๐ŸŽญ Social Engineering Scripts That Stole $100M+ From Vegas Casinos

:spider: The 1% Social Engineering Toolkit

The stuff that actually works. Not the GitHub list you bookmarked and forgot.

:world_map: One-Line Flow: How teenagers stole hundreds of millions using phone calls, fake emails, and cloned badges โ€” every technique, tool, and script they used, broken down.


Why This Exists

74% of breaches involve a human getting played. Not hacked. Played.

The Awesome Social Engineering repo? Thatโ€™s the tutorial level. This is the game.


:performing_arts: Scattered Spider Changed Everything

A bunch of teenagers stole hundreds of millions from Fortune 500s using phone calls and fake IT tickets.

No zero-days. No nation-state backing. Just social engineering so good itโ€™s embarrassing.

The body count:

  • MGM + Caesars (2023) โ†’ $100M+ impact
  • 165+ Snowflake customers including AT&T, Ticketmaster (2024)
  • Marks & Spencer, Co-op, Harrods (2025) โ†’ ยฃ300M+ losses
๐ŸŽฏ Their Exact Playbook (CISA AA23-320A)

Full advisory: cisa.gov/news-events/cybersecurity-advisories/aa23-320a

How they get in:

Move What It Actually Looks Like
Help Desk Social Engineering Call IT, claim youโ€™re locked out, get MFA reset
MFA Fatigue Spam push notifications until victim rage-accepts
SIM Swap Pay carrier insider $500-$5K to port victimโ€™s number
Voice Clone AI-generate CEOโ€™s voice from earnings call audio
Evilginx Phishing Real-time session hijack, MFA means nothing

The script that works:

โ€œHi, this is [Name] from [Department]. Iโ€™m locked out and have a critical deadline. My manager [Managerโ€™s Name] is in a meeting. I just need my MFA reset โ€” my phoneโ€™s acting up so Iโ€™m calling from a different number.โ€

They call end-of-day. Staff are tired. Nobody verifies.

After compromise:

  • Join the companyโ€™s incident response calls to watch them hunt
  • Use legitimate tools (TeamViewer, Ngrok) so EDR sleeps
  • Create fake LinkedIn profiles for cover

MITRE ATT&CK profile: attack.mitre.org/groups/G1015


:money_with_wings: BEC: The $16.6 Billion Quiet Heist

Business Email Compromise makes more money than ransomware. Nobody talks about it because thereโ€™s no flashy ransom note.

2024 stats:

  • Average loss per incident: $129,000
  • AI-generated BEC emails: ~40%
  • Year-over-year increase since ChatGPT: +1,760%

FBI IC3 page: fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise

๐Ÿ”ช The BEC Kill Chain
RECONNAISSANCE
โ””โ”€ LinkedIn, SEC filings, press releases
โ””โ”€ Map who approves payments, who travels when

CREDENTIAL THEFT
โ””โ”€ Phish the executive or their assistant
โ””โ”€ Buy creds from stealer log markets

MAILBOX TAKEOVER
โ””โ”€ Set up forwarding rules (silent copy of everything)
โ””โ”€ Learn their writing style, signature, emoji habits
โ””โ”€ Wait for a big pending payment

STRIKE
โ””โ”€ CFO is traveling? Perfect.
โ””โ”€ "Urgent wire needed for confidential acquisition"
โ””โ”€ "Don't discuss until announced"

CASH OUT
โ””โ”€ Mule accounts โ†’ crypto โ†’ gone in hours

Real example: Orion (Luxembourg chemical company) lost $60 million in August 2024. One employee. Fraudulent wire instructions. Thatโ€™s it.


:mobile_phone: SIM Swap: Your Phone Number Is a Liability

FBI IC3: $68 million stolen in 2021 alone. 5x the previous three years combined.

Jack Dorsey got SIM swapped. The SECโ€™s Twitter account got SIM swapped. Youโ€™re not special.

FBI PSA: ic3.gov/PSA/2022/PSA220208

๐Ÿ“ž How It Works
1. OSINT the target (social media = security question answers)
2. Call carrier: "Lost my phone, need new SIM"
3. Pass verification with gathered PII
4. OR: Pay carrier insider ($500-$5,000 per swap)
5. Victim's phone dies. Attacker gets all SMS.
6. Trigger password resets. Intercept 2FA codes.
7. Drain everything.

The insider problem is real. Threat actors openly discuss having contacts at every major US/Canada carrier. This isnโ€™t speculation โ€” itโ€™s in their negotiations.

Deep dive: Group-IB SIM Swap Research


:microphone: Voice Cloning: 5 Seconds Is All They Need

The Arup deepfake video call cost $25-39 million. CFO + colleagues. All fake. All AI.

๐Ÿ”Š The Open-Source Pipeline
Tool Audio Needed Quality Link
Chatterbox 5-10 sec Beats ElevenLabs in blind tests GitHub
GPT-SoVITS 5 sec Excellent with fine-tuning GitHub
Tortoise TTS 3 min Highest fidelity, slow GitHub
RVC Variable Enhancement layer GitHub
XTTS v2 6 sec 16 languages Coqui AI

Where they get voice samples:

  • Earnings calls
  • YouTube interviews
  • Conference talks
  • Podcasts
  • That one LinkedIn video you posted

Googleโ€™s own red team cloned a clientโ€™s voice, called their employee, said โ€œHey boss, whatโ€™s up?โ€ โ€” employee downloaded the payload. Exercise complete.


:identification_card: Badge Cloning: Physical Access in 3 Seconds

Most corporate RFID systems are misconfigured. Legacy support enabled. Default keys unchanged.

๐Ÿ”ง The Hardware
Device Price Use Case Link
Proxmark3 RDV4 ~$400 Everything. Gold standard. proxmark.com
Flipper Zero ~$200 Portable, user-friendly flipperzero.one
Chameleon Ultra ~$150 Excellent emulation GitHub

Elevator proximity clone:

  1. Stand close to target
  2. Proxmark in bag, antenna facing them
  3. 2-3 seconds. Done.
  4. Clone to blank card

The pretext:

โ€œHi, building security. Weโ€™re upgrading card readers this week โ€” need to scan your badge to check compatibility. Takes one second.โ€

iClass downgrade attack docs: github.com/RfidResearchGroup/proxmark3/blob/master/doc/hid_downgrade.md

Long-range gooseneck reader build: github.com/sh0ckSec/RFID-Gooseneck

ESP-RFID-Tool: github.com/rfidtool/ESP-RFID-Tool


:mobile_phone_with_arrow: Smishing Infrastructure: 194,000 Domains and Counting

The Smishing Triad registered 194,000+ phishing domains since January 2024.

29% active less than 2 days. 71% gone within a week. Registered in Hong Kong. Hosted on US cloud. Targeting 121+ countries.

Full report: unit42.paloaltonetworks.com/global-smishing-campaign

๐Ÿ“ก The Supply Chain
Role Job
Data Brokers Sell phone number lists
Domain Sellers Register disposable domains
Kit Developers Build phishing pages + dashboards
SMS Spammers Bulk delivery via SIM boxes
Blocklist Scanners Rotate domains before theyโ€™re flagged

Underground service: Oak Tel / Carrie SMS

  • Supports spoofing major US bank Sender IDs (Chase, BofA, Wells Fargo)
  • ~$8 per 1,000 messages
  • Operated via Telegram

Resecurity analysis: resecurity.com/blog/article/smishing-triad-is-now-targeting-toll-payment-services


:convenience_store: Initial Access Brokers: The Ransomware Supply Chain

IABs break into networks and sell access to ransomware crews. Itโ€™s eBay for corporate backdoors.

๐Ÿ’ฐ The Market

Pricing (2023-2024):

Access Type Price Range
RDP $500-$5,000
VPN $1,000-$10,000
Domain Admin $10,000-$50,000+

Where: Exploit, XSS, RAMP forums

The pipeline:

IAB gains access โ†’ Lists on forum โ†’ RaaS affiliate buys โ†’ Ransomware deployed โ†’ Payment split (70-80% affiliate / 20-30% RaaS)

36% of listings target US companies. Finance and retail get hit hardest.

Deep dives:


:brain: Psychological Manipulation: Beyond Cialdini

Everyone knows the 6 principles. Hereโ€™s what actually gets exploited in phishing:

๐ŸŽฏ The 10 Cognitive Biases That Work
Bias How Itโ€™s Weaponized
Curiosity โ€œYour package has arrivedโ€
Authority Impersonate IT, executives, legal
Urgency โ€œ24 hours to respondโ€
Negativity Threats, warnings, fear
Conformity โ€œYour colleagues already completed thisโ€
Zero-Risk โ€œVerify now to protect your accountโ€

The 4-Stage Hijack:

  1. Attention Capture โ†’ Urgency + curiosity โ†’ System 1 engaged
  2. Trust Construction โ†’ Logos, titles, familiar domains
  3. Critical Bypass โ†’ Emotion overrides analysis
  4. Action โ†’ Click before thinking

Academic source: Cognitive Biases in Phishing Emails (PDF)


:hammer_and_wrench: The Toolchain

โš”๏ธ Phishing Stack
Tool Purpose Link
Evilginx3 Reverse proxy, captures session cookies, bypasses MFA github.com/kgretzky/evilginx2
Gophish Campaign management + tracking getgophish.com
evilgophish Evilginx + Gophish combined github.com/fin3ss3g0d/evilgophish
Modlishka Alternative reverse proxy github.com/drk1wi/Modlishka
Muraena Transparent reverse proxy github.com/muraena/muraena
SET Social-Engineer Toolkit github.com/trustedsec/social-engineer-toolkit
Zphisher Quick phishing site generation github.com/htr-tech/zphisher
SocialFish Mobile-friendly phishing github.com/UndeadSec/SocialFish

Phishlets: github.com/An0nUD4Y/Evilginx2-Phishlets

Pretext templates: github.com/L4bF0x/PhishingPretexts

๐Ÿ” OSINT Stack
Tool Use Link
SpiderFoot 200+ modules, automated recon github.com/smicallef/spiderfoot
Maltego Graph-based link analysis maltego.com
Sherlock Username across 300+ sites github.com/sherlock-project/sherlock
theHarvester Email/subdomain enumeration github.com/laramies/theHarvester
Recon-ng Modular framework github.com/lanmaster53/recon-ng
GHunt Google account intel github.com/mxrch/GHunt
Holehe Email-to-account matching github.com/megadose/holehe

Google dorks that work:

site:target.com filetype:pdf
"target company" filetype:xls "password"
site:linkedin.com "target company" "IT manager"
site:target.com ext:sql | ext:bak | ext:log
๐Ÿ“ž VoIP/Caller ID Spoofing

DIY setup:

  1. Install Asterisk on VPS
  2. Register with VoIP provider (Skyetel, Telnyx)
  3. Get DID (~$0.50/month)
  4. Configure custom Caller ID in dialplan
  5. Spoof away

Tools:

  • Viproy (Metasploit VoIP toolkit)
  • inviteflood (Kali Linux)
  • SIPVicious

Guides:

Spoofing itself isnโ€™t illegal (US). Misrepresenting identity for fraud is.


:books: FBI Elicitation Techniques

The 20 techniques. The ones that actually matter:

Technique How It Works
Assumed Knowledge Pretend you already know; they fill gaps
Deliberate False Statement Say something wrong; they correct you
Flattery Compliment expertise; they elaborate
Silence Let the uncomfortable pause do the work
Bracketing Estimate high/low; they correct to real number
Quid Pro Quo Share first; reciprocity triggers

Chain them: Flattery โ†’ Assumed Knowledge โ†’ Silence โ†’ Feigned Ignorance

Vishing best practices: social-engineer.org


:circus_tent: DEF CON SECTF

Since DEF CON 18. Contestants vish real Fortune 500 companies from a soundproof booth. Live audience watches.

Flags: OS versions, browser types, VPN vendors, org charts, cafeteria vendor names.

Winner gets: Black badge (lifetime DEF CON entry).

Communities:

  • se.community (SECVC Discord)
  • BREAKDEV Discord (Evilginx)

SE Village: sevillage.org


:package: Red Team Resource Repos

Repository Content
Red-Teaming-Toolkit Comprehensive tool list
Awesome-Red-Teaming Books, courses, resources
red-team-scripts Scripts and automation
awesome-phishing Phishing-specific collection
Awesome-Cybersecurity-Handbooks Cheatsheets

:open_book: Glossary

Term Meaning
PhaaS Phishing-as-a-Service
IAB Initial Access Broker
MFA Fatigue Push bomb until they accept
Phishlet Evilginx config file
Stealer Logs Creds from infostealer malware
Blitz Price Buy-now price vs auction
VEC Vendor Email Compromise
PACS Physical Access Control System
SID Sender ID (SMS spoofing)

:paperclip: Sources


:warning: For authorized security testing only. Social engineering without explicit authorization is illegal. Know your laws. Get permission. Document everything.


6 Likes