Social Engineering: Sell Me This Pen

Roman Tolstosheyev
6 min readJan 21, 2024

--

This article is intended solely for educational purposes, aiming to raise awareness about cybersecurity and social engineering tactics. It does not endorse or encourage any form of illegal activity. The scenarios and methods described are for informational use only and should not be misused; any illegal activities should be reported to the appropriate authorities.

Hacking, hacking, hacking. We see this word everywhere, and it usually implies that someone became a victim of nefarious individuals lurking in dark holes, spending their entire lives in front of laptops with green characters on dark screens. Of course, people, especially those who are not tech-savvy, may imagine cybercriminals differently, influenced by movies and media. However, real-life cases often demonstrate that these stereotypical images are not always accurate. Surprisingly, some regular computer users might fit this description.

Statistics readily available on the Internet suggest that when it comes to hacking attacks, we are predominantly dealing with Social Engineering ones. The idea is to manipulate the feelings of a potential victim, mesmerize them with a crafted truth, and persuade them to take some action. In the realm of the Internet, computers, smartphones, and all things IT, this is often recognized as a subset of Social Engineering known as a Phishing Attack.

But before delving into the attacker’s perspective, as typically portrayed, let’s consider the experience of the victim. Fortunately, I have a personal example. A long time ago, I was attempting to sell some unused gadgets and posted advertisements on some popular Azerbaijani classified websites. My interaction with one potential customer went as follows:

Translation of the Chat:

— Alright, I’m okay with that. Can I use courier delivery? The courier will pick up the item and deliver it straight to me. You will receive the money on your card right now, as I don’t have the opportunity to pick it up myself.

— No, unfortunately.

— Why not? You will receive the money instantly; the courier will take the item from your home.

— Honestly, it seems suspicious to me.

It was even more suspicious because I had read almost the same message from another person. The main difference was that the previous conversation was in Russian and from a Ukrainian phone number. This time, the attacker seemed a bit more prepared, communicating in Azerbaijani from an Azerbaijani phone number.

— The fact is that I cannot come to you personally, so I need you to arrange for courier delivery. I will transfer money to your bank card and provide you with the courier’s phone number. The courier will arrive at the scheduled time. I live in Khachmaz [a city in the northern part of Azerbaijan], and courier delivery is the only option for me. I will arrange the courier…

Alright, perhaps this unusual indentation style is just the buyer’s way of expressing himself. The picture attached to his message was supposedly a testament to a legitimate service provided by the local post office, “Azərpoçt” (Azerpost). However, I couldn’t find any information about this service on the official website, www.azerpost.az. Perhaps it was published elsewhere; let’s ask about it:

— … I’ve already provided your phone number to the courier; they will contact you. There’s just one thing. I’ve already paid for the delivery.

— Where did you get this picture?

— Follow the link to receive your money. After that, the courier will contact you.

Quite ambitious, isn’t it? But one question still lingers in my mind: where was this picture taken from? Perhaps I’m outdated, but why wouldn’t he want to share the source of what seems to be one of the most utilized services of Azerpost, embraced by millions of Azerbaijanis? With this question, I turned to a conversation with Azerpost support on Facebook:

[screenshot of the chat] … and they sent me this link: <link>. I suspect this might be a phishing attempt. Or could the person actually be telling the truth?

— Dear user, cyber criminals are sending fake links to the different lottery games related to the “Azerpost” LLC in online marketplaces and social media. By accessing the link, people participating in the game are asked to share it with their friends and send their personal information to receive the cash rewards they have earned. And when the card data is presented, the funds on the account go into the hands of cyber criminals.

Huge thanks to the Azerpost support for a quick response and informative message. Let’s block these sneaky customers and scrutinize the links they’ve sent. Now, if I were to open it in an Incognito tab of my browser (and I must emphasize, do not try this at home):

Everything seems to be very convenient. I can see all the information about my ‘delivery’, including the name of the receiver, which is even more detailed than our chat provided. There’s also a support chat featuring someone named Alice, though, unfortunately, they’re not very responsive. The domain begins with ‘azerpost’ and the connection is encrypted, evident from the HTTPS and the lock symbol in the address bar. There’s a prominent ‘ALMAQ’ (GET) button and the amount of money specified. To ensure a minimum level of sandboxing and isolation, I’ll open the link in my Kali VM for a deeper investigation (after all, I am a cybersecurity expert, aren’t I?):

Remarkably, to receive the money, I was required to enter all my card details, including the CVV (Card security code) and expiration date. It’s highly likely that an OTP (One Time Password) would be requested after entering all the necessary information. Let’s conclude our investigation at this point. Naturally, all the relevant authorities, including Azerpost, have been informed about these scammers.

Overall, here’s what we’ve uncovered:

  • Two fraudulent buyers adept at adapting their approach to gain a victim’s trust.
  • A fake website that skillfully mimics the interface and domains of the Azerpost website.
  • A scheme aimed at extorting money.

The pattern we observe:

  • Finding ways or connection points to earn the victim’s trust, often through direct conversations, requires persuasive arguments to prompt actions desired by the attacker.
  • Creating an illusion that the actions required of the victim are legitimate and safe.
  • Leveraging familiar and well-known environments, such as popular logistics companies, banks, or social networks.
  • Utilizing programming skills.

Therefore, do not blindly trust every link you receive, even from friends and family. Always double-check and think twice before responding to avoid falling prey to scammers. In case of suspicion, inform the corresponding companies or even your local Computer Emergency Response Team (CERT). It’s better to err on the side of caution with a false positive than to become a victim of cyberfraud.

In the second part of this series, we’ll delve into how these deceptive websites are created. [Link]

Stay cyber safe!

--

--

Roman Tolstosheyev
Roman Tolstosheyev

Written by Roman Tolstosheyev

Application Security specialist and Cyber Security passionate. Java Web Developer and Certified Specialist in Cloud Computing.

No responses yet