In the world of social networking, I have been blessed by making a lot of friends, and some of them are not CCIEs! Fadi (16 years old), as I know him on Facebook, is one of that new phenomenon of young hackers that are crawling all over the internet like industrious ants. These youngsters, as a force, leave no stone unturned. Really, they don't ignore an opportunity for one-upmanship. So I asked my friend Fadi, who goes by the handle of "G0dfather", to share some insight into social engineering attacks. In his words:
Introduction to Social Engineering Attacks:
1. I am writing this paper to try and shine a light on an art that has been used for years, but nowadays has taken a new form: the art of deception, social engineering. Social engineering, if used correctly, can go from a few simple favors to international espionage. It can also be the most effective kind of "hacking" you can do, and the only thing required is the knowledge and understanding of the human mind, people skills, and a bit of cleverness to achieve almost any job at task.
2. What is social engineering? Social engineering is basically making people do what you need or want them to do or making them give you certain information that you need or want.
Say you want a password to your friend's computer. Would it be easier to keylog it or get it some other way as such, or to talk it out of him? Probably the second option. Consider this scenario:
Dan: Hi Matt.
Matt: What's up Dan?
Dan: Not much, just trying to play this game.
Matt: What game?
Dan: Hutt 3D.
Matt: Ah, I heard that game rocks.
Dan: I could sign you up for it.
Matt: Really? That'd be awesome.
Dan: Ya, no problem. I have to go soon though.
Dan: I'll try to set some of it up before I go. What do you want your password to be?
Matt: Hmm.. try teehee, I use it for everything else anyways.
Dan: Sounds great, I'll send you the rest of the information later, see ya!
Matt: Thanks Dan, bye.
In a quick conversation, because of the pressure of picking a quick and easy password, Matt has successfully given Dan access to probably all his other accounts, including email, just by not thinking of picking a good password instead of one he uses for most all else.
The social engineering part was good on Dan's part, hence he gave Matt the pressure feeling because he had to "go soon" and therefore *didn't* have time to talk with Matt completely about the game or the setup information. Matt decided to make it easy so he could play his new game as soon as possible and give Dan a vital key to Matt's everyday internet accounts.
When people feel a sign of a rush or feel that they will miss out on a good opportunity if they don't hurry and provide information, it causes them not to think as much as they should.
Now that situation was made possible because there was a certain kind of 'trust' between Dan and Matt. If the situation was a little different, and Matt was talking to someone he didn't know very well, the situation might still be possible, but it would either take some smoother talking from the attacker or some stupidity on the part of the victim.
Trust is a big factor in social engineering. If someone doesn't feel that they trust you, they probably would be as likely to comfortably go along with whatever you are planning. If they do trust you, according to how much trust is involved and the mentality of the victim, it's possible to pull off almost anything.
3. Internet social engineering is pretty common nowadays, and lots of people, companies, and even sometimes ISPs fall under the control of a social engineer.
Here's an example situation of an attacker trying to get access to the victim's website.
attacker: hi, how are you?
victim: pretty good, you?
attacker: I seen you take care of somesite.com?
victim: ya, that's my site
attacker: wow, I love the graphics
attacker: content is nice as well
victim: why thank you :)
attacker: you wouldn't happen to have some extra web space would you?
attacker: you see, me and a couple friends need somewhere to upload some pictures and mp3s
attacker: think you could help us out?
victim: hm.. I donâ€™t really know how
attacker: oh, well it's pretty easy
attacker: if you want me to, ill set it up, i just need the login info please
victim: ok, just make yourself some space somewhere and please don't mess with any of mine
attacker: of course not ;)
victim: username is somesite, password is whitesoxs
attacker: thanks, we really appreciate it :)
victim: no problem
Now let's analyze that situation...
First, the attacker comes off being really nice and polite, complimenting the owner of the site for its graphics and content.
Then, he gently asks for some web space on the account that hosts the victim's website.
The victim seems not to know a lot about computers or authentication, and has a good feeling that nothing bad would happen, hence the attacker's good attitude and niceness.
After that, the victim easily hands over the login information, the username and password, giving the attacker full access to the victim's website.
"Why?" you ask. Social Engineering.
Now there are other situations, like gaining trust over a period of time: days, weeks, or yes, even months. Even social engineers can be social engineered; it just mainly takes time and research.
We humans have a want pattern. If we think someone will give us something, has the ability to make us 'famous', or will get us somewhere, we tend to ease up and be 'too friendly'.
For example, who would you trust more with your car, your best friend, or an acquaintance? Your best friend of course, unless you know he cannot drive or is very reckless.
Trust, as I said before, is a key factor in social engineering. If someone doesn't trust you, they probably won't let you take advantage of them.
4. Telephone social engineering is also a danger as well. Caller ID, as proved in "The Art of Deception" cannot be used as a fool-proof way of identifying a caller, since it can be spoofed without much trouble.
Check this situation out.
victim: Hello, welcome to CompNet Technical Support. Tom Hoff speaking, how may I help you?
attacker: Hi, this is Jeff Bridge from Accounting.
victim: Hi Jeff, how are you doing today?
attacker: Well, not too good. I lost my password yesterday and I haven't been able to access the server. My boss has been on my case since last night and I'm not sure if I can get the pay checks out by Friday.
victim: Oh.. that doesn't sound too good.
attacker: Could you do me a favor and reset my password for me so I can get back to work?
victim: Sure, what's your ID number?
At this point the attacker looks on the company's website for a listing of the employees. He lucks up and finds a text file with their names and ID numbers.
attacker: 332 I think
victim: Ya, that's it, 332
victim: Hold on just a second and I'll reset the password
victim: New password: changeme
victim: You need to change it to whatever you want as soon as you access the server.
attacker: The username is still jbridge, right?
victim: Yep, that's what it says here.
attacker: Thank you! By the way, I have a friend down here from Development that needs to know what the new server is for his team.
victim: New server? As far as I know it's always been dev.compnet.com.
attacker: Hmm.. Maybe it was just down last night, we'll try it again later.
victim: Oh ok
attacker: Well, I have to go, thanks so much for your help again.
victim: It was no problem
Now.. What just happened here?
Attacker, impersonating "Jeff Bridge" from accounting, has just successfully done the following:
Got information to access the server that has access to the payroll system.
Got access to a machine that is probably not secure, and the attacker may move his privileges to root.
Got the name of the server that the company development team uses so the attacker can plan future attacks on the company and may gain access such as to steal source code or other information for the company's new or old product line, or other confidential information.
And the most important thing: Has gained some trust from the victim that can be used in other attacks planned for getting information or getting something done.
He also was able to gain a vital piece of information to get the password he needed, Jeff Bridge's company ID number, which was publicly on the company's website, which isn't too smart.
5. In-person social engineering, although to some people not appearing too smart, will have great effectiveness on the victim, and sometimes even more effectiveness than the other ways, because the victim can actually see the person they are talking to, making the trust factor grow and sometimes making them easier to manipulate.
Take this situation into consideration.
A man in a nice suit, tie, fancy hair, walking elegantly up to the ISP technical support center. He says he's in a hurry, and needs to get his username and password he lost while he was at a business meeting. He needs them ASAP because he's working on a project on his laptop and it can't wait.
The lady at the counter says she doesn't think she's allowed to do that.
The attacker politely compliments her loyalty and asks her to join him for lunch at a fancy restaurant the next day. He says he thinks she's got real talent and offers her a job at his 'firm'.
She feels flattered and thinks she must help the guy out since he has been so nice to her. She carefully looks up the username and password for the account name he gives her and hands it to him on a piece of paper, whispering not to tell anyone because she might get in trouble.
The attacker just successfully got the username and password of any account on the ISP, just by using some smooth words and dressing like a professional.
You see how easy it can be? It happens every day, 90% of the time people don't even realize it.
6. My conclusion in writing this paper is to explain how to successfully get anything you want from a person by 'just asking for it'. Now that you have read it, hopefully you will be more educated in the field and will know how to protect yourself or maybe even your company from most social engineering attacks, if not most all. Online, on the phone, on the street, all places where the possible social engineer preys. Will you be his next victim?
Name: Fadi Rakha. Age: 16. From Where: Lebanon.
Bio: I have been a hacker from 5 years old. Today I am an expert or a pro hacker, as you can say.
I am called The GodFather. I am a master of all kinds of hacking techniques.