Penetration Testing: Re: Testing the user community

[Nicolás F. Iglesias <nfiglesias () gmail com>]

Once, i did a personalized phisymail from a personal PC, catched through 
Netbios. The intrusion was as follow:
- I found a Winbox on internet, from Dr. X (i don't remember his real name). 
He has the netbios opened, so it was easy to broke his lan.
- I learned, from DOCs, LOGs, websites visited and all data i found on his 
HD, who was and what kind of person he was.
- I wrote an email, using a language according to his "personality" 
(university phd and so on...) and i "invited" his contacts to test a 
financial software (he and his contacts, all working on economy and 
finances).
- The fake soft has a keylogger on it. The logs was sent to my free 
emailaddress.
- In a few days, i was able to see all data from his friends and very 
interesting people (one working at my country's defense agency as an IT 
consultant), bank accounts, credit cards,etc. But it just was a nice 
experience and i didn't stole a penny.
What i'm trying to expose is that, on phishing, you have to develop social 
engineering.
NiCo 

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------