I’m super excited for this talk by @ChristinaLekati about social engineering through social media at #Hacktivity2019 !
Social engineering isn’t all about charm and luck — it involves a strategy & a plan, always.

You gather everything you can about the org, identify the best target based on ROI (highest reward + lowest risk of detection), then craft a story to approach them.

- @ChristinaLekati
Facebook scams were the #1 way to breach networks according to a Cisco report in 2017.

Hence, SOCMINT is becoming such a popular strategy — it helps tailor their operations & also people are shy to report “emotional compromise”
Case study by @ChristinaLekati in her #Hacktivity2019 talk: Mia Ash, used by “Cobalt Gypsy”

They first tried PupyRAT via phishing, but that didn’t work. So they created the fake person Mia Ash to establish relationships with targets (yes Mia was pretty hot)
Attackers will look at your personal brand — how you present yourself, if you exude insecurities, etc.
@ChristinaLekati

For any future attackers: my personal brand is fluffy kittens, unlimited crispy bacon, resting bitch face & intellectualism as a coping mechanism
This is @ChristinaLekati’s profiling matrix (unfortunately it isn’t showing up well in this pic). It includes self image, social life, & professional life combined with personality, interests, wants, & vulnerabilities.

#Hacktivity2019
Personality traits are used to build rapport. Interests / wants are the “hooks.” Vulnerabilities can be used when likability doesn’t work.

We like people who are like us, so social engineers will present themselves like you.
@ChristinaLekati #Hacktivity2019
Security culture matters, though I would argue someone trying to be nice by reviewing an Excel file shouldn’t cause your organization to crumble. Anticipate that people want to be helpful & will download crazy shit

A great talk by @ChristinaLekati at #Hacktivity2019 !

Keep Current with Skellyton Shortridge ☠️