Thinking Like a Social Engineer
Having a few hundred megabytes of data and pictures is great, but when you start reviewing it, how do you train yourself to review and then think about the data in a way that has maximum impact?
Of course you could just open a browser and type in long-winded random searches that may lead to some form of information, some of which may even be useful. But if you are hungry you probably don't just run to the kitchen, throw whatever ingredients you see into a bowl, and start digging in. Planning, preparation, and thought are what make the meal good. In the same way, a social engineer needs to plan, prepare, and think about what information he will try to obtain and how he will obtain it.
When it comes to this vital step of information gathering, many people will have to change the way they think. You have to approach the world of information in front of you with a different opinion and mindset than what you normally have. You have to learn to question everything, and, when you see a piece of information, learn to think of it as a social engineer would. The way you ask questions of the web or other sources must change. The way you view the answers that come back must also change. An overheard conversation, what seems like a meaningless forum post, a bag of trash: you should assimilate this information in a different way than you did before. My mentor Mati gets excited when he sees a program crash. Why? Because he is a penetration tester and exploit writer, and a crash is the first step to finding a vulnerability in software, so instead of being irritated at losing the data he gets excited at the crash. A social engineer must approach information in much the same way. When you find a target that uses many different social media sites, look for the links between them; the combined information can build a whole profile.
As an example, one time I rented a car to drive a few states away for business. My companion and I loaded all of our luggage in the trunk; as we were getting into the car we noticed a small bag of trash in the back seat. The other person said something like, "Service today just stinks. You figure for what you pay they would at least clean out the car."
True, you would expect that, but I stopped that bag from just being chucked into the nearest can, and I said, "Let me just look at that really quick." As I opened the bag and pushed aside the Taco Bell wrappers, what was lying in plain sight was a shock to me: half of a ripped-up check. I quickly dumped out the bag and found a bank receipt and the other half of the check. The check was written out for a couple thousand dollars, then just ripped up, not into tiny little pieces but into four large chunks, then thrown into a small bag with a Taco Bell wrapper. Taping it back together revealed this person's name, company name, address, phone number, bank account number, and bank routing number. Together with the bank receipt I now had the balance of his account. Thankfully for him I am not a malicious person, because only a few more steps are needed to commit identity theft.
This story illustrates how people view their valuable information. This guy rented the car before me, and because he threw the check away he felt it was gone, disposed of safely. Or so he thought; but this is not an isolated case. At this URL you can find a recent story about very valuable things people just threw away or sold for next to nothing at a garage sale: www.social-engineer.org/wiki/archives/BlogPosts/LookWhatIFound.html.
>> A painting that a museum bought for $1.2 million
>> A 1937 Bugatti Type 57S Atalante with a mere 24,000 miles, sold for $3 million
>> A copy of the Declaration of Independence
If people will throw away a painting with a hidden copy of the Declaration of Independence in it, then throwing away bills, medical records, old invoices, or credit card statements obviously doesn't strike them as a big deal.
How you interact with people in public can have devastating effects. In the following scenario I was asked to audit a company, and before I could proceed I needed to gather some data. Take a look at how simple, seemingly meaningless information can lead to a breach.
Simply following one of the higher-ups of the target company for a day or two showed me that he stopped for coffee every morning at the same time. Since I was aware of his 7:20 a.m. coffee stop at the local coffee shop I could plan a "meeting." He would sit for 30 to 35 minutes, read the paper, and drink a medium café latte. I enter the shop about 3 to 5 minutes after he sits down. I order the same drink as him and sit down next to him in the shop. I look over as he places one section of the paper down and ask whether I can read the section he is done with. Having already picked up a paper on the way, I knew that page three contained an article about a recent murder in the area. After acting as if I just read it, I say out loud, "Even in these small towns things are scary nowadays. You live around here?"
Now at this point the target can blow me off, or, if I played my cards right, my body language, vocal tone, and appearance will put him at ease. He says, "Yeah, I moved in a few years back for a job. I like small towns, but you hear this more and more." I continue, "I am just traveling through the area. I sell high-end business consulting services to large companies and always enjoy traveling through the smaller towns, but I seem to hear more and more of these stories even in the rural areas." Then in a very joking tone I say, "You don't happen to be a bigwig in a large company that needs some consulting, do you?"
He laughs it off and then, as if I just challenged him to prove his worth, says, "Well, I am a VP of finance at XYZ Corp. here locally, but I don't handle that department."
"Hey, look, I am not trying to sell you something, just enjoying the coffee, but if you think it would help, could I stop by and leave you some information tomorrow, on Wednesday?"
This is where the story gets interesting, as he says, "Well, I would, but I am heading out for a much-needed vacation on Wednesday. But why don't you mail it to me and I will call you." He then hands me a card.
"Going somewhere warm and sunny, I hope?" I ask this knowing that I am probably getting close to the point where I need to cut it off.
"Taking the wife on a cruise south." I can tell he doesn't want to tell me where, which is fine, so we shake hands and part ways.
Now could he have been blowing me off? Probably, but I have some valuable information:
>> His direct number
>> When he is leaving for vacation
>> What type of vacation
>> That he is local
>> The name of his company
>> His title in his company
>> That he recently relocated
Of course, some of this information I already had from previous information gathering, but I was able to add a substantial amount to it after this meeting. Now to launch the next part of the attack, I call his direct line the day after he is supposed to be gone and ask for him, only to be told by his receptionist, "Sorry, Mr. Smith is on vacation. Can I take a message?"
Excellent. The information is verified, and now all I need to do is launch the final phase, which means dressing up in a suit and taking my $9 business cards to his office. I enter, sign in, and tell the receptionist I have an appointment with Mr. Smith at 10:00 a.m., to which she replies, "He is on vacation. Are you sure it is today?" I show true surprise: "Wait, his cruise was this week? I thought he left next week."
Now this statement is vital—why?
I want the appointment to be believable, and I want the receptionist to trust me by proxy. By stating that I know about this cruise, I imply that Mr. Smith and I have had conversations intimate enough that I know his itinerary. At the same time my helplessness elicits pity, and right away the receptionist comes to my aid. "Oh, honey, I am sorry, do you want me to call his assistant?"
“Ah, no.” I reply. “I really wanted to leave some information with him. How about this—I will just leave it with you and you can give it to him when he gets back? I am terribly embarrassed; maybe you can avoid even telling him I did this?”
“My lips are sealed.”
"Thank you. Look, I am going to crawl out of here, but before I do, can I just use your bathroom?" I know that I normally would not be buzzed in, but I hope the combination of my rapport, my helplessness, and her pity will lead to success, and it does.
While in the bathroom, I place an envelope in one stall. On the front of the envelope I put a sticker that says PRIVATE. Inside the "Private" envelope is a USB key with a malicious payload on it. I do this in one stall and also in the hallway by a break room to increase my chances, hoping that the person who finds one of them is curious enough to insert it into their computer.
Sure enough, this method seems to always work. The scary thing is that this attack probably wouldn't have worked if it weren't for a seemingly useless little conversation in a coffee shop.
The point is not only that small pieces of data can still lead to a breach, but also how you collect that data. The sources you can use to collect data are important to understand and practice with until you are proficient with each method and each source of collection. There are many different types of sources for collecting data. A good social engineer must be prepared to spend some time learning the strengths and weaknesses of each, as well as the best way to utilize each source. That is the topic of the next section.