Posts tagged: Social Engineering

Sep 16 2009

Social Engineering: Voicemail branding for improved results

With the launch of social-engineering.org I thought I would publish one of the tactics I have used in the past to gain trust with employees while on social engineering engagements. I found that this particular pretext makes the classic tech support attack significantly more successful, even while using a non-spoofed caller ID and a phone number from out of state.

It’s commonly agreed that anywhere from 60-90% of communication is non-verbal. You might think that this would make a phone-based attack more difficult; I’m of the opinion that it makes it easier to abuse the imagination of the victim, since they have less input to observe.

Just like phishing uses visual cues to build trust with the victim, it is possible to do the same using voice mail. Many companies have standard messages that employees are to use for their voice mail; simply mirroring those makes it appear that the victim has reached another employee. Here is how the attack is outlined.

  1. Attacker calls to identify voice mail of victim organization.
  2. Attacker sets up their voice mail to mimic target organization.
  3. Attacker calls victim either just before or just after office hours. This is the key, as it triggers the employee to call the attacker back.
  4. Attacker ignores the callback and lets it go to voice mail. The victim hears the attacker’s voice and the company branding the attacker left for them.
  5. Attacker calls victim back and proceeds with the classic tech support attack.

Theoretical Script:

Attacker (voicemail): “Hi, you have reached the voice mail of John Doe with nGenuity. We are currently experiencing a company wide security incident. Please leave your name and number and I will contact you back as soon as I can.”

Victim (voicemail): “Hi, this is Joy Doe from nGenuity accounting. You can reach me at 555-1212.”

Attacker (calling victim): “Hi Joy, this is John Doe with nGenuity technical support. I’m sorry for getting back to you so late; we have had a lot of work to do to correct this mess. Your workstation is one of the last systems that I need to clean up to be done for the day. Unfortunately this threat has locked out our administrative access, so I need your username and password to take care of this.”

Now, if the user doesn’t want to provide their credentials, simply direct them to a website you control, branded like the company, and have them install some remote access software.

The point is that voice mail can be used to improve your branding as an attacker and build credibility where there is none or very little. The victim easily forgets that they were solicited because of the number of calls. Another fun tactic to build credibility is call center background noise clips and hold music. Make it sound like you’re actually at work.

Aug 01 2008

Social Engineering Rides Again!

One of my clients uses a large Business Solutions provider to manage payroll and benefits over the web. This provider requires that each user with access to their system has a personal certificate, as well as a userid and password in order to access their site. This is outstanding! Two-factor authentication is great!

Unfortunately, when you will reissue the certificate based solely on a phone call, to a caller-supplied email address, your two-factor authentication doesn’t work so well. We recently migrated this client to a new domain. During this process, one user’s certificate was somehow corrupted. She could no longer access the website. After trying to re-import the certificate from a backup, we wound up calling support. The support staff was friendly and helpful, until they discovered that I was not an “approved contact”, at which point they told me the call could not proceed until they got authorization from an approved contact. Bravo! This company clearly pays attention to security. And with access to so many people’s PII, they should!

On a whim, I asked the support representative who was authorized to approve me, and to my dismay, he gave me three names. “Hold on a sec, I’ll get $approved_contact_1,” I said. I walked into the next office, got her, and returned. “Here’s $approved_contact_1,” I told him, and hit the speakerphone button. The rest of the dialog went like this:

SR: “Is this $approved_contact_1?”

AC1: “Yes.”

SR: “Is Aaron authorized to contact me regarding your account?”

AC1: “Yes.”

SR: “Ok, thanks for your time.”

My jaw dropped. He didn’t offer to call the number they had on file for the company and speak with one of the approved contacts. He didn’t ask the approved contact to answer any of her security questions. He didn’t do ANYTHING to verify that the call was legitimate, or that the approved contact was who I said she was.

At this point, we went through several troubleshooting steps, none of which addressed the problem. The support rep finally decided that the best way to fix this problem was to reissue the user’s personal certificate. Imagine my surprise when he asked me what email address I would like the certificate request sent to. Wondering if they could be this silly, I gave him one of my email addresses, one that clearly did not belong to any of the approved contacts, let alone the user who had a problem. Now imagine my astonishment when the certificate request showed up in my inbox. Surely they can’t be this cavalier with access to their site?!?

I went through the process as outlined in the certificate request email, and at some point was prompted for the user’s credentials. She had stepped out for lunch by then, so I couldn’t have her type in her password. I offered to call back when she was available, but this support rep was REALLY helpful, so he went ahead and reset the user’s password for me. Wait…What? I didn’t ask him to do that. So now I have the user’s personal certificate, the user’s userid (provided in the certificate request email), AND her password. Wow. It’s a good thing they use two-factor authentication…

The moral of the story:

Customer service is very important in today’s marketplace, and I hate to bag on a company for providing support that is too helpful, but seriously, you don’t go around providing access to sensitive resources without doing SOME kind of verification. Had I been an attacker, I would have the keys to the kingdom, and all the social security numbers and other information I could eat. If you’re going to be working with PII, please make sure your support staff knows how to deal with these types of situations.
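A defender-side check for the failure modes in this story, added here as an example and not the provider’s own code; the record layout, field names and sample values are all assumptions. It refuses a credential reissue unless the vouching contact was verified through data already on file, insists the request go only to the email of record, and flags a password reset nobody asked for.

```python
from dataclasses import dataclass
from typing import List, Optional

# Approval channels that rely on data already on file, not on whoever is in the room.
OUT_OF_BAND = {"callback_to_number_on_file", "security_questions"}

@dataclass
class AccountRecord:
    approved_contacts: set   # names the customer registered with the provider
    callback_number: str     # phone number on file for the customer
    user_emails: dict        # userid -> email address of record

@dataclass
class SupportRequest:
    caller: str
    action: str              # "reissue_certificate" or "reset_password"
    target_user: str         # userid whose credential is affected
    delivery_email: str      # where the caller asked for the request to be sent
    approver: Optional[str] = None
    approval_channel: Optional[str] = None
    requested_by_user: bool = False

def policy_violations(req: SupportRequest, rec: AccountRecord) -> List[str]:
    """Return every reason the request must not proceed; an empty list means OK."""
    problems = []
    if req.caller not in rec.approved_contacts:
        if req.approver not in rec.approved_contacts:
            problems.append("caller is not an approved contact and nobody vouched")
        elif req.approval_channel not in OUT_OF_BAND:
            problems.append("approval not verified out of band; call back "
                            + rec.callback_number + " instead")
    if req.delivery_email != rec.user_emails.get(req.target_user):
        problems.append("delivery address is not the email of record")
    if req.action == "reset_password" and not req.requested_by_user:
        problems.append("password reset was not requested by the user")
    return problems

# Constructed records mirroring the post's scenario (placeholder names, not real data).
RECORD = AccountRecord(approved_contacts={"AC1", "AC2", "AC3"},
                       callback_number="555-0100",
                       user_emails={"jdoe": "jdoe@customer.example"})
AS_HAPPENED = SupportRequest(caller="Aaron", action="reissue_certificate",
                             target_user="jdoe", delivery_email="aaron@other.example",
                             approver="AC1", approval_channel="speakerphone")
AS_IT_SHOULD_BE = SupportRequest(caller="Aaron", action="reissue_certificate",
                                 target_user="jdoe", delivery_email="jdoe@customer.example",
                                 approver="AC1", approval_channel="callback_to_number_on_file")
if __name__ == "__main__":
    print(policy_violations(AS_HAPPENED, RECORD))       # two violations
    print(policy_violations(AS_IT_SHOULD_BE, RECORD))   # []
```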

Jul 08 2008

Social Engineering and Physical Security; or, How to Open a Safe When You Don’t Know the Combination

So my wife manages a retail store. Some time ago they were the proud recipients of a new safe for storing important things, such as money. This left their old safe languishing on a shelf, never to be used again. There sat the safe, for many moons, until one day my wife’s regional manager asked her why they had an extra safe sitting on the shelf. My wife explained that the replacement safe was more than adequate for their safe-having needs, and furthermore, it had been so long since anyone had used the little safe on the shelf that nobody knew the combination anymore. “Get rid of it,” says the regional manager, “I don’t care what you do with it, but make it disappear.”

This is where I come in… I volunteered to take the safe off her hands for the very reasonable fee of $I’llcomegetit, which she happily accepted. “But Aaron,” you’re probably saying to yourself, “nobody knows the combo. This safe is useless unless you spend a bucket full of money to pay someone to open it!” At least that was the general consensus among my friends and family when I bragged to them that I had a safe I couldn’t open. But I have a secret. A good friend of mine is a locksmith. He has this really neat gadget called an autodialer. It’s basically a stepper motor hooked up to a microcontroller that cycles through all the possible combinations until it finds the right one. Easy-peasy, right? Wrong.

We hooked the autodialer up, found the drop point for my dial, and set it to run. My locksmith friends told me that it could take up to 48 hours for the autodialer to find the right combination, so I left it in the garage, dialing its little mechanical heart out. As it turns out, the alignment on this device has to be spot on, because the stepper motor detects when it can no longer turn the dial and assumes that it has found the combination. Then it stops trying. Due to the mechanics of hooking the dialer up, it’s very easy to get it slightly out of alignment, especially when the dial on your safe doesn’t turn completely true, as was the case with my safe. This results in a dialer that thinks it found the combination when it hasn’t. To make a long story short(er), we didn’t have the dialer lined up properly. We didn’t have it lined up correctly the second or third time, either. The fourth time, I thought we had it, and it dialed for about 25 hours before it stopped. Still no combo.

Fast forward three days… I’ve reset the dialer numerous times. Each time it dials for longer stretches, but always stops short of finding the combination. Somewhere in the middle of all this, we decide to call the safe manufacturer to inquire about drill points for this model, just in case. While on the phone with their friendly and helpful support staff, we discover that this safe uses a right-hand dial lock, rather than the standard left-hand dial, which means we’ve been dialing the wrong direction for two days. Crap. We reset the dialer for right-hand dialing, and let it run for almost two full days. Still no combo.

At this point, we make the decision to drill the safe. I’ve seen lots of movies where people drilled into a safe and manipulated the lock; how hard can it be, right? Turns out it’s pretty hard. Even if you have the right equipment. And a lot of time. I mean a LOT of time. The actual drilling of the safe wasn’t too bad. The locksmith has a nifty rig that attaches to the safe and holds a drill bit in exactly the right spot. You hook a drill motor up to this apparatus, and run the bit in slowly, so as not to break it. This particular door is 7/16″ thick, and has a 1/4″ hardplate, which is high carbon steel, behind it. Then there’s the lock body. Once you drill the hole, you stick a borescope in, line up the wheels, and you’re off to the races. Easy-peasy, right? Wrong.

First, you have to know where to drill the hole for the particular lock on your safe. If you’re a locksmith, this isn’t so hard. I was surprised to discover that if you’re not a locksmith, it isn’t so hard either. As I mentioned earlier, we called the manufacturer to ask about drill points. On the initial call, we were told that we needed to provide several forms of proof that we were either a) the legitimate owners of the safe, or b) qualified locksmiths working for the legitimate owner of the safe. We gathered the necessary info while the dialer ran its last run, and when it failed, we called them back. We should have just called back, since the second person we spoke with didn’t bother to verify any of our information. Instead, he gave us the “try-out combination”, which is the default combination as shipped from the factory. All safes have try-out combinations, and you would be surprised to find out how many people never change this default combination. He also gave us the drill points for a borescope, and for the fence. Without verifying any information. So if we HAD stolen this safe, we would now have the default combination, as well as the drill points. The default combo didn’t work, so we decided to drill for the borescope method. Easy-pe…oh forget it, it’s not easy.

You see, looking through the borescope and trying to line the wheels up is like trying to tie your shoes while looking through a telescope. Everything is so close, it’s hard to tell what you’re looking at. You also don’t get a perfect look at both the wheels and the fence, so you have to keep shifting back and forth, all the while keeping the wheels lined up. This requires patience, a steady hand, and patience. To make a long story short(er) again, we did finally get the safe open.

It is entertaining to me that the safe manufacturer would give out information such as the try-out combo or the drill points without any verification that the person on the other end of the phone was legit. It goes to show that social engineering is an important aspect of your security. If an attacker can compromise your security by making an anonymous phone call, do you really have any security at all?
