科技回声 (Tech Echo)

A technology news platform built on Next.js, providing global technology news and discussion.
Operation Luigi: How I hacked my friend without her noticing

728 points, by adamch, almost 8 years ago

36 comments

devwastaken, almost 8 years ago
This is the best commentary on a real-life social engineering hack I've seen. What's really interesting is how he was able to be undetected mostly, because services like linkedin only had an optional requirement for forcing all devices to re-login when a password was changed, and that the hacked individual wasn't using 2FA on her email.
Replies not loaded: #14920618, #14925643, #14925599
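The comment above touches on the control that limited the damage the least: whether a password change kills sessions that are already logged in. The following is an added illustration, not code from the thread or from any of the services it names, of one way a service can implement that: every session remembers the "password generation" it was issued under, and a password change bumps the generation so older sessions stop validating. The class and function names (User, Session, SessionStore, demo) are invented for this example.

```python
"""Added example: invalidate all existing sessions when a password changes.
Not from the thread or any named service; all names here are invented."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    # Bumped on every password change. Sessions store the value they were
    # issued under; a mismatch means "issued before the last password change".
    password_generation: int = 0


@dataclass
class Session:
    token: str
    username: str
    generation: int
    issued_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, username: str) -> User:
        self.users[username] = User(username)
        return self.users[username]

    def login(self, username: str) -> str:
        """Issue a session bound to the user's current password generation."""
        user = self.users[username]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.username]
        # Alive only if issued under the current generation; no need to
        # enumerate and delete old sessions, they simply stop matching.
        return session.generation == user.password_generation

    def change_password(self, username: str, keep_token: Optional[str] = None) -> None:
        """Rotate the generation; optionally re-bind the session that made the change.

        Password hashing itself is out of scope here, so only the generation moves.
        """
        user = self.users[username]
        user.password_generation += 1
        if keep_token is not None and keep_token in self.sessions:
            self.sessions[keep_token].generation = user.password_generation


def demo() -> dict:
    """Constructed scenario: the owner's own session plus one extra login."""
    store = SessionStore()
    store.add_user("diana")
    own_phone = store.login("diana")
    intruder = store.login("diana")  # second login made with a phished password
    before = (store.is_valid(own_phone), store.is_valid(intruder))
    store.change_password("diana", keep_token=own_phone)
    after = (store.is_valid(own_phone), store.is_valid(intruder))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': (True, True), 'after': (True, False)}
```

The generation counter is what makes the "force all devices to re-login" option cheap to implement: the service never has to find the intruder's session, it only has to stop honouring anything issued before the change. A service that leaves this optional, as the comment describes, leaves the already-open session valid until it expires on its own.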
shalmanese, almost 8 years ago
One of my favorite low key social engineering hacks is that I used to have a keylogger installed on every machine I own. Whenever a friend needs to hop on my machine to show me something, they'd log into an account they own and I would have their password.

Then I'd do the same Luigi-like low key messing with them for a while. My favorite was when a friend had a VNC server running on their machine with control capabilities. I would sit next to them and subtly jerk the mouse pointer right before they were about to click on something and it drove them mad for a good 20 minutes before I couldn't hold onto the giggles anymore.

edit: To add a bit of context, this was in the Windows 98 era, before the age of social media where we started putting all of our secrets onto our machines. And it was among a group of friends where everyone was trying to hack everyone else and pretty much anything was considered fair game. All of us were high school kids so there wasn't some super serious reputation we had to protect.
Replies not loaded: #14922326, #14921834, #14922308, #14922093, #14922519, #14921926, #14921189, #14928088, #14922164, #14921907, #14922986, #14922902, #14941570
raybb, almost 8 years ago
This post was a bit hard to read with the buzzfeed-esque jokes and writing style.

Here's my summary:

    1. Someone gets permission to hack their friend
    2. They find their email / phone number online
    3. They lookup old password leaks for the email (passwords don't work)
    4. They end up setting up a fake page to phish their friend (it works)
    5. They wait until their friend falls asleep to reset the twitter password
    6. They make their friend follow a bunch of fake Mario accounts on Twitter
    7. Friend notices, they meetup to swap stories (the friend doesn't follow the fake Mario accounts)
Replies not loaded: #14920842, #14921761, #14923800, #14920950, #14920901
iiv, almost 8 years ago
While slightly enjoyable (for the first few paragraphs) I couldn't finish reading it. The author is trying _way_ too hard to be funny.

I suppose it is written to another audience, perhaps the people that use tumblr find this funnier.
Replies not loaded: #14920518, #14921009, #14920779, #14920217, #14920528, #14920482, #14920448, #14920311, #14922244, #14920706, #14923137
adtac, almost 8 years ago
Quite long ago, I read a fairly similar article (without this ridiculous commentary, of course). It went something like this:

- a friend asks author to try and hack him

- author tries a bunch of things in vain, finally decides to use a rogue wireless AP and does a MITM

- identifies that notepad++ has automatic updates turned on and that it's over HTTP

- creates a custom executable and writes a script (or something) to serve this payload when notepad++ tries to download an EXE

- fakes an update (by returning true when notepad++ queries an HTTP endpoint for the latest version on startup)

I'd be really thankful if someone could link me to this post. My usually powerful google-fu has let me down this time (I tried all _sorts_ of things). Notepad++ and MITM are the only things I strongly remember.
Replies not loaded: #14920725
darth_mastah, almost 8 years ago
I found it really enjoyable and rather funny. I really liked the attention to detail as well, e.g. replicating last 5 searches in order to stay stealthy. I imagine that lots of effort went into the hacking exercise and the write-up. Nicely done.
apathetic, almost 8 years ago
> I use the incredibly cutting edge "Inspect Element" feature of the popular hacking software, Google Chrome, to edit the text of the email but keep the look.

I used to do this to fake screenshots as well. People assumed I edited them with Photoshop!
pepelondono, almost 8 years ago
I actually found this post really good. The buzzfeed-esque jokes are made this way with the only purpose of helping raise awareness about online security and how anyone with a minimum knowledge of the Internet can easily breach into your accs.
Jonnax, almost 8 years ago
Social Engineering is a thing to watch out for. I've learnt to never answer honestly when they're asking stuff like "Where were you born?" "What's your first pet" etc.

Instead I've made up some answers that I'll never tell anyone else.

However that doesn't really make those details secure. 2FA is where it's at.
Replies not loaded: #14920732, #14922213, #14920519, #14924064
sleazybae, almost 8 years ago
my notes from this article:

    * don't use linkedin
    * don't use hotmail
    * always use 2FA
    * use complicated and different passwords
    * security questions matter
    * avocado toast?
    * change passwords periodically
Replies not loaded: #14920477, #14921340, #14922401, #14922255, #14922254, #14925642, #14920332
misingnoglic, almost 8 years ago
This is the same guy who did a great blog post about finding his friends' tinder accounts by spoofing a new tinder service. They're absolutely hysterical, and I hope he keeps doing more.
Replies not loaded: #14922441
taiar, almost 8 years ago
I had no problems with the humor parts. Good article.
chefandy, almost 8 years ago
"Hello and welcome to a blog post. I am writing it and you are reading it. It's amazing what we can do with computers these days."

Ugh. And I'm closing the tab. Appreciate the effort with humor, but you really should concentrate on being able to write something that's informative and enjoyable to read, and THEN try your hand at making your writing funny. The first sentence/paragraph needs to be a hook to get people interested, not some meta jokey blurb that doesn't have anything to do with anything.
Replies not loaded: #14923367, #14922979, #14921666
fiatpandas, almost 8 years ago
It's possible to discover this girl's full name, twitter, Instagram, Linkedin, etc (full identity) based on a few careless clues left by the author. Very irresponsible considering he has revealed her password habits and other personal vulnerabilities.

Loved the write up though.
Replies not loaded: #14928861, #14925981
nobleach, almost 8 years ago
> There are entire criminal industries built on the idea that people use the same password all over the place because nobody cares enough to remember more than a few passwords because they've got things to scroll on their phone okay.

Or... because having to remember more than 3 random combinations of arbitrary letters, numbers, and a subset of extended ASCII, is not a tenable solution. Of course people use things like l33tspeak. We can remember words. I wouldn't say laziness has anything to do with it.
_d4bj, almost 8 years ago
If there was no salt in the database, it looks like Tumblr used a secret "pepper" (https://en.wikipedia.org/wiki/Pepper_(cryptography))? Why wouldn't they include a salt as well? Or did the database dump just not have the salt column?
Replies not loaded: #14920711
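The salt-versus-pepper question in the comment above is easiest to see with the two mechanisms side by side. The following is an added illustration, not code from the thread and not Tumblr's actual scheme: a per-user random salt is stored next to the hash, while a server-side pepper is mixed in through an HMAC and never written to the database. The pepper value, the user names and the function names (hash_password, verify_password, demo) are constructed for this example; the KDF is the standard library's PBKDF2-HMAC-SHA256.

```python
"""Added example: per-user salt plus server-side pepper for stored passwords.
Not from the thread or from Tumblr; the pepper and all names are invented."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# In production this lives in a KMS/HSM or deployment secret, never in the
# user table, so a database dump alone does not contain it.
PEPPER = b"example-pepper-do-not-ship"   # constructed placeholder value
ITERATIONS = 200_000


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Return the record a user table would store: the salt and the slow hash.

    The salt is public and stored per user; the pepper is not stored at all.
    """
    if salt is None:
        salt = os.urandom(16)            # fresh random salt for each user
    # Pepper goes in first as an HMAC key, so the KDF input already depends on
    # a secret that is absent from the stored record.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute with the stored salt and the server's pepper; constant-time compare."""
    candidate = hash_password(password, pepper, bytes.fromhex(record["salt"]))["hash"]
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Constructed scenario: two users who chose the same weak password."""
    alice = hash_password("hunter2", PEPPER)
    bob = hash_password("hunter2", PEPPER)
    return {
        # The salt keeps the two stored hashes different, so a dump does not
        # reveal that alice and bob share a password.
        "distinct_hashes": alice["hash"] != bob["hash"],
        "correct_password": verify_password("hunter2", PEPPER, alice),
        "wrong_password": verify_password("hunter3", PEPPER, alice),
        # Someone holding the dump but not the pepper cannot verify guesses
        # against it, which is the whole point of keeping the pepper elsewhere.
        "wrong_pepper": verify_password("hunter2", b"guessed-pepper", alice),
    }


if __name__ == "__main__":
    print(demo())
```

The two defences answer different threats: the salt stops one precomputed table or one cracked hash from covering every user with that password, and the pepper makes an offline attack on the dump useless until the attacker also obtains the secret from outside the database. A dump "without salt" is consistent with either a pepper-only design or with an export that simply left the salt column out, which is exactly the ambiguity the comment raises.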
refrigerator, almost 8 years ago
If you liked this, the same guy has also written other stuff in the past - https://defaultnamehere.tumblr.com/post/139351766005/graphing-when-your-facebook-friends-are-awake
TazeTSchnitzel, almost 8 years ago
An opsec screwup in that post has told me what's possibly the real first name of "Diana".

Opsec is hard.
Replies not loaded: #14927340, #14924776, #14924409
peterwwillis, almost 8 years ago
So basically we've learned that the best defense to getting hacked is to not become a target of bored script kiddies, because those bastards are as ingenious as they are terrible writers.
Replies not loaded: #14922643
mihaitodor, almost 8 years ago
Google cache is unforgiving: https://webcache.googleusercontent.com/search?q=cache:RzU97rMfqbQJ:https://twitter.com/i/moments/885059758667051009+&cd=1&hl=en&ct=clnk&gl=us
djvdorp, almost 8 years ago
This has gotta be the funniest blogpost in years, yet so legit that it makes one sad how easy it is to pull this off.
amai, almost 8 years ago
Reminds me strongly of the hacking as shown in https://en.wikipedia.org/wiki/Mr._Robot_%28TV_series%29
cypher303, almost 8 years ago
Hey, I use inspect! I've run untrusted code every computing day of my life, so I guess that makes me a script kiddie. My advice, keep on script kiddie'ing, because it will definitely pay off.
h2onock, almost 8 years ago
I really enjoyed this despite it being veeeeeeerry long, nice work!
rlglwx, almost 8 years ago
Even with her permission he is still breaking the law. Unlawful access to a system is not the user's prerogative but the system operator's.
nsnick, almost 8 years ago
So phishing? He did it with phishing.
cwkoss, almost 8 years ago
I hope they tried '3ertyui'.
AJRF, almost 8 years ago
VZerbst
kutkloon7, almost 8 years ago
I don't know if I'm in an especially good mood today, but it's quite a while ago I read something that I found as amusing as this.

I'm actually really impressed by the phishing approach.
trustworthy, almost 8 years ago
Well I enjoyed reading it, a little bit too much cringe, but still interesting article!
megamindbrian, almost 8 years ago
I like the personality here.
saae, almost 8 years ago
It is just… great. Did you write that as it happened? It really unfolds like a novel.
jchw, almost 8 years ago
This has been posted 3 times in the past 24 hours. And so has the last thing this person has posted.
callesgg, almost 8 years ago
Can't help it but I find the article kind of creepy.

Is he hacking her cause of romantic interests?

Is he hacking her for the thrill?

Is he hacking her to be able to write the article?

Is he hacking her to show her that he can?, or to show her that it is possible, or to show her the world she is living in?
Replies not loaded: #14922251, #14922923, #14925864
tomxor, almost 8 years ago
Hacked? cool, so what new unintended abilities has your friend gained?... yes I'm futilely rejecting the twisted definition perpetuated by the media and co.
westmeal, almost 8 years ago
The part that perturbed me the most about his account is he didn't even backtrace the IP floppy disk log via the DHCP authenication backtrace. It's a rookie mistake, but so is misspelling 'nothin personnel kid'.