help authorities find and capture child predators and human traffickers. And I think I'm going to have to have Chris back at some point to tell his stories about that for sure. But we'll save that for another time.
Starting point is 01:04:07 Wow, thank you so much for sharing this. I'm going to leave it with this last question. Have you ever been phished? Ha, yes. You know, I love that question because I think sometimes people that are in the industry don't want to talk about the times they were hacked. And yeah, I got phished hardcore.
Starting point is 01:04:25 So I've probably been phished a couple of times, but the most notable to me, because I fell for this hook, line, and sinker, is like, I am an Amazon junkie. You know, I love, I buy everything on Amazon that I can. And I was preparing for DEF CON, and I must have ordered like 10, 20 things for the kids' competition out of Vegas, and I'm packing up my office for DEF CON, and I get an email that looks just like an Amazon order email. And it says one of your recent orders will not be shipped due to a declined credit card. And everything I always tell my customers is don't ever click those links in the email. You open up your browser. You go to Amazon.com.
Starting point is 01:05:02 You log into your account, and it will tell you exactly what the problem is. But not critically thinking, being stressed about DEF CON, packing my office, seeing that email going, oh, my gosh, how can it be declined? My credit card never gets declined. I click the link. And then the browser opens. I go to a page that says it looks like Amazon login page. It looks identical to it. But I'm one of those guys that has my username saved, but not my password. So I start typing
Starting point is 01:05:31 my password. And when I go to click the submit button, before I click it, I realize my username is not there. And I'm like, what the heck? My username is always there. So I look up at the URL bar and it was like something something dot RU. And I'm like, oh my gosh, I just, I just clicked a phish and literally fell for it from a Russian site. So of course, you know, clean the computer, you know, change my passwords, burn the house down, you know, sell the family, move to another country, you know, do all the normal things you do when you click on a phish. Um, and then I tell, I tell my, my team, I'm like, I just got phished. I'm never telling anyone. That's so embarrassing. And then
Starting point is 01:06:05 one of the people on my team, she's like, you need to tell the whole world the story. Like this, this can help so many people because you're the guy who wrote the book on phishing. Like you need to tell the story how you got phished. And I thought about it. I'm like, yeah, that's a pretty good point. So I do tell the story now, but I mean, I fell for that. Like I fell for that a hundred percent because that, that, that email, I, if I did not look at that URL bar, I would have clicked submit and given them my credentials. So I did not – there wasn't a – the only thing that caught me was the one flaw, that my username was not in that box. Otherwise, I fell for that thing 100%. Later on when I went back and inspected the email, it was like for a George Foreman grill and some Lee Press
Starting point is 01:06:46 on nails. You know, it was like not even real items that I would ever order. And I'm like, oh my gosh, if I had just read the dang email, I could have caught it. Like if I had looked at the URL bar, if I opened my browser and typed the address and there's like five ways I could have caught that phish and I ignored them all because of stress and lack of critical thinking. So I'm like, yeah, yeah, I've been phished, man. I've fallen for it.
Starting point is 01:07:21 A big thank you to Christopher Hadnagy, the human hacker, for being here. You can learn more about him by visiting social-engineer.org. Or check out his podcast, which is just called The Social Engineer Podcast. As always, for every episode, there'll be links of all this stuff out on darknetdiaries.com, so head over there. And while there, check out the bonus Darknet Diaries episodes. These are exclusive to Patreon members. If this show brings value to you, if you've binged through all 69 episodes now and can't wait for the next one,
Starting point is 01:07:51 keep in mind you got all that entertainment for free. And it's because of the help of Patreon members that this show keeps running. So please consider joining Patreon to help support the show and unlock some bonus episodes. This show is made by me, the ghost in the shell code, Jack Rhysider. Sound design and original music was created by the sometimes bored Andrew Meriwether. Editing help this episode was by the devilish Damienne. And our theme music is by the maraca-wielding Breakmaster Cylinder. And even though when management sends me an email,
Starting point is 01:08:21 sometimes I write back with just unsubscribe. This is Darknet Diaries.
