Joe Gray - Practical Social Engineering: A Primer for the Ethical Hacker

by Joe Gray

PRACTICAL SOCIAL ENGINEERING. Copyright 2022 by Joe Gray.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

First printing

25 24 23 22 1 2 3 4 5 6 7 8 9

ISBN-13: 978-1-7185-0098-3 (print)
ISBN-13: 978-1-7185-0099-0 (ebook)

Publisher: William Pollock
Managing Editor: Jill Franklin
Production Manager: Rachel Monaghan
Developmental Editor: Frances Saux
Production Editors: Rachel Monaghan and Miles Bond
Interior and Cover Design: Octopod Studios
Technical Reviewer: Ken Pyle
Copyeditor: Sharon Wilkey
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreader: James M. Fraleigh
Cover Illustrator: Rick Reese
Indexer: Beth Nauman-Montana

For information on distribution, bulk sales, corporate sales, or translations, please contact No Starch Press, Inc. directly at info@nostarch.com or:

No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
1-415-863-9900
www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Names: Gray, Joe, author.
Title: Practical social engineering : a primer for the ethical hacker / Joe
Gray.
Description: San Francisco : No Starch Press, [2021] | Includes index. |
Identifiers: LCCN 2021004736 (print) | LCCN 2021004737 (ebook) | ISBN
9781718500983 (print) | ISBN 9781718500990 (ebook)
Subjects: LCSH: Penetration testing (Computer security) | Online social
networks--Security measures. | Internet fraud--Prevention. | Social
engineering--Case studies.
Classification: LCC QA76.9.A25 G7425 2021 (print) | LCC QA76.9.A25
(ebook) | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2021004736
LC ebook record available at https://lccn.loc.gov/2021004737

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To Junior, Pudding, Mom, Nannie, Mimi, and Mammaw: This one is for youI couldnt have done this without you! Youre the real MVPs!

Joe Gray, a US Navy veteran, is the founder and principal instructor of The OSINTion, the founder and principal investigator of Transparent Intelligence Services, and the inaugural winner of the DerbyCon Social Engineering CTF. A member of the Password Inspection Agency, Gray won the TraceLabs OSINT Search Party at DEFCON 28. He recently authored the OSINT and OPSEC tools DECEPTICON Bot and WikiLeaker.

Ken Pyle is a partner of CYBIR, specializing in information security, exploit development, penetration testing, and enterprise risk management, as well as a graduate professor of cybersecurity at Chestnut Hill College. As a highly rated and popular lecturer on information security, he has presented at industry events such as DEFCON, ShmooCon, Secureworld, and HTCIA International.

First and foremost, to readers: thank you for your patience with my book; I hope you enjoy it and believe it was worth the wait.

I would not be at this point without the support of my family. You are my rockI love you all!

Throughout my career, I have been able to see further by standing on the shoulders of giants. This is a reference to an Isaac Newton quote that Mr. Jack Daniel frequently quoted, and it is the truth. Jack is but one giant whose shoulders I have stood upon to see and learn more in my efforts to grow.

I cannot stress how much I have learned from others in the infosec, social engineering, and OSINT communitiesstarting with my first mentors in infosec, Jim Roller and Luke Winkleman. They took a bubblehead fresh out of the Navy, probably still smelling like amine, and included me in meetings when otherwise I would be doing busywork. I would also like to thank my previous manager and mentor, Jerry Bell, for encouraging me to submit the proposal for this book and helping to rein in my wild ideas.

To the social engineering and OSINT folks, I apologize in advance if I leave anyone out. Social engineering is on the forefront of infosec because of the work that Chris Hadnagy has done (and continues to do). I am eternally thankful for the opportunity to compete in the SECTF, but even before that, for Chriss book being in the school library when I was racking my brain for topics to research for my PhD dissertation (which I havent finished... yet). Michael Bazzell is the OG of OSINT. OSINT wouldnt be where it is without his work.

Conferences like Security BSides, DerbyCon, and especially Layer 8 helped me meet other likeminded people that I was able to collaborate with and learn from. I cherish my conversations with people like Jeff Man, Alethe Denis, Ginsberg5150, Marcelle Lee, the late Jon Case, Judy Towers, Chris Kirsch, Chris Silvers, Micah Hoffman, Jenny Radcliffe, and Chris Kubecka. Again, I apologize if I left anyone off, but this list could probably end up longer than the book itself.

Beyond competing in the SECTF, I am grateful to TraceLabs not only for doing the legwork so I could collaborate with the authorities for the OSINT Search Parties, but also for holding the conferences for hosting them (pre-COVID) and for partnering with The OSINTion to help competitors, the authorities, and most importantly, the missing. Thank you to Adrian, James, Robert, Belouve, Tom, and Levi. Thank you also to BSides Atlanta and NOLACon for hosting OSINT CTFs.

Finally, I must thank Bill, Frances, Rachel, and Sharon at No Starch Press for having the patience to wait for me to finish this book. I hope that they, and you, are happy with the final result, and I apologize for any gray hairs that I may have caused.

Social engineering is a lethal attack vector. It is often used as a means of delivering malware or other payloads, but sometimes it is the endgame, such as in attacks designed to trick victims into handing over their banking information. The beautiful disaster that comes from social engineering is that, aside from phishing, it is really hard to detect. Whether youre just breaking into the information security industry, a seasoned penetration tester, or on the defensive side, you will likely be exposed to social engineering sooner rather than later.

Exploring the why before the how of social engineering can amplify your understanding, help you build better processes and detections, and enable you to identify the singular flaw in the logic of a process to succeed in your exploitation. The how will change over time, but the why is rooted in hundreds, if not thousands, of years of human DNA.