Spring 2022

Section 1: MWF, 10:00am - 12:00pm, HBLL 3718

Homework #13

Overview and Background

Social engineering is and will continue to be a pervasive and persistent threat. Social engineers (aka con artists) will often do extensive background research on their targets. They use this information to seem to belong, to know the right lingo or terminology, to build common ground, to know where the weaknesses are, to appeal to authority, etc. They then use this information to craft person-specific messages designed to get past the mental filters people have for odd emails. Could someone pose as a coworker from another office? As an old high school acquaintance? As a senior executive in your company several levels above you?

I'm not trying to train you to effectively phish — rather, I want you to consider what steps I should be taking to detect and ignore your attempt. If nothing else, this assignment can be a good cautionary tale about leaving too much info about yourself on the internet.

This assignment has several steps. You will collect information about me (mostly online). You'll use that information to create a spear phishing email or text to me. You will submit both the research and the actual attack.

Ground Rules

The only person you are allowed to social-engineer, lie to, attempt to deceive, is me — Tarun Kumar Yadav.

Here is guidance from Prof. Clift that applies generally:

"Please do not call my teen-aged son at home and try and trick him into revealing personal information about me (or anyone else....). You may already know someone who knows me — feel free to ask them questions. Feel free to ask ME questions — but if I get the feeling you're pumping me for info I may give you evasive or misleading answers. Don't contact people I have a business relationship with to find out about me — e.g. no calling my bank, no calling Comcast (yes, I have a Comcast account), etc. Don't talk to my Bishop or my Boss, etc. You are welcome to use the internet and information you find there that is publicly available. Do not break any laws."

Requirements

This assignment has three phases: Research, Attack, and Report.

Research

(1 pt) In the research phase, you will try to find out some/any of the following information about me:

  • usernames for sites I use
  • hobbies
  • phone number(s)
  • email address(es)
  • family members, their employment and any other details
  • bank(s) I use
  • credit card companies I use
  • schools attended (any and all)
  • former colleagues and info about them
  • friends and their interests / hobbies
  • pictures of myself or family members

Attack

(2 pts) For the attack phase, use the gathered information to construct a targeted spear phishing email/text to the address or phone number above. Think about something that an attacker would want to get from me and take your best shot with the info you've collected.

There may be extra credit if you make me laugh out loud.

Report

(1 pt) For the Report phase, identify all the information you gathered from phase one and where you got it (list the website or person that gave you the information).

Submission

Once you think you're done, submit your report and the phishing attempt in a simple text document via Learning Suite. You have to at least attempt the attack phase to receive any credit for this assignment. Merely submitting "your favorite beverage is......" will get you 0 points.