
Phase III: Deliver Vital Intelligence and

Chapter 9 Case Study: The Mysterious Social Engineering Attacks on Entity Y

Introduction

Social engineering, the practice of conning people into sharing sensitive information, be it in everyday person-to-person interaction, or via cyber interconnectivity, is a real security threat that has evolved in sophistication and broadened in scope over the decade we have been both writing about it and training people how to thwart it. Unfortunately, in most organizations, countermeasures against social engineering have not kept pace, and thus the adversaries to the enterprise continue to stretch their lead and put in danger the intellectual properties of those ill-prepared corporations.

Most organizations acknowledge it as a problem, but treat it as a nuisance rather than a very serious issue. Accordingly, most organizations do not invest anything, let alone enough, in the one real countermeasure—effective and empowering security awareness and education for all employees, as well as extra training for those in sensitive positions or positions of extreme trust (e.g., executives, executive assistants, human resources staff, and help desk personnel). We want to stress “effective” and “empowering,” because as we noted in the previous chapter (Case Study: A Bold New Approach to Awareness and Education, And How It Met An Ignoble Fate), just having a program is not enough. To be effective it has to be compelling and show your employees, in meaningful ways, that they have a stake in security and that enterprise security depends upon their efforts. It also has to empower these employees instead of simply scaring them or leaving them with the sensation that they are being talked down to by the “security people.”

And as these three news stories on a scandal that erupted at Hewlett-Packard in the fall of 2006 illustrate, it is not only hackers or competitors, but also your organization’s executives and the investigators they hire, who have to be considered as potential risks if not direct threats, literally originating from the inside of the organization:

Investigators hired by Hewlett-Packard to find a media leak used sensitive information to access phone-company computers and get the calling records of nine reporters without authorization.… The revelations came a day after complaints by a former member of HP’s board of directors forced the company to file a statement with the U.S. Securities and Exchange Commission (SEC), acknowledging that investigators hired by the board had fraudulently accessed the private telephone records of board members and reporters. The private investigators fraudulently used the identities of the victims to get the necessary login credentials to access online telephone records without authorization, according to media reports.… (HP-funded hacking included reporters’ data, Security Focus, 9-8-06).

Not only did investigators impersonate board members, employees and journalists to obtain their phone records, but according to multiple reports, they also put an HP director and a reporter for CNet Networks Inc under surveillance. They sent monitoring spyware in an e-mail to that reporter by concocting a phony story tip. They even snooped on the phone records of former CEO and Chairwoman Carly Fiorina, who had launched the quest to identify media sources in the first place. And in a twist that might seem preposterous if it happened in a movie, The New York Times reported that HP consultants considered hiring spies to pose as clerical or custodial workers at CNet and The Wall Street Journal. (Hewlett-Packard scandal gets wider and weirder, The Age, 9-21-06).

The news has once again highlighted a growing problem plaguing the telecommunications industry called “pretexting,” a scam where unauthorized individuals pretend to be someone they’re not to obtain personal information. Private investigators and con artists have been using this technique for years not just to obtain phone records, but also to get access to bank records, credit card information and other sensitive information. The telecommunications industry came under fire nine months ago when news reports pointed to Web sites where customer records could be openly purchased. The news prompted several phone companies, including Cingular Wireless, Sprint, T-Mobile and Verizon Wireless, to sue brokers selling customers’ phone records.…

(Security breaches are wake-up calls to phone companies, CNET News.com 9-11-06).

Fundamentals of Social Engineering Attacks

There are two types of social engineering: technology-based deception and human-based deception. In both cases, the perpetrator relies on the natural human tendency to trust, as the means by which they manipulate the individual into engaging in a demonstrable activity, which may otherwise not be in the normal course of events for that individual. The perpetrators are always well prepared, and engage in preliminary data collection to support their “engagement” with the individual whom they wish to manipulate into a desired action or actions.

Let’s start with a classic example of human-based deception.

Throughout the 1990s—the formative years of the Internet and information security—hackers had taken on an almost mystical aura. An important community event that fed that appetite, composed mostly of curiosity but apt to turn into fear, was “Meet The Enemy.” This event was a teleconference between hackers dialing in and an assembly of information security professionals on-site. In the years before Jeff Moss’s Defcon and Black Hat conferences came to dominate the space, “Meet the Enemy,” moderated by the great Ray Kaplan and hosted by the Computer Security Institute, offered the only public forum for real dialogue between the black hats and the white hats (and yes, the gray hats too).

www.syngress.com

130 Chapter 9 • Case Study: The Mysterious Social Engineering Attacks on Entity Y

On one legendary evening, one of the hackers who had called gave a live demonstration to substantiate his boasts about his social engineering prowess:

He dialed up a phone company, got transferred around, and reached the company’s Help Desk.

Hacker: “Who’s the supervisor on duty tonight?” “Oh. It’s Betty.”

Hacker: “Let me talk to Betty.” (He’s transferred to Betty’s extension)

Hacker: “Hey Betty, having a bad day?” “No, why?”

Hacker: “Your systems are down.”

“My systems aren’t down, we’re running fine.”

Hacker: “All of my monitors here are showing that you are completely offline. Something is really wrong.”

“We didn’t even show a blip, we show no change.”

Hacker: “Sign off again.” She did.

Hacker: “Betty, I am going to have to sign on as you here to figure out what is happening with your ID. Let me have your user ID and password.”

At this point, this senior supervisor at a Help Desk for a major telecommunications company told the hacker her user ID and password.

Hacker: “I’m signed on as you now and I can’t see the difference. Shoot, I know what it is. Let me sign off. Now sign yourself back on again.”

She did.

Hacker: “I know what it is. You’re on day-old files. You think you’re online but you’re not. You’re on day-old files. Do me a favor, what changes all the time? The PIN code. Pull the PIN code file, just read me off the first ten PIN codes you’ve got there and I will compare them.”

As she started to read off the first PIN code, the hacker hung up on her. Turning back, virtually, to the audience of information security professionals, which included some stunned personnel from the telecommunications company he had just attacked, he bellowed out “I told you I could…”

Of course, human-based social engineering isn’t just attempted over the telephone; it can be accomplished via e-mail, online chat, or any other communications medium. In the above example, the goal was obtaining a user ID and password, PIN codes, and other means to access an enterprise’s infrastructure. Once inside the infrastructure, recognized by the information systems as a trusted insider, the adversary puts the enterprise’s intellectual property at risk.


One of the many ways social engineering attacks have evolved over the years has been the development of technology-based approaches (e.g., using e-mail messages or Web sites that masquerade as communications from, or sites belonging to, vendors, service providers, or clients known to your users).

In one illustrative case, Yahoo users received e-mails from an individual falsely identifying himself as a Yahoo employee. The e-mail informed the Yahoo users that they had won a fast modem from Yahoo. To receive their free gift, the recipients simply had to provide their name, address, telephone number, and credit card number, in order to cover the cost of shipping. Before Yahoo detected the con and sent out a bulletin to its users, numerous people had fallen for it. This was the earliest form of what is now known as “phishing.”

Social engineering, whether human-based or technology-based, is used to gain user or administrator passwords to break into networks. It is also widely used to collect personal information for identity theft (e.g., “phishing”) as well as for tricking users into clicking on booby-trapped e-mail attachments with malicious payloads (e.g., the “I Love You” worm).

How much identity theft could have been thwarted if even just the largest employers had instituted effective and empowering awareness and education programs that explain to their work forces what social engineering is and how to thwart it? How many hundreds of millions of dollars in fraud losses could have been avoided? How much anguish in people’s personal lives? How much intellectual property that had been properly secured would not have been exposed and revealed?

But social engineering isn’t just used by hackers to gain network access or fraudsters to commit identity theft.

It would be folly to focus your defensive efforts solely on thwarting the conversations that happen via technological communications media. Person-to-person interaction can be extraordinarily damaging. When adversaries obtain user IDs and passwords they are perhaps able to gain entry to your enterprise, but they are often discovered shortly thereafter because their lack of knowledge in moving about the infrastructure leads them to inadvertently set off alarms and alerts, which enables the enterprise to lock down and inspect. But what of the adversary who successfully obtains the user IDs and passwords and then sits on them, investing the time to collect the data needed to transit the enterprise’s infrastructure knowledgeably and without raising alarms?

This scenario raises the question: how? Through painstaking observation of and interaction with your employees, much can be accomplished without suborning an employee’s loyalty to the enterprise. Some examples:


■ Restaurants in proximity to the enterprise building: team meetings, after-work libations, and visiting employees dining all provide opportunity for the skillful to listen and learn. And it is not only listening; when the artful adversary engages your employees in conversation, the elicitation begins. Scientists, engineers, and developers, individuals who are more skillful in their respective technology than in social discourse, are prime targets, since like most of the populace of the world they too are pleased when listened to and heard. The innocent employee guided through the conversation by a malevolent interlocutor can, and unfortunately often will, provide more information than they should.

■ Monitoring of “roommate wanted” advertisements. In the initial minute of conversation the adversary can determine if the population of the abode with the vacancy comprises personnel from within the enterprise of interest. If yes, they pursue; if not they move on to the next advertisement. What happens with a “yes?” The adversary’s cohabitation with the employee provides unlimited opportunity to view your employee’s remote work habits and interactions. When the bond of trust is established, the conversations and comparisons of respective technologies can and will occur.

■ Monitoring of the Public Relations announcements detailing wins, new technologies, new hires, and so forth, may provide the adversary with leads to individuals, or simply locations, where the adversary can conduct elementary surveillance to determine where employees can be engaged.

These are just a few of the many avenues available to observe, elicit, and listen about how the enterprise operates and to put together a more expansive brief enabling the exploitation of an illicitly obtained user ID and password.

The human-to-human aspect, unfortunately, doesn’t end there. What of the employee who has been suborned? A willing and collaborative employee can boost, exponentially, the success ratio of the determined adversary, inasmuch as they are already on the other side of the technological barriers; they are knowledgeable of the infrastructure and the navigation procedures. Perhaps more importantly, once armed with the adversary’s needs they can utilize their access to dig and sift through the various nooks and crannies of the enterprise.

In an earlier chapter, we spoke of how the individual is one of the nexuses of entrée to your enterprise, whether or not you wish to acknowledge it. We reiterate and emphasize this point, and urge you to involve yourself, and to empower your managers to involve themselves, in understanding the work-life balance of your employee base, and to train in the art of listening and inquiry so as to increase the odds that your employees know how to act and react when confronted with an unscrupulous adversary offering inducements and attractive alternatives in the hope of inducing them to break their trust with your enterprise.

Please realize that there are no shortages of unscrupulous organizations willing to break all the rules to gain competitive advantage over their competitors in the marketplace. And that motivation constitutes the greater threat, as both the Hewlett-Packard scandal and the following case study show.

The Mysterious Social Engineering Attacks on Entity Y

Someone called an office in a major northern European city, assuming the identity of an actual employee of Entity Y, and tried to elicit employee contact list information for an office in another northern European city. But the request was turned down.

NOTE

As we wrote about Entity X, just consider “Entity Y” an appellation ascribed to an aggregate of enlightening events and insightful experiences gained in our work with some of the global giants. And remember, as in the disclaimer often stated at the beginning of novels or movies, any resemblance to any actual person or organization is purely coincidental.

Several days later, a caller using the same false identity obtained the coveted contact list from an Entity Y office in Eastern Europe, from an employee who believed they were speaking to the identified employee.

A month later, an unsuccessful attempt was made to elicit client lists from an Entity Y employee in the Western USA.

Three days later, impersonating an employee from the UK and claiming a laptop malfunction, someone called an Entity Y office in Canada and requested complete contact information for the same Northern European office targeted in the initial attack.

The caller claimed to be working on an engagement with an actual client of Entity Y and requested that the information he needed be e-mailed to a private e-mail account. This was one of the first tangible clues.


The next day, someone impersonating an Entity Y employee from the UK called an Entity Y office on the Mediterranean. He claimed his laptop was malfunctioning and requested complete contact information for the same Northern European office as well as one other in the Northern European region.

Two days later, in the Balkans, a second Entity Y employee succumbed to the elicitation and provided the caller with an Excel spreadsheet containing the requested information. Again, this was an employee who believed they were speaking to a colleague.

The next day, the attacker called back and requested further information. But this second solicitation was rebuffed, as the employee had reflected on the totality of what handing over the spreadsheet entailed.

The next day, someone, again impersonating an Entity Y employee, called the Northern European office directly, saying she was on assignment in Central Europe, and requested the client list. The request was refused.

The next day, an Andean office received a telephone request for information on personnel in an office in a major North American city. This elicitation was successful.

In the ensuing weeks, similar calls eliciting confidential information were received in numerous Entity Y offices in Africa, the Balkans, the Baltic, North America, and Asia Pacific. There were over 30 documented incidents, targeting dozens of offices on six continents. Several of them were successful. All of the callers impersonated Entity Y employees, all of the callers claimed their laptops were malfunctioning, and all of the callers sought specific, targeted information about various groups and individuals within Entity Y and its clients.

Who were the attackers? What were they really looking for? What was their ultimate objective?

The counterintelligence component of Entity Y’s global security team launched an investigation. The investigation showed that the adversary targeting Entity Y on a global basis, had done their homework and covered their trails. The telephone numbers used to call into Entity Y were non-traceable. The e-mail addresses provided, ostensibly as a personal e-mail address of a colleague, were found to be throw-away Web-based e-mail accounts. The callers were both male and female, with South African and/or British accents.

The investigation did not identify the adversary, and the leads developed were insufficient to warrant and justify bringing in law enforcement entities, as all that Entity Y really had were individuals calling into their enterprise, identifying themselves as employees, and requesting information. What would law enforcement suggest? Perhaps, make Entity Y personnel more aware of the elicitation and manipulation techniques that come at Entity Y via the telephone.
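Entity Y only recognized a campaign after dozens of offices had each fielded a call or two in isolation. The following is an added example, not code from the book or from Entity Y, of the kind of central correlation a global security team can run over office and help-desk call reports so that the shared pattern described above (an impersonated employee, the “laptop malfunction” pretext, a request to e-mail data to an outside address, an untraceable number) surfaces after the first few reports rather than the thirtieth. The indicator weights, the internal mail domain `entity-y.example`, and every report record are constructed for illustration.

```python
"""Correlate social-engineering call reports across offices (added example)."""
from collections import Counter
from datetime import date, timedelta

# Indicators common to every call in the case study. Weights are an assumption
# chosen for illustration, not a published scoring standard.
INDICATORS = {
    "claims_to_be_employee": 2,
    "laptop_malfunction_pretext": 2,
    "external_delivery_address": 3,
    "number_untraceable": 1,
    "requests_contact_or_client_list": 2,
}
INTERNAL_DOMAIN = "entity-y.example"  # constructed placeholder for the enterprise domain


def is_external(address):
    """True if the mailbox the caller wants data sent to is outside the enterprise."""
    if not address:
        return False
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def score_report(r):
    """Return (score, matched indicator names) for one office's call report."""
    hits = []
    if r.get("caller_claims_employee"):
        hits.append("claims_to_be_employee")
    if "laptop" in r.get("pretext", "").lower():
        hits.append("laptop_malfunction_pretext")
    if is_external(r.get("deliver_to")):
        hits.append("external_delivery_address")
    if not r.get("caller_number_traceable", True):
        hits.append("number_untraceable")
    if any(k in r.get("requested", "").lower() for k in ("contact list", "client list")):
        hits.append("requests_contact_or_client_list")
    return sum(INDICATORS[h] for h in hits), hits


def summarise(group):
    """Condense one cluster of reports into what an investigator needs first."""
    return {
        "start": group[0]["date"],
        "end": group[-1]["date"],
        "count": len(group),
        "offices": sorted({r["office"] for r in group}),
        "data_released": sum(1 for r in group if r["released"]),
        "identities": Counter(r["impersonated"] for r in group),
    }


def correlate(reports, threshold=5, window_days=60):
    """Cluster reports scoring >= threshold whose dates fall within window_days of
    the previous flagged report; returns one summary per cluster."""
    flagged = sorted((r for r in reports if score_report(r)[0] >= threshold),
                     key=lambda r: r["date"])
    campaigns, current = [], []
    for r in flagged:
        if current and (r["date"] - current[-1]["date"]).days > window_days:
            campaigns.append(current)
            current = []
        current.append(r)
    if current:
        campaigns.append(current)
    return [summarise(c) for c in campaigns]


# Constructed sample reports loosely following the chapter's timeline.
D = date(2006, 9, 1)
SAMPLE_REPORTS = [
    {"date": D, "office": "Oslo", "caller_claims_employee": True,
     "impersonated": "A. Employee", "pretext": "", "requested": "contact list",
     "deliver_to": "a.employee@entity-y.example", "caller_number_traceable": False,
     "released": False},
    {"date": D + timedelta(days=4), "office": "Warsaw", "caller_claims_employee": True,
     "impersonated": "A. Employee", "pretext": "", "requested": "contact list",
     "deliver_to": "a.employee@entity-y.example", "caller_number_traceable": False,
     "released": True},
    {"date": D + timedelta(days=37), "office": "Toronto", "caller_claims_employee": True,
     "impersonated": "B. Employee", "pretext": "laptop malfunction",
     "requested": "contact list for Oslo office", "deliver_to": "bemployee77@gmail.com",
     "caller_number_traceable": False, "released": False},
    {"date": D + timedelta(days=40), "office": "Belgrade", "caller_claims_employee": True,
     "impersonated": "B. Employee", "pretext": "laptop malfunction",
     "requested": "contact list", "deliver_to": "bemployee77@gmail.com",
     "caller_number_traceable": False, "released": True},
    # Benign control: a genuine employee asking for a password reset.
    {"date": D + timedelta(days=41), "office": "Belgrade", "caller_claims_employee": True,
     "impersonated": "C. Employee", "pretext": "forgot password",
     "requested": "password reset", "deliver_to": None,
     "caller_number_traceable": True, "released": False},
]

if __name__ == "__main__":
    for campaign in correlate(SAMPLE_REPORTS):
        print(campaign)
```

The value of the correlation is that no single office sees enough to act: the Oslo and Warsaw reports each score only 5, and it is the shared impersonated identity, the spread across offices, and the count of offices that actually released data that justify escalating to a campaign-level response and the awareness push the chapter goes on to describe.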


So let us focus on the countermeasures that the global security team recommended