Corporate Reconnaissance for the Anti-Social

by Azazel

I will preface this by saying a few things.

First is the usual legal disclaimer: This information is for educational purposes only.

What you do with it is your business and I'm not responsible for your actions.

Second, the thing I like most about this is that, for the most part, you won't have to talk to a live person to gather tons of useful information.  Notice I say "for the most part."  Inevitably, depending on how much information you need, at some point you will need to flex those skills.

The methods presented here will work best against a large corporate office building, such as an investment firm or research facility.

They can also work against smaller offices, such as real estate brokerages or banks, but I've seen higher success rates with larger firms.  Our goal is to gather as much contact information and personal data about as many employees as possible.  Essentially, we're going to try to create a dossier on every important person in the company.

Start by going to the company's website.

If they have more than one location, find the local phone number for the building you're interested in (not an 800 number).

Now and then a company may not publish this information on their site, giving just the phone number for the central location or a toll-free number.  Lucky for us, Google has a big mouth and, if that fails, call the number they give and just ask for the local phone number to the building you want.

They will probably give it to you.

Sometimes, the main phone number will end in 00 or 000, e.g. 212-555-1000.

Usually, if the company is large enough, they'll lease a sizable chunk of the block of line numbers (the last four digits).

Before the next time-consuming step, save yourself a little time and look around the website for personnel with their direct numbers or extensions listed.  If someone has extension 455, most likely their direct line is 212-555-1455, because of the way Direct Inward Dialing (DID) works.

Be prepared to spend quite a bit of time on the next step.

Wait until after hours.  I'd wait until after 10 pm, in case people are at the office late.  Then call each number in that block until you're no longer calling numbers within the company.

Most numbers will have a voicemail at the other end with the respective employee's name and possibly position in the company.  Some numbers may be fax machines or something else, so just keep a note of them.

Be creative or old-school.

Use an autodialer program or write one yourself.  Keep in mind, if the company doesn't actually hold that whole block of numbers, you may end up annoying some hapless civilians late at night.  So be ready for that.

By the end of the night you should have a list of most of the employees and officers in the company and their direct lines.
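From the other side of the switchboard, the sweep just described leaves a very recognisable footprint in the PBX call records: one outside number, after hours, walking through consecutive DIDs with short connect times. The script below is an added example written for this article, not something from the original piece; it runs over a few constructed call-detail records and flags exactly that pattern. The record layout (timestamp, caller, called number, seconds connected), the 10 pm cutoff and the thresholds are all assumptions to adapt to whatever your PBX or SIP trunk actually exports.

```python
"""Detect after-hours sequential dialing of a DID block in PBX call records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call-detail records (CDR). The column layout is an
# assumption; a real PBX exports its own format, so adapt parse_cdr().
SAMPLE_CDR = """\
# timestamp           caller      called      secs
2008-03-14T17:02:11  2015550101  2125551455  310
2008-03-14T17:20:45  2015550101  2125551022  95
2008-03-14T22:41:03  2015550199  2125551000  11
2008-03-14T22:41:40  2015550199  2125551001  9
2008-03-14T22:42:15  2015550199  2125551002  0
2008-03-14T22:42:52  2015550199  2125551003  10
2008-03-14T22:43:30  2015550199  2125551004  12
2008-03-14T22:44:08  2015550199  2125551005  8
2008-03-14T23:10:00  9175550123  2125551300  640
2008-03-15T00:15:27  9175550123  2125551301  45
"""

AFTER_HOURS_START = 22   # 10 pm, the article's own "after hours" threshold (assumed)
AFTER_HOURS_END = 6      # until 6 am (assumed)
MIN_RUN = 5              # consecutive DIDs needed before alerting (assumed)
WINDOW_MINUTES = 30      # the sweep must fall inside this window (assumed)


def parse_cdr(text):
    """Parse the constructed CDR text into (datetime, caller, called, secs) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, called, secs = line.split()
        records.append((datetime.fromisoformat(ts), caller, called, int(secs)))
    return records


def is_after_hours(dt):
    """True for calls placed between AFTER_HOURS_START and AFTER_HOURS_END."""
    return dt.hour >= AFTER_HOURS_START or dt.hour < AFTER_HOURS_END


def longest_consecutive_run(numbers):
    """Length of the longest run of dialed numbers that differ by exactly 1."""
    nums = sorted(set(numbers))
    best = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


def detect_sequential_dialing(records, min_run=MIN_RUN, window_minutes=WINDOW_MINUTES):
    """Return one alert per outside caller that swept consecutive DIDs after hours."""
    by_caller = defaultdict(list)
    for dt, caller, called, secs in records:
        if is_after_hours(dt):
            by_caller[caller].append((dt, int(called), secs))

    alerts = []
    for caller, calls in by_caller.items():
        calls.sort()
        # Slide a window over this caller's after-hours calls and look for a
        # run of consecutive DIDs inside it.
        for i, (start, _, _) in enumerate(calls):
            end = start + timedelta(minutes=window_minutes)
            window = [c for c in calls[i:] if c[0] <= end]
            run = longest_consecutive_run(c[1] for c in window)
            if run >= min_run:
                alerts.append({
                    "caller": caller,
                    "first_call": start.isoformat(),
                    "consecutive_dids": run,
                    "avg_seconds": sum(c[2] for c in window) / len(window),
                })
                break  # one alert per caller is enough for a pager
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_dialing(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

On the constructed records only the 201-555-0199 caller trips the rule; the on-call engineer dialing two numbers an hour apart and the daytime caller do not. The short average connect time in the alert is the tell: a human leaving voicemail talks longer than a dialer that hangs up once the greeting has been captured.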

But don't stop there; our dossier is just getting started.

The previous section demonstrated how customer service and the way a company strives to present itself to customers may present a security vulnerability.  This section will show how the way individuals present themselves to the world, to their friends, to media, and whomever else may prove to be detrimental to their own personal privacy.

Do a Yandex/Google search on all the names.  Things to look for include MySpace and Facebook pages, news or industry articles written about them, bios which may indicate the town they live in or other pertinent information, papers written by them, professional resumes, the college and high school they went to (you can gauge how old they are by graduation dates, too), volunteer organizations they work for, and other business ventures.

You may be surprised at how much information you can find.  You should also look for an email address, if you couldn't find one on the company website.

There is usually a formula for a company's email addresses though.  If you find one person's email address, it is easy to deduce the formula for the rest of them.

For instance, if you find jsmith@hackerzinc.com, you'll usually be safe in assuming the rest of the email addresses will be first initial and last name at hackerzinc.com.

Next, head over to Whitepages and look up each name.

Remember, not everyone lives in the same town where they work, especially in large, well-paying corporations.  Hopefully, your previous searches turned up some indication of at least the town they live in.

If not, no worries, here's a simple way to narrow it down.  Look at a map of the region.  Take New York City as an example.

Find the Whitepages listings for NYC, then start branching out from there.

For instance, many people commute to NYC from North Jersey, White Plains, Long Island, and Connecticut.  Use common sense; if you're looking up the CEO of a top investment firm and you turn up an address in the projects, it's probably not him.

If you get more than one instance of a name, you'll have to call and do some social engineering.  Calling a home phone number asking something as simple as, "Can I speak to John Smith of Hackerz, Inc?" usually works well because you'll at least get some indication on whether or not it's the right John Smith.

The worst thing you can do is inadvertently target the wrong person due to a mix-up with names.  So now you can match each person with a home phone number and address.

The next and final step in this article is the social step.

This is just one example of social engineering that has worked for me.  Everyone is different, so fine-tune this for your own personality or to get other information.

If you sound like you're 12 years old, this specific method may not work for you.

Around 5 pm, call the subject's home phone number.  Hopefully their spouse will answer.  Ask for your subject (hopefully he's not home yet).

Their spouse will (hopefully) inform you that he or she is not there.  Explain that you were supposed to call him or her about something important regarding work, but you just missed him or her at the office.

Further, you're very upset because your boss is leaving at 5:30 and needs the information now!  The sympathetic spouse (all sexism aside, this usually works better on women) will hopefully then offer your subject's cell phone number.

In the end, you should have a bare minimum of name, direct work phone number, home phone number, home address, and maybe cell phone number for most of the employees of the company.

Hopefully you had some good luck with your searches and got much more information as well.

This article should have given you some insight on how much research often goes into a well-planned attack and how, if the attacker is good, you won't even know you're being targeted until it's too late.

So much information is readily available on the Internet these days and people are looking at it.

This should also act as a warning: no matter how impenetrable your network is, or how well you and your coworkers have been trained against social engineering, finding alternative methods of gathering data is all too easy in the information age.

Be careful what you put out in public and be careful next time you consider giving out seemingly innocent information to a spouse's desperate coworker.

It's also a good idea to do searches on yourself from time to time so that you know what information anyone else could have about you.

Have fun.