Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog July 22, 2012

Playing Nicely with Scammers … Wasting their time for giggles :)

So I am in the business of social engineering people (with authorisation of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight up manipulation. The reason I do this is to simulate a real world threat to see how people hold up and utilise the training they have had, as well as identify those gaps that need improving. Now I see a lot of examples of real scammers and phishers in action, but rarely would I rate them as being very good, but I do appreciate they don't actually have to be that good to get decent results when they play the numbers game.

So why am I telling you this? Well, in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week and perhaps bring a smile to your face :)

So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for and wanted to avoid eBay fees so Gumtree seemed like a winner. Below is a pic of the ad:

Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.

About 24 hours later the guy gets back to me saying he would like to buy the laptop and will be £20 towards delivery, and provided me a mobile number to call (+447035920292). Now I did think this was a little odd as who in the UK tells someone else in the UK the country code, but hey I thought I would give him a call.

So I make the call and I speak to what I think was an African guy calling himself Francis Saine ([email protected]). His English wasn’t great but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.

Now the next bit is the clever bit, so he asked me to send him a PayPal money request for £770 and he can then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all is good.

My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address) which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provided proof of posting. ALARM BELLS RINGING….. Fun Time :D

Now as you can see this PayPal email is set so the response will be sent to [email protected] which obviously isn't PayPal, so I decided to also check the headers and I saw this:

    MIME-Version: 1.0
    Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
    Sender: [email protected]

Now I got a couple of emails from the fake PayPal email dude and I have to say aside from this oversight it looked really really good. The clever thing is, because you sent a payment request, if you log in to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.
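The Reply-To and Sender check described above can be automated. The following is an added example, not part of the original post: it flags headers whose domain is unrelated to the visible From domain. The sample message, its `.example` addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not the message from the post): the visible From claims
# one organisation while Reply-To and Sender point somewhere else.
SAMPLE = """\
MIME-Version: 1.0
Received: by 10.0.0.1 with SMTP id constructed123; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
Sender: someone@freemail.example
From: "Payments Service" <service@payments.example>
Reply-To: payments-verify@consultant.example
To: seller@mailbox.example
Subject: Payment pending - send proof of postage

Body omitted.
"""

def _domains(msg, header):
    """Lower-cased domains of every address found in all copies of `header`."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def _same_org(a, b):
    # Assumption: naive suffix match; a production check would use the
    # Public Suffix List to compare registrable domains.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_mismatches(raw, check=("Reply-To", "Sender", "Return-Path")):
    """Return (header, domain) pairs whose domain is unrelated to every From domain."""
    msg = message_from_string(raw)
    from_domains = _domains(msg, "From")
    findings = []
    for header in check:
        for dom in sorted(_domains(msg, header)):
            if not any(_same_org(dom, f) for f in from_domains):
                findings.append((header, dom))
    return findings

if __name__ == "__main__":
    for header, dom in header_mismatches(SAMPLE):
        print(f"{header} domain {dom} does not match From")
```

A mismatch is a signal rather than proof, since legitimate bulk senders sometimes use a separate Sender or Return-Path domain; a Reply-To on an unrelated domain in a payment notice is the stronger indicator.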

About the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM tomorrow, and it's going to his sister as a Birthday present. So I assume they don't want to be waiting all day to intercept the laptop.

So what would you do in this situation? Well I am a nice guy, so I wrapped up the laptop as it's a Birthday present and sent it in the post!!

Well at least that's what Francis thought, and that's what Shazad and his fake PayPal thought too. It took me a while but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page :)

Then I get an email from fake PayPal confirming I have sent a valid tracking number and I will get the funds in my account in 24 hours, wooohooo.

Now during this time, just so it's clear, I have informed Gumtree, PayPal, London Met Police and the eCrime center, so they can utilise the information I collect to possibly catch these guys in the act.

The next day about 3PM I get another email from fake PayPal saying that my tracker number does not appear to be authentic, I also guess the laptop is now 2 hours late being delivered so they are wondering if I sent it at all? Obviously I hadn’t sent it, so how can I send them a picture of the receipt to confirm the tracking? I make one :D takes about 45 mins and I send it off, fake PayPal are happy and confirm again my money is on its way :)

So at this point I have a phone number, some email addresses and a drop off address. I thought it would be handy to get hold of Francis’s IP address then I could find out his ISP and Country to aid the Police further. So I decided to Phish him myself :)

So I continued to exchange emails with him to build some rapport with him, and get him interested in other things I might be selling. He is interested in the iPad I have for sale, and he wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs :) Sadly these guys are doing a bit to protect themselves, looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well it was worth a shot.

This is really the high level story, I hope it brought a smile to your face, I know it did me just for wasting 6 days of these guys' time overall, and I can only assume a wasted day hanging around in London for the laptop to arrive. As far as I know they didn’t get caught, but they didn’t get my laptop, and I am still waiting for fake PayPal to send me my funds, I keep asking but now they don't want to email me any more :)

So please take this blog post as a reminder that even people in the industry like us could fall prey to the scammers, but if we ID it early we can have a bit of a play. Of course be careful what you do, as you don't know who these people are, or what resources they have available to them.

Filed Under: Phishing

The Humintell Blog July 22, 2012

Body Language Revealed: Part 1

By guest blogger Eric Goulard

Eric Goulard is a nonverbal and body language expert as well as Humintell’s France affiliate.  He offers online education and resources in the field of non-verbal communication through his website Non-Verbal.info.  Below he offers some insightful comments accompanied by telling pictures. 

Perfect Harmony in Gestures

Filed Under: Nonverbal Behavior

The Humintell Blog July 20, 2012

Emotion Management Skills

Many people think that as adults they are good, if not great, at managing their emotions but is that really the case?

How equipped are you at managing your emotions? 

According to PsychCentral  many of us don’t really know how to regulate beyond simply distracting ourselves from the problem.  Author of The Emotional Toolkit, Darlene Mininni Ph.D. states,

We often turn to the strategies we know. If you’re a man, you might distract yourself by playing video games, tinkering with your tools or drinking alcohol, she points out.  If you’re a woman, you might shop or eat.

The good news is that distracting yourself sometimes is not bad.  It’s when we turn to these “strategies” most times that coping with real emotions becomes a problem. “Emotions send us important messages and help us connect with others and accomplish great things,” Mininni purports.

Decoding Your Emotions according to Mininni:

1. Understand what you are really feeling: Anxiety, Sadness, Anger, Happiness.

2. Identify the message of the emotion: Why am I afraid? How have my values been attacked? What have I lost (sadness)? etc.

3. Cope with emotions by taking action: That is, is there anything you can do to solve the situation, even if it is only baby steps to your goal? What if there is no action you can take?

Mininni suggests meditating, getting social support and/or seeking therapy.

 What are some strategies you use to manage your emotions?

A related article by RedOrbit delves into the emotional impact of drinking more specifically of social drinking.  It suggests that alcohol has an emotionally positive impact on us.

The new study conducted by researchers from the University of Pittsburgh, which will be published in the journal of Psychological Science suggests that a moderate amount of alcohol enhances a person’s positive emotions and relieves them of negative emotions in social settings.

Unlike past studies, this study focuses on alcohol consumption in social settings and notes that moderate doses of alcohol in group settings has the opposite effect than the negative impact moderate drinking has on a man or woman who drink in isolation.

Michael A. Sayette, lead author of the study and a psychology professor at the university’s Kenneth P. Dietrich School of Arts and Sciences, said, “We felt that many of the most significant effects of alcohol would more likely be revealed in an experiment using a social setting.”

Participants consumed a total of three drinks during a span of 36 minutes, and the researchers recorded video of each session. The duration and sequence of each subject’s facial and speech behaviors were “systematically coded frame by frame using FACS and Grouptalk (a model for speech behavior).

“By demonstrating the sensitivity of our group formation paradigm for studying the rewarding effects of alcohol, we can begin to ask questions of great interest to alcohol researchers — Why does alcohol make us feel better in group settings? Is there evidence to suggest a particular participant may be vulnerable to developing a problem with alcohol?” Sayette added.

Do you find social drinking to have positive or negative effects? 

Filed Under: Nonverbal Behavior


About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.


© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·