Gather around while I tell you an interesting story. About six months ago or so I get an email from an interesting woman named Amybeth. She tells me she works in this industry called “Sourcing” and helps run a conference called SourceCon. She wanted to know if I was interested in coming to talk to their group about how social engineers gather information.
First, I was very curious what sourcing even was. She helped me to understand that basically a sourcer is a head hunter or a recruitment specialist who helps locate the specific talent that their clients need. When they do, they have to convince the “target” to consider switching careers.
Sound familiar yet? Well if you are like me, I started to see how similar this was to social engineering and decided to take Amybeth up on her offer. I booked my travels and this past week went to the Big Apple to listen in on the con and give a speech entitled, “Social Engineering for Sourcers.”
The goal of the speech was to go through the tools and methodology that social engineers use to gather information on their targets, then how to use that information to elicit more information, eventually leading to an attack.
As I sat there throughout most of the day listening to the speeches, something kept occurring to me. Sourcers are basically social engineers that just have different goals.
I saw how they use social media, web searches and other profiling techniques to locate the talent they are looking for. This is interesting in itself, but in the next stage I saw how much we have in common. Sourcers may place a well-thought-out phone call or email to gain the target’s trust. After a conversation and rapport are built, they will start to elicit more information from them. Maybe from their information gathering or their conversation they are able to identify their pain points, the points that cause the target the most discomfort in their present job, and help them paint a mental picture that will ease that pain.
From there they can groom the targets and continue to work with them, convincing them to consider a change. Elicitation, pretexting, information gathering as well as persuasion and influence are all the tools of the professional recruiter and, yes, the professional social engineer. In the end what I said in my speech was that “Sourcers and Social Engineers are exactly the same just with different intent and goals.”
This whole event taught me that branching out to a whole other field can teach us a lot about social engineering. I learned some new techniques and tips and also really got the inside scoop on this great field called sourcing, which gives me a great vector to use in my next pretext. Spending some time with them has given me the language and the tools they use in this industry to sound like a real sourcer and make my pretext even stronger.
The moral of the story is that we have a lot we can learn from other industries as social engineers. Until next time…