O’Sullivan emphasized that even though he’s a tech reporter, he was still shocked by how much information Tobac was able to gather and what she was able to do with it. Rachel Tobac also created Pretexting Training Videos with Kevin Mitnick that are part of the KnowBe4 social engineering training modules.
“Without having my password, and without hacking into my email account, she was able to get my home address, my phone number and steal my hard-earned hotel points,” O’Sullivan writes. “In perhaps the cruelest act of all, she was even able to change my seat on my five-hour flight out of Vegas, moving me from a spacious exit aisle to a middle seat at the back by the restrooms.”
O’Sullivan explained that Tobac was able to do this solely using information he had posted publicly on Twitter and Instagram. She spoofed O’Sullivan’s phone number and, when necessary, she used a voice changer to make herself sound like a man. Tobac then called some of the companies O’Sullivan had tweeted about to trick them into giving her his information.
In one instance, for example, she posed as O’Sullivan’s wife and called a furniture company to make sure he had provided the correct home address. Since she didn’t have his real address, she gave the wrong one, and the furniture company corrected her by reading out the address O’Sullivan had provided them with.
Tobac hacks companies with permission in order to show them where their weak spots are. Notably, she achieves all of this over the phone by interacting with humans, and no technical hacking is involved. Everyone can benefit from new-school security awareness training: it helps keep employees from inadvertently giving out information about customers, and it helps them protect themselves even if someone manages to gather information about them.
CNN has the story: https://www.cnn.com/2019/10/18/tech/reporter-hack/index.html
You can see a preview of Rachel Tobac and Kevin Mitnick in the KnowBe4 ModStore: