Social engineering used to be virtually unknown in the IT community – except, that is, amongst its practitioners. The recent wave of phishing scams (spoofed e-mails designed to harvest your credit card details) has raised awareness, as has the publication of books such as Kevin Mitnick’s “The Art of Deception”. However, most people go about their daily business without a paranoid thought in their heads, blissfully ignorant of how easy it is to steal information just by fooling people.
Here’s a typical example from our real-world experiences as ethical hackers. Firstly we buy a “pay as you go” mobile phone in our local high street. Then we call the switchboard number of our target organisation, which is freely available on the web of course. We ask for the names and e-mail addresses of the IT project leaders for the areas we are interested in – mostly to do with payroll and payment systems. Apart from asking whether we are a recruitment company, there are no checks and the receptionist is happy to give us this information over the phone.
Next we study the firm’s web site and create a spoof web page in the same style as the corporate site, even using the same images and logos by embedding the real image paths in our code. This spoof page is ostensibly a questionnaire on information security policy, based around BS 7799 (now ISO 27001 – the standard for information security management), with a few simple questions on how you choose your password, whether or not you would write it down, and so on.
Then we individually e-mail each of our target project managers, using a spoof source e-mail address, and claiming to be the firm’s information security manager, requesting them to complete a short questionnaire and giving them the web link. Most people would be suspicious about these fairly obvious questions, except for the fact that they see a legitimate-looking web page and the request appears to come from their own information security manager.
Even better, when they click on the link the first thing they are asked to do is identify themselves with their username and password. This of course, is the scam, since the rest of the questionnaire is irrelevant to us (although perhaps interesting) since all we want is their network credentials.
Using this method we rapidly harvest some valuable network credentials with no risk to us whatsoever and without ever going anywhere near the target organisation. When the scam is subsequently exposed by a more alert individual and all the passwords have been changed, it’s too late since we have already used the credentials to log in remotely to their extranet and set up our own “back door” account.
Another technique which involves little or no risk of exposure, and gives almost instant access to the network, goes like this. The first stage is very similar to the previous scam. Again we use our “pay as you go” mobile phone and call the switchboard number of our target organisation. This time we ask for the names, job titles and direct dial numbers of the senior IT staff. Having compiled our list, one of my colleagues calls the firm’s help desk claiming to be one of the senior people.
He explains that his is working at home, using his corporate laptop but has screwed up his remote login and forgotten his password. He tells the help desk operator that he has to go out to collect his son from the nursery, so could they please reset his account and text him the new password. Of course, he gives them the number of his new, untraceable mobile phone. Within 15 minutes they text him not only the password but also the account name for good measure. It’s a very fast “game over” indeed as we log in remotely, using this senior person’s privileged account and grab all the information we want.
If reception staff were forbidden to give out information about members of staff and helpdesk personnel were given clear guidelines about how to validate requests for password resets, then the type of telephone social engineering I describe in No. 1 - Helpful Staff would fail immediately.
Peter Wood, Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.