
Social Engineering: Part II

By ghostghost | 5831 Reads |

Social Engineering

Social engineers are all over. If you work at a rather large corporation, then you will be or already have been a victim of a social engineer.

These con artists / expert swindlers / grifters will cover you with a blanket of attractiveness, trust, security, and friendship. While you are feeling comfortable about what the stranger has to offer, he is pumping you for information.

Surely, at your work you have some sort of code or maybe just lingo that only the employees know and use. You use the terms and codes all day, writing them on documents, punching them into phone calls, telling other employees, etc. How could it be important if so many people know it? People tend to judge a book by its cover. A social engineer who speaks like an insider might be taken as an employee. If he asks for a code, there would be no reason to question him.

Let's take Hank for example. He works at a computer research lab called "Salligin Tech." Over at Salligin, they have a database of all employee records and what not.

*His phone rings at his desk

Hank: Salligin Tech, Hank speaking…

Lance: Hello, Hank. My name is Lance. I'm from Hierarchy Ltd. in Georgia. My company and yours are currently pondering on a merge. May I ask you a question?

Hank: Sure

Lance: My boss has spoken to the CEO over there at Salligin and they've combined our databases. What is the pass number when trying to edit information within the EMP DB? (Yes, E M P D B. It was the lingo for Employee Database.)

Hank: Hold on, let me check. –Pause– Hank: 99487

Lance: 9 9 4 8 7?

Hank: Yeah.

Lance: Thank you, Hank.

Hank: No problem.

Lance: Have a nice day.

Later that day, Lance used TELNET to connect to Salligin Tech's employee db and erased an employee's entire table. This erased his AuthID, computer name, entry code, and all other things that the employee needed to have. Lance was a crooked private eye and was given the task to remove a certain client's foe's existence from the company he worked for. As you see, Hank willingly told the pass number without a bit of doubt. Why should he have? A fellow employee of a company that was merging with his needed help. The stranger on the phone was so nice and sounded professional.

Let's examine one more social engineer attack…

David is a new employee at BestPurchase. As any newb would, David wanted to make a good impression and to delight his boss. Here's how it went–

*The phone at David's register rings

David: You've reached BestPurchase, this is David. How can I help you?

Brad: Hi David, my name is Brad. Is Natalia there? (Brad learned that Natalia was the manager– the Big Guy, er Big Girl. He also knew that she was on vacation)

David: No. I'm sorry. Natalia is out on vacation until August.

Brad: Oh. Darn. Would you happen to know anything about the "Sign-Up Tab" program Natalia launched before she left?

David: No, sir. This is my first day.

Brad: Oh, I see. Well it's basically this thing where workers write down a list of friends and family on a sheet and then those select few can come in and just sign the receipt and the worker will pay for it at the end of the month.

David: That's cool.

Brad: Yeah. So anyways, my name is written down on Natalia's list. I'll be going into town to get a few things, would you be ready for me to show up and sign a receipt?

David: I don't know. How do I know that you're on Natalia's list?

Brad: Go fetch her list from her office if you don't believe me.

David: I'm not allowed in there.

Brad: You don't have to mess with anything. Just go fetch her list and get out.

David: No No… what was your name?

Brad: Brad King. Now am I going to have to call Natalia in Florida right now and tell her that I can't get my new laptop because you're holding me up?

David: *sigh* So I just give the receipt to Natalia when she gets back and she pays for it?

Brad: Right.

David: OK. I'll see you soon then.

Brad: Bye

A little later, "Brad" comes into BestPurchase, grabs his laptop, and goes up and down the aisles until he sees a man with the tag: David. David scans the item, prints out a receipt, "Brad" signs it, and walks out the door with the best laptop in there that he got for FREE. Once Natalia returns, David gets fired explaining it, and all they have for evidence is a receipt signed by a non-existent "Brad King."

You'll notice that David wasn't going to give in at the start. Brad had to pull two tricks on him. The first one was that Brad kept talking to David as if he was a dog: "FETCH her list," "Just go FETCH it." We don't like to be talked to like that, so David did what "Brad" wanted him to do: not look for a list. Then "Brad" didn't really threaten David, but he came close. When Brad mentioned that he would have to call Natalia and complain about the service, David got nervous. It was his first day, and having the top notch get called because he wouldn't listen to a man was pretty scary. Finally, David was won over.

—XERO—

Comments
ghost 19 years ago

Really great article :P Shame the SE bot doesn't act like a normal person :(

ghost 18 years ago

heh i might try the laptop thing :P :P :P

ghost 18 years ago

Fine article. Good example of SE. I'll rate it Very Good.

ghost 18 years ago

Why not make it awesome :)

ghost 17 years ago

Don't make fun of me:( it was my first day!:vamp:

DonMilano 12 years ago

amazing :D u rock. thx