Social Engineering: The Art of Human Hacking
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright 2011 by Christopher Hadnagy
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-63953-5
ISBN: 978-1-118-02801-8 (ebk)
ISBN: 978-1-118-02971-8 (ebk)
ISBN: 978-1-118-02974-9 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Control Number: 2010937817
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.
To my beautiful wife and my wonderful family; without you this would not have been possible. Mati, there are no words to describe the gratitude I feel for what you have done.
About the Author
Christopher Hadnagy is the lead developer of www.social-engineer.org, the world's first social engineering framework. In more than 14 years of security and IT activity, he has partnered with the team at www.backtrack-linux.org and worked on a wide variety of security projects. He also serves as trainer and lead social engineer for Offensive Security's penetration testing team.
About the Technical Editor
Jim O'Gorman is a professional penetration tester and social engineering auditor with more than 14 years of experience working for companies ranging from small ISPs to Fortune 100 corporations. Jim is co-trainer of the Offensive Security Advanced Windows Exploitation class, one of the most difficult exploit development classes available. A founding member of www.social-engineer.org, Jim is an authority on educating the public about social engineering threats.
Credits
Executive Editor
Carol Long
Project Editor
Brian Herrmann
Technical Editor
Jim O'Gorman
Production Editor
Kathleen Wisor
Copy Editor
Paula Lowell
Editorial Director
Robyn B. Siesky
Editorial Manager
Mary Beth Wakefield
Freelancer Editorial Manager
Rosemarie Graham
Marketing Manager
Ashley Zurcher
Production Manager
Tim Tate
Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Barry Pruett
Associate Publisher
Jim Minatel
Project Coordinator, Cover
Lynsey Stanford
Compositor
Maureen Forys, Happenstance Type-O-Rama
Proofreader
Jen Larsen, Word One New York
Indexer
Johnna VanHoose Dinse
Cover Image
Digital Vision/Getty Images
Cover Designer
Ryan Sneed
Foreword
Security is a puzzle with two sides. From the inside, we look for a sense of comfort and assurance. From the outside, thieves, hackers, and vandals are looking for gaps. Most of us believe our homes are safe until one day, we find ourselves locked out. Suddenly, our perspective shifts and weaknesses are easily found.
To completely understand any kind of security it is essential to step outside of the fence, in essence locking ourselves out, and start looking for other ways in. The problem is that most of us are blinded to potential problems by our own confidence or our belief that strong locks, thick doors, a high-end security system, and a guard dog are more than enough to keep most people at bay.
I'm not most people. In the last ten years I have pulled more cons and scams than anyone in history. I've beaten casinos, faked sports events, fixed auctions, talked people out of their dearest possessions, and walked right past seemingly unbeatable levels of security.
I have made a living exposing the methods of thieves, liars, crooks, and con men on a hit TV show called The Real Hustle. If I'd been a real criminal I would probably be rich, famous, or dead, probably all three. I have used a lifetime of research into all forms of deception to teach the public just how vulnerable they really are.
Each week, along with Alexis Conran, I pull real scams on real people who have no idea they are being ripped off. Using hidden cameras, we show the audience at home what is possible so they can recognize the same scam.
This unusual career has resulted in a unique understanding of how criminals think. I've become a sheep in wolves' clothing. I've learned that, no matter how impossible something might seem, there's almost always a clever, unexpected way to solve the problem.
An example of this is when I offered to show how easy it would be to not only steal a woman's purse, but also to get her to tell me the PIN to her ATM or credit cards. The BBC didn't think it was possible to accomplish this. When we presented this as an item for The Real Hustle, the BBC commissioner wrote "will never happen" beside it and sent it back. We knew it was entirely possible because different versions of the same scam had been reported, where victims of theft were talked into revealing their PINs in several clever scams around the UK. We took elements from different scams to illustrate exactly how someone might be duped into giving someone else complete access to their bank account.