Wednesday 30 November 2011

Written Engineering

Social engineering may be done through the mail or through other forms of written contact with users of a system. For example, the survey method can be altered such that the human element is eliminated. If you don't want to wait around in a lobby all day, just leave out stacks of the forms with either a drop-box or an address to mail them to. Expect minimal response.

Other written ruses take the form of advertisements. Put up a notice in a computer room, saying that paid volunteers are needed for a special project. "Become a System Manager! Great Experience!" Have interested folks mail you a post card with their name, address, desired password, and possibly the machines they currently have access to on the net. While making the ads you'll say to yourself, "Sheesh! This is so obvious!" But you won't believe how many people fall for it. Have them address the postcards to something like "X University, Computer Science Department, Roger Hamm's Office" followed by your address. If your address is thirty miles away from the university, forget about it.

Two Manhattan hackers tried this stunt. They noticed there was a blank space at the bottom of a particular magazine advertisement for one of the popular pay-for-play information systems. They went to local area libraries and borrowed all magazines they could find that had this ad in it. Using a "sideways printing" utility, they fed the pages into their printer, which printed out, "Manhattan Area Residents, Call [phone number] For Free Six Month Membership." Then they returned the magazines to the library.

When people called them up, they would begin by playing a corny recorded message: "Welcome to X-Net's Free Six Month Membership Program! Listen to all these great things you can do with X-Net ... !" When that was done, one of the hackers would come on and ask the caller a few questions: "Where did you hear about this program?" "Have you ever subscribed to X-Net in the past?" "What other fee-based bulletin boards, or other computer networks do you belong to?" "When you call up X-Net, what would you like your sign-in name to be?" "And your secret password?" "Are you sure you're going to remember that password? Perhaps you'd like to choose something else?"

In this way, they ended up with a dozen names, computers they visited, and one or two passwords to try out. You won't get as big a response if you don't live in a big city, but it's worth a shot. Advertising can also be done by slipping a printed card into the magazine, or by advertising on BBSs.

A similar ruse is to advertise your phone number as a local call switcher, especially in places where there isn't already a Telenet or Tymnet link. When users log on they will see what appears to be the usual opening screen, but is in reality a simulation which you programmed. From hacking, you should be familiar with which networks have which addresses, so your program can simulate appropriate login screens for each of them that a caller might try. (Otherwise, respond with a message like, "Line is busy" or "Connection can not be established." Look at actual call switchers, to see not only what messages are displayed, but to get the timing down right.)

After "connecting" to a computer or network, the program continues its simulation, collects the user's name and password, then aborts due to erratic line noise or some other ghastly problem. If the user tries calling back immediately, a message can be put up that warns certain transmission routes are undergoing maintenance, or similar baloney.