Continuation and Ethics
Welcome back! If you don't recall, we're covering voice phishing against financial institutions to check for employee compliance with policies, procedures, and mandates such as Sarbanes-Oxley. You can review this here. Our goal currently is to collect a list of customers of the bank/credit union, profile them, and try to get an account balance out of a teller or account support representative. Before I continue this series, I want to stress the importance of adhering to ethical practices. Under no circumstance should you ever retain personal information you collect on targets for a campaign. You should also refrain from using this skill set outside of a professional capacity. Nobody likes a creep.
Identifying Customers
If you haven't been given a list of customers to target from the financial institution, you'll need to find your own. There are a few primary places that I rely on for this: Facebook, Instagram, Twitter (now branded as X; in case any future readers are confused, I will still be referring to it as Twitter), and Google Reviews. The key here is avoiding employees.
Most financial institutions have a Facebook presence. In fact, I haven't dealt with any that don't. Here, customers are likely to react to and comment on posts. Occasionally, banks will have giveaways or other community programs and may have posts that directly include a customer. If you're relying on reactions and comments, you need to check your target's profile and see if they have a LinkedIn. You want to be sure that they don't work for the bank. Another approach with Facebook requires a little more time and effort. You'll probably have a list of branch phone numbers that you're calling. Take note of the town each branch is listed in. Then go to Facebook, and look for any kind of "what's happening" or "recommendations" group that is specific to that town/area. Now, join the group. Once you've joined, search for the name of the financial institution. You'll probably have at least a few folks explicitly saying "I use __ bank". Now you have a valid target.
Instagram is a similar situation to Facebook: check comments and check followers of the bank. You can also look at check-ins for the location. Again, you'll need to verify that these people don't work for the bank. If their social media doesn't have any clues, look for a spouse/significant other and see if there are any clues there. Twitter is an excellent place to go as well. Nearly any and every brand has a Twitter presence, and lots of people interact with companies there. You can either go to the Twitter profile of the target organization or search for the name of the institution.
Google Reviews can be a mixed bag. You might run into a handful of fake accounts, but there can also be a gold mine of information there. In at least one instance I've seen a customer provide pretty specific details about the accounts held with a bank.
Profiling
Now that you have a list of potential customers, it's time to do some digging and note taking. Here are the first pieces of information I typically collect as it is all key to the campaign:
- Full name
- Full date of birth
- Current and previous address
- Current and previous phone number
- At least 2 email addresses
- Same information for spouse/significant other
- How many kids and/or pets if any
There are many, many ways to get this information. I typically check multiple sources to be sure I have correct information. Having collected at least a first and last name, I'll look for a city and state and a significant other. Most people have this listed on their Facebook or LinkedIn profile. If the location isn't there, take a look at their Facebook friends and anyone who regularly interacts with them on Instagram. If a handful of them are all in the same area, you can deduce that your target is likely from the same area. You can also look through pictures for any high school photos; if you can come up with the name of the high school, you can base your determination on that.
From here, it's time to use a data broker service. My go-to is fastpeoplesearch.com, but I also use mylife.com. Type the name and best-guess city/state you have there, and look at the information listed. FPS will typically have an address and phone number, sometimes an email or two, and a birth year. It will also point to a spouse if you haven't managed to collect that. MyLife will provide a full date of birth, and you can cross-reference the other data you have with this. Now you can collect this same information on their spouse. From here, go back to social media and look for pictures, posts, or even the "about me" on Facebook for any children or pets. If you're really struggling to find any of this or having a hard time narrowing it down, I've found ancestry.com to be an excellent resource. While it may not be free, there's a ton of data available there, and you can usually get a free trial for 30 days. Also, if you're not 100% sure about the address you've found, check the voter records for the individual. This will also provide more insight about the target.
Once I have all this basic information, I'll add a few more pieces of information based on how much info they have on their social media.
- Interests or hobbies, favorite sports teams, particular music taste, etc.
- Any pictures of vehicles or home?
- Employer
- Gather a couple small pieces of info on their kids and spouse
If they don't have pictures of their vehicles or where they live, it may be useful to look them up in their local tax collector's site. A lot of areas only require first/last name and an address. This will show you if they own their home and typically the make and model of their vehicle as well.
The Why
If you've never done any of this before, you may be thinking "why in the world would I need all of this information". Well, the answer is: you don't. If you want to skate through with the bare minimum and give yourself away as soon as you're unable to provide requested information, then that's on you. However, you're doing yourself, the client, and their employees a disservice. By collecting more information, you have a little window into this individual's life. Not only will this assist in making an educated guess for any unknowns, such as the answer to a security question, it also gives you some leverage. By knowing more about the individual and those in their immediate circle, you can work this information into the conversation. Maybe the teller on the line knows OF this customer but has never really dealt with them, and they're suspicious. By talking about my son's upcoming football game, you lend credibility to the persona. If my target is married, I like to leverage that information here as well, like this:
- Teller - Which account were we checking for you today?
- Me - My checking account please.
- Teller - Yes sir, which one would you like?
- Me - It's the joint account with my wife, ___. Her birthday is ___.
- Teller - Thank you so much for that, your balance is ___.
Not only are you creating a better pretext and providing more value to the client, you're also improving your own skills. You may stumble across a new pretext you hadn't thought of before with this information. Maybe you aren't familiar with collecting data on a certain platform, this provides the opportunity to do so. You'll start to figure out additional vectors to approach your collection methodology.
Organizing this data
If you hadn't noticed, this is a ton of information. In most cases, you'll be asked to collect information on more than one target. I typically get asked to pick 3-5 targets, which turns into 6 to 10 targets so that I have backups in case a ruse is burned. Once you start compiling this information, it grows rapidly. It's incredibly important that you don't cross-contaminate target information during a call. It's also important that the information is readily accessible. The tools you use to maintain this will be up to you, but some of my favorites are:
- Excel - A spreadsheet with call activity is usually part of my deliverable set. It's trivial to make a second sheet in the workbook with customer information. Just make sure you clean this up before delivery. One of the downsides is that the more targets you have and the more information you collect, the harder this winds up being to manage.
- OneNote - You can create dedicated sections for each target and include screenshots of relevant data or images.
- Obsidian - My personal favorite, you can create nodes that are linked to one another and navigate as necessary.
More Than Information
It's important to remember that you can collect all the information in the world, but if you don't leverage social engineering techniques and adapt to situations, you won't get anywhere. The key advantage in this specific scenario is that you're dealing with someone in a customer support role. They're trained to be as helpful as possible, and when dealing with a difficult customer, they typically just want to be done with the interaction. You can manipulate this to your advantage in a few different ways.
- Oversharing - information overload with personal details, even if it's nothing out of the ordinary, can cause people to subconsciously be more trusting.
- Emotional manipulation - I present this with a caveat: Bill did NOT deserve that. For those unfamiliar with this scene in Mr. Robot, I'll just say there are lines you DO NOT cross. This is a security assessment; there's no need to attack someone. Would you feel comfortable explaining this to a board of directors? Would you want someone treating someone you care about like that? How would you feel in their shoes? One safe ploy is to be overly apologetic. This causes the person to want to help you and make you feel better about the interaction. You could also take the impatient route, but be careful not to overdo it. You don't want them to be more difficult to spite you.
Closing
I've essentially just provided you with a getting started guide on leveraging OSINT to profile individuals, as well as some very basic social engineering examples. You can practice these new OSINT skills by searching for yourself on these sites and seeing what data is there. You might be surprised. I plan to provide additional material on more in-depth profiling in the future, so subscribe and be notified! (It's free.) Thanks for reading!