Episode Show Notes


[START OF RECORDING] JACK: Before we really had the term ‘social engineer’, people used to just say ‘con artist’ because what a con game is, is where you gain someone’s trust and then defraud them. Social engineers gain people’s trust in order to trick them. Same thing. One of my favorite con artists was George C. Parker. He made a living off of selling things he didn’t own. He lived in New York City in the early 1900s. A lot of immigrants were moving into the city and he wanted to take advantage of their lack of knowledge about the city. Grant’s Tomb was built in 1897 which is the final resting place for Ulysses S. Grant. It’s right in Manhattan and it’s an extraordinary monument. You can even go inside and look at the casket. It’s a popular tourist attraction. George C. Parker saw so many people coming to see Grant’s Tomb, he wanted to somehow make money off this, and not by selling popcorn or hot dogs or flowers.

No, George’s idea was to sell Grant’s Tomb itself even though he didn’t own it. He got to work drafting up fake documents which showed he was the grandson of Ulysses S. Grant and then he rented an office to look like a legal place where you can make such a transaction, and then he went around town looking for victims. There’s a lot of people walking around in New York City stopping for shoe shines, grabbing the paper. It’s easy to strike up conversations with anyone. George found someone interested in buying Grant’s Tomb. George forged some documents which looked like he was the owner and he told the victim that he could make a lot of money off this place if he would just charge people to come take a look at the casket.

So, he made the deal. He sold Grant’s Tomb to someone even though he didn’t own it. In the following decades, George C. Parker went on to sell dozens of other landmarks in New York City. He sold the rights to plays and operas. He sold Madison Square Garden to someone once. He sold The Metropolitan Museum of Art once, and the Statue of Liberty. But my favorite thing that he sold was the Brooklyn Bridge itself. He would tell people that they could set up a toll booth on the Brooklyn Bridge and make a lot of money from all the cars passing by. This was such a great con game that George sometimes sold the Brooklyn Bridge twice a week. The city would often have to come out and stop victims from erecting toll booths on the bridge. That’s where we get the term ‘if you believe that, I’ve got a bridge to sell you.’

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Can we start out with who you are and what do you do?

CHRIS: Sure. It’s kind of a loaded question; Chris Hadnagy and primarily I’m the CEO or my fun title is Chief Human Hacker of Social Engineer LLC. But I also run social-engineer.org which is a free resource for social engineers or people interested in the topic where they can educate themselves and learn about things like stories and the science behind it. Then I also run a nonprofit called The Innocent Lives Foundation.

JACK: How did you get into social engineering?

CHRIS: Oh, that’s fun. I was working in the industry but doing vulnerability assessments, so I want to say maybe many of us started off that way but I’m not sure. But yeah, back in the day, just kind of doing what I would say very light security and understanding light security and then doing vuln assessments. Then I took a course called Pentesting with [00:05:00] BackTrack at the time before it was Kali and got addicted to pen testing. Ended up spending way more time than was healthy inside their labs and cracked a server that hadn’t been cracked at the time and got a job offer from OffSec to work with them as their ops manager.

Through that process of working with them and learning about real pen testing and how to do it, I found that my natural niche in the field was people, talking to people and learning how to influence them. I started to write a framework on social engineering. That’s what the social-engineer.org site is basically based on, is that framework. When that framework came out, I got a book offer to write my first book which no one should read, and from there my company was started and now we’re here eleven years later.

JACK: Over a decade ago, Chris set up the website social-engineer.org. There, he started writing a framework to do social engineering which is a guide, if you will, on how to do it. He wrote a code of ethics, he defined a bunch of terms, and he outlined many of the different methods and attacks.

CHRIS: It came about because I wanted to understand social engineering from a scientific and an artistic level. [MUSIC] The way I went about it was kind of looked at my bookshelf and said man, I read this book ‘cause I wanted to understand ‘x’, so let’s say ‘influence’. I wanted to understand influence so I bought Robert Cialdini’s book and I read it and I studied it. Then I took principles from that and tried them on a phishing e-mail or tried them where we were breaking into a building, so I would write that down. I went through my bookshelf and just outlined these are the skills I used, these are the places I learned them, and here’s how – what I took away from those lessons. Through that, it took about nine or ten months that formulated the social engineering framework that is still alive on the site today. It’s been updated, of course, since that time. But took about a year to do and it came out right around 2009.

JACK: Yeah, so Chris here, the Chief Human Hacker, has literally written the book on social engineering; actually, three of them at this point but back in 2010 on top of the framework he was writing, he was also writing newsletters on social engineering and putting out a podcast about it.

CHRIS: Then companies start calling ‘cause they’re reading this, they see it. Again, it’s the first time anyone’s ever defined it. They’re saying hey, would you come and test our company? Will you come and pen test us? Or will you come and phish us and tell us how we did? I was like yeah, sure, we would try that. Again, at this time in history, there were no companies doing this so it was – what do we charge them? How do we make a business out of this? We were trying to figure it out all as we went. That’s what started my company at that time which was about 2010, ’11 time is when I separated then formed my own company focused strictly on social engineering.

JACK: You’re aware of what a phishing e-mail is, right? An e-mail designed to get you to click a link in there which will harm you somehow, whether it will get you to download malware or scam you or whatever. When Chris gets a call to do a phishing campaign against a company, he gives them two options.

CHRIS: You have the security awareness phishing and then you have pen test phishing, right? Security awareness phishing, the goal is education at the end. Those are usually done company-wide, like, everybody, no matter if there’s 1,000 people or 100,000 people. They’re done every month and the goal is to get them to click a link that then brings them to an educational page, ‘cause our end goal with that kind of phishing is to teach them how to catch it and how to report it properly. But in pen test phishing, the goal is much different. Pen test phishing, our goal is to steal credentials, to install an implant to get a trojan or malware on the machine; somehow to compromise the network or the people for the pen test that we’re doing.

JACK: Now, I’ve worked with, I don’t know, hundreds of clients as a security engineer myself. Boy, let me tell you, none of them were interested in me doing phishing attacks on their employees. In fact, my own company that I was working for wouldn’t even let me do phishing tests on our own employees. It’s just rare for companies today to try to phish their employees but it was extra-rare to see companies doing this in 2010.

CHRIS: I got called by a really large financial institution and they said we’ve been doing SE internally for a while and we use your framework now. Would you be willing to work with us in actually testing our people? For me, it was a shock ‘cause like you, I had the same experience. We would do a pen test for a client and I would say to them hey, can we send some phishing e-mails? They were like nah, we don’t really care about that. I would offer them for free. I would say, let me send five for free. If you like what you see, we could talk about more on pay. Then they would be like okay, yeah, you could send a few. They would always work and they would be like nah, I don’t want to pay for them; they just worked too good. It’s like, but [00:10:00] that’s why we should do it, you know?

You were right; I was hitting this roadblock where companies didn’t want to do it but then this large financial institution says let’s do this and all of a sudden we are full-board doing SE testing and phishing and all this other work in a major company that’s global, and that word spread. Soon as that happened, we – other companies started saying well, if you’re working with them, maybe we should consider that. That is when we were sitting back saying okay, I don’t even know – how the heck do we charge for this stuff? Where do you come up with pricing? How do you figure out what a service should look like since there was no ‘go to Glassdoor and figure out what a typical social engineer makes’, you know? It was just figuring it out as we went. Then, you’re right, it still was a struggle.

First five years, I don’t – it was like pulling teeth. You would approach companies and they would be like, why do I need this? It was a lot of education. Then as media started picking up stories of phishing attacks and vishing attacks and social engineering impersonation attacks, as media covered those more and more, it got to the point where people, companies, C-levels were hearing these stories and going wow, this is a problem, and that’s when it became easier to now sell those services like it is today where most companies know they need social engineering services. But of course, as it wasn’t before, there’s a lot more competition. It’s like every other industry; now they have to pick and choose who they deal with.

JACK: Chris sometimes gets calls to send everyone in the company phishing e-mails and the goal is to give the employees education and awareness of this kind of attack.

CHRIS: For us, it’s – we levelized, what I call levelized the phish, so we have three different tiers. Let’s say it’s the same phish; like, right now one of the big things that’s going around in the real world is since everyone’s working from home, it’s new work-at-home policies, right? [MUSIC] So, if you’re working from home, here’s some policies you need to read. A phish like that, let’s say with a really basic levelized number one, it might only – it might look like it’s just coming randomly to you. It’s not personalized, it’s not branded, and it has even some spelling and grammar errors.

A level two might come to you and it’s not personalized but there are no errors in it. It looks a little more realistic. Then a level three looks like it’s coming from your HR department. All of these are geared to teach the employee two things; one is can they catch the phish? We’re recording a lot of data. Did they report it properly if they caught it? If not, when they clicked it, did they go to the landing page that was given to them and read the information which in security awareness, a lot of people love to push ten, fifteen, twenty-minute CBTs.

JACK: CBTs are computer-based training, like your typical security awareness training you might get at a company.

CHRIS: Those aren’t great. Those have a use and a purpose but they’re not great for what we’re talking about here. You want to give someone some information they can digest in sixty to ninety seconds. It should be a ‘hey, you just clicked on a phish. Here’s how you could have caught it. Please report it to this address.’ We find that that kind of security awareness phishing program helps keep the idea of phishing in people’s minds and they’re much more aware about all phish throughout the month.

JACK: This kind of training works amazingly well. It really sticks with the employees who did click the link and got phished. That sixty seconds where they learned that they clicked on a malicious link is a powerful moment. Their online awareness and digital hygiene are instantly leveled up.

CHRIS: When we’ve had clients that use a levelized approach that do it consistently, so these are the things; you have to have a levelized approach, do it consistently, and have messaging that isn’t damaging. What do I mean by that? Everyone’s afraid of Covid-19 right now. If we start phishing people with like, let’s say a phish that says ‘Find out who in the office was diagnosed with Covid-19.’ Everyone’s gonna click that and when they find out it’s a test, they’re gonna feel hurt, especially if someone lost a family member.

Let’s say someone had a family member die because of the virus and now they find out you used that virus as part of education, they’re gonna feel really hurt and you’ve taken away the ability to educate them. Your program has to be levelized, consistent, regular, and also, it has to not step over that moral line. When you do that, we’ve – probably the case I love to use the most, is we phished a client we had with – for five years and after three years of consistently phishing them, they had a 78% reduction in actual malware on their network. Actual malware-related cases on their network reduced by 78% ‘cause people were catching phish and reporting them properly without clicking them. That’s a huge win when you think about doing it right.

JACK: Pretty impressive, [00:15:00] huh? Conducting phishing campaigns on everyone in the company as part of your security awareness training seems like a no-brainer in terms of how it helps improve the security of a company because a ton of malware enters a company by people clicking phishing e-mails. It’s crazy these are still effective today even though most people know about phishing attacks and have been told over and over not to click on suspicious links. You know what I’ve seen some companies do? Where I used to work, they used to give a bonus to employees who could demonstrate healthy behaviors like if you didn’t smoke and you went to the doctor for preventative care and did regular exercise, they would incentivize you and give you an extra $500 a year as a health bonus.

But some companies take this a step further and incentivize people demonstrating proper security hygiene. Like, if you’re tested with phishing e-mails every month and pass and then have implemented two-factor authentication properly, and then you use a password manager and you’re virus-free for a year, you might get a digital health bonus too, because some companies can really save money by incentivizing their employees to be more vigilant and secure which results in less infections company-wide, because the overall benefit to security outweighs the cost. But enough about security awareness training. I want to hear a story about when Chris had to do a penetration test on a client.

CHRIS: I had just hired Ryan. He’s my COO now and he and I were just working together; this was literally our – one of our first jobs together, going back a couple years now. We were hired to go break into a couple banks in the country of Jamaica. This is an interesting one because it’s my first time breaking into banks in a foreign country. We didn’t know what to expect in doing the job, like what was – when we arrive, were they gonna be armed? Were they not gonna be armed? How hostile would they be?

JACK: Their task was to get into the bank in the middle of the day. Really, this was to see if they could get past security and into the inner areas of the bank because this bank wasn’t really where customers come in, typically. Two foreigners just walking in off the street with no business being in there should not be able to get in this building. Security should stop them at the front door but if they get in, the doors to every secure area in the building should be locked.

CHRIS: One of our jobs was that we had to put a USB key into random computers and hack the network. We had to have different pieces of software and malware on the USB keys that would allow us to show them that we could’ve – we weren’t allowed to steal anything or get into sensitive parts of the bank but if we were to gain access to the network, they wanted us to prove that we would have been able to destroy them if we gained access to that part. They wanted us to have software and tools with us that can prove those parts while recording also so we could show them what it is that we were doing.

JACK: On top of that, they were told to report any security issues they found along the way. The objective is set; time to get to work.

CHRIS: [MUSIC] We had done a lot of OSINT and we found that the bank was undergoing an audit from an American company.

JACK: Okay, OSINT is open-source intelligence-gathering which is where you look in public areas online for private information about a company. Chris didn’t say how he did it but here’s how I would start. First, go to the company’s LinkedIn profile. This typically lists a bunch of employees who work for that company. From there, you might see employees posting stuff right on LinkedIn like ‘Ugh, it’s audit time again. Can you believe it?’ But if no clues like that show up, you can take this a step further. You take the names of the employees that are on LinkedIn and then try to find their Facebook profiles to see what they’re posting there and look through all that.

If nothing is there, then take it another step further; try to take that name and see if you can find their Reddit profile or their Stack Overflow name or some Twitter name or something else that you can go and scour those posts, then. You keep pivoting around and eventually you’ll find someone somewhere posting something that they shouldn’t be posting. In this case, Chris found people posting information about a network audit being conducted by an American company on this Jamaican bank. Specifically, it was a PCI audit which stands for Payment Card Industry. Basically, if any business wants to process credit cards, they need to pass a yearly PCI audit. Since Chris and Ryan are both from the US and understand the ins and outs of PCI, this would be a perfect cover or pretext. They were gonna pretend to be PCI auditors to try to get access to the building.

CHRIS: We had printed business cards and button-up shirts with that company’s name on it, grabbed some clipboards, and we arrive in Jamaica. We drive to the location to scope it out first day. [MUSIC] It’s a pretty big building. It was maybe three or four [00:20:00] stories high, huge square. The whole parking lot is surrounded by a fence that has barbed wire pointing in. There is a guard as you pull into the parking lot. There’s a guard booth with two guards sitting in it at the edge of the parking lot.

JACK: They drive up to the guard gate, prepared to lie their way in somehow.

CHRIS: Because it was daytime and it was – they were expecting customers in and out, we weren’t stopped at the gate. We were stopped but they were – we just said oh yeah, we’re here to do some banking, and they let us right in. There was no issues.

JACK: As they entered the parking lot, they see some guys whiz by on dirt bikes. [BIKE ENGINES] Not only were they on dirt bikes but as they drove by, Chris and Ryan saw that mounted on the side of the dirt bikes were sawed-off shotguns.

CHRIS: They were security. They were bank security where like, that – in America, bank security’s a security guard. Maybe he has a gun on his belt but he’s sitting at the desk or up front. These guys were on dirt bikes driving through the parking lot. It was just crazy. We were like, what? Ryan and I pulled up. The first thing, we both looked at each other and we both had this immediate thought like, are we still gonna do this job? You know, Ryan, he says it; he goes, I didn’t sign up for this. I’m like well, we just flew all the way here from America to Jamaica. It’d be a real shame to just come all this way and not even try.

He’s like, they have shotguns on dirt bikes. I’m like yeah, it’s a little odd. But a gun’s a gun and we’re breaking into armed facilities in America and those facilities, we have a risk of getting shot, too. Yeah, maybe they’re not on dirt bikes running around the parking lot but still, getting shot with a shotgun or a rifle or an AR is no different; it’s all gonna suck and we’re gonna get shot, so – and we do those jobs. That was really poor reasoning but that was my reasoning. He went along with it and we did it. Looking back, I’m like phew, boy, that was a scary, scary moment.

JACK: They took a deep breath, drove through the parking lot, and parked. The dirt bikes were whizzing by and they were just adding a whole new level of stress that they weren’t expecting. Got out of the van and suited up. They put on a shirt with the company’s name that was conducting the audit. They got their fake business cards ready and of course, my favorite…

CHRIS: The clipboard. The clipboard’s hollow so inside the clipboard are USB keys and other tools that we may need; lockpicks, a camera that we can videotape things with. Inside the clipboard are a lot of different things that we can carry so we don’t have to have them all in our hands when we’re walking in.

JACK: They take a look at this building.

CHRIS: [MUSIC] The building is mirrored glass so as you’re approaching it, you can’t see through the windows ‘cause all the glass is mirrored.

JACK: They got a little information about what’s inside this building before coming in, so they know what it looks like inside before they even get in.

CHRIS: As you open the front doors, there’s a security guard desk right there with a metal detector. The security guards are sitting behind a desk but you have to walk through the front doors right past them to get to the staircase. That is the only access into the building, so there’s no other access into that particular building in that area. You can go around the back; there were some loading docks and other areas but the front door was the only access in through the security guards to get to the rest of the bank.

JACK: They walk up to the building.

CHRIS: As we’re getting closer to the door, I said to Ryan, look, I’m just gonna get on my phone, act like I’m having a conversation. When we get inside, I’m gonna say something like hey, we’re coming upstairs now; just wait. We’ll finish the audit in a minute, and we’ll just walk past security like we belong. He’s like, is that gonna work? I’m like well, let’s find out. I open the front door, walk in, I pick up my phone, put it to my ear. I’m like yeah, yeah, Jack, we’re in the front. We’re coming upstairs. We walk right past security and they don’t even stop us. I mean, not even flinch. You don’t have time to pause and be like, what the heck? But as we’re walking up the stairs, we’re both like what the heck? Like, that was way too easy.

We get upstairs and we realize we don’t have time to stop and breathe and figure out where we go. I round the corner and there’s a room that says ATM testing center; big sign on it says ATM testing center. There’s a woman who’s walking right in front of us and she enters the room. I just make a quick right and I enter the room right behind her. Ryan follows right along. We get in the room and she kind of startled; she turns around and she looks at me like what are you doing? I’m like oh, we’re here doing the audit for PCI. We’re finishing it up. She’s like oh, okay. She just turns around and lets us in this room.

JACK: They made it in. They look around this room. It seems to be where they repair ATMs, big machines which may or may not have cash in them, but they’re all opened up in pieces around the [00:25:00] room.

CHRIS: Now, Ryan is like, literally climbing up inside giant ATMs, taking pictures of all their circuit boards and parts. There’s a guy over with a computer testing out this ATM so I walk up to him and I say, explain to me what you’re doing. He walks me through how they code their ATMs, he shows me their software. He’s basically giving me a free education on ATMs and I’m videotaping the whole thing and he doesn’t know I’m covertly videotaping it. We were in that room for probably about thirty minutes to the point where we were like, we have to leave otherwise it’s gonna look really awkward that we just keep hanging out here talking to these people. We tell them okay, we’re done. We exit.

JACK: [MUSIC] Now, remember, they are in Jamaica so they look out of place here. But they had a ruse.

CHRIS: We’re the only two white guys in literally this whole building. It was definitely culturally interesting there because we definitely stood out. That’s why we chose that we were working for an American audit company. That made sense of why we were there, that we weren’t trying to be locals, we didn’t try to make-believe we lived there, we didn’t try to make-believe anything that would throw them off. We were like yep, we just came in, flew in from America last night and we’re finishing the audit.

JACK: They wander the halls with a clipboard in hand, looking for something else of interest.

CHRIS: There’s a long hallway and at the end of the hallway, there’s these two glass doors that we could see through. There’s a call center; I can see all these men and women sitting on phones and headsets, these rows of computers. I’m like okay, that’s a call center. There’s an RFID pad right next to the door so we assume okay, the door’s locked. We can’t go just yanking on it. I’m walking really slow towards the door in the hopes that someone would either enter or exit and I would be able to hold the door for them or catch the door with my foot and get in without having to have a key. It’s like, you can’t even plan this as smoothly. As I approached the door, this woman’s exiting and I go oh, let me hold that for you. I pull the door, she unlocks it, and I hold it for her. She says a really nice thank you and Ryan and I walk into the test center.

JACK: They get in this large office room. [BEEPING, DIALING] Rows and rows of desks and cubicles are here, lots of people all over with headsets on, talking to customers on the phone.

CHRIS: We’re trying to find a quiet, open spot. We’re walking up and down these aisles kinda slowly and I go down this one aisle and there’s a computer that’s on but it’s at its lock screen. There’s a woman sitting right next to it on her computer so I just say to her, hey, I need you to put your password in this computer here. She looks; she stops and looks at me and she’s like, what? What do you mean? I said I need you to log in to this computer. She’s like, but I’m using this one. I’m like yes, I know, but I need you to log into this computer, too. She goes, okay. She just gets up and as she’s typing her password, I start recording on my phone and I hold my phone over the keyboard so I’m recording her password on my phone.

JACK: Does she see you do this?

CHRIS: She doesn’t, so I’m doing it where I’m holding my phone on the back of a clipboard. I make a big stink about looking away from her so she thinks I’m not watching her put her password in, but I’m recording it on my phone. I call Ryan over. He sits down, he pulls out one of the USB keys and he starts hacking the network from there. [MUSIC] While Ryan’s doing that, I just turn around and I notice that there’s this guy sitting at a desk right behind us about five or six feet and he gets up to use the bathroom, I assume.

He just gets up from his desk and he walks away. When he walks away, he leaves his computer unlocked, he leaves his badge on the desk, he leaves everything there. So, I go over to his computer and sit down and just start scrolling through banking screens, applications, I take a picture of his badge for cloning later. Then Ryan comes over and he starts hacking that computer. We now are on these two machines and we’re like okay, we’ve been in the ATM testing center, we hacked the network, we’ve run two different machines, it’s time for us to start exiting.

JACK: Ryan and Chris start packing up and planning their escape out of there.

CHRIS: We start thinking of an exit strategy and a woman comes over and she says what are you doing here? We’re like oh, we’re finishing up the PCI audits so we’re just testing speeds on these computers. She’s like okay, and she walks away. I’m like man, that was way too easy. Well, two minutes later she comes back with a manager and the manager says who is your contact here? I said oh, you know, I don’t have a contact here. She goes, everyone who’s allowed in the bank has a contact. How did you get in here? I said well, we’re working with that American audit company. I said the name and she goes, yeah, I know them. They’ve been here for the last month. I’m like right, and we’re just finishing up the audit on speed and other things, so I just was told to come do the test. I said, I can give you my American contact. She’s like no, I need your local. She goes, come with me.

JACK: She begins escorting Chris and Ryan to the security desk at the front door of the building. Now, Chris is already a step ahead. He thought [00:30:00] about what he would do if he got caught because it’s never over when you get caught. This mission has just changed to see if you can escape from being caught. Chris’s plan was pretty brilliant. Back in their van, in the parking lot of this building, is a third guy they brought with them.

CHRIS: He’s a local in Jamaica that works for a pen test company that was – the bank was his client, so they had hired us to come down and do the social engineering part. I said look, you sit in the van, you’re our local banker guy so you use this name and if they call, you answer as this, right?

JACK: Pretty clever. Someone with a local accent who could pretend to vouch for them might just be a pretty convincing fake get out of jail free card.

CHRIS: We get to security and she says check on these people, and then she leaves. I tell the security guy; I’m like look, you want to talk to my contact here at the bank? He’s like, yes. So, I call on the phone.

JACK: Chris uses his own cell phone to call his buddy who’s just in the van in the parking lot to pose as someone who works at this company.

CHRIS: I say hey, I need you to talk to the security guard. The security guard said so, you know, do you know these two people? We gave them the fake names ‘cause we have fake business cards. He said oh yeah, yeah. They work for this company, this auditing company. He’s like yep, that’s what their card says. He’s like yeah, they’re supposed to be there doing a speed and internet connectivity test. He’s like yeah, that’s what they were doing. He’s like okay, that sounds legitimate. He’s like, great, then please let them continue doing their job. That was it. Then at that point he said well, you’re verified.

I’m like okay, well, [MUSIC] we’re gonna just take a break and then we’ll come back ‘cause we, at this point, we didn’t know if going back into the building was gonna get us arrested. I don’t know about you; I’ve been arrested a lot of times on jobs in the states. Getting out of that’s relatively easy. I did not know how getting arrested in Jamaica was gonna be so we decided to exit the building. Plus, we hacked the network, we hacked the ATM stuff, so we were like yeah, we’re pretty much done here. So, we exited the building and then went to our next location.

JACK: All objectives on the first building have been accomplished; in and out, no problem, easy-peasy, at least to someone who’s as skilled as Chris and Ryan. Time to head over to the second bank building. The next one though, is where their NOC is. This is the Network Operations Center, the room where a bunch of network technicians and engineers are all actively looking for network security incidents within the bank’s network to resolve them. Well, Chris and Ryan are about to be two major network security incidents if they can get into the NOC. So, this should be an interesting match.

CHRIS: Inside the banking property which looked just like the other property; you know, the barbed wire fence, the whole nine yards. There was a smaller building that was surrounded by another barbed wire fence and that was the NOC. We ring the bell and the security guard comes out and he says what’s your name? I told him what we were doing and he looks at his list and he’s like, you are not on the list. I’m gonna need to call and get approval. I said, oh man, if you can – I said, look, we’re two Americans and we’re not used to the heat here. Can we come in and wait in the air conditioning while you make the calls and verify us? He thought about it for like, a good five, ten seconds and he’s like yeah, okay. He presses the button, unlocks the gate, and we get in. I’m thinking this is it; we’re gonna – while he’s in his office making calls, we’re gonna hack the whole NOC, we’re gonna be out.

He lets us into the front, we’re sitting by these two computers which I’m like Ryan, as soon as he leaves, this is it. He goes ‘kay, you guys wait here. I gotta go to my office. We’re like sure, no problem. We won’t move. We’ll just sit here in the nice AC. Thanks for being so cool. He gets up and he puts his head around the corner and he yells something to some guy. I couldn’t understand what it was. A second later this dude, I swear, [MUSIC] he was the biggest man I’ve ever seen in my life and I am by no means a small person. This guy made me look like a miniature human.

This guy must’ve been 6’10”, 6’11”, and he was as wide as a doorway. He had a flak jacket on that had knives at different intervals in his flak jacket. He had a giant billy stick on his one hip. On his other hip, he had a sawed-off shotgun, and then he had a handgun on the belt on his other side. This guy comes and he stands with his arms folded in the doorway. I just leaned over to touch the computer and he went mm-mm. Just like that. I went no, no, I’m not doing anything, man. Not doing anything. Ryan leans over and he’s like, I’m not gonna try it. I’m like, don’t try. Don’t try.

JACK: At this point Chris makes a decision; this is not gonna work. Time to figure out a way to escape. But you don’t want to just get up and run while this big guy with weapons is staring at you. But Chris has prepped really well for this and has a plan. [MUSIC] [00:35:00] That morning, before coming into this building, he compiled a lot of data on this company. He scoured the internet and researched a bunch of employees here and even made some phone calls to talk with some of those people. All this was done that same morning.

CHRIS: We went to LinkedIn and we pulled up the employees of this bank. Then we found ones who listed their phone numbers and we started calling people who were in positions that we thought would be able to say, like, that would be our contacts if we were legitimate auditors. So, calling the CISO or the CIO. What we wanted to do was call them, ask them a couple weird questions and nothing about audits. Just be like oh, hey, is this Joe? They’d be like, no, this is not Joe; to hear their voice and we were hoping that if one of them sounded a lot like our Jamaican contact, like, if they were older or if they had a rough voice or whatever, if they sounded similar, then we could have that guy play the part of the CISO and then give us that fake permission.

JACK: You get it, right? They were trying to find somebody within the company that sounded like their third guy in the van so that he could pretend to be the person on the phone. One of the people they tried calling was the Chief Information Officer. But when they called the CIO, they never got through.

CHRIS: The secretary said oh, he’s not in today. He’s on a business trip. He flew to another island. Then I just asked so, when will he be back? Well, not ‘til later this afternoon. Okay, great. We’ll call back then.

JACK: Now, he took this little bit of information he learned earlier that day and he’s sitting in the building with the NOC and this huge armed guard is staring at him. He waits for the other guard to come back.

CHRIS: When the guy came back, he’s like look, I can’t verify you. No one knows who you are. I’m a little worried. I said ah, you know, the guy who’s supposed to be in contact with us, I heard he’s off the island today. He’s on a business trip somewhere. He said yeah, that’s what they told me. That was the only thing that saved us because I knew a story that he had found out just now on the phone. I said yeah, well, that guy’s our contact. You know what? Why don’t we do this; he’s supposed to be back in a couple hours so why don’t we go?

We have another site that we’re supposed to go to. We’ll go do that site and then we’ll come back in a couple hours when he’s landed from his business trip. He’s like okay, that’s cool. We got the heck out of there and left and never came back. We had no other sites; we were done but we were like, we just needed to get out of there before King Kong broke us into little pieces, you know? We did nothing there. We didn’t hack that. We completely failed on that job but it was like, this guy could break both of us in half without thinking about it.

JACK: Failing is actually good. It means their security was better than Chris, and Chris is a professional. At this point, Chris and Ryan write up a full report and have a meeting with the client to go over everything.

CHRIS: Yeah, you know, that’s what I love about working with clients like that, is they were very happy. They weren’t mad, they weren’t like oh, you guys are jerks. They really loved the story, they loved how far we went, they loved that we also didn’t try to hurt anybody or damage anybody. They loved that we followed all the rules but mostly they just loved that we proved where their vulnerabilities were. ‘Cause at the end they said well, what could have stopped you? I gave them three or five different points of where we could have been stopped at any point in time.

JACK: I’m interested to hear those points.

CHRIS: Sure. The first point was when we entered the building on the phone. The security guard didn’t stop us and he should have. He should have said whoa, whoa, hang on, before you get upstairs, who are you here to see? I would have come up with the same fake name and he would have gone, I don’t see you on the list. Let me call upstairs and see if Jack is there, and when he called upstairs and there’s no Jack, I would have been stopped. That was the first time I could have been stopped. The second time is when I entered the ATM center with Ryan and the lady turned around and went whoa, what are you doing in here? I said, PCI audit. She should have said well, I don’t have you authorized in this room. This is a private room. It had a whole separate security system. She could have called downstairs to security and say hey, are there supposed to be auditors doing the ATM center? That may have triggered them to check in and I could have been stopped there.

JACK: Yeah, or just, she could have just shut the door and said…

CHRIS: Yeah, you’re not allowed in. The third time was when we were in the call center and I said to that woman, put your password in here. She should have said, I don’t think I’m allowed to do that; let me go get my manager, or just rejected entering her password. She didn’t do that. The fourth time was when we went over to the computer that the guy didn’t lock. He could have stopped us by locking his computer before he left for the bathroom. Then the fifth time was back at the security guards when we called the fake Jack and said, hey, yeah, here, talk to our contact here. He accepted that we were telling the truth and let us – was gonna let us back in.

That could have stopped us, if he was like, I’m not handling your phone. I want to call this guy directly on the extension I know. He took my phone which could have been any person and spoke to him as a bank contact. He could have just called the extension directly instead of trusting me. When I told him those five things, they were like yeah, those are all good points. I’m [00:40:00] like you know, you set training and you set policies in place and then you train them on those policies and you give them avenues to do this smart, and next time we will not be able to break in.

JACK: [MUSIC] A few years later, Chris and Ryan were back in the United States. They got a job to break into a building and gain remote access to the network inside. The guy who hired Chris and Ryan to try to break in was the head of physical security of the building. The head of security authorized this which is what made it legal and Chris had printed out this authorization letter and put it in his pocket because if all goes wrong, they’ve got this letter which says the head of security paid them to test this facility. They plan out their pretext or ruse.

They were going to pose as pest control which could get them access into the building and then from there, they could try to sneak a USB drive into one of the computers. They had a uniform, spray bottles, boxes, and more to look like they were actually doing pest control. They decided to go the night before to scout out the place. [MUSIC] It’s a big office building; lots of glass windows and even a glass door in the front. They came by at night. There was no security around. They tugged on the doors but they were locked. So, they decided to try an old trick.

CHRIS: Yeah, there were like, two glass doors that led into the place and they had a gap in-between them that was wide enough for us to shove a USB key through.

JACK: Their theory is that if they slip one of their malicious USB sticks through the gap of the door and into the building, when someone finds it the next day, they might be just curious enough to see what’s on it and plug it into a computer, which by the way, you should never do. USB keys can contain a ton of icky malware that you want to avoid. But if a user opened any of the files that were on this USB drive, it would create a reverse connection back to Chris’s server which would allow him remote access to that computer the user plugged the USB key into. They shoved this USB stick through the gap of the door.

CHRIS: There were two sets of these doors and what – sadly, the first door, perfect; we did great. The second door, nobody ever uses it and we didn’t know that. When we slid the USB key through, when someone found it the next morning, they went hey, you know that door that is like, totally never used? There’s a USB key on the floor there. That made security go look at the video tapes from the night before. They saw Ryan and I at the building outside sliding these keys through the door. We didn’t know that. None of this we knew. The next day we come and I’m reversing into my parking spot. I’m in this big, huge SUV and I’m reversing into the parking spot. I had just turned around to make sure I wasn’t hitting anything and I heard the door open.

I thought Ryan was getting out and when I turned back, there’s a cop that ripped Ryan out – a security guard, but an armed security guard who ripped Ryan out of the front door [MUSIC] and had him slammed on the hood and was cuffing him. Now, Ryan knows this, everyone knows this; look, if we gotta get away, I may run so I can come back and break in later. Like, you’re gonna have to deal with it. I put the car in drive like I’m gonna flee. He’s looking at me shaking his head like don’t leave me, man. I’m like, see ya, sucker. I’m just about to take my foot off the brake and a woman jumps out in front of the car with her gun drawn and she’s like, get out of the car. I’m like hey, hey, put the gun away. We’re all good. I put it in park and she’s like, get out of the car. I’m like, I’m not getting out of the car until you put the gun away.

I need you to put the gun away. She’s like, I’m not putting the gun away. We’re yelling back and forth and eventually I get out of the car. She was short. She must’ve been like, 5’2”, 5’3”, and I’m 6’3”. She slammed me on the hood so hard that it knocked my hat [00:45:00] and my sunglasses off and they flew across the hood. Before my face bounced off the hood, she had both my arms in cuffs. It was so impressive, I said, whoa, that was maybe the quickest cuffing I’ve ever had. It just came out of my mouth, right? She goes, you get cuffed all the time, don’t you, scumbag? I’m like, okay, I can see you’re very angry. I don’t know why you’re so angry. We’re just driving, pulling in here. We’re doing some pest control. She’s like, you’re not doing pest control, scum. Then she like, takes me up and she stands me up.

I’m like hey, it’s really hot here. It was the summertime in a really hot area. I’m like, can we go over to the shade? She takes us over to the shade. Ryan and I are now kneeling on the ground like in execution-style. We’re on our knees, both of us cuffed behind our back. They’re like, what are you doing here? Ryan whispers to me, give her the letter. I’m like, no, no, we can get out of this. I’m like, we’re here doing pest control. She’s like, you’re not doing pest control. I’m like, we are. I said look, go open the back of our SUV; you’ll see the – we had pest control sprayers and we had fake chemical cartons and everything. We had all the stuff that looked the deal. She’s like, you’re not here doing pest control. I’m like, just open it up and look. So, they see the pest control equipment and she’s like, I don’t believe you.

I’m like, I don’t know why you don’t believe me. Look, I got a work order. My clipboard’s in the car if you want to get it. She’s like, I’m not going anywhere, scum. What are you doing here? I’m like, I’m telling you, I don’t know how many ways to answer it. Then Ryan’s like dude, the letter. They’re getting mad. I’m like no, we don’t need the letter. Then the guy guard comes over and he’s like, why were you here at 11:00 last night? I’m like, crap. I’m quickly thinking and I’m like well, one of the things we were hired to spray for were scorpions and they don’t come out in the daytime. This breed of scorpion only comes out at nighttime so we came at night to just check the area to make sure that we were gonna spray at night. He said, we saw you on video. We didn’t see any sprayers. You were just walking around the building looking at our doors. I’m like well, we were just scoping it out.

We’re gonna do the spraying now and tonight. He’s like, what are you really doing here? I’m like no, I’m telling you, that’s the truth. Ryan’s like, give him the letter, dangit. I’m like no, man, we can do this. I’m feeling like we’re gonna win this, right? Then he goes, what about the USB keys you dropped? Then I’m like, crap. Yeah, now it’s over. I’m like okay, look man, there’s a letter in that clipboard. He’s like, I’m not grabbing your clipboard. For all I know, it’s some kind of device. I’m like no, no, just grab the letter please. You can grab the letter. The lady goes over, she grabs the letter, they open it and they see the contact name and they know him personally and they’re like that mother. I can’t believe it.

I’m like, yeah. Yeah, he’s a real jerk. That guy’s a jerk; you should uncuff us. We’re buddies. She’s like, we’re not uncuffing you, scum. I’m like, no, come on, we’re not scum anymore. Now you know we’re good guys, right? She’s like, no. We stayed kneeling there on the ground for like, ten more minutes while we waited for our contact to come out who we found out was in the bushes filming us getting arrested. We’re like, really, man? He’s like, this was great. These guys did so good. I’m like yeah, they did great, but you could have saved us. He’s like no, this was awesome.

JACK: The name on the letter was actually the security guard’s boss. Once they called him and he said yep, this is all a test, the situation calmed down and the security guards eventually started laughing about this whole situation and started asking Chris and Ryan what are their jobs as pen testers? Everyone started being more friendly.

CHRIS: The whole time, I’m grilling them for info. I’m like, so yeah, you guys did really good. We should have come later but you’re probably here twenty-four hours, right? They’re like no, no, no. No security here is after 7:00 p.m. I’m like oh, yeah, we should have chosen then. That’s too bad. I got their schedules, you know, like from them just by talking. Then we come back that night at like, 9:00 p.m. after they’re gone and we break into the place and we break into their office. We stole their badges and some of their stuff for getting into other buildings. Then I left all of my pest control equipment on their desks with a big thank you note and a couple smiley hearts. The next day when they came in, they knew that we had broken into all the cameras and us stealing their stuff, but then our pest control equipment was on their desk. A little fun humor back and forth.

JACK: [MUSIC] Okay, for this next story – actually, can I just take a moment and say thank you for being here as a listener? I mean, look at this; we’re what, forty minutes into this episode and you’re still with me? [00:50:00] It’s unbelievable. Just, thanks so much for being here with me, right here, right now. For you, the listener who’s made it this far, I have something I’m really excited to be able to share with you. This is a rare find and I’ve been looking for something like this for quite a while so I was really excited when Chris said he could do it. The story starts with Chris doing a phishing campaign against a company with the goal of raising security awareness for the company.

CHRIS: In this particular test, we started off with a phishing e-mail and it was out to 1,000 people. It was about a brand-new iPhone. To register to win one of the brand-new iPhones, all you had to do was go to this website and put in your credentials for your computer. It was a corporate-sponsored raffle so you went to a site that looked like your corporate site, entered the info, and then you were entered to win one of these iPhones.

JACK: So many of the people in this company wanted a free iPhone and the e-mail looked like it was sponsored by the company itself, so the employees were like heck yeah, let me register to win this thing. From this e-mail alone, Chris got 750 people to click the link and then go to his website and enter in their work username and password. It’s insane. At this point, you could send each of these people an e-mail explaining how the raffle was just a test and they failed. That could be the end of the security awareness training. But besides raising awareness, Chris had a secondary objective which was to also gain remote access to the network inside. He comes up with a plan.

CHRIS: We had their username and password but our job was to gain access to their network remotely. The goal was to call each one of these people and tell them that the link they just clicked on was a phish and that they had the – hopefully they went when they were notified of that, that it was a phish, that they had to go change their password and that once they changed their password, we had to just make sure that there was no residual malware on the computer from clicking that phish. To clean their system, we created a PC cleaner program for them that would clean their machine from any malware. Of course, it was not a PC cleaner; it was a meterpreter reverse-shell that gave us access into their machine.

JACK: The goal was to call like, twenty-five people who clicked the link and somehow convince them to run some malware. This is vishing which is voice-phishing, but like I was saying earlier, it’s the same thing that con artists have been doing for a hundred years. Chris changed into Paul and acted like he’s from tech support. He e-mails one of the people who clicked the phish and told them hey, look, this was a phishing e-mail. You clicked it. You shouldn’t have; change your password immediately. Then Chris, or Paul now, calls up the employee. Here’s the actual vishing call that took place.

CHRIS: This is Paul from tech support. How you doing?

MSPKR: Good.

CHRIS: We got that you filled out for that iPhone, the iPhone…

MSPKR: Yep, yep.

CHRIS: You went in and did your password change?

MSPKR: Yes, I did.

CHRIS: Okay, excellent. Just wanted to tell you that was really good. That’s the way it should have been handled.

MSPKR: Okay, yeah. As soon as we realized it, two of us jumped right on it.

CHRIS: Okay, so there was another guy on your team that – also?

MSPKR: Yeah, I think it was JR [CENSORED].

CHRIS: JR? Okay. Just gonna write down that I’ll be talking to him later on. Just to follow-up what we’re doing, are you on the VPN right now? You’re on your work machine?

MSPKR: Yes.

CHRIS: Okay, I’m gonna give you an internal address. It’s an FTP site that we set up for the [CENSORED] employees. You can go there; you can see there’s one file there you’ll be able to download and it will just clean up any residual mess from that website that we did – that we used for the audit.

MSPKR: Okay.

CHRIS: So, if you’re at your machine, just open up a browser and I’ll give you the address.

MSPKR: You mean like go on like I’m gonna send an e-mail? I’m not real…

CHRIS: Well, Internet Explorer? You can open up that.

MSPKR: Okay, yep, I got the – okay.

CHRIS: Then up at the top line, the address, type in ftp…

MSPKR: Ftp?

CHRIS: Yep, F as in Frank, T as in Tom, and then P as in Paul, and then a colon. Then two slashes and these are the slashes that are by your question mark, the same button as your question mark.

MSPKR: Gotcha; ftp. Okay.

CHRIS: Then the word is update- and the dash is like the minus sign.

MSPKR: Gotcha.

CHRIS: [CENSORED].com.

MSPKR: Okay.

CHRIS: When you close that, you should open up – it should say index sub and it should have one file. There’s a file called [CENSORED] PC Checker.

MSPKR: Okay, yeah, no, it’s here. Okay, double-click on that?

CHRIS: Yeah, click on that.

MSPKR: Okay.

CHRIS: It should download or it should ask you [00:55:00] if you want to Run or Save. Click Run.

MSPKR: Okay.

CHRIS: If everything goes good, you should get no alerts. If you have a residual problem from that site then you’ll get a message but if nothing happens, then everything’s clean and good and we’re done.

MSPKR: Okay, I just got a second thing. It said, ‘The publisher could not be verified. Are you sure you want to run this software?’

CHRIS: Yeah, click OK.

MSPKR: Run again? Okay, now it took me back to the original screen.

CHRIS: Okay, that’s good. If you got no error message, then you’re good to go. You’re clean.

MSPKR: Okay, well, thanks for the help.

CHRIS: Not a problem. We’ll talk to you later.

MSPKR: Yeah, sorry about clicking on that.

CHRIS: It’s okay, thanks for thinking about it afterward though.

MSPKR: Okay, man. Alright, thanks.

CHRIS: Bye.

JACK: Just like that, Chris has gained remote access to this guy’s computer. He can now do anything he wants on it; open a webcam, turn on the microphone, record keystrokes, transfer files, screenshot the desktop, or move to another computer deeper inside. This is fascinating so let me break it down for you. [MUSIC] The company had state-of-the-art network equipment, a firewall to block all the bad connections coming into the building or going out of the building, an intrusion detection system to inspect traffic coming and going and blocking anything that looks malicious. The employees all have antivirus on their PCs too, to stop any bad software from running. But of course, none of their security listens for phishing phone calls.

It bypasses all that. That’s one problem. Then Chris got the employee to download this executable software. They downloaded it and ran it. There was a warning; are you sure you want to run this kind of thing? But the computer didn’t lock it from running. Once the program was run, it started a reverse connection back to Chris’s computer. To all of the security devices in the network this simply looked like a regular web request to Chris’s server, and from there, Chris was able to ride that connection back into the employee’s PC and get in. This is easily set up, too, with a tool called Metasploit. This is just a reverse-shell put on the victim’s PC. Antivirus doesn’t stop it, either.

CHRIS: No, because it wasn’t seen as a virus.

JACK: It’s taking advantage of the built-in remote-control capabilities within Windows itself. Even a fully-updated computer has the ability to run remote-access commands on it and that’s all this did. When you get someone inside the company to run this program, it’s all it takes to bypass everything that’s supposed to stop it. Scary stuff.

CHRIS: I think a lot of times when we talk about this topic, people go ‘I would never fall for that.’ When you hear this guy, he sounds like a normal, everyday guy, a guy you probably work with. He sounds like just an average dude. He’s not dumb, he’s not just throwing security to the wind. He sounds like your average, everyday guy and he’s just like oh my gosh, I can’t believe I clicked on that phish. Thanks for helping me. I don’t like that phrase ‘there’s no patch for human stupidity.’ We don’t use that because that means that everyone that falls for these things is stupid and I don’t think that’s true. This guy wasn’t stupid. I think when people hear the call, they get to put themselves in it and go yeah, I get that.

That could have been me. There probably are some current steps that companies can take to stop these things. This was a couple years ago; now we’d probably have to do a little more fancier footwork with meterpreter. I do think a lot of antiviruses do detect reverse-shells now. Maybe a packet inspection system could have stopped this but we embedded this just in a normal .exe over an encrypted tunnel and had no malware in it, no trojans, and no viruses. We wanted to get on the machine and then exploit it once we were on. It literally was, for any lack – intents and purposes, it was like opening up an SSH server on the box. That’s it. It was just opening up a reverse connection.

JACK: Now, a lot of my listeners ask me all the time, how can you practice social engineering? So, I asked Chris.

CHRIS: [MUSIC] This is a question I get all the time in my classes ‘cause you really can’t just go out and break into places or phish people for fun. I say look, when you look at SE as a science, it is literally just learning how to communicate with people on a level that they like to be communicated with, learning how to get that person to open up to you. You could do that without having to be a pen tester. Maybe not now ‘cause of Covid-19 but you could do this with delivery people, you could do this when you go to Starbucks the next time.

You can have a conversation with a complete stranger and get information from that stranger that’s non-malicious. What is their full name? Where do they live? What job do they have? How many kids do they have? Are they married? What did they do in their career? Where’d they go to school? All these questions which are [01:00:00] vital to understand about a person that you’re – if you’re a pen tester, you can get in a normal conversation. The more comfortable you are just having a conversation with a random human, the easier being a social engineer will be when it’s time to do it for a living.

JACK: If you want to know more about social engineering, check out Chris’s book Social Engineering: The Science of Human Hacking. Make sure you get the updated second edition. This is a great book which breaks down all the concepts of how to be a great social engineer.

CHRIS: That’s probably my favorite book that I’ve written. I’ve written four and that one is – I feel like it’s eleven years of my experience and science behind it, so unlike the first edition of that which was very new and it was not very well-written, this one I feel was like, really done well. Like Cialdini’s book called Influence, that’s an amazing book. Joe Navarro’s book on What Every Body is Saying is just a phenomenal book. Ekman’s book on Emotions Revealed, all about nonverbals, is truly a great book.

Amy Cuddy’s book called Presence on getting yourself into character; I could just kind of list books after books about books that I’ve read that are integral to my life that may be not about social engineering but they’re about an aspect of communications and social engineering. Robin Dreeke’s book on The Top 10 Ways to Build Rapport with Anyone Fast. These books are integral to understand them if you are going to be a social engineer.

JACK: Of course, I’ll have links to all these books and more in the show notes so make sure to visit darknetdiaries.com/episode/69. Besides being the Chief Human Hacker for his company and writing books on it, Chris has accomplished so much more. He’s the one who started the social engineering village at Defcon which is the most popular village at Defcon. It has some great talks but it also has a competition where contestants have to social engineer someone live on stage over the phone in front of a crowd. It’s awesome to watch and to learn new tricks.

I might have to do an episode just on that village alone one day. On top of that, he started a non-profit called The Innocent Lives Foundation where people use OSINT and hacking skills to try to help authorities find and capture child predators or human traffickers. I think we’re gonna have to have Chris come back on to tell his stories about that and more, but we’ll have to save that for another time. Wow, thank you so much for sharing this. I’m gonna leave it with this last question; have you ever been phished?

CHRIS: Yes. You know, I love that question because I think sometimes people that are in the industry don’t want to talk about the times they were hacked. Yeah, I got phished hardcore. I probably have been phished a couple times but the most notable to me, ‘cause I fell for this hook, line, and sinker, is – I am an Amazon junkie. I love – I buy everything on Amazon that I can. I was preparing for Defcon and I must have ordered like, ten, twenty things for the kid’s competition out of Vegas. I’m packing up my office for Defcon and I get an e-mail that looks just like an Amazon order e-mail and it says one of your recent orders will not be shipped due to a declined credit card. Everything I always tell my customers is don’t ever click those links in the e-mail.

You open up your browser, you go to amazon.com, you log into your account, and it will tell you exactly what the problem is. But not critically thinking, being stressed about Defcon, packing my office, seeing that e-mail, going oh my gosh, how can it be declined? My credit card never gets declined. I clicked the link. The browser opens, I go to a page that says – it looks like Amazon login page. It looks identical to it but I’m one of those guys that has my username saved but not my password. I start typing my password and when I go to click the Submit button, before I click it, I realize my username’s not there. I’m like, what the heck? My username’s always there. I look up at the URL bar and it was like, somethingsomething.ru. I’m like, oh my gosh, I just got – I just clicked a phish and literally fell for it from a Russian site.

Of course, you know, cleaned the computer, changed my passwords, burned the house down, sell the family, move to another country, do all the normal things you do when you click on a phish. Then I tell my team; I’m like, I just got phished. I’m never telling anyone. That’s so embarrassing. Then one of the people on my team, she’s like, you need to tell the whole world this story. This can help so many people ‘cause you’re the guy who wrote the book on phishing. You need to tell the story how you got phished. I thought about it and I’m like yeah, that’s a pretty good point. I do tell the story now but I fell for that 100% because that e-mail, if I did not look at that URL bar, I would have clicked Submit and given them my credentials. The only thing that caught me was the one flaw that my username was not in that box.

Otherwise I fell for that thing 100%. Later on, when I went back and inspected the [01:05:00] e-mail, it was like, for a George Foreman Grill and some Lee press-on nails. It was like, not even real items that I would ever order. I’m like oh my gosh, if I had just read the dang e-mail, I could have caught it. If I had looked at the URL bar, I could have – if I opened my browser and typed the address. There’s like, five ways I could have caught that phish and I ignored them all because of stress and lack of critical thinking. I’m like yeah, yep, I’ve been phished, man. I’ve fallen for it.

JACK (OUTRO): [OUTRO MUSIC] A big thank you to Christopher Hadnagy, the Human Hacker, for being here. You can learn more about him by visiting social-engineer.org or check out his podcast which is just called The Social Engineer Podcast. As always, for every episode, there’ll be links of all this stuff out on darknetdiaries.com so head over there. While there, check out the bonus Darknet Diaries episodes. These are exclusive to Patreon members.

If this show brings value to you, if you’ve binged through all 69 episodes now and can’t wait for the next one, keep in mind, you got all that entertainment for free and it’s because of the help of Patreon members that this show keeps running, so please consider joining Patreon to help support the show and unlock some bonus episodes. This show is made by me, the ghost in the shell code, Jack Rhysider. Sound design and original music was created by the sometimes-bored Andrew Meriwether. Editing help this episode was by the devilish Damienne, and our theme music is by the maraca-wielding Breakmaster Cylinder. Even though when management sends me an e-mail, sometimes I write back with just ‘Unsubscribe’, this is Darknet Diaries.

[OUTRO MUSIC ENDS]

[END OF RECORDING]

Transcription performed by LeahTranscribes