Chapter 10

The Telephone Attack Vector

Richard Ackroyd,    Senior Security Engineer, RandomStorm Limited

Telephone social engineering attacks can be used to gather information about the target company or even trick users into performing actions that lead to a full breach of their security. It is a popular attack vector as there is little risk of being identified and caught. This chapter provides a practical approach to planning the calls that will achieve the assessment objectives, but more importantly, identify the actual vulnerabilities in the target’s policies and procedures.

Keywords

Telephone attack; Caller ID spoofing; phone system hacks

Introduction

People would be forgiven for thinking that phone scams would have died off given the explosive uptake of the Internet, but they haven’t. There are still cases in the news media on a very regular basis, although maybe not so much as e-mail scams.

The fact of the matter is that we have had “The Internet is an evil place” messages pushed upon us since its inception, which has no doubt led to most people being all the more wary of the people on it, although it certainly has not had the desired effect. This could go some way to explaining why phone attacks are still popular in certain scenarios.

Another reason could be down to how effective a well-oiled phone attack can be. If the pretext is solid, and the person on the other end of the phone sounds vaguely human, some people will take them at their word, whoever they may be.

There are cases where it is not surprising that people are still falling for these calls. For example, banks are renowned for making some extremely tiresome calls to their customers on a fairly regular basis. This is how they go:

Bank: “Hello, is that Mr Ackroyd? It’s the XYZ Bank Fraud department”
Me: “Speaking”
Bank: “Mr Ackroyd, we have seen some unusual activity on your account and want to verify that it is correct”
Me: “ok”
Bank: “Can you give me the first line of your address, your postcode, and your Date of Birth please”
Me: “Hmmm… nope”
Bank: “But we need the details or we can’t give you any information….”
Me: “Bye then”

What hope is there in ensuring that people are educated not to give away sensitive data, when there are actual fraud departments ringing up, from a withheld number no less, and asking for sensitive information? Remember those e-mails from the banks: “We will never ask for sensitive information by e-mail.” What’s the difference here? Why is it acceptable to do it over the phone, but not by e-mail? Is the prevalence of the attack type a good enough reason to just risk it? It is highly unlikely, and the thousands of people who get hit by these scams every year will no doubt concur.

Despite the fraud department being repeatedly told that asking for this information makes the situation worse and opens their customers up to scammers, they haven’t changed it yet!

All those educational campaigns and the articles in the news media suddenly count for nothing because the people who should know better don’t. It’s a sad state of affairs.

The fact of the matter is that paranoia needs to be taught. People should be encouraged to question a person for some form of identification, and if they cannot prove themselves, hang up. It’s okay to refuse to speak to them. If it truly is an important matter, there will be further communications. You can always seek out known legitimate contact details and call them back.

Another reason for the prevalence of phone attacks is that there are a lot of potential scenarios and reasons for calling somebody. The bank example is just one idea that could be applied to a social engineering engagement with little effort.

Without further delay, here is a look at the world of telephone attacks, and how these can be used in engagements.

Real-world examples

Kevin Mitnick

Probably the most famous social engineer of all time, as already mentioned in Chapter 1. Kevin Mitnick’s career consisted of some of the craziest phone scams. He was “The world’s most wanted hacker” during the 1990s. Mitnick, interestingly, claims to have written the first ever phishing program. It was a fake login simulator that gathered user credentials, an interesting contrast to the credential harvesting section in Chapter 9.

In terms of phone hacking, what sort of information was Mitnick able to acquire? Employee numbers, addresses, credit card numbers, phone numbers, passwords—the whole 9 yards. If you are interested in reading more about Mitnick’s exploits, take a look at “The Art of Deception” (ISBN-10: 076454280X). It is a truly fascinating read, even for people who aren’t interested in the field of information security. Some of his scams highlight an interesting point when it comes to phone attacks. Small details can move mountains. Making multiple calls to multiple people and gathering tiny snippets of information is exactly what this game is all about, assuming there is time! Knowing the internal lingo of a business, or dropping a name in here and there, lends credibility to any attack. The value of these details is greater than the sum of their parts.

Card cancelation scams

This is a phone scam doing the rounds in the United Kingdom at the moment. It relies upon the target panicking in the event that money could be withdrawn without their permission.

Basically, the scam starts with a call from a retail outlet; in one real-world example it was the Apple store in London. The scammer, posing as an Apple store staff member, informs the victim that somebody is currently in the store, trying to spend a large sum of money using what appears to be one of her cards. The victim checks to see if her cards are all present and finds that they are. The “Apple store employee” tells the victim that their card must have been cloned and that they should call their bank to have the cards canceled. At this point, the employee says the card cloner is running out of the store and puts the phone down, but doesn’t hang up. This keeps the call active, even if the victim hangs up at their end.

At this point, the victim attempts to call their bank, but in their panic they do not realize that there is no dial tone. The attacker has remained on the line the entire time. When the victim asks, “Hi, is that Barclays Bank?,” the attacker answers yes and asks how they can help.

The victim explains the fraud, and the helpful “bank employee” proceeds to tell her that under a new security scheme, she can cancel all cards assigned to her in one go, even those that do not belong to this particular bank. At this point, the attacker is playing on the victim’s fears. The victim literally can’t wait to get this issue resolved, so agrees to cancel all cards. She is next asked to dial her PINs into the telephone, all of which are recorded by the attacker.

The victim is asked to confirm her full address and the scammer informs her that a secure courier will be dispatched, same day, to collect the canceled cards and ensure they are disposed of properly. If the victim shows any resistance or claims she will cut them up herself, the attacker presses by saying that new cards cannot be issued until the old ones are collected. This is to ensure that they are not subject to further scams if they are recovered, such as identity fraud.

The attacker gives the victim a code number, and she is told to ask the courier for it when they arrive. If they do not provide the correct number, she is to call the police. Obviously, the “courier” is part of the scammers’ team and presents the correct number to the victim. The victim hands over an envelope full of fully active credit cards to which the attacker has the PINs.

While this scam may not fool some, it does work. The scam earns some criminals in excess of £50,000 a day! These are experienced teams of scammers who do this day in, day out. They will sound natural on the phone and be totally believable. Preying on the fears of individuals can induce responses that may not be seen under ordinary circumstances. This is a valid technique when it comes to social engineering, as was covered in Chapter 3.

Money is always a good motivator when it comes to manipulation. People often don’t have the ability to think rationally about a situation when it boils down to all of their accounts being emptied of their life savings.

More information relating to this scam can be found on the BBC News web site http://www.bbc.co.uk/news/business-22513041.

Environmental sounds

Before making a call to the selected target, careful consideration should be given to the pretext to be used. What sort of environment would they typically be making the call from? A traveling salesperson would likely make the call from a moving car, or a help desk operator from a busy call center. It is often necessary to imitate these background noises to ensure that any ruse is believable. How can this be achieved? Well, wherever possible, why not opt for the real thing? If it’s to make a call sound like it’s coming from a car, then make it from the car, just be sure it’s done safely and legally!

Wherever it isn’t possible to get the real thing, there needs to be a creative approach. This can often mean recruiting people around you to play a part in the scenario. It can also mean downloading audio tracks and playing them in the background. Just be careful on this front: if that sound file ends midway through the call, be ready to think on your feet. For example, “yeah, it is really busy over here so I moved into a quiet room” and hope this works. It’s better to ensure that the sound props have been thoroughly checked in advance of the call.

For some ambient noises to play, why not check out http://www.freesound.org. All sounds uploaded here are provided under the Creative Commons license. There are plenty of different background tracks to fit any scenario. Ambient office sounds, arcades, car sounds, the works.

Again though, remember to check the files from start to finish before using them in an engagement. Any mistake could be costly and embarrassing!

The issues with caller ID

Caller ID is the functionality that displays the phone number of the caller on-screen. It can also, in some systems, show the name if a contact has been added to the database.

Surely this could be a really useful defense against malicious callers, but is it? Are there any weaknesses in the system that can be abused for a social engineer’s gain? Is it a good idea to use Caller ID as an authentication measure?

The general opinion is that using Caller ID alone as an authentication method is not a good idea at all. Here are some of the reasons why.

Caller ID spoofing

In some parts of the world, it is possible to spoof the source of text messages and phone calls. These services are not commonplace in the United Kingdom, but are certainly available in the United States. Services such as “spoofcard” offer this functionality at a small cost.

There have been similar services in the United Kingdom, such as “Spookcall.” However, the site was shut down after being live for a grand total of 5 days. OFCOM took a dim view of the services offered and with good reason. It is always worth proceeding cautiously with anything of this nature. Just because a service or solution isn’t available publicly, doesn’t mean it isn’t available to malicious individuals via alternate means.

Phone system hacks

We live in an age where massive multinational organizations are being compromised on what feels like a regular basis. Organizations can be split into two groups: those that know they have been hacked and those that don’t. Ok, so that’s probably ever so slightly dramatic, but it’s an interesting principle. If RSA or Sony can be hacked, do organizations truly believe that they can’t? Phone system hacks are still commonplace, even today. The vast majority of these hacks are used in scams to incur premium rate billing to an offshore number owned by the hackers. This can often account for tens of thousands of pounds over a relatively short space of time. If this is the case, then surely it is also possible to use these hacks to call people with an internal number. It might seem far-fetched, but it does happen.

Is the contact database up to date?

If a call comes in claiming to be from an employee, how can this be verified? Looking at the Caller ID, and then matching the number to an internal contact for starters. Better yet, the phone system does it automatically and the name of the employee shows alongside the number. What happens when a call comes in from a number that cannot be matched? What if the person is a new employee? What if the employee claims they have lost their phone, damaged it or had it stolen? Will the policies and procedures stand up to such scenarios? How long does it take for a new employee to be given a phone? If it is deemed commonplace for this to take weeks, then why should the call handlers note anything suspicious when an unknown caller makes contact?

The chances are that any contact database will constantly be lagging behind what is actually in place, and every one of the call handlers will know this.

Transferring caller ID

An interesting point to note is that not all phone systems will pass through a caller ID when a call is transferred. On some older systems, whoever transferred the call will show up on the caller ID output. For this reason, it is always worth trying to establish the number of a switchboard or reception that can pass the call through to the target. Unfortunately, it is impossible to know what actually did show up unless you can gain information about the phone system during your reconnaissance phase and research its documentation. The intention behind getting an internal user to pass the call through with their ID is to exploit the chain of authentication. This is where the user thinks “Jane passed that call through and told me it is Bob, so it must be Bob.” You have assumed that another person has authenticated the caller, and it is more likely that they have not!

How to figure out if your caller ID shows up

What about a scenario for figuring out if the target has Caller ID at all? Or what number shows up if the call is passed through to another employee? After calling in and being transferred to somebody, try this:

Me: “Hi, it’s Bob from HR, could you do me a quick favor please?”
Them: “Sure, what can I do for you?”
Me: “They are changing my business mobile number over due to nuisance calls, can you tell me what comes up on your screen? I want to know if it has been swapped yet”
Them: “Sure, it’s 555-444-333-222”
Me: “That’s great, thanks!”

This is a nice simple example of extracting what appears to be entirely nonsensitive information from a target. As far as the victim is concerned, all they are reading back is your number, all very harmless, but it identifies if the caller ID works properly, or at all, when calls are transferred internally.

Summing it up

Caller ID is definitely not something that can be entirely relied upon. There needs to be at least another factor of authentication built into the system. A word of warning though, don’t pick something that people may have given away freely for years. That information can’t be clawed back. Pick something unique to each employee that is private enough to not be common knowledge, but open enough so that it can be used by the call handlers.
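As an added illustration of the rule argued in this section (example code written for this edit, not from the chapter or any product; the directory, names and numbers are constructed), here is a Python helper that treats caller ID as advisory only and always demands a callback on the directory number or a private per-employee check before a sensitive request is honoured:

```python
"""Inbound-call verification helper: caller ID informs, it never authenticates.

Constructed example. Encodes the points made in "The issues with caller ID":
the displayed number can be spoofed, on a transferred call it may belong to
the transferring extension rather than the caller, and the contact database
lags reality, so a sensitive request is only honoured after a second factor
that the caller cannot supply for themselves.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    VERIFIED = "verified"                        # second factor confirmed
    CALLBACK_REQUIRED = "callback_required"      # ring back on the directory number
    HAND_TO_SWITCHBOARD = "hand_to_switchboard"  # untrained staff do not verify
    REFUSE = "refuse"                            # nothing to verify against


@dataclass(frozen=True)
class Employee:
    name: str
    directory_number: str          # number held in the internal contact database
    is_call_handler: bool = False  # trained and resourced to verify callers


@dataclass(frozen=True)
class InboundCall:
    claimed_name: str
    presented_number: str | None         # caller ID as displayed; None if withheld
    answered_by: Employee
    transferred_from: str | None = None  # internal extension that passed it on
    callback_answered: bool = False      # caller reached on the directory number
    private_check_passed: bool = False   # per-employee private detail confirmed


# Constructed sample directory (hypothetical names and numbers).
DIRECTORY = {
    e.name.lower(): e
    for e in (
        Employee("Sarah", "555.666.100", is_call_handler=True),  # switchboard
        Employee("Bob", "555.666.111"),                           # HR
        Employee("Kate", "555.666.222"),                          # stand-in receptionist
    )
}


def normalise(number: str) -> str:
    """Keep digits only so 555.666.111 and 555-666-111 compare equal."""
    return re.sub(r"\D", "", number)


def assess(call: InboundCall, directory: dict[str, Employee]) -> tuple[Outcome, str]:
    """Decide how a sensitive request from this caller should be handled."""
    # Staff who are not trained call handlers have no means to verify; the
    # simple fix is to pass every external request back to the switchboard.
    if not call.answered_by.is_call_handler:
        return Outcome.HAND_TO_SWITCHBOARD, "answered by untrained staff"

    record = directory.get(call.claimed_name.lower())
    if record is None:
        # The database may well be stale, but "I'm new" or "I lost my phone"
        # is not proof. With no directory number there is nothing to call back.
        return Outcome.REFUSE, "no directory record to call back; refer to HR"

    # A second factor the caller cannot fake settles it; caller ID plays no part.
    if call.callback_answered or call.private_check_passed:
        return Outcome.VERIFIED, "second factor confirmed"

    # Everything below is advisory colour for the handler's notes, never proof.
    if call.transferred_from is not None:
        note = (f"transferred via ext {call.transferred_from}; displayed number "
                "may be the transferring extension, not the caller")
    elif call.presented_number is None:
        note = "number withheld"
    elif normalise(call.presented_number) == normalise(record.directory_number):
        note = "displayed number matches directory (spoofable, not proof)"
    else:
        note = "displayed number does not match directory"
    return Outcome.CALLBACK_REQUIRED, f"{note}; ring back on {record.directory_number}"
```

Note that a matching caller ID still ends in CALLBACK_REQUIRED; only the callback or the private check moves a call to VERIFIED.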

Building on the e-mail attack

A great deal of useful information was gathered during the e-mail attack vector, much of which can be applied during a phone attack phase.

For starters, there will no doubt have been several internal extension numbers acquired, which can be used from outside of the office. The extension number typically makes up the last three or four digits of the externally available phone number. This is assuming that the entire phone number wasn’t in the signature too, which it almost always will be.

Who is out of the office, and for how long, is also known. This information just by itself is a priceless piece of intelligence that is regularly used to great advantage.

The out-of-office response may well contain the contact details of other individuals working within the same team who can be contacted in their absence. These people will likely provide assistance without thinking twice. They are unlikely to want to confirm any details with a colleague who is away on vacation.

Here is an example call that can exploit this intelligence. This example will build upon the scenarios noted in the section “Out-of-office responses” in Chapter 9.

Please contact Sarah in my absence

It is always useful to any social engineer when an out-of-office response comes back with another contact and their phone number. Chances are this individual may not have even been told that they would be the recipient of any calls for the absent employee. A great next step would be to check out the target’s Facebook profile and see if information on where they have gone can be found; insider information of this type helps build the reassurance that the caller knows the absent employee.

How would a call like this pan out?

Me: “Hi Sarah, it’s Bill Robson from zxycorp. I was talking to Rob last week about the audit we have been working on. He told me that you were the person to speak to in his absence?”
Sarah: “Hi Bill, yes, it seems that I have the honor of dealing with Rob’s work for the next couple of weeks!”
Me: “I guess it’s ok for some, jetting out to the Caribbean while the rest of us stay here and slave away! Anyway, Rob said you would be able to help me get access to some documentation that was on his computer. He didn’t want to e-mail sensitive audit data as it is against company policy”
Sarah: “Yeah, they won’t let us send anything these days, it’s crazy”
Me: “Tell me about it, I have to travel all over the place to collect this information. It’s like the old days all over again. Anyway, I can come over at any time this week to collect the information. Rob said you should be able to log into his computer and I’ll bring an encrypted USB stick along so that we can take the data securely, you got any time free this week?”
Sarah: “How about Thursday at 2pm?”
Me: “Great, I’ll ask for you at reception, good to speak to you”

On arrival, the consultant needs to be well prepared. For starters, look the part. This means turning up at an earlier date and observing the corporate dress code. Know what files are being sought, even if they don’t exist; this adds plausibility to the scenario. With luck, the engineer will be left alone to search for the files, at which point they can have a field day. At the very least, there could have been the opportunity of shoulder surfing Sarah as she logged on. At most, there could be the chance to leave a persistent back door in place for further attacks. Always try to leave unescorted when finished, as further objectives may be achieved. Chances are, the consultant will also have a visitor’s badge at this point anyway, so may go completely unchallenged.

Who ya gonna call?

Choosing whom to make a call to is a skill set in and of itself, especially when it can take a handful of calls to eventually speak to them.

Any number that is published on a corporate web site is likely to be a generic number that ends up at a receptionist, main switchboard, or even a help desk. Are these really the people we want to speak with? There are pros and cons here. On the positive side, each of these departments employs people whose sole reason for being on the end of that phone is to help people. The flip side of the coin is that they are very likely to be well versed in dealing with calls in a uniform and scripted manner and are unlikely to deviate from the standard. Consequently, what it boils down to is: can the necessary information be gleaned elsewhere?

In many cases it would be more beneficial to do further research and find somebody that is less well versed in dealing with inbound calls and try to get routed through to them. It is more likely that they will want to get the caller out of their hair as quickly as possible and as such are more likely to give out something they shouldn’t. On top of this, they are less likely to have been educated to know what should and should not be given out over the phone. Another point to note is that call handlers may well have been trained and given the resources to authenticate an external call, whereas other members of staff will not. The vulnerability being identified here is a lack of training for non-call-handlers. The fix would be simple: make all non-call-handlers pass external calls back to the switchboard or help desk.

We once exploited a similar scenario, albeit with a massive helping of dumb luck, which is what led me down this path on further engagements.

The objective was to gain physical access to a sizeable regional office.

What was needed was the name and contact details of a person at the regional office that could authorize the passes and sponsor the visit. To avoid raising an alarm, calling the regional office itself was avoided. Therefore, the logical approach was to contact the HQ switchboard. The number of the switchboard had been acquired during an earlier reconnaissance exercise. The preferred choice was to impersonate a member of staff from the HQ site; this is how the first call went.

Them: “Hi xyzcorp, this is Sarah, how can I help?”
Us: “Hi, it’s Bob from HR, could you help me with a couple of questions?”
Them: “Sure Bob, what can I do for you?”
Us: “I’m on my way up to the Leeds office with a couple of colleagues to conduct a training session, but I forgot to e-mail ahead and let Security know I’m coming, and I know how sensitive they are about this stuff. Could you let me know who I need to call to arrange the access?”
Them: “I’m sorry Bob, I don’t have that information to hand”
Us: “Oh… I guess I should have been better prepared! Could you give me the number of reception instead?”
Them: “No problem, let me bring that up…. it’s 555.666.111”
Us: “Thank you for your time Sarah, do you know who will be on reception at Leeds today?”
Them: “The contact sheet says Sue”
Us: “Thanks again Sarah, bye”

This was an actual call, albeit heavily edited and sanitized to protect the innocent. It was made by a colleague from within their car. There is one good point to make on this front: always have something waiting in the wings for when a piece of information is refused. It might just be that the staff member doesn’t know the answer, in which case your backup would be “Could you find out who would know?” At this point, they may disclose another name and contact number. Then the subsequent call can include the name dropping of Sarah—“Hi, I was just speaking to Sarah and she said you would be able to….” The frequent assumption is that Sarah has verified the caller. Again, this technique is abusing the chain of authentication.

The next call was to the regional office itself, and this is where the non-call-handler exploitation comes into things. When the call was made, Sue was away on an errand, and the person who was standing in wasn’t really up on the protocol for visitors.

Them: “Good afternoon xyzcorp Leeds, how can I help?”
Us: “Hi, is that Sue?” (Name drop)
Them: “Hi, it’s Kate, I’m afraid Sue is out for a little while, can I help at all?”
Us: “I’m certain that you can, Kate. We were speaking with Sarah at the Reading office, and she said that Sue would arrange some passes for us and let us know where the meeting rooms are. We are due to deliver some staff awareness training today”
Them: “I can’t see any information relating to that, and there is nothing in the visitor notes for today”
Us: “I think there may have been some crossed wires at our end! Sorry about that. We will be due in about 15 minutes, will Sue be back? She will be able to take care of this”
Them: “She won’t be back for a few hours at least”
Us: “Oh, that’s ok then, I’ll just ask for you when we arrive and we can sort out the passes then”
Them: “Ok, I’ll see you soon”

In truth, there was some hesitation toward the end of the conversation, but having turned up in suits and looking the part, she was pressured into dealing with the “visitors” and assigning some passes. The team was armed only with some hastily made corporate badges in badge holders, printed on an inkjet printer, and the confidence to convince others of their legitimacy.

Sometimes it can be a good tactic to be very close by so the situation can be dropped right onto their toes to see how they react. In a lot of cases, the reaction will be panic. If it is known that the person likely to be dealing with you is inexperienced or not well trained, pressure should be applied to see what happens as a result.

In Chapter 9, the concept of active intelligence gathering using e-mails was discussed, to recover pieces of intelligence that could help us later in our assessment.

This concept is also entirely applicable to telephones, although it is slightly more risky. This is mainly down to the increased pressure placed on a phone call compared to an e-mail. There is a need to be well rehearsed and confident in the story before ever beginning to make the calls. Avoid raising suspicions and negatively affecting further work through lack of preparation.

In Chapter 9, on the e-mail attack vector, the topic of sending almost throwaway e-mails was covered—the types that don’t raise suspicions and that are seen by businesses on a day-to-day basis. The same principle is largely going to be applied to the calls we make while gathering information.

Job enquiries

Most businesses will receive job vacancy enquiries on a regular basis, but can a call of this nature help us in our engagement? Can a seemingly harmless query provide information that can be used in further attacks? Looking at the type of information that can be acquired, it becomes obvious that it can.

First of all, it is possible to identify who handles recruitment for the organization. This information could be used to target the attacks more effectively, for example ensuring that a malicious payload is sent in the form of a CV.

If it is identified that a third party handles recruitment, this could potentially be used to impersonate them in further attacks. For example, looking at any vacancies on the corporate web site and then calling in pretending to be the recruiter. What about arranging an interview for one of the social engineering team members? This could at the very least get the consultants beyond the security-controlled doors and into a restricted area. The same concept applies to organizations that handle recruitment internally. It is worth noting that this is entirely down to the time frames assigned to the engagement. It is not likely to be a quick win in most cases.

Another angle is the potential to find out who it is that heads up internal departments. For example, speaking with the recruitment officer about an IT role, and then asking to speak with the person who heads up the IT team, to ask them some questions about the job. Not only does this get another internal contact, it also offers the potential to build rapport with somebody on the inside. This relationship can be built upon and used further down the line.

Sales calls

Sales calls are going to be a daily occurrence for any business. That means that it is possible to impersonate a sales call without any fear of blowing your cover. Better yet, write up a pretext and get the sales team to make the call for added authenticity! Sales people are natural social engineers, and they do it every single day, so why not take advantage of that skill set?

First of all, in the event of dealing with an IT or software business, call the main help desk and ask to speak to somebody in charge of IT related acquisitions. Having done some homework allows the consultant to ask for the person directly at this point. Try beginning by going into the details of a great offer on antivirus software and ask them if it is something they are looking to address in the short term. Often people will answer straight up with “We use McAfee and the license has 2 years left to run on it,” but others will just say they already have it and that they aren’t interested. There is nothing to stop you pushing for more information though; a simple “Do you mind me asking which antivirus it is that you currently use?” will do. Most sales guys will try this anyway so that they can attempt to pit their product against the embedded competitor, so it would not sound out of place. In a real-world engagement, this information could be used to prepare payloads that may be more likely to get around the target’s antivirus. A practical tip here would be to install it in a virtual machine and then test various combinations until something is found that works. It’s always better to spend the time preparing properly than to have chaos during the site visit.

What about an example that could gain you information about physical security? The same approach works just as well here. Call in and ask for whoever is in charge of facilities management, perhaps as a salesperson for a site security firm in this instance, offering CCTV installations, alarm maintenance, door control systems and security guards. Again, the objective here is to find out what they currently have, and if there are any gaps in coverage. Once again, if they respond with “sorry we already have xyz,” push for the name of the vendor or systems in use. If they provide the name of the security firm that currently manages the building, this could be used later in an impersonation attempt. If the engagement was longer term, it may be possible to put together uniforms and badges.

Surveys

Surveys are one of those age-old social engineering clichés that never seem to go away, but do they work? Here is what it could be like to be in the shoes of the recipient of that call:

Caller: “Hi, could you help me with some survey questions?”
You: “erm, no, go away”

Well, that panned out well. Joking aside though, as with most things, it’s about how the question is delivered in the first place. It’s not just how the questions are worded either, but what the pretext is too. In the example above, a random stranger calls and asks if there is a willingness to waste precious time answering some largely pointless questions. The answer is almost always going to be no.

The only way to make this stick is to motivate them to want to answer. Try choosing somebody in a position of authority to get the job done, or somebody in an official capacity, say, for example, somebody from the Office for National Statistics or local Chamber of Commerce. The trick is to keep it short, maybe four to five questions only.

A good example is to call to perform a survey on the impact of social media in the workplace. The questions might be along the lines of:

1. Are you a member of any social networking sites, such as Twitter or Facebook?

2. Approximately how often do you use these sites?

3. Do you use these sites to stay in touch with your colleagues outside of work?

4. Does your employer allow you to access social media sites on your lunch break?

5. Do you think that social media sites improve morale among employees?

A simple set of questions that should take no longer than a minute or so to get answers to. What has been achieved is finding out whether their workstations have outbound Internet access and whether content filtering is likely to be in place. Useful to know, if the intention is to send phishing e-mails during the engagement.

The idea is to ask a handful of seemingly harmless questions and slip in the one question that really needs answering. The trick there is to ask it in an indirect manner, as with question four. You will also note “on your lunch break.” People won’t admit to doing something that they shouldn’t, like surfing Facebook during work hours, but on their lunch break? They are being allowed to say yes without implicating themselves.

Surveys can certainly have a place in an engagement, but they require a great deal of patience and persistence to pull them off.

Impersonating staff members

Impersonating other members of staff is definitely one of the most effective ways of getting the job done. This applies not only to information gathering, but to the actual attack too. Too few organizations have a means, or even a process, for authenticating internal staff members prior to giving them information, something that social engineers play upon. It has even been known for team members to call into an organization and make a name up. That’s right, a nonexistent employee being given information over the phone. This just reinforces the point that if there’s enough gall to pick up the phone and sound legitimate, it is likely to get a positive result.

There are a number of good examples of impersonating employees in the section “Who Ya Gonna Call?”, but there are many more angles left that could be exploited.

The help desk

What about impersonating a member of the help desk and calling other internal staff to help diagnose issues that may not actually exist? Remember, someone, somewhere is going to be having problems with their computer, and they are likely to be very vocal about it. That being the case, how would the call play out?

You:“Hi it’s Mike in support, we have been seeing errors in the logs on our mail server that indicate you are having issues sending mail, are you still having problems?”
Them:“No, I’m not having any issues at the moment”
You:“Ok, can we just do a few quick checks so I can add some details to the support ticket? It will help us later if things stop working”
Them:“Sure, what do you need me to do?”

The rest of this call is going to depend on the type of information needed. If all that is needed is the internal IP addressing scheme, talk them through the process of launching a command prompt and typing ipconfig /all. This will net you the client network IP addresses as well as the server network, via the DNS server addresses. The DNS server is very commonly the Domain Controller too, which is certainly going to help to narrow down the focus of an on-site attack. What about more advanced information though?

You:“Ok, we need to double-check that you are connected to the domain properly, are you ready for the next commands?”
Them:“Fire away”
You:“Ok, type net accounts /domain”

Getting the victim to read the response out should provide the domain’s password policy. This information could be used to avoid lockout thresholds when attacking external systems.
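The password policy obtained this way tells an attacker exactly how many failures each account can absorb before lockout, so a "low and slow" attack against an external portal never trips the lockout alert. The detection that still works is to look at the source rather than the account: one address failing against many distinct accounts while keeping each one under the threshold. The following is an added example, not code from the chapter or from any product. The log format, the source addresses, the lockout threshold of 5 and the window of 30 minutes are all constructed assumptions; a defender would read the real threshold from their own domain policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format for this example (one line per authentication
# attempt against an external portal such as OWA or a VPN login page).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"].lower(),
        "result": m["result"],
    }


def detect_spray(lines, lockout_threshold=5, window=timedelta(minutes=30), min_accounts=5):
    """Flag source addresses that fail against many distinct accounts inside one
    window while every account stays below the lockout threshold.

    lockout_threshold is the value the defender knows from their own policy
    (the same figure `net accounts /domain` would reveal to a caller).
    """
    fails = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    fails.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in fails:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] all fall within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            accounts, worst = len(per_user), max(per_user.values())
            if accounts >= min_accounts and worst < lockout_threshold:
                if best is None or accounts > best["accounts"]:
                    best = {
                        "src": src,
                        "accounts": accounts,
                        "max_failures_per_account": worst,
                        "window_end": evs[end]["ts"],
                    }
        if best:
            alerts.append(best)
    return alerts


# Constructed sample: one source tries 6 accounts, 3 failures each, spread over
# 18 minutes (never reaching a threshold of 5); a genuine user mistypes her
# password twice and then succeeds.
SAMPLE_LOG = [
    f"2014-03-03T09:{u * 3 + i:02d}:00Z src=203.0.113.5 user=user{u} result=FAIL"
    for u in range(6) for i in range(3)
] + [
    "2014-03-03T09:05:00Z src=198.51.100.7 user=jane.rogers result=FAIL",
    "2014-03-03T09:06:00Z src=198.51.100.7 user=jane.rogers result=FAIL",
    "2014-03-03T09:07:00Z src=198.51.100.7 user=jane.rogers result=SUCCESS",
]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"spray suspected from {alert['src']}: {alert['accounts']} accounts, "
              f"at most {alert['max_failures_per_account']} failures each")
```

The genuine user never appears in the output because a single account with two failures is normal; the suspicious source is reported even though no account ever locked, which is precisely the case that per-account lockout alerting misses.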

How about going to the extent of having them check their Internet access by clicking on a malicious hyperlink? A preferred option is a credential harvester, to avoid any embarrassing antivirus alerts.

Employee numbers

Plausibility is always the name of the game in social engineering. If the consultant has a business “need to know,” they are far more likely to acquire the information they need. If the goal is to get a staff member to reveal their employee number, how could that be done? It needs to be somebody within the business who may need that information, so how about finance?

You:“Hi Sarah, It’s Jim in finance, how’s things?”
Sarah:“Hi Jim, fine thank you, what can I do for you?”
You:“Sarah, we have just got updated pay information through from the guys that handle our payroll, and we think a lot of it is wrong. It looks like a lot of the employee numbers don’t match what I have on record”
Sarah:“Uh oh, that doesn’t sound good”
You:“It’s a disaster Sarah, it looks like at least half of them are wrong, including yours, which could mean that people don’t get paid properly”
Sarah:“Oh no!”
You:“We are trying to correct everybody’s record, and we have got to you in the list, could you read out your employee number so that I can verify that our records are now correct?”
Sarah:“Sure, it’s 4454536346346”
You:“It looks like yours was correct after all, I’m glad we confirmed it though! Wouldn’t want people without pay come the end of the month!”

The second somebody thinks they might not get paid, they will be very compliant. Money is certainly one of the very best motivators. The story works because it is expected that a finance team may need this information. It is also not unusual for an external organization to handle payroll. In fact, businesses frequently suffer from miscommunication between internal finance teams and external payroll providers. This all adds to the plausibility of the scenario. All that is needed now is to be comfortable enough on the phone to get the chitchat down that will break the ice. As always, keep it simple. The more overcomplicated a scenario, the more likely it is to go wrong. Don’t get hung up on any stumbles during the call; they happen in legitimate calls too, so just recover and move on. The scenario would give a member of the finance team good reason to be a little nervous, as people may react angrily, so a stumble is in character.

Employee numbers can be useful on a number of fronts. First of all, they can be used as authentication mechanisms on public-facing web portals. Second, they can be used to authenticate inbound calls. The employee number can also enable a call into HR, and then be used to gain further intelligence.

Obtaining key information and access

Here are some scenarios for getting access to sensitive information, systems, or physical premises.

Credentials and e-mail access

Most organizations have some sort of public-facing mail presence, usually via Outlook Web Access (OWA). To gain access via some sort of deception, the first thing required is to identify who can provide the access needed. There is little point in ringing the person who looks after the fish tank, after all.

This being the case, there are two usable routes: either contact the user directly, or contact the help desk and get them to reset the password. Here is a quick run through some plausible scenarios.

First of all, it is assumed that we have not only gathered plenty of e-mail addresses, but have also enumerated subdomains and identified OWA or similar. All of this can be achieved during the reconnaissance phase, as noted in Chapter 8.

For instance, it is possible to get a password reset with nothing more than the username and the URL for OWA. A simple call, while pretending to be flustered, explaining that an important meeting was about to start and access to important e-mails was needed, supported by a few failed authentications against OWA to lock out the account, was enough to gain the assistance of an extremely helpful support technician. However, they still needed an e-mail to verify the identity. A simple task! Using all the research done beforehand, and with the name of the victim’s assistant, the conversation went along the lines of:

“So, If I get Jane Rogers to e-mail you, you can reset my password? She is my PA.” The support technician said that would be fine.

Unfortunately, access to Jane’s e-mail account hadn’t been achieved, spoofing wasn’t an option, and there wasn’t sufficient time to set up a good enough fake domain within the time frame. The only remaining option was to hope that the target’s mail client didn’t display the actual e-mail address, instead showing only the ‘name’ of the sender. A standard free mail account was used, making sure the sender’s display name showed as Jane Rogers. An authorization e-mail was created, along with contact instructions and a mobile number. Added to this was a forged e-mail signature that had been recovered during the reconnaissance phase. Another call was placed to the help desk to let the technician know that there should be a mail waiting for him from Jane, even though it was known that it hadn’t been sent at this point. Periodically, further calls were made, each one gradually sounding more and more flustered and irritated, and each time making sure to mention the name Jane Rogers, persistently insisting that Jane had said she had sent the e-mail several times. Some time later, the message was sent. Eventually, the long-awaited call was received. The support technician walked through the process of logging into the account with a new password.

As previously mentioned, putting pressure on somebody can often corner them into doing things they may not normally do. The technique of “pressure and solution” was covered in more detail in Chapter 3. If the e-mail had been sent straight away, the mission may still have been successful, but the first approach tends to be the most successful and more stable. In total, there were somewhere in the region of six calls during the day to the individual in support, and by this point the engineer was on first-name terms with him. The result was that the support technician appeared relieved at finally being able to help with the problem.
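The whole e-mail leg of this scenario rests on the technician seeing only the sender’s display name and not the address behind it. A mail gateway can make that check mechanically, since the display name is attacker-controlled but the domain after the “@” is not. The following is an added example written for this chapter, not code from the author or from any mail product; the staff directory, the internal domain example.com and the sample From: headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory for the example: internal staff display names and the
# organisation's own mail domains (assumptions, not values from the chapter).
INTERNAL_STAFF = {"jane rogers", "mike hall"}
INTERNAL_DOMAINS = {"example.com"}


def normalise_name(name):
    """Lower-case, strip quotes and collapse whitespace so that
    '"Jane  Rogers"' and 'jane rogers' compare equal."""
    return " ".join(name.replace('"', "").split()).lower()


def check_from_header(from_header):
    """Classify one raw From: header value.

    Returns (verdict, reason) where verdict is 'allow', 'flag' or 'reject'.
    This is the comparison the help-desk technician in the story could not
    make by eye: the name is free text, the domain is what actually sent it.
    """
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return "reject", "no parseable address in From header"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow", "sender address is on an internal domain"
    name = normalise_name(display)
    if name in INTERNAL_STAFF:
        return "flag", (f"display name '{display}' matches internal staff "
                        f"but the address domain is {domain}")
    # A display name that itself looks like an internal address is the same trick.
    for d in INTERNAL_DOMAINS:
        if "@" + d in name:
            return "flag", (f"display name '{display}' contains an internal address "
                            f"but the real domain is {domain}")
    return "allow", "external sender with no impersonation indicator"


def scan_headers(headers):
    """Run the check over many From: values and return only the flagged ones."""
    flagged = []
    for h in headers:
        verdict, reason = check_from_header(h)
        if verdict == "flag":
            flagged.append((h, reason))
    return flagged


# Constructed From: headers modelled on the chapter's scenario.
SAMPLE_HEADERS = [
    'Jane Rogers <jane.rogers@example.com>',                    # genuine internal mail
    '"Jane Rogers" <jrogers.pa@freemail.example>',              # display-name impersonation
    '"jane.rogers@example.com" <random1234@freemail.example>',  # address hidden in the name
    '"Bob Vendor" <bob@vendor.example>',                        # ordinary external sender
]

if __name__ == "__main__":
    for header, reason in scan_headers(SAMPLE_HEADERS):
        print(f"FLAG {header}: {reason}")
```

Rules of this kind are only a backstop: the durable fix the chapter points to at the end of this section is a reset procedure that does not accept an e-mail as proof of identity at all, for example a call-back to the number on record for the user or their line manager.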

It is important to note that while there’s a great deal of satisfaction to be had from a job well done, it’s not fun exploiting a hard-working guy like this. For this reason, it is always important to emphasize that the issue here was not how the call was dealt with. The issue was that the employer had not provided the necessary tools to perform this role in a secure manner. Improving that situation should be the ultimate goal of any engagement.

This scenario can be tweaked if necessary. For example, it could be claimed that the Blackberry had been lost, stolen, or damaged beyond repair, and that access to the e-mails was urgently required. In this pretext, it could also be forgiven not to know how to access e-mail remotely, and therefore not to know the URL for OWA. The recommended option is to go with lost or stolen rather than damaged in this attack vector. Damaged means that the serial number can still be read from the device. Telling them the device has been stolen means they are very likely to lock the account and reset the password to avoid compromise. It also means the victim may well have their device wiped. These are all things worth bearing in mind before carrying out this attack.

These principles all apply to remote access VPN portals too. In fact, in many cases the VPN may also authenticate against the domain, so if you have managed to reset one password, you may be able to access everything with the same credentials. VPN access is probably the ultimate goal if you are working remotely. It will be identical to being sat on their physical network. At this point, the test comes back more toward traditional penetration testing.

Physical access

There is nothing better than gaining physical access to something that is well guarded. Finding the hole in the process that allows someone to waltz right past the security guards, cameras, and alarms is a priceless feeling. In many cases, it won’t be a matter of turning up completely unannounced, as a lot of the groundwork will have been done first and, hopefully, arrangements will have been made over the phone.

The physical access zero day

There is an approach which has proven to be extremely successful across a number of engagements. Typically, this approach would be used in shorter engagements, the type that lasts 1 or 2 days in total. There isn’t a lot of room for maneuver here, so the typical approach would be a day of reconnaissance and a day on-site.

We jokingly refer to the approach as a zero day because of its consistent success. Maybe its success is directly related to the number of days an engagement lasts. Fewer days means less investment in this aspect of security, so maybe the organizations are trying to understand the issues that could be deemed low-hanging fruit? This approach certainly attacks the obvious avenues. A client may want to understand the bigger issues, fix them, educate, and then reassess. Eventually, less obvious issues will be sought that potentially take more time to test.

The scenario has been covered to some extent in this book already. The general premise is to impersonate a staff member and arrange passes for an upcoming visit.

During the reconnaissance phase the names of internal staff, office locations, and staff that are away on vacation should have been identified. All of these pieces of intelligence come into play during the scenario. Calling in to a regional office and impersonating head office staff is always a good angle, as we covered during the section titled “Who Ya Gonna Call?”

Knowing which employee is away and for how long enables the engineer to carry out an impersonation during the call without fear of being found out. It is best to discover, before the call, which office and department the individual works in.

As covered in earlier sections, it is then a simple matter of coming up with a reasonable story for attending the regional office and needing access. How about somebody working in IT attending site to do some maintenance and upgrades? This would give a solid reason for being there, as well as plausibility for accessing the network. It is also likely that the consultant will be able to talk their way past any inquisitive staff members. Again, preparation work is needed to identify that the site does not have its own IT staff. For example, why not try the “I’m away for a couple of weeks and need to get a guy out there to upgrade some of the switches” line. Then just tell the reception staff when you will be arriving and to have the passes ready. The worst-case scenario is that they ask for further authorization, at which point you can ask to speak to their supervisor and put further pressure on them. I know we mention meeting rooms an awful lot, but once you have your foot in the door with the passes, get the receptionist to book out a room for you. It will give you somewhere to work from where you are unlikely to be challenged. It really takes the pressure off and you can continue with your objectives in relative peace.

It may seem like an extreme long shot, but it does work surprisingly often. In a longer engagement the approach could undoubtedly be more advanced, but there is a lot to be said for simplicity.

More information has been provided on the subject of applicable techniques in Chapter 3.

What if there was a desire to weaponize a phone-based attack and compromise a host?

Weaponizing your call

I realize I am at risk of talking about penetration testing, but these calls have to have practical and actionable outcomes. You might not always be testing the physical security of an organization, but instead need to compromise a host within the network from the outside. I’m sure there are a number of ways to perform this, but this is one of the favorites.

First of all, a WiFi Pineapple from Hak5 and a laptop with a packet-injection-capable WiFi adapter are required. There are many wireless adapters with Atheros chipsets which support this functionality, such as an Alfa or a TP-Link 722n. The nice thing about the TP-Link is that they are easily available on Amazon and currently in the UK cost just over £8. They are basically giving them away! One other important item required is a sign-off to DoS the wireless access points. This in itself may be a show stopper, but it’s a realistic concept that even moderately technical attackers could implement.

The vector is basically the sabotage and assist concept discussed in Chapter 3. Sabotage and assist, as its name implies, is the act of breaking something and then using that as a pretext to help somebody out and fix the issue. It is even possible to social engineer a third party to break something and then make the call claiming to be in a position to help. Whichever way this is looked at, it’s an effective technique.

This section will skip a great deal of the technical details on the wireless side of things, as they are covered extensively on the Internet.

Basically, it’s a case of performing a wireless de-authentication attack against the wireless network at random intervals, disrupting communications for all who are connected to it. After several cycles through this process, the target is called, impersonating the help desk staff. The target is informed that everybody in their department is dropping off the network at random intervals and asked whether they have noticed any issues. Even if the target hasn’t, somebody around them is very likely to have noticed. If not, keep calling through to other numbers until someone is found.

At this point, the victim is informed that a new wireless network has been set up to resolve the issue and talked through the process of connecting to it. Of course, the wireless network they are connecting to is a hostile WiFi Pineapple or similar rogue device. Now all the traffic from the client to any destination can be intercepted.

There is also functionality within the Social Engineering Toolkit to build attacks of this type. Configure an SSID and when a client connects, all DNS traffic is intercepted and the target routed to malicious pages of choice instead of their own internal resources.

Setting up a new wireless network requires elevated privileges, but we often see this allowed so that laptop users can connect to their home networks or at various locations when on the road. If they can’t set up a new wireless network, you could have a credential harvesting site available and ready to go as a fallback. Always have a backup plan!
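The “sabotage” half of this vector is visible on the air before the phone ever rings: a de-authentication flood is a burst of management frames, usually addressed to the broadcast address, that a legitimate access point almost never sends in quantity. A wireless IDS catches it by decoding the 802.11 frame-control byte and counting deauthentication and disassociation frames per BSSID. The following is an added example, not code from the chapter, Hak5 or any IDS product; it parses raw 802.11 frames (assumed to have no radiotap header in front of them) and the capture, MAC addresses, sequence numbers and the alert threshold of 10 are all constructed for the example.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_MGMT = 0          # 802.11 frame type 0 = management
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_80211(raw):
    """Decode the 24-byte 802.11 MAC header and, for deauth/disassoc frames,
    the 2-byte reason code that follows it. Returns None for short frames."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]                                   # first byte of Frame Control
    frame = {
        "type": (fc0 >> 2) & 0x3,                  # bits 2-3
        "subtype": (fc0 >> 4) & 0xF,               # bits 4-7
        "addr1": mac_str(raw[4:10]),               # receiver address
        "addr2": mac_str(raw[10:16]),              # transmitter address
        "addr3": mac_str(raw[16:22]),              # BSSID for management frames
        "seq": struct.unpack("<H", raw[22:24])[0] >> 4,  # sequence number (12 bits)
    }
    if (frame["type"] == TYPE_MGMT
            and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
            and len(raw) >= 26):
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Assemble a constructed management frame for the sample capture.
    Used only to fabricate test input in memory; nothing is transmitted."""
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", seq << 4)
    return fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctrl + body


def detect_deauth_flood(raw_frames, threshold=10):
    """Count deauth/disassoc frames per BSSID and return the BSSIDs whose count
    reaches the threshold, with how many were broadcast and which reason codes
    were seen. A single unicast deauth is normal; dozens of broadcast ones are not."""
    stats = defaultdict(lambda: {"count": 0, "broadcast": 0, "reasons": set()})
    for raw in raw_frames:
        f = parse_80211(raw)
        if (not f or f["type"] != TYPE_MGMT
                or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)):
            continue
        s = stats[f["addr3"]]
        s["count"] += 1
        s["broadcast"] += int(f["addr1"] == BROADCAST)
        s["reasons"].add(f.get("reason"))
    return {bssid: s for bssid, s in stats.items() if s["count"] >= threshold}


# Constructed capture: a few beacons, one genuine deauth from a client that is
# leaving (reason code 3), then a burst of forged broadcast deauths "from" the AP.
AP = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
SAMPLE_CAPTURE = (
    [build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, seq=i) for i in range(3)]
    + [build_mgmt(SUBTYPE_DEAUTH, AP, CLIENT, AP, seq=40, body=struct.pack("<H", 3))]
    + [build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, seq=i, body=struct.pack("<H", 7))
       for i in range(20)]
)

if __name__ == "__main__":
    for bssid, s in detect_deauth_flood(SAMPLE_CAPTURE).items():
        print(f"deauth flood against {bssid}: {s['count']} frames, "
              f"{s['broadcast']} broadcast, reason codes {sorted(s['reasons'])}")
```

Detection is the second line of defence here; the first is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so that forged ones from a third party are simply discarded by the client. Where the hardware supports it, enabling that removes the “sabotage” the pretext depends on.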

Summary

This chapter has covered various aspects of telephone attacks and how they can be used during an engagement.

Numerous real-world examples and scripts were provided throughout the majority of the chapter, hopefully giving some ideas and inspiration for future engagements, or for self-defensive education. Whichever side of the fence a reader may sit on, they should now be better prepared for these attacks.

Next came some practical issues relating to phone systems, caller ID, and environmental sounds, all of which are easy to overlook when under pressure, even though they are of the utmost importance during any assessment.

Finally, the chapter looked at active information gathering, which is similar to e-mail information gathering in many ways, and at obtaining key pieces of information, again diving into some practical examples before ending on the weaponization of phone calls with a view to compromising an internal system.

Chapter 11 covers all aspects of on-site social engineering work and physical security.
