Two examples of using social engineering: one for a scam and one for intercepting OTPs. From personal experience.

Man

Professional
Article topic: Social engineering and fraud: an analysis of my cases and my experience.

Preface:
I'm not very good at the technical side, so I couldn't write articles for the competitions here before. Now I've seen that articles on SE and fraud are accepted, so I can write something here :) I hope it will be interesting and informative for you, the readers.

I will describe two examples of using social engineering in practice, both of which I carried out personally. In the first, I will describe how I earned $2,000 in a scam from two people (administrators of Telegram channels) in 3 days, using only SE + a website for the scam.

In the second, I will describe how I used SE to intercept an OTP to log in to the app of the bank I needed; following this example you can, in principle, intercept OTPs for various popular services, banks, etc.

I want to say in advance that the second example, with the OTP interception, will in my opinion be more interesting to this forum's audience, so it is better to start reading from it. The first describes a typical scam as it is, and SE is used there differently, more precisely on the victim.


Example one: "Scam, SE + Fake crypto exchange"

- Part one "Preparing for a scam"

I think many of you know about the type of scam that uses your own fake crypto exchange. The essence is as follows: you can put any balance on the accounts of this exchange and a transaction history on all accounts, your own and the victims', answer on behalf of technical support, etc. In short, you have full control, and the situation can be scripted as far as your imagination allows. When the victim tries to withdraw the fake balance from our exchange, an error pops up and a message asks them to verify the external bitcoin address to which they are trying to withdraw. For verification they need to send a certain amount of bitcoin from this external BTC address to their account on the exchange, after which the address will pass verification and they will be able to withdraw.

The first thing you probably thought was "we know this scam, it's a kiddie one and public in general". Don't rush; I will now describe how you can make a couple of thousand dollars on such a public one.


What is needed for this? The first thing is to come up with a situation that leaves our future victim with a balance on our fake crypto exchange. There is a fine line here: we need exactly the kind of target audience that seems to have money, does not really know about bitcoin, but is not afraid to use it.


I came to the conclusion that I would scam owners of Telegram channels, owners of YouTube channels, and bloggers on Instagram. Do you already understand how? Exactly: I would buy advertising from them in bulk for cryptocurrency.

You probably also understood why this particular category of people: because they mostly do not work with crypto, they have money, and they will not be afraid to use crypto, especially when a bulk order promises them a big profit.

So, we have found our target audience; next we need a way to contact the victim. With Instagram and Telegram you can write directly in DMs on behalf of an advertising purchase manager, but with YouTube it is more difficult.
By this point you should already have a rough idea of what you will allegedly be buying wholesale advertising for. I decided it would be the Vivaldi browser. Do you know why? Because Vivaldi lets you create an email address on the @vivaldi.net domain, while the vivaldi.net website itself has no "create email" or "login" button. The victim we write to by email with an offer to buy wholesale advertising for the Vivaldi browser will go to the website of our email's domain and see the browser's official blog, with no hint that anyone can create such an email there.

- Part two "Searching for victims, English and Russian audiences"
You should have a ready-made example of the post you will hand over for advertising (in the case of Telegram / Instagram).

With YouTube it is more difficult, but you can still simply find real advertising materials of the reputable company on whose behalf you are going to buy. For YouTube it is best to find a pre-roll; if you can't find one, you will have to cut a video about what you are advertising and sit down and come up with another text that the YouTuber you are buying from will read over your video.


I started searching for victims the same way I wrote above: I wrote to YouTubers by email from the Vivaldi mail, choosing an English-speaking audience. I drafted the first message: an offer to advertise our Vivaldi brand, a question about the price, a discount for wholesale. It is also advisable to prepare an agreement for the purchase of advertising; templates can be found online.


I wrote to the admins of the Telegram channels in Russian. The standard start of communication: I ask for the price list, when free slots begin, and whether they can give a discount when buying advertising for a month (for example, 1 post per day; come up with a schedule that you will give to the manager and bargain about the discount, this will give him confidence).

When we have discussed everything, the schedule, prices, discounts (the total price that you must send to the person should be at least $2,500 in bitcoin), and our victim has noticeably gotten excited in anticipation of a large profit, it's time to ask whether he objects to payment in bitcoin. Why such a payment? At this point I explained everything by saying that taxes on advertising are too high, and to optimize taxation we buy some advertising for bitcoin. We also say that we will help with withdrawing the bitcoin to a card / bank account, we will explain everything, and the advertising can only be launched once you have withdrawn the money. Naturally, we will cover all commissions for this.

- Part three "Scam, profit x2, x3, etc."

First, I'll give an example of how my idea worked out on Telegram.
I wrote to admins for about 3-4 hours, I was in no hurry, and I wrote to about 50 admins. The main problem was that many started to dodge the offer to accept payment in bitcoin. This is solved, firstly, by taking admins of not the largest channels (50-100k subscribers is normal; just take a large wholesale order of advertising so that the amount is tempting) and, secondly, by adding officialdom in the form of an agreement sent to the admin's email (again, from the vivaldi.net domain). On the first day I came across a victim on Telegram, to whom I naturally explained that she needed to set up a wallet on her phone, withdraw to it, and then go from it through an exchanger to a card. After the victim registered, I put a fake balance on her account for the amount for which I had purchased advertising; she already knew about withdrawing through the exchanger. Here she tries to withdraw to the wallet installed on her phone, there is an error during the withdrawal, and the victim naturally writes to me. I answered that I did not remember anything like that, since the account I transferred from is a corporate one, and advised her to write to the exchange's technical support.

The victim writes, and we, not immediately but after 1-2 hours, answer on behalf of the support team that withdrawal is available only to a verified external BTC address; since your account was not funded from an external address, you do not have a verified external BTC address for withdrawal. To verify the address, make a deposit to your exchange account from the address to which you want to withdraw in the future. The most important thing when communicating on behalf of support is to write exactly like support. Start with "Hello, thank you for contacting us" and end with "Sincerely, cryptocoinvalley.com support". Also, ideally, the exchange is not Russian, and on behalf of support you accordingly also do not communicate in Russian. That is exactly what I did.

Then the victim may write to us again and ask for advice; it is best to drag out time and say something like "wait, I will check with other employees", and after a while write that yes, everything support told you is correct, you need to verify the external BTC address with a deposit. My first deposit was $200. An hour or two after the victim's deposit, she tries to withdraw, again sees an error, and writes to support again. Here we start using our imagination. I said first that you paid exactly $200, but you needed $200 + 1% for the external address to be verified, and accordingly I changed the error text on withdrawal, adding the 1% there. It may seem stupid to you now, but believe me, just believe me, people pay.

After the second payment the person tries to withdraw again, again an error, writes to support. I wrote next that you entered the wrong amount, here is the exact amount in BTC that you should have entered *the amount of BTC equivalent to $204*; the person may grumble for a day but will make the third payment in 90% of cases. After that the victim tries to withdraw funds again, again an error, writes to support. Here I brought in the technical part: since we have access to edit anything on the site, I edited the BTC amount that the victim wrote in the previous request, for example, if 0.01232 BTC was written, I edited it to 0.12332 BTC and pointed out to the victim that she had again entered an incorrect amount of BTC for verification of the external address. This is how I managed to find two TG channel admins; both admins sent me about $1k in BTC, one seemingly about $800 and the second the full $1,000. Unfortunately no screenshots remain, it was about a year and a half ago. Finding them + receiving all payments from them took about 5-7 days. Then I gave up because the routine quickly got on my nerves; it is very difficult to first find channels and then write to the admins.

After the success with TG I somehow gave up on YouTube, but I still think you can make a pretty good profit by scamming foreign YouTubers this way.

Example two: "Intercepting OTPs for popular services, banks, etc., using SE"

Now I will tell you from practice how you can mass-intercept OTPs for any popular services, banks, etc., in general from places where some information (for example, card number, phone number) + an OTP is required.

I needed interception for one bank. The bank asked for a phone number and card number, and after that data was entered, an OTP. Here's how I solved it:
Make an Instagram account and design it as a store; choose any theme for the store, but an electronics store is better. We boost it to 8-10 thousand subscribers (set the speed low), and over a week we post on the chosen topic; 3-5 posts a day is fine. It is better to make posts with the store logo; it is easy and fast through services like Canva.

After you have finished designing the profile, we make an advertising post; we will advertise a giveaway. Naturally we advertise by purchasing ads from admins/bloggers; we choose bloggers for your geo so that at least 60% of their subscribers are users of the service/bank for which you need the OTP.


Our giveaway can be either a payment to a card (of the bank/service you need) or equipment (like an iPhone or a game console; such participants can also later be steered toward receiving a payout from us for the subsequent OTP interception). The main thing is that there are 10 or more prize places. For example, a giveaway of $50,000: 10 prizes of $5,000 each.

In the giveaway post we state simple rules: write a DM to our Instagram account + subscribe to us. The end date of the giveaway, how the winners will be chosen, etc., all the necessary details.

We record a video in any randomizer as you randomly generate 10 numbers, or 15 or 20 (depending on how many prize places you have), and save the video.

When people who want to participate start writing in DMs after the advertisement, we send them participant certificates. Each certificate must have a number, and necessarily a winning one (you can do this using a downloaded template in MS Office or in design services such as Canva). We send each person in turn a certificate with a winning number from the 10 or 15 certificates made (depending on how many prize places you have); send the certificates with winning numbers in rotation, do not send everyone the same one, as that cuts the conversion rate several times over, since people can be friends / relatives, etc. The main thing is that everyone has a winning number.


When the advertising has ended and the day of announcing the giveaway results approaches (by the way, you don't have to delay this: if the advertising runs today, set the end date of the giveaway in 1-2 days), when the date has come, we publish a post with the pre-recorded video where you receive the winning numbers in the randomizer.



People will see the posted video, check their certificate and write to you; the influx will be large and will gradually subside. They will write and ask how to receive their winnings. Naturally, each person will be very excited and happy, which is what we need.



Now look: if your giveaway was for money and you need an OTP for the bank, we prepare a payout phishing page in advance, phishing supposedly for receiving a payout: fields for entering the data you need, then a field for entering the SMS code, supposedly to confirm the transfer of funds. (I made it from a script leaked on the Internet that sends the data to a TG bot; I just changed it to the data I needed. Instead of collecting card + date + CVV + SMS as the script did, I kept the card and added a phone number. After the victim pressed the "receive payout" button, I took their card + number, entered them into the app of the bank I needed to log in, and waited until the victim entered the OTP on the phishing page.)

With a giveaway for equipment or something else, it takes a little longer and is more tedious because of the necessary communication with a large number of people who write in.

How to do it: tell people that they must pay a large amount of tax / customs / delivery, and that payment must be made in advance. Absolutely everyone will be indignant, say that you are a fraudster, or immediately ask whether it is possible to transfer the prize's value to their bank / card instead. We agree to send the winners its value instead of the prize, we say that we can pay to the service / bank you need, and accordingly we prepare the phishing for this in advance.

That's basically it. Also, in theory, this scheme of traffic plus OTP phishing can be used to collect CCs, but I have not done this and I don't know what the conversion would be. Although, I'm lying: for fun I manually asked 5-7 people for full card details for the payout, and I remember two of those 5-7 sent them to me.

I hope it turned out interesting and, most importantly, useful and within the rules of the competition; thanks to those who read at least one of the examples to the end. Of course, I am not a top scammer or social engineer, but I tried, described what I used myself and earned good money on it. Experience, profit and happiness to everyone. And yes, if there are mistakes somewhere, or I thought of and wrote some information twice in one paragraph or something like that, I apologize in advance; I skimmed it before publishing and corrected a couple of things, but probably not everything.
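Added example, not part of the original post and not the author's script: an in-memory model of the OTP relay described in the second example. A toy bank issues a six-digit SMS code when a login is started with a card number and phone; the attacker starts the login, the victim reads the real code off their phone and types it into the attacker's "payout" page, and the attacker forwards it, which the bank cannot distinguish from the customer typing it into the real app. The second half goes beyond the post to show the check that defeats this relay: a challenge signed together with the origin the user is actually on (the way WebAuthn binds an assertion to its origin), so a response produced on the phishing origin fails verification even though the challenge inside it is correct. The bank, phone, origins, card and phone numbers are constructed placeholders, and `sign` is an HMAC stand-in, not a real signature scheme.

```python
"""Toy model of the OTP relay from the second example, plus one hardening.
Constructed for illustration only: bank, phone, phishing page and
authenticator are in-memory objects, not any real service or kit."""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"     # hypothetical origins
PHISH_ORIGIN = "https://payout.example"


class Bank:
    """Toy bank back end. customers: {(card, phone): enrolled_device_key}."""

    def __init__(self, customers):
        self.customers = dict(customers)
        self.pending = {}       # login_id -> pending login state
        self.sms_gateway = {}   # phone -> list of delivered SMS texts

    # --- Weak flow: SMS OTP, accepted from whoever types it -------------
    def start_otp_login(self, card, phone):
        if (card, phone) not in self.customers:
            return None
        login_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = {"cust": (card, phone), "code": code}
        # The SMS even states the purpose; the relay still works because the
        # victim was told to expect a code "to confirm the payout".
        self.sms_gateway.setdefault(phone, []).append(
            f"{code} is your code to LOG IN on a new device. Do not share it.")
        return login_id

    def finish_otp_login(self, login_id, code):
        entry = self.pending.pop(login_id, None)
        if entry is None or "code" not in entry:
            return False
        # Nothing ties the submitted digits to the phone that received them.
        return hmac.compare_digest(code, entry["code"])

    # --- Hardened flow: challenge signed together with the origin --------
    def start_bound_login(self, card, phone):
        if (card, phone) not in self.customers:
            return None
        login_id = secrets.token_hex(4)
        challenge = secrets.token_hex(16)
        self.pending[login_id] = {"cust": (card, phone), "challenge": challenge}
        return login_id, challenge

    def finish_bound_login(self, login_id, response):
        entry = self.pending.pop(login_id, None)
        if entry is None or "challenge" not in entry:
            return False
        expected = sign(self.customers[entry["cust"]], entry["challenge"], BANK_ORIGIN)
        # A response produced for any other origin fails even though the
        # challenge inside it is the right one.
        return hmac.compare_digest(response, expected)


def sign(device_key, challenge, origin):
    """HMAC stand-in for an authenticator signature (toy, not a real scheme).
    Models WebAuthn's binding of the assertion to the origin the user is on."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def read_code_from_phone(bank, phone):
    """Victim reads the latest SMS and copies the six digits at its start."""
    return bank.sms_gateway[phone][-1].split()[0]


def otp_relay(bank, card, phone):
    """Attacker starts a real login with the victim's card + phone; the victim
    gets a real code and types it into the phishing page; the attacker forwards
    it. Returns True when the attacker ends up logged in."""
    login_id = bank.start_otp_login(card, phone)          # attacker's session
    code_typed_into_phish_page = read_code_from_phone(bank, phone)
    return bank.finish_otp_login(login_id, code_typed_into_phish_page)


def bound_relay(bank, card, phone, device_key):
    """Same relay against the bound flow: the attacker forwards the challenge,
    but the victim's authenticator signs it for the origin it is really on."""
    login_id, challenge = bank.start_bound_login(card, phone)
    response_from_phish_page = sign(device_key, challenge, PHISH_ORIGIN)
    return bank.finish_bound_login(login_id, response_from_phish_page)


def legitimate_bound_login(bank, card, phone, device_key):
    """Control case: the real customer on the real origin still gets in."""
    login_id, challenge = bank.start_bound_login(card, phone)
    return bank.finish_bound_login(login_id, sign(device_key, challenge, BANK_ORIGIN))


def demo():
    card, phone = "4111111111111111", "+10000000001"   # constructed placeholders
    key = secrets.token_bytes(32)
    bank = Bank({(card, phone): key})
    return {
        "otp_relay_succeeds": otp_relay(bank, card, phone),
        "bound_relay_succeeds": bound_relay(bank, card, phone, key),
        "legitimate_bound_login": legitimate_bound_login(bank, card, phone, key),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the weak flow accepts a secret that the victim can read out and retype, so any party who can get the victim to retype it wins; the bound flow accepts only a response computed over the origin the user's authenticator actually saw, which the attacker's page cannot make equal to the bank's. Wording the SMS clearly (as the toy bank does) helps but does not close the hole by itself.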
 