FSFlow – A Social Engineering Call Flow Application

Outsmart Malicious Hackers


FSFlow is a Social Engineering Call Flow Application, which was created to improve and standardize social engineering calls. It’s a difficult thing to do, conversations can go almost anywhere over the span of a phone call which makes defining a specific process hard, if not impossible.

FSFlow is mostly a proof of concept tool but it’s fully functional, it’s an interesting tool and an area which not many people have thought about or looked into. Social Engineering is part science and part art (charisma and charm helps a lot), so a tool like this helps a lot especially in creating repeatable social engineering tests.

FSFlow - A Social Engineering Call Flow Application

It’s based on the concept of the call flow software that is involved in most telemarketer jobs. Nearly everything that they say is presented to them on a screen in front of them, and they would navigate through a process flow as the call progressed.

Judging User Response

One of the major pains with designing an application like this is judging the response of a user. You can never predict the user’s exact response so the measure of the response needs to be somewhat abstracted. The approach here is to identify if the user’s response is positive or negative. For instance, if you say “Hi, How are you?” and they say “Great!” – that’s a clearly positive response, while “What do you want.” is a bit more negative. Similarly, if you ask someone “What is your password?” and they provide it to you, that would be positive, while anything else is likely to be negative.

The difficult thing here is that many user responses aren’t easily categorized as negative or positive; perhaps a sliding scale would be more appropriate – but that would create tons of possible branches, making a complete call flow impractical.

Logging

Another hugely important part of FSFlow is to capture how the call progressed. The call log records how the call progresses and what information is obtained at what points in the call flow. You could potentially use this information to determine where users need more security awareness training – e.g. every user was willing to disclose their IP address, but only some gave their password or even when asking this specific question, users got suspicious and ended the call.

The Interface

FSFlow’s interface is meant to be as simple and straightforward as possible so that the caller is not overwhelmed or distracted during the call.

The first release resulted in 4 major areas: the statement pane, response pane, objectives and call variables:

  • Statement Pane – The statement pane is the actual wording the caller says during the call. This is your social engineering attack. The important thing about this pane is that the wording is clear and easy to read aloud. You’ll notice in the screenshot above that there are placeholders, e.g. “[TARGETNAME]”, this are call specific variables that are populated once you populate the Call Variables pane (described below).
  • Response Pane – Directly under the statement pane is the response pane compromised of the “Negative Response”, “Positive Response”, Busted” and “Recovery Mode” buttons. Each of these buttons progress the call to the next flow state. The “Recovery Mode” button is meant to gently direct the call to an end without aggravating the callee. The “Busted” button is more of an “Ok, you got me” response where you let the callee know that this is a social engineering call, they should contact the point of contact for the company (the person that hired the caller), and to please not tell the coworkers of the test :)
  • Objectives – The Objectives pane is where the caller can log what elements of information they’re able to obtain during the call.
  • Call Variables – Call Variables customize the flow to each individual call. Before the call starts, the caller populates these variables so that the placeholders in the statement pane are replaced with pertinent information. It also serves as a reminder to the caller to who they are pretending to be!

The Call Flow

Thee most important component of FSFlow is its XML based call flows. The idea behind the call flow is that they could be easily shared to be improved and make standardized attacks. Let’s look at sample.xml that’s included with the application.


The entire call flow is included within a block which takes one attribute, name. Within the CallFlow block, you have Objective, CallBlock, and FlowBlocks.

Objectives

Defining objectives is pretty straightforward:

CallBlocks

A CallBlock is effectively a container for an individual statement. These statements are then linked together within the FlowBlock below. Place holders can be anything you’d like, as long as they’re wrapped in brackets. FSFlow analyzes the flow on start up to populate the “Call Variables” pane.

The “Busted” Call block is a static value used throughout the call:

FlowBlocks

The FlowBlock links together individual CallBlock and ties them to buttons.

You can download FSFlow here:

fsflow-0.1.2.zip

Or read more here.

Posted in: Social Engineering


Latest Posts:


Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.
Yuki Chan - Automated Penetration Testing Tool Yuki Chan – Automated Penetration Testing Tool
Yuki Chan is an Automated Penetration Testing Tool that carries out a whole range of standard security auditing tasks automatically.


Comments are closed.