Fall 2021

Section 1: TTh 3:30pm - 4:45pm - JFSB B092 (changed from MARB 130)

Homework #12 Extra Credit

Overview and Background

Social engineering is and will continue to be a pervasive and persistent threat. Social engineers (aka con artists) will often do extensive background research on their targets. They use this information to seem to belong, to know the right lingo or terminology, to build common ground, to know where the weaknesses are, to appeal to authority, etc. They then use this information to craft person-specific messages designed to get past the mental filters people have for odd emails. Could someone pose as a coworker from another office? As an old high school acquaintance? As a senior executive in your company several levels above you?

I'm not trying to train you to effectively phish - rather I want you to consider what steps I should be taking to detect and ignore your attempt. If nothing else, this assignment can be a good cautionary tale about leaving too much info about yourself on the internet.

This Extra Credit assignment will have several steps.  You will collect information about me (online mostly?). You'll use that information to create a Spear Phishing email or text to me. You'll get a response from me, and then answer the question I ask you.

Ground Rules

The only person you are allowed to social-engineer, lie to, or attempt to deceive is me - Fred Clift. Please do not call my teen-aged son at home and try to trick him into revealing personal information about me (or anyone else...). You may already know someone who knows me - feel free to ask them questions. Feel free to ask ME questions - but if I get the feeling you're pumping me for info I may give you evasive or misleading answers.

Don't contact people I have a business relationship with to find out about me - e.g. no calling my bank, no calling Comcast (yes, I have a Comcast account), etc. Don't talk to my Bishop or my Boss, etc. You are welcome to use the internet and information you find there that is publicly available. Do not break any laws.

ALL EMAIL communication to me for this assignment should be to my new email address: scamme@clift.org or to my Google Voice number 801-318-3106

Requirements

This assignment has three phases - Research, Attack, and Post-Mortem.

Research

In the research phase, you will try to find out some/any of the following information about me:

1) My reddit username (2 points)

2) 3 hobbies I enjoy (3 points)

3) My favorite soft-drink (1 point) - you should already know this one if you are observant.

4) My (former) favorite hot sauce (2 points)

5) The names and occupations of 2 of my brothers-in-law (6 points)

6) What my high-school mascot was (3 points)

Attack

For the attack phase, use the gathered information to construct a targeted Spear Phishing email/text to the address or phone number above.  (5 points)  Think about something that an attacker would want to get from me and take your best shot with the info you've collected. 

There may be extra credit if you make me laugh out loud.

Post-Mortem

For the Post-Mortem phase, I'll respond to you and you will need to answer the question(s) I ask. (3 points)

Submission

Once you think you're done, submit what you've found and what you did in a simple text document via Learning Suite. You have to at least attempt the attack phase to receive any credit for this assignment. Merely submitting "your favorite beverage is......" will get you 0 points.

Note: I have pretty good spam filtering on that email - if I haven't responded in more than a day, I probably didn't get your email. Contact me on Slack to ask if I received your Spear Phish message.