January 25th, 2004 05:51 AM
Social Engineering Part I - Introduction
I'm writing some articles for my local user's group. Let me know what you guy's think.
What do you want to know today?
Social Engineering Part I – Introduction to the methods of the Blackhat
First of a four part series
It’s 3:37PM, and the telephone rings. The receptionist answers, and as requested, the call is transferred to the Comptrollers office. The caller doesn’t have to wait long, as the Comptroller is at her desk as usual, pounding away at the ten key.
“This is Mrs. Ashfellow, how may I help you?”
The caller quickly responds: “Hello, Mrs. Ashfellow. This is Bob Jacobson with the IT department at Corporate. We’re having some problems with some of the user accounts at several locations related to a recent virus outbreak and I was wondering if any of your users have noticed anything unusual.”
She ponders the question for a moment ant then responds, “Well, now that you mention it, I’ve been having problems when I try to access Great Plains on the server.”
Salivating, the caller says, “Have we upgraded your PC to Windows XP yet? I’m looking through the tracking software but don’t see an entry.”
She quickly responds: “No, I’m still running 2000.”
His heart quickens, as he realizes this is the moment. Now for the kill. “Mrs. Ashfellow, what is your logon name and password? Perhaps it’s a problem with the account.” The caller receives her answer, and after thanking and assuring her that he’ll fix the issue, quickly goes back to work. Packets fly from the cable modem like mosquitoes searching for a blood meal.
Mrs. Ashfellow and her company have just been the victims of social engineering.
Social Engineering is “the art and science of getting people to comply to your wishes”. More specifically, it is a tactic used by hackers to exploit the weakest link in you IT security: the end-user. As IT security professionals, it is imperative that we understand this type of threat and the tactics used in order to create countermeasures to defend against it.
The hacker, depending on the hacker’s level of skill, research, and persistence, can employ many different social engineering tactics. Most successful hackers treat the social engineering as a separate hack that is a cornerstone of their main focused effort. As with any attack, social engineering starts off at the basics – footprinting, or casing the establishment. This is usually the longest and most labor-intensive part of the attack. Information is gathered by means that usually do not reveal the hacker or the hacker’s intentions, such as whois queries, public records, etc.
After footprinting, the hacker then decides on which course of action might best achieve information that may lead to a system compromise. If the attacker has some kind of contact, he/she may attempt to gain information from an interpersonal relationship. If not, the hacker usually resorts to the use of technology to trick someone into divulging information.
There are several methods for accomplishing this, and some are more effective than others. For example, there is the direct approach of simply calling the telephone number of the target and asking whomever answers for their user name and password. This is the least likely to succeed with a security conscious user. A more popular method is for the hacker to impersonate a technical support employee, as was illustrated in the opening paragraphs of this article. Other methods include impersonating a senior management employee, such as a project manager or V.P., or a helpless user who calls IT for help. A new trend is the use of reverse social engineering. This is similar to reverse psychology, where the hacker calls and entices the target user into voluntarily divulge information by forcing the target user to be the one who asks the majority of the questions. For example, a hacker calling the IT department claiming to be a sales rep for Checkpoint Software or support operator for Microsoft. This works well is the system is first DoSed or infected with a Trojan or virus that causes problems on the network.
Another form of reverse social engineering is what I call the Website Roshambo. This is where the hacker emails a potential target with an enticing offer that links to a website that the hacker has set up. These sites usually offer a gimmick of some kind and require users to create a “free” account. This is very successful, as most users like to keep it simple, and will use the same user name and password on the site as they do to login to the network. The hackers know this and use it to kick your systems in the crotch!
That’s it for Part I. In Part II, I’ll go over some countermeasures and how to test them.
EDIT: Here's a good thread by striek that goes a little more in detail about types of social engineering attacks. It's a realy good read.
January 25th, 2004 02:19 PM
Social engineering is a lot harder now days than it was in the past. I know of one incident at my workplace (some Internet Service Provider) where a customer called forgot username/password didnt have (MMN) mothers maiden name, or last 4 digits of S.S (Social Security number) didnt have none of there account billing information and still managed to get the password changed. How did this person do it? Simple. Number 1. called and was acting like a very disgruntled customer (very irate, dickhead) saying stuff such as: "if you dont fix this right now I'm canceling my service," putting our ISP down, making fun of technical staff, etc... while the tech support specialist who was assiting this person "just started" (after 3 weeks of training courses) and the man demanded her supervisor. She didnt want to get into trouble so she just changed the password without obtaining any billing account information to verify this is the correct person. Sadly to say when she did this the whole converstion was being recorded by the QA (quality assurance team for the ISP I work for) who then walked over to her and escorted her out the building 15 minutes later. Now the story goes if you dont have the correct information your not social engineering anybody at the workplace.
January 25th, 2004 03:48 PM
You will have to do better than that
"Upgrade" to XP? que?
I guess you have never worked military/intelligence?
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
January 25th, 2004 04:15 PM
Actually, nihil, I'm an Intelligence Analyst (96B). I was just trying to paint a picture of a sucessful social engineering attack by a hacker against an end user who was not properly educated about security by the IT staff in a workplace where there are no information security/assurance policies in place. I'm going to cover that in the next installment.
Very observant, however! As far a Windows goes, I don't run sensitive info on anything but Win2K or NT4SP6a configured C2. Usually, I use a locked down Unix.
Thanks for the feedback. If you have any suggestions on how to make part II better, or anything that you want me to cover, let me know. What do you guys think of using some case studies as examples?
EDIT: My apologies to Remote Access....Didn't mean to steal the title of RA's thread. (yep, RA's banned, but it's the principal of the thing that counts) I did an AO search, but it didn't come up. I just noticed it in the "Similar Treads" listing.
January 25th, 2004 07:37 PM
Well, I think that social engineering is one of the most effective ways to gain informations, address and IP's, sometimes easly from none-educated users.
social engineering ain't dying breed.
Thanks for interesting tutorial, 576869746568617.
Don\'t Be So HumblE>>>>
You aRe N0T tHaT GreaT<<<<
January 25th, 2004 08:02 PM
Re: Social Engineering Part I - Introduction
This would not work. It's all in how you word it. You can't ask for the password and log on information like that, even management isn't usually that stupid. You have to word it better to make them cough it up.
Originally posted here by 576869746568617
His heart quickens, as he realizes this is the moment. Now for the kill. Mrs. Ashfellow, what is your logon name and password? Perhaps it's a problem with the account. The caller receives her answer, and after thanking and assuring her that hell fix the issue, quickly goes back to work. Packets fly from the cable modem like mosquitoes searching for a blood meal.
Well, I seem to be having a problem with your account on my computer here. Can you log out for me please sir? Then Log back in. Ok, what did you type? Hmm, that didn't show up let me check my system. Everything seems ok, what did you type in the password field? Ok that showed up fine. I'll fix this problem out for you, have a nice day.
That bit has done me well. Drunk's that call my house screaming at my familly that happen to have a high place job really regret it lol.
January 25th, 2004 08:55 PM
Now the story goes if you dont have the correct information your not social engineering anybody at the workplace.
This stuff is actually easier to get than it was when social enginerring was a new idea. A trash can in an apatrment complex mailroom will yield alot of information. Just hit the same complex once a week for a month or so. By nature human beings are repetitive. Thos that normally read mail at the can and toss it will continue to do so. So over the course of a month you can have an easy ten identities. So in a way social enginerring is a dead art. It has changed into identity theft.
January 26th, 2004 02:42 AM
I agree with you, gore. Most of the time (99.999%), you aren't giong to get any info if you just pop out and say "What's your user name and password?". However, I have had it work a few (and I do mean few) times. Thanks for the feedback, though. I guess I should have proofed it a little more, maybe I would have made it a little more complicated. Mind if I use that line in the re-write?
What can I say....Work in progress!
January 26th, 2004 03:31 AM
I disagree, Most users in a company don't have security on their mind. In my experence you can get passwords and other information by simply walking around and keeping your eyes open: companies with frequently changing passwords and even ones w/out tend to have workers with post-it notes of login information or workers happy to give information with the hope of IT assistance.
Social engineering is a lot harder now days than it was in the past
A mind full of questions has no room for answers
January 26th, 2004 05:35 AM
. In my experence you can get passwords and other information by simply walking around and keeping your eyes open
I strongly disagree with the above statement. You cant not simply walk around and obtain peoples passwords in a 'work enviroment' or any other 'enviroment' for that matter. People are very wise to this. Plus the people behind the PC's obviously know there stuff or they wouldnt be in that business. At my work I work for one of the biggest Internet service Providers in the USA will I say no. Am I aloud to say I dont know. The reason I say that (had to sign papers for secercy) my point is it's a lot harder to get peoples passwords than "walking around and keeping your eyes open" if your lucky and have fast eyes you might be able to get a sneak peak to see what there typing a character or two but thats about it. Like I said in my previous post the way that works 'from what I've seen is' acting like a disgruntled customer just keep it to A minium if you start cussing be prepared to have the phone hung up on you because the person on the other end will probably released the call. In my personal opionion you have to be smarter than the person on the other end of the phone to trick them.