Category: Social Engineering

Sep 16 2009

Social Engineering: Voicemail branding for improved results

With the launch of social-engineering.org, I thought I would publish one of the tactics I have used in the past to gain trust with employees on social engineering engagements. I have found this particular pretext makes the classic tech-support attack significantly more successful, even when using a non-spoofed caller ID and a phone number from out of state.

It is commonly agreed that anywhere from 60-90% of communication is non-verbal. You might think that this would make a phone-based attack more difficult; I’m of the opinion that it makes it easier to exploit the victim’s imagination, since they have less input to observe.

Just like phishing uses visual cues to build trust with the victim, it is possible to do the same using voice mail. Many companies have standard greetings that employees are to use for their voice mail; simply mirroring those makes it appear that the victim has reached another employee. Here is how the attack is outlined:

  1. Attacker calls the victim organization to learn the standard voice mail greeting its employees use.
  2. Attacker sets up their own voice mail to mimic the target organization’s greeting.
  3. Attacker calls the victim either just before or just after office hours. This is the key step, as it triggers the employee to call the attacker back.
  4. Attacker ignores the callback and lets it go to voice mail. The victim hears the attacker’s voice and the branding the attacker left for them.
  5. Attacker calls the victim back and proceeds with the classic tech-support attack.

Theoretical Script:

Attacker (voicemail): “Hi, you have reached the voice mail of John Doe with nGenuity. We are currently experiencing a company wide security incident. Please leave your name and number and I will contact you back as soon as I can.”

Victim (voicemail): “Hi, this is Joy Doe from nGenuity accounting. You can reach me at 555-1212.”

Attacker (calling victim): “Hi Joy, this is John Doe with nGenuity technical support. I’m sorry for getting back to you so late, we have had a lot of work to do to correct this mess. Your workstation is one of the last systems that I need to clean up to be done for the day. Unfortunately this threat has locked out our administrative access so I need your username and password to take care of this.”

Now, if the user doesn’t want to provide their credentials, simply direct them to a website you control, branded like the company, and have them install some remote access software.

The point is that voice mail can be used to improve your branding as an attacker and build credibility where there is none or very little. The victim easily forgets that they were the one being solicited, because of the number of calls involved. Another fun tactic to build credibility is call-center background noise clips and hold music. Make it sound like you’re actually at work.

Aug 01 2008

Social Engineering Rides Again!

One of my clients uses a large Business Solutions provider to manage payroll and benefits over the web. This provider requires that each user with access to their system has a personal certificate, as well as a userid and password in order to access their site. This is outstanding! Two-factor authentication is great!

Unfortunately, when you reissue the certificate based solely on a phone call, to a caller-supplied email address, your two-factor authentication doesn’t work so well. We recently migrated this client to a new domain. During this process, one user’s certificate was somehow corrupted. She could no longer access the website. After trying to re-import the certificate from a backup, we wound up calling support. The support staff was friendly and helpful, until they discovered that I was not an “approved contact”, at which point they told me the call could not proceed until they got authorization from an approved contact. Bravo! This company clearly pays attention to security. And with access to so many people’s PII, they should!

On a whim, I asked the support representative who was authorized to approve me, and to my dismay, he gave me three names. “Hold on a sec, I’ll get $approved_contact_1,” I said. I walked into the next office, got her, and returned. “Here’s $approved_contact_1,” I told him, and hit the speakerphone button. The rest of the dialog went like this:

SR: “Is this $approved_contact_1?”

AC1: “Yes.”

SR: “Is Aaron authorized to contact me regarding your account?”

AC1: “Yes.”

SR: “Ok, thanks for your time.”

My jaw dropped. He didn’t offer to call the number they had on file for the company and speak with one of the approved contacts. He didn’t ask the approved contact to answer any of her security questions. He didn’t do ANYTHING to verify that the call was legitimate, or that the approved contact was who I said she was.

At this point, we went through several troubleshooting steps, none of which addressed the problem. The support rep finally decided that the best way to fix this problem was to reissue the user’s personal certificate. Imagine my surprise when he asked me what email address I would like the certificate request sent to. Wondering if they could be this silly, I gave him one of my email addresses, one that clearly did not belong to any of the approved contacts, let alone the user who had a problem. Now imagine my astonishment when the certificate request shows up in my inbox. Surely they can’t be this cavalier with access to their site?!?

I went through the process as outlined in the certificate request email, and at some point was prompted for the user’s credentials. She had stepped out for lunch by then, so I couldn’t have her type in her password. I offered to call back when she was available, but this support rep was REALLY helpful, so he went ahead and reset the user’s password for me. Wait…What? I didn’t ask him to do that. So now I have the user’s personal certificate, the user’s userid (provided in the certificate request email), AND her password. Wow. It’s a good thing they use two-factor authentication…

The moral of the story:

Customer service is very important in today’s marketplace, and I hate to bag on a company for providing support that is too helpful, but seriously, you don’t go around providing access to sensitive resources without doing SOME kind of verification. Had I been an attacker, I would have the keys to the kingdom, and all the social security numbers and other information I could eat. If you’re going to be working with PII, please make sure your support staff knows how to deal with these types of situations.

Jul 25 2008

The Press: Information Jackpot

Entrepreneurs love media attention for themselves and their businesses. Any chance to get on television or in a publication is quickly jumped on. The July edition of the Tri-Cities Area Journal of Business features a new section that focuses on young entrepreneurs, asking questions such as “Toughest career obstacle or decision?” and “[What are your] lifetime goals?” You might be thinking, “What does this have to do with security?” It conveniently relates quite nicely to what I want to talk about: security questions and answers.

Security questions are the questions you get asked when you want to reset your password, or sometimes even to log into a web site. They are typically simple questions to which (hopefully) only you know the answer.

Some common questions are:

  • What city were you born in?
  • What is the name of a pet or the name of your first pet?
  • Favorite Movie
  • Favorite song / book
  • … and many other variations.

The problem with security questions is that the answers to them are quite often easily discovered information. Take the Journal of Business young entrepreneurs section: it offers a wealth of information that might be used.

Answers are typically less complex than a typical password, injecting additional weaknesses into the security of your account. Why force a secure password when you don’t force a secure security answer? Why are we giving up this information to the sites we log into every day? Because they asked for it, that’s why. We want access to the site and want the ability to reset our password or whatever other functionality the site has tied to the question/answer.

The solution is quite easy: do not provide the real information. Generate a random answer and record it the same way you would your password. I recommend Password Gorilla, but there are many password manager applications out there to help you manage this.
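As an added example (not code from the original post or from Password Gorilla), here is a small Python script that does what the paragraph above recommends: it generates an independent random answer for each security question and reports how much entropy each answer carries, so you can compare it against a real answer that an attacker could look up. The 20-character length and the lowercase-plus-digits alphabet are assumptions; many sites reject punctuation in security answers or fold case, so the alphabet is kept conservative. The questions in the script are the ones listed in the post.

```python
import math
import secrets
import string

# Assumed alphabet: lowercase letters and digits only, because sites commonly
# reject punctuation in security answers and some compare them case-insensitively.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length: int = 20, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a uniformly random answer of `length` symbols drawn from `alphabet`.

    The `secrets` module (not `random`) is used so the answer is as unguessable
    as a password generated by a password manager.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size) bits.

    Also usable for a real answer: a birthplace drawn from a list of N cities
    has entropy_bits(1, N) bits, i.e. under 10 bits for N = 1000.
    """
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def answers_for(questions, length: int = 20, alphabet: str = ANSWER_ALPHABET) -> dict:
    """Map each security question to its own independent random answer.

    The returned dict is what you would record in the password manager entry
    for the site, next to the password; the real city, pet or movie is never
    disclosed to the site at all.
    """
    return {q: random_answer(length, alphabet) for q in questions}


if __name__ == "__main__":
    # Sample questions taken from the post (constructed input for the demo).
    questions = [
        "What city were you born in?",
        "What is the name of your first pet?",
        "Favorite movie",
    ]
    for question, answer in answers_for(questions).items():
        print(f"{question}\n    answer: {answer}")
    print(f"each random answer: {entropy_bits(20, len(ANSWER_ALPHABET)):.1f} bits")
    print(f"a real city from a list of 1000: {entropy_bits(1, 1000):.1f} bits")
```

Run it once per site and paste the generated answers into the site's entry in your password manager. If a site caps the answer length or restricts the character set, lower `length` or change `alphabet` accordingly; even a short random answer is still better than a birthplace that appears in a business journal profile.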

As an aside, those of you who are being interviewed for publications: do your homework before providing information to somebody who says they are a reporter or journalist. One great social engineering method is to pose as the press to gain information. People love to talk to the press.
