Does someone know any statistics showing how much such attacks actually work and how often people react correctly? Pretty sure that the outcome would be more than 10:1 for successful attacks. Quite frightening when one thinks about it...
I personally have compromised over 80% of the organizations (typically financial institutions) I've attempted. The ones I didn't compromise were just flukes (i.e. someone performed the same service a day ago and there was nothing for me to do - bad intel). Not a single person thus far has detected I wasn't who I appeared to be.
Most other analysts I work with have a similar success rate. I don't think even the newbies sink under 50%.
This is slightly off topic, but not exactly:
I am a horrible actor and half the time I can barely contain myself from giggling when I attempt social engineering. Needless to say, I am not very successful at it.

Has anyone considered taking, or taken, some acting lessons at a local art school? If anyone has taken acting lessons, did your employer pay for the courses?
Some of the things people say can really catch you off guard. Last week, I got a user to give me her password (I was pretending to be a support rep from a 3rd party and said I had to reset her account because of an account db corruption). Unlike the other users who used dictionary words, she actually had what I consider to be a strong password. After she gave it to me, she's like, "Yea, I really try to be security conscious." It was difficult not to laugh at the irony.
BTW, that's an awesome premise. Once you "reset" the password, you can ask the user to try to log in and make sure the update worked. That obviously tells you whether the user told you the same password that was in use previously and whether you can log in with it. And they're grateful for you helping them out before they even realized there was a problem.
The acting really isn't too bad, and I don't consider myself to be a good actor at all. Crying, feigning anger and yelling, etc. are all certainly valid avenues that could be explored. However, I find that I have a respectable amount of success by just being friendly. My inability to play some Shakespearean role really doesn't impact me as much as you would think.
When I do my on-site engagements, I legitimately perform the service I'm there to do (or at least look like). If I'm performing a pest inspection, I get down on the ground and inspect every nook and cranny. One of my contacts once called a branch after I left and asked how I did. They gave me a glowing review and were obviously impressed with how thorough I was. The most difficult part is often just walking in the door.