by guylhem on 4/30/13, 12:16 AM
The title is a bit misleading. It's not an attack, more like well done social engineering.
But the context is very helpful - especially with the amount of detail you provide, along with the email exchange, one can see the target was totally abused.
The lanyard, laptop, false recruiting - you really overdid it, but I mean that in a positive way. I like it, it's so great - you could almost make a movie out of it ;-)
That's creative thinking. Congrats on your victory.
by ivybridge on 4/29/13, 11:24 PM
You would have been better off forcing them to register on your site to submit the resume, then check if they reused a password. Also you exploited trust in a way that could easily lead back to you.
by noonespecial on 4/30/13, 1:37 AM
The best attacks are always the ones where the victim is truly surprised at how far you were willing to go to pull it off. So are the best magic tricks.
by bluehex on 4/30/13, 2:40 AM
I felt pretty bad for the target. Even though he was fairly warned, and knew to expect social engineering attacks, you could see he was quite excited about the potential opportunity at X co; else he wouldn't have put so much energy into that looong email exchange. Poor, guy. But good lesson, I suppose.
by cdwhite on 4/29/13, 10:23 PM
by shmageggy on 4/30/13, 2:18 AM
I thought "Please find attached herewith my resume for your kind perusal" was a joke but apparently that's how this person really responded. Recruiters: how does this forced, over-formal tone affect your impression of a candidate?
by jabbernotty on 4/29/13, 10:48 PM
> With this level of trust it would be feasible to gain access to information protecting online accounts, a very scary thought.
Does he mean 'feasible to gain access to login information for online accounts'?
I have read the page, and i'm not seeing it.
Yes, according to the page they had access to some degree of personal information beyond the more publicly accessible.
But that isn't the same as having access to their online accounts, or being near to getting it.
by louthy on 4/30/13, 1:32 AM
Very enjoyable read. Congratulations on your success, I can only imagine how stunned they were!
by sohamsankaran on 4/30/13, 4:12 AM
Interesting. If the author is still around, I have a question - would the whois data have given you away, or was this faked/spoofed in some way?
by jsumrall on 4/29/13, 11:51 PM
I was hoping that by getting them to sign up with the recruiter you would have used that to intercept communication.
by tempestn on 4/30/13, 12:04 AM
Is Xrecruting.com a typo in the blog post, or in the domain actually registered?
by cbhl on 4/30/13, 4:04 AM
Found this a rather amusing read. Best of luck on your exam!
by justx1 on 4/30/13, 6:31 AM
Well played...
Missing to redact X.com's phone number allows "social engineering" of the company name, though.
by pit on 4/30/13, 12:35 PM
Wait a minute. Isn't this guy an asshole?
by iancarroll on 4/29/13, 10:23 PM
Duplicate.