The title is a bit misleading. It's not an attack, more like well-done social engineering.<p>But the context is very helpful - especially with the amount of detail you provide, along with the email exchange, one can see the target was totally abused.<p>The lanyard, laptop, false recruiting - you really overdid it, but I mean that in a positive way. I like it, it's so great - you could almost make a movie out of it ;-)<p>That's creative thinking. Congrats on your victory.
You would have been better off forcing them to register on your site to submit the resume, then check if they reused a password. Also you exploited trust in a way that could easily lead back to you.
The best attacks are always the ones where the victim is truly surprised at how far you were willing to go to pull it off. So are the best magic tricks.
I felt pretty bad for the target. Even though he was fairly warned, and knew to expect social engineering attacks, you could see he was quite excited about the potential opportunity at X co; else he wouldn't have put so much energy into that looong email exchange. Poor guy. But good lesson, I suppose.
Google cache: <a href="http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttp%3A%2F%2Fshaanan.cohney.info%2Fblog%2F2013%2F04%2Fthe-attack%2F" rel="nofollow">http://webcache.googleusercontent.com/search?hl=en&q=cac...</a> (Page is taking some time to load.)
I thought "Please find attached herewith my resume for your kind perusal" was a joke but apparently that's how this person really responded. Recruiters: how does this forced, over-formal tone affect your impression of a candidate?
> With this level of trust it would be feasible to gain access to information protecting online accounts, a very scary thought.<p>Does he mean 'feasible to gain access to login information for online accounts'?
I have read the page, and I'm not seeing it.
Yes, according to the page they had access to some degree of personal information beyond the more publicly accessible.
But that isn't the same as having access to their online accounts, or being near to getting it.