Chapter 1

An Introduction to Social Engineering

Gavin Watson, Senior Security Engineer, RandomStorm Limited

This chapter will introduce the reader to the concept of social engineering.

Information in this chapter

• Defining social engineering

• Examples from the movies

    • Sneakers

    • Hackers

    • Matchstick Men

    • Dirty Rotten Scoundrels

    • The Imposter

• Famous social engineers

    • Kevin Mitnick

    • Frank Abagnale

    • Badir Brothers

    • Chris Hadnagy

    • Chris Nickerson

• Real-world attacks

    • The RSA breach

    • The Buckingham Palace breach

    • The Financial Times breach

    • The Microsoft XBox breach

    • Operation Camion

Introduction

This chapter has the sole aim of introducing the reader to the concept of social engineering. There are various definitions, some vague and others precise, and these will be discussed in order to explain what the concept of social engineering is really about. Everyday examples will be used to show the reader the various forms of social engineering used, highlighting how such techniques are not necessarily confined to the realm of criminal activity.

To further understand the social engineering concept, this chapter will then discuss some of the excellent examples from various movies. With the assistance of poetic license, writers have been able to create wonderful examples of how social engineering could potentially be used. Although these examples are of course fictitious, they are in fact based on very real techniques, providing criminal minds with inspiration as well as providing entertainment.

Certain individuals have pioneered social engineering techniques, resulting in some being made famous and others fairly notorious. The exploits of both historical and modern day social engineers, such as Kevin Mitnick and Frank Abagnale, will be covered. This will demonstrate how single individuals have used these techniques to achieve extraordinary breaches of seemingly robust security.

This chapter will conclude by focusing on the negative side of social engineering and how it has been used to commit crime. The various attacks discussed demonstrate the true reality of the situation: Social engineering attacks are routinely being used by organized criminal groups and they are a highly effective means of assault.

Defining social engineering

Social engineering has many definitions depending on which book you read or to whom you speak. The Oxford dictionary defines it as:

The application of sociological principles to specific social problems…

Despite being partially relevant, in truth it falls far short of accurately describing what “real world” social engineering truly is.

Another possible definition of social engineering might be:

The art of intentionally manipulating behaviour using specially crafted communication techniques.

This definition reduces social engineering down to the absolute basics: leveraging communication, in all its possible manifestations, with the objective of exploiting the human factor. Therefore, wherever there is interaction there is always the capacity and potential for social engineering. The most fundamental example of this would be the act of lying. Although the historical roots of individuals committing immoral acts are beyond the scope of this book, it is important to note that social engineering is as old as communication itself.

The SANS Institute’s definition[1] provides an alternative explanation, which is certainly closer to the mark:

Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.

The important part of this definition is the context within which the concept is applied. You could define social engineering as the techniques used to elicit information or manipulate behavior, but that doesn’t do it justice in the context of information security, which is the focus of this book. When it comes to securing your business’s sensitive information, social engineering then becomes:

The art of eliciting sensitive information and/or manipulating individuals into performing actions that may result in a security breach.

You could argue that eliciting sensitive information is in itself a security breach, but what is meant in this definition are breaches of network or physical security or indeed both. This definition and the context of business information security is the basis for all information within this book.

Considering the use of the word “art” in the previous definition, is social engineering regarded as an art form? The authors of this book believe the answer to that must be yes. Social engineering is not an exact science; it often involves the application of very creative thinking. This book aims to present very logical and structured models to aid in social engineering assessments; however, that does not mean social engineering can be completely reduced to an absolute “if set of actions A, then outcome B.” The models presented in this book help to ensure value for the client through accurate and thorough assessments. Once these models have been followed, the social engineer can apply all manner of creative spins on the scenarios, providing of course that they don’t then contradict the advice of the models used in the first place.

The various social engineering techniques aim to exploit vulnerabilities in human nature rather than those of a computer system. The terms “human hacking” and “hacking wetware” have been used in obscure security articles and some “cyberpunk” inspired novels to describe social engineering methods. A typical social engineer may use myriad psychological techniques to manipulate their target; these can range from leveraging emotional states through to clever sentence structure and personality profiling. The techniques used vary greatly, and so social engineering can be thought of as an eclectic collection of manipulation techniques. However, it is not limited to psychological trickery. Social engineers may use props and disguises and even go to the great lengths of creating entire scenarios involving many different stages to achieve their objectives. The techniques can also be applied to other channels such as telephone calls or e-mail, not just face-to-face encounters.

Arguably one of the finest examples of individuals that engage in social engineering techniques are successful sales persons. The average sales person has one simple objective: to sell their service or product to their client. In order to do this the sales person will not simply ask the client if they would like to buy, but rather leverage every possible available technique to influence the client’s decision. A very simplistic example would be the use of open rather than closed questions. A closed question can be answered with a simple “Yes” or “No” whereas an open question requires a lengthier, often less absolute answer. For example, the sales person may say:

“So how many would you like to buy?” rather than “Would you like to buy it?”, or “How can I help you?” rather than, “Can I help you?”

There are even various sales models and methodologies focused simply on overcoming client objections to successfully close a sale. However, the parallels between successful social engineers and successful salesmen go far beyond the standard sales process.

The very best salesmen will research their potential client, perhaps simply to find something they have in common to talk about. Mentioning your latest golf exploits at the end of the meeting may well gain favor with a client that has a keen interest in the sport. Some sales persons may take this even further by actually profiling their client, reading any available information associated with the subject to provide a better “sales pitch.” This initial reconnaissance is mirrored in the first stages of a social engineering attack with the target company and the staff research. Social engineers will harvest as much information as they can to increase the chances of perpetrating a successful attack. Consequently, both salesmen and social engineers will take full advantage of getting to know their targets very well.

Additionally social engineers may try to impersonate individuals to elicit sensitive information from their targets. Similarly, the successful sales person may also try impersonation in an attempt to gain a foothold for the sales process. For example, impersonating staff members simply to get a direct telephone number to a particular department or specific staff member or to elicit information on competing sales companies. Social engineers will contact the target company to elicit similar information to aid in further attacks. The only difference is the ultimate objective with the salesman wanting a sale and the social engineer wanting to gain access to sensitive information or to gain information they can use to attack the company in some other way.

Therefore it can be said that salesmen make the best social engineers, with their natural confidence, positive attitude, and experience of effective influencing techniques. Their sole purpose is to sell you a concept or an idea. However, when that concept changes from buying something to giving up your password, you’d best be on your guard: buyer beware!

There is a plethora of individuals in everyday life who use social engineering techniques, not just clever sales persons. In fact you may have used the techniques many times yourself, perhaps to convince a friend to do something or prise some snippet of information out of a colleague. Indeed numerous agencies, departments, organizations or groups are known to employ such techniques as part and parcel of their standard “trade craft.” For example:

• Law enforcement agencies, in order to draw information out of alleged criminal suspects

• Private investigators, to elicit information

• Lawyers, when questioning a witness

• Grifters and hustlers, when tricking their mark

• Even children, when trying to manipulate their parents

• Organized criminals, when attacking businesses

Examples from the movies

Poetic license has enabled writers to create some of the most entertaining and often ludicrous social engineering scenarios. Although most of the creative hustles we see in the movies are somewhat far-fetched, they are almost always based on very real techniques. In truth the movies can often demonstrate what could potentially be possible if the social engineer was daring enough and had the available resources to attempt it.

Sneakers

The 1992 film Sneakers, directed by Phil Alden Robinson, is full of excellent examples of social engineering techniques. The main character Martin Bishop runs a Tiger Team[2] style company who specialize in breaking security systems, with the aim of helping the client better defend against similar attacks. The team are approached by government officials and pressured into retrieving a mysterious “black box” device from the famous mathematician Dr. Gunter Janek. The box is believed to have been built for the former Soviet government and the United States are concerned that it may be a matter of national security. Martin and his team retrieve the box, discovering that it is able to break any US encryption scheme. Martin hands the box over to the government officials but soon realizes that they were in fact impostors, and his team then has to pull off their most difficult mission yet to get the box back and into safe hands.

The scene where Martin is approached by the “government officials” and asked to perform the task of retrieving the black box device is an excellent example of multiple social engineering techniques. The two government officials are impostors, actually working for a criminal organization. Martin is duped and drawn into their plot by a number of factors. First, the two officials present plausible facades as government officials: they have what appears to be the correct credentials, talk like government officials and even produce information that Martin presumes only a government would have. All these reaffirm their credibility and so to Martin the two men look, sound and act exactly like the people they are trying to impersonate. They both put pressure on Martin and make him focus on an ultimatum: help them or have his real identity as a computer hacker used against him. In doing so they successfully manipulate Martin into agreeing to help them, all the time keeping his attention fixed on his situation and leaving no room for doubting their actual identities. Despite performing similar impersonations countless times, Martin falls for their scam completely. The social engineering element of this scene is the combination of impersonation, choice of words and subtly guiding the victim to focus on the right elements.

For Martin to achieve his objective he needs to break into the building where the black box is initially located, by gaining access through reception. Again, this is accomplished by using more than one social engineering technique. One of the team members approaches reception claiming that they have a delivery to take inside. The receptionist refuses to allow them entry and the team member continues to try and convince the receptionist to make an exception, claiming that they may lose their job. This is already an attempt to invoke guilt in the target to try and make them comply. Simultaneously, Martin approaches the desk asking if his wife had dropped a cake off, referencing the second floor of the building. The purpose of this is to plant the seed of credibility while the receptionist is distracted. The receptionist then returns to arguing with the delivery driver. Martin leaves before returning with a cake and balloons, asking the receptionist to release the locking mechanism as he has no hands free to retrieve his card (a card he doesn’t have). With the receptionist distracted by the delivery driver and an ensuing argument, Martin then shouts at the receptionist to “Push the damn buzzer will you!” Of course the receptionist immediately does so to escape the increasingly stressful situation. The two team members both impersonate different individuals and play out a scenario designed to confuse, disorientate and stress the receptionist, manipulating him into opening the door for Martin. The situation or scenario is entirely plausible, and that results in the security being breached without anyone knowing. The receptionist was not forced into doing something they knew would result in a breach; they caused a breach but would probably never realize they did. From the receptionist’s perspective, Martin would have had access in any other case. This creation of a plausible situation, adding in the elements of impersonation and emotional manipulation, is a superb example of social engineering in action.

Later on in the film the team engage in further reconnaissance of a specific employee so as to find something they could use to manipulate him. They discover the target to be hopelessly uninteresting and even resort to stealing his garbage, in an attempt to find anything useful. This is a classic example of dumpster diving, a subject that will be revisited in Chapter 11. However, this apparently desperate approach provides fruitful results, as the team uncover evidence of his involvement in the computer dating scene, providing a new vector for attack: the “Honey Trap.” This involves the use of an attractive team member of the opposite sex to pretend to be attracted to the target, using the computer dating system as a tool with which they can gain access to the individual of interest.

This tactic is nothing new; in fact Greek mythology makes mention of the “Sirens,” dangerous and beautiful creatures portrayed as femmes fatales who lured nearby sailors with their enchanting music and voices to shipwreck on the rocky coast of their island. Indeed, this tactic proved to be extremely successful when used by dissident republican terrorists against members of the British military.

Thoroughly researching a target, even if it means going through their garbage, is one of the first stages to building a successful attack scenario.

Hackers

The 1995 film “Hackers”, directed by Iain Softley, begins with the arrest of 11-year-old Dade Murphy (aka Zero Cool). Dade is charged with writing a computer virus that causes 1507 computers to crash and a seven-point drop in the New York Stock Exchange. Following his arrest Dade is banned from using a computer until his 18th birthday. He teams up with a group of hackers and they uncover a plot to release an extremely dangerous computer virus. The computer genius behind the evil plot frames the hackers, and they race to gather evidence to clear their names.

The film “Hackers” is certainly embellished, showing wildly unrealistic scenarios with myriad technical inaccuracies and exaggerations. However, the film does contain some great examples of social engineering methodologies to aid attacks against technical systems.

Having turned 18, Dade immediately resumes his passion of hacking into the computer systems. His first target is the OTV Studios television network where he gains the initial foothold on the computer network using social engineering techniques. Dade calls up the security desk impersonating a Mr Eddie Vedder from the accounting department. The security desk employee (Norm) answers the phone. Eddie explains that he has just had a power surge at his home, which has wiped out a file he was just working on. He expresses the seriousness of the situation claiming that he is in big trouble and asks “Do you know anything about computers?” Norm responds with a somewhat apprehensive, “Err…Gee.” Dade now knows that the employee certainly isn’t confident with computers and therefore his pretext is more likely to be successful. Dade continues “My BLT drive on my computer just went AWOL and I have this big project due tomorrow for Mr Kawasaki.” Throwing in a few abbreviations, he continues to make the security desk employee feel more inadequate to deal with the situation, giving Dade the upper hand. He also stresses the importance of the project claiming “If I screw up, he’ll make me commit hari-kari.” This increases the pressure on the target so that when a solution is presented they’ll grab it. Dade then asks “Could you read me the number on the modem?” The security desk employee jumps at the opportunity to escape the situation and happily reads off the number. Having possession of the modem number, Dade is able to connect to the television studio’s networks.

Putting the technical inaccuracies aside, this is an excellent example of social engineering in action. Through one phone call Dade establishes if the target individual is vulnerable, plays through a plausible scenario (pretext), applies pressure and then presents a solution that results in him obtaining the sensitive information.

Matchstick Men

The 2003 film “Matchstick Men” tells the story of two con artists, Roy and Frank. Together they run a small-time grifting operation selling water filtration systems at greatly inflated prices, promising the unsuspecting victims big prizes that they of course never collect.

Roy suffers from obsessive compulsive disorder (OCD), which begins to affect his work. His partner Frank suggests he see a psychiatrist to help him cope with his symptoms. While Roy is only interested in replacing his medication, the psychiatric sessions end up exploring Roy’s difficulties. The subject of Roy’s previous relationships is discussed, revealing that he has a daughter, something he suspected but never confirmed. Roy’s life is turned upside down when he decides to meet his 14-year-old daughter Angela, especially when she learns of his real profession and wants to get involved.

The entire film is an example of an extended (long game) con involving countless techniques. The two con artists employ a variety of different techniques including distraction, misdirection, impersonation, emotional manipulation and baiting to name just a few. However, it is the technique of baiting that features most prominently in their cons. The phrase “You can’t con an honest man” is mentioned in the film, implying that only the dishonest would take the bait. Their regular con selling water filtration systems baits the victim with a chance to win a huge prize. This is provided they’re willing to play the system and dodge the tax. In their later cons they bait the victim by presenting the opportunity to make a large sum of money, although through obviously fraudulent ways.

Baiting is a classic technique used by social engineers and is often seen in phishing scams. The social engineers often attach malicious files with tempting names such as “Payroll 2014”, for example. Baiting can also be seen in physical attack vectors such as leaving tempting CDs or USB drives loaded with malicious software, in the hope that a staff member might pick one up and put it into their PC, falling victim to their own curiosity. The technique of baiting will be revisited and fully discussed in Chapter 3.

Dirty Rotten Scoundrels

The 1988 comedy “Dirty Rotten Scoundrels”, directed by Frank Oz and starring Michael Caine and Steve Martin, depicts the hilarious competition between two con men. Michael Caine’s character (Lawrence Jamieson) is a smooth operator conning wealthy women out of large sums of money through clever and elaborate impersonations. Steve Martin’s character (Freddy Benson) also cons money out of women but often using less than sophisticated methods. The two con men soon realize that the town isn’t big enough for both of them and agree to a bet. The first one successful in tricking $50,000 out of an American “Soap Queen” visiting town gets to stay, the other must leave for good.

The film includes a variety of examples of how social engineering techniques can be used in support of grifting, that is, swindling the target out of money. Both con men tend to focus on manipulating their victims by leveraging emotional states, with sympathy being their emotion of choice. One particular scene clearly demonstrates how these subtle emotional manipulation techniques can be used to great effect.

The character of Freddy Benson first appears in the film as he enters a passenger train restaurant coach. He looks around for a victim and discovers a female character sitting alone at a table. His main objective is to trick the woman into paying for his meal. From that moment, before he has even sat down, he begins to play out the social engineering scenario. He immediately removes his hat and puts on an expression of sadness, putting himself into character. He asks if he may sit opposite the woman and she agrees. When the waiter asks if he’d like to see the menu he says “Oh yes…. Starving…. Really starving”, then on seeing the menu comments on the prices and asks the waiter for water. Straight away he is building up his pretext, planting the seeds of sympathy in the victim’s mind. This is more effectively accomplished as Freddy isn’t directly conversing with the victim, instead ensuring they overhear the conversation. This indirect manipulation adds credibility to the pretext, as the victim is unlikely to think they are being targeted if they are not being spoken to directly. The female character then comments on him ordering water when he is so hungry; Freddy explains that he is saving his money to pay for his ill grandmother’s hospital bills. He continues, saying that he’s never been good with money, returning what little money the Red Cross pays him. All of this is obviously designed to invoke feelings of sympathy in the victim. Freddy then finishes by saying his grandmother taught him to always be truthful and good. This last comment about being good presents a way out for the victim. The female character feels sorry for Freddy; she can’t help his grandmother, but she can be “good” and at least pay for a meal for him, seeing as how he’s “really starving.”

The Imposter

The 2012 film “The Imposter” is based on the real-life case of the confidence trickster Frédéric Bourdin. In 1997 Frédéric impersonated Nicholas Barclay, a 16-year-old who had gone missing 3 years earlier, despite Frédéric being in his twenties. The film includes dramatizations of actual events, interviews with the family, interviews with Frédéric himself and original footage from the time.

Frédéric’s case demonstrates an incredible example of the power of impersonation techniques. Using only a telephone he impersonated Spanish police officers, social workers, the individual who found Nicholas and of course Nicholas Barclay himself. He was successful in fooling both Spanish and US officials and, unbelievably, even Nicholas’ own family. The impersonation led to Frédéric being collected by Nicholas’ sister and taken back to the United States, where he lived with the family for months. Posing as Nicholas, he told investigators that he had been kidnapped, tortured and sexually abused by European, Mexican and US military personnel, luckily escaping and finding himself lost in Spain.

His ultimate objective was to be incorporated into the family and to obtain the childhood that he’d never had. Is this social engineering in the sense of sensitive information and security breaches? If you treat Nicholas’ family as the supposedly secure unit, Frédéric had successfully extracted all manner of sensitive information about the family and had manipulated their behavior, ensuring that any interactions were consistent with their real child. This is effectively the same as a business believing a social engineer to be their chief executive, treating him as such and granting him access to all the business information and services.

Impersonation over the phone is extremely powerful and relatively risk free for the social engineer. Communication is reduced down to a single channel and is therefore more easily controlled. The social engineer does not need to worry about visual issues such as how they’re dressed, how they look or what their body language is saying. They only need to have the right sounding voice, speak consistently with that of the impersonated individual and create a plausible situation. When Frédéric contacted Nicholas’ family to inform them that their child had been found he sounded professional and concerned, just like a social worker. The family had no reason to doubt the caller and so his impersonation was successful.

He used impersonation multiple times from start to finish, right from impersonating the individual that found Nicholas through to Nicholas himself. The string of impersonations built up credibility and strengthened the ruse. Criminal social engineers often use similar methods, making quick, simple phone calls to elicit innocuous information and then using that same information to aid in further attacks, progressing the overall attack toward the ultimate objective.

When meeting the family in person Frédéric looked significantly different to what the family expected. His eye color was wrong, he was much taller than they thought he would be and he was incapable of speaking English without an accent. Perhaps the family did know of the impersonation, or perhaps the want for their child was strong enough to cause a significant amount of denial. Whatever the case was, it still stands that the power of impersonation can be significantly enhanced if the victim truly wants to believe.

Frédéric’s impersonation was eventually revealed by private investigator Charles Parker and the FBI agent Nancy Fisher. In the film Frédéric comments that he believed at least some of the family members knew he was an impostor. He told police that he believed the family had been involved in the disappearance of Nicholas and therefore found Frédéric’s impersonation to be a useful turn of events. Whatever the truth was, Frédéric’s case is one of the most remarkable examples of the power of impersonation.

As this is not a fictional film it would perhaps be better suited in a different section but it provides a convenient link to the next section on real-life social engineers.

Famous social engineers

In the world of social engineering there are a few individuals that have stood out from the crowd, making a name for themselves. Some of these individuals have become famous for their positive use of the techniques, helping to secure businesses and educate the masses, while others have become notorious for using the techniques to commit crimes. Whether or not social engineering has been used for good or bad these individuals clearly demonstrate what can be achieved using these techniques.

Kevin Mitnick

Kevin Mitnick was at one point the most wanted computer criminal in the United States. Aged 16 he used social engineering and hacking techniques to break into the computer systems of dozens of companies. He would often not need to use any technical methods to break into his target company. Rather, he would use a variety of social engineering techniques to trick users into revealing the credentials or telephone numbers he needed. He was first convicted in 1998 and sentenced to 12 months in prison with 3 years supervised release. Toward the end of his supervised release he successfully hacked into the Pacific Bell mail systems, leading to a warrant for his arrest. Kevin fled, spending two and a half years as a fugitive until his apprehension on February 15th, in North Carolina. When arrested, he was found in possession of cloned mobile phones and many forms of false identification. His remarkable use of social engineering is wonderfully described in his books “The Art of Deception”, “The Art of Intrusion” and “Ghost in the Wires”. Kevin now works as a security consultant helping businesses to defend against such attacks.

Frank Abagnale

Frank Abagnale is often regarded as one of the world’s most successful confidence men. Many a reader may have read of or seen his exploits in his book “Catch Me If You Can” or the film adaptation. He demonstrated an extraordinary use of social engineering techniques, impersonating an airline pilot, a college professor, a lawyer and a doctor to name just a few. In addition he had successfully cashed $2.5 million in fraudulent checks all over the world. These exploits inevitably led to his apprehension by French police in 1969 and to serving multiple sentences in France, Sweden and the United States. During this time he successfully escaped incarceration on more than one occasion. On his release he tried to hold onto a series of legitimate jobs, but as soon as companies learned of his criminal past they would terminate his employment. As with Kevin Mitnick, Frank now works as a security consultant, giving advice to organizations including the FBI.

Badir brothers

In 1999 Ramy Badir, Muzher Badir and Shadde Badir had 44 charges made against them for crimes such as telecommunications fraud, computer data theft and impersonating a police officer. Despite being blind from birth, these three brothers used social engineering and hacking techniques to swindle as much as $2 million from their victims. The brothers’ incredibly sensitive hearing, programming skills and uncanny ability to impersonate a wide array of characters made them a force to be reckoned with on the phone lines.

Chris Hadnagy

Chris Hadnagy is a modern-day expert in social engineering and human interaction, demonstrating a thorough understanding of techniques such as microexpressions, influence and rapport building. He is the lead developer of “www.social-engineer.org” and author of “Social Engineering: The Art of Human Hacking” and his second book, due February 2014, “Unmasking the Social Engineer: The Human Side of Security.”

Chris also leads an elite team of professional social engineers in his company Social-Engineer, Inc. (www.social-engineer.com). There they offer a range of social engineering testing and training services. The ongoing Social-Engineer.org podcast also offers great insight into all manner of techniques, studying those who use social engineering in everyday life. Chris is undoubtedly one of the “good guys”, using social engineering techniques to help secure businesses all over the world.

Chris Nickerson

Chris Nickerson is well known for his part in TruTV’s Tiger Team, a show in which Chris and his colleagues attempted to breach the security of businesses. The goal of the show was to demonstrate how vulnerabilities in electronic and physical security could be exploited, and how they could then be mitigated. He is at the forefront of information security and at the time of writing leads a security team at Lares, offering a multitude of professional services from penetration testing and social engineering to policy creation and compliance testing.

Real-world attacks

This final section of the chapter highlights a few recent real-world social engineering attacks, showing how security is often little more than smoke and mirrors. As technical security controls have improved, attackers have increasingly turned to social engineering to get around them. These attacks mark a changing security landscape for businesses around the globe, and those businesses would do well to ensure that their perception and application of security changes with it.

The RSA breach

In 2011 hackers successfully accessed highly restricted areas of the network of RSA, a renowned security firm. RSA is well known for its SecurID two-factor authentication system, which provides users with a secure way to log in to systems. The target of the attack was proprietary information associated with the SecurID token system, reportedly wanted to aid separate attacks against other organizations.

The hackers achieved their objective by combining traditional technical hacking skills with social engineering. They sent spear phishing e-mails to relatively low-privileged RSA staff members with a Microsoft Excel spreadsheet attached, labeled “2011 Recruitment Plan”. Spear phishing e-mails are a more targeted form of the spam-like phishing e-mails most people are familiar with: they are tailored to a specific individual or small group rather than using a generic format applicable to a wide audience. The bespoke nature of a spear phishing e-mail makes it an extremely effective attack technique. A full breakdown of performing a spear phishing attack is covered in Chapter 9.

The “2011 Recruitment Plan” title of the attachment was designed to entice the user to open it. The spreadsheet was of course malicious: it carried an embedded Adobe Flash object that exploited a flaw in Flash which had not yet been publicly revealed. The exploit installed a “back door” on the victim’s computer, allowing the attackers to use traditional network penetration techniques to reach the target systems. Having located the proprietary information, the attackers exfiltrated the data to an external location. RSA detected the attack, but too late to prevent the loss of sensitive information.
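
A practitioner triaging an attachment like this one would want a quick static check for a Flash object hiding inside an Office file before anyone opens it. The following is an added example written for this chapter; it is not code from the book or from RSA, and the attachment bytes it scans are constructed (an OLE2 container magic number, padding and a dummy Flash header), not the real spreadsheet. It searches the raw bytes for a Flash (SWF) header, which is a three-byte signature (“FWS” uncompressed, “CWS” zlib-compressed, “ZWS” LZMA-compressed) followed by a version byte and a little-endian 32-bit file length, and applies plausibility checks so that the letters “FWS” in ordinary text do not trigger it.

```python
"""Static triage of an e-mail attachment for an embedded Adobe Flash object.

Added example, not code from the book or from RSA. Looks for a Flash (SWF)
header anywhere in the attachment bytes and reports why the file deserves a
closer look. The sample attachment bytes are constructed for the example.
"""
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx")


def find_embedded_swf(data):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found in `data`."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = data.find(sig, start)
            if idx < 0:
                break
            start = idx + 1
            header = data[idx:idx + 8]
            if len(header) < 8:
                continue
            version = header[3]
            (length,) = struct.unpack("<I", header[4:8])
            # Plausibility checks so the signature bytes occurring in ordinary
            # text do not count: a sane Flash version and a declared length
            # that at least covers the header. For an uncompressed SWF the
            # declared length is the real size, so it cannot exceed the bytes
            # that remain; for CWS/ZWS it is the uncompressed size, unbounded.
            if not 1 <= version <= 50 or length < 8:
                continue
            if sig == b"FWS" and length > len(data) - idx:
                continue
            hits.append((idx, sig.decode("ascii"), version, length))
    return sorted(hits)


def triage_attachment(filename, data):
    """Summarize why an attachment deserves a closer look: an Office document
    carrying a Flash object, or an OLE2 container hiding behind a non-Office
    extension."""
    hits = find_embedded_swf(data)
    is_office_name = filename.lower().endswith(OFFICE_EXTENSIONS)
    is_ole2 = data.startswith(OLE2_MAGIC)
    reasons = []
    if hits and is_office_name:
        reasons.append("Office document contains an embedded Flash object")
    elif hits:
        reasons.append("file contains an embedded Flash object")
    if is_ole2 and not is_office_name:
        reasons.append("OLE2 container with a non-Office file extension")
    return {"filename": filename, "swf_headers": hits, "reasons": reasons}


# Constructed sample: OLE2 magic, 504 bytes of padding, then a dummy
# uncompressed SWF (version 10, declared length 40) and a little slack.
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 40) + b"\x00" * 32
SAMPLE_XLS = OLE2_MAGIC + b"\x00" * 504 + FAKE_SWF + b"\x00" * 16
# Constructed benign sample: text containing the letters "FWS" but no header.
SAMPLE_TXT = b"Q3 forecast: FWS numbers attached, see sheet 2."

if __name__ == "__main__":
    for name, blob in (("2011 Recruitment Plan.xls", SAMPLE_XLS),
                       ("notes.txt", SAMPLE_TXT)):
        print(triage_attachment(name, blob))
```

The check deliberately ignores what the outer container claims to be, because the point of the RSA attachment was that a legitimate-looking spreadsheet carried something that was not a spreadsheet. In practice this runs at the mail gateway or in a sandbox ahead of delivery, and a hit on a compressed variant (CWS/ZWS) should be treated as just as suspicious as an uncompressed one.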

In this case the bulk of the attack was technical in nature, leveraging a flaw in Flash and escalating privileges on the network. However, the initial foothold on the network was obtained through social engineering. Reduced to the most basic level, the perpetrators had to manipulate a user into doing something that established a remote connection back to the attackers’ computers. This could have been accomplished in many ways, such as downloading and running a program, browsing to a malicious web site or, as here, opening a malicious Microsoft Office document. The attackers could have approached reception impersonating a new starter and asked for their curriculum vitae (CV) to be printed, the CV being a malicious PDF document. They could have telephoned staff impersonating the IT department and asked users to browse to specific sites “for troubleshooting purposes”. Instead they chose the least risky option: e-mail, which is notoriously difficult to trace back to its source. The e-mail would have looked right and carried an enticing enough attachment to trick users into opening it, successfully manipulating them into performing the required action.

As with most well-crafted social engineering scenarios, the users may never have realized what they had done. The document would have opened and may even have contained some information of interest. The user would most likely have thought little more about it and continued with their usual work, while the attackers moved on to further systems and searched the network for their ultimate objective.

The Buckingham Palace breach

The undercover reporter Ryan Parry was able to penetrate the seemingly robust security of Buckingham Palace during a state visit by US President George W. Bush. The visit was considered the largest ever security operation in Britain, involving both British and US security agencies.

Ryan Parry responded to a job advertisement on the Buckingham Palace web site, providing a CV that omitted his current occupation as a reporter, and supplying one real reference and one fake reference. Because of insufficient screening procedures he was offered the job of footman and worked at the Palace for two months. At no time during those two months was he searched or his background adequately investigated. He later commented: “Had I been a terrorist intent on assassinating the Queen or President George Bush, I could have done so with absolute ease.” He was able to walk freely around the Palace taking pictures, including some of the Queen’s breakfast table, the suite in which President Bush and his wife were reportedly staying, and the bedrooms of Prince Andrew and Prince Edward.

Gaining a job at the target company is a classic social engineering tactic, a long-game impersonation strategy that is covered in greater detail in Chapter 4. This level of impersonation is very difficult to combat once the attacker has been accepted, unless of course they are caught doing something clearly untoward.

The issue here is the screening process: ensuring that the individual you are hiring is not just suitable for the role but also unlikely to present a significant threat. This is not an easy task, which is what makes the approach such an effective way of breaching the security of a target company.

The Financial Times breach

On May 14, 2013 the hacker group known as the Syrian Electronic Army (SEA) compromised Gmail and Twitter accounts used by staff at The Financial Times. The attackers then used these accounts to compromise further user accounts and services, and ultimately succeeded in publishing their own content via The Financial Times’ web sites and social media accounts.

Although some technical elements were involved, most of the attackers’ success was due to social engineering. The SEA tricked Financial Times staff into revealing their Gmail account passwords. This was achieved in a similar way to the RSA breach, by sending cleverly crafted spear phishing e-mails.

The initial e-mails appeared to come from Financial Times staff members. The sender address may have been spoofed, or the attackers may already have compromised some legitimate e-mail accounts; either way the recipients would likely have believed the e-mails to be from a reliable source. Each e-mail contained what appeared to be a link to a CNN article. The link actually led to a compromised web site, which in turn redirected to a malicious site hosting a clone of The Financial Times e-mail login portal. If the user logged in to this fake portal, the credentials were logged and sent to the attackers, and the user was then redirected to the genuine Gmail login, none the wiser that anything untoward had happened.

An interesting development came when The Financial Times detected and responded to the attack. They sent out e-mails warning users that some accounts had been compromised by a phishing attack and that they should change their password as soon as possible. Because the attackers already controlled several accounts, they received these warnings too. They then sent out e-mails that matched the warning perfectly, with the legitimate links swapped for malicious ones.
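
Both tricks described above, the “CNN article” link that leads somewhere else and the replayed warning e-mail with its links swapped, can be caught by checks on the links themselves rather than on the wording of the message. The following is an added example written for this chapter; it is not code from the book or from The Financial Times, and the message bodies, allowlist and host names (news-mirror.example.net, accounts-google.example.org) are constructed for illustration. It extracts every anchor from an HTML body and flags, first, anchors whose visible text names one host while the href points at another, and second, hrefs whose host is outside an allowlist of hosts the organization legitimately links to.

```python
"""Link checks for a suspected phishing e-mail.

Added example, not code from the book or from The Financial Times. Two checks
per anchor: visible text naming a different host than the href (the "CNN
article" lure), and an href host outside an allowlist (the replayed warning
with swapped links). Sample bodies and host names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) organization legitimately links to; adjust per site.
ALLOWED_HOSTS = {"ft.com", "mail.google.com", "accounts.google.com"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>]+", re.I)
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:com|net|org|co\.uk|gov|edu))\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction (last two labels). A real deployment
    would consult the public suffix list; this is enough for the example."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_named_in_text(text):
    """Host the visible link text appears to point at, or None if it names none."""
    m = URL_IN_TEXT.search(text)
    if m:
        return urlparse(m.group(0)).hostname
    m = HOST_IN_TEXT.search(text)
    return m.group(1) if m else None


def check_links(html_body, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per suspicious anchor, each with its reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    allowed = {registrable(h) for h in allowed_hosts}
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        shown = host_named_in_text(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text names {shown} but href goes to {host}")
        if registrable(host) not in allowed:
            reasons.append(f"{host} is not an allowed link target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample 1: the "CNN article" lure. The visible text is a CNN URL
# but the href goes to a compromised third-party site.
SAMPLE_LURE = (
    "<p>Thought you might find this interesting:</p>"
    '<a href="http://news-mirror.example.net/cnn/story.html">'
    "http://edition.cnn.com/2013/05/14/story.html</a>"
)
# Constructed sample 2: the genuine warning e-mail, linking to the real portal.
SAMPLE_WARNING = (
    "<p>Some accounts have been compromised by a phishing attack. "
    "Please change your password now:</p>"
    '<a href="https://accounts.google.com/ServiceLogin">Change password</a>'
)
# Constructed sample 3: the attackers' replay of that warning, identical text
# with the link swapped for a look-alike host.
SAMPLE_REPLAY = SAMPLE_WARNING.replace(
    "https://accounts.google.com/", "https://accounts-google.example.org/"
)

if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("warning", SAMPLE_WARNING),
                        ("replay", SAMPLE_REPLAY)):
        print(label, check_links(body))
```

The replayed warning is the instructive case: its wording is identical to the genuine one, so any filter keyed on content passes it, and only the allowlist check on the href host catches it. Note the link text for that anchor (“Change password”) names no host, so the mismatch check has nothing to compare and the allowlist is the only line of defense.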

Eventually Google blacklisted the malicious URL and the phishing attack stopped, but not before the attackers had published their content.

The Microsoft XBox breach

In March 2013 the Microsoft XBox Live accounts of high-profile current and former Microsoft employees were compromised. This was not accomplished through direct technical hacking techniques such as password attacks against login portals or zero-day exploitation3 code. Instead the attackers followed the standard social engineering methodology of acquiring one piece of information in order to acquire another, more sensitive piece.

Through social engineering, the attackers obtained the social security numbers (SSNs) of their high-profile targets, then used this information along with other details to gain access to the XBox Live accounts. However, Microsoft claims not to store SSNs or to link them in any way with XBox Live accounts. So how did the attackers use the SSNs? They used them, along with further social engineering, to attack a third-party company that did use SSNs and also held information about the XBox Live accounts. It was this third party, not Microsoft, that was attacked directly.

This approach can be likened to a treasure hunt, or to assembling a jigsaw puzzle. With enough clues, or enough pieces, you can reach the objective or work out what the picture is without needing all of them.

This attack demonstrates two very common and effective social engineering techniques. The first is turning innocuous information into sensitive information. The attackers may have started with some snippets of personal information about the Microsoft employees, such as e-mail addresses or dates of birth. They then used this information, with social engineering, to trick a company into revealing an employee’s SSN. The SSN could then be used to trick the third-party company into resetting the password for the XBox Live account, or whatever else was required to gain access. The scope of this concept is great and it will be revisited many times in subsequent chapters.

The second is that the target information may be found in more than one location. If an attacker wanted your bank details, would they necessarily target your bank? Your account details are likely held in many places by various companies. It may be far easier to target your local gym, which might store your bank details from the direct debit you set up with them. The security of any piece of information is only as strong as the weakest place in which it is stored or used.

Operation Camion

The Home Office and the police service employ a series of antiterrorist policies, in support of the Terrorism Act 2000 (TACT 2000), known as Operations Clydesdale, Camion, Kratos, Lightning, Rainbow and Trammel. Although the detail is restricted to personnel who require it, the limited open-source information describes countermeasures for a scenario in which terrorist groups use social engineering impersonation techniques.

The auction web site eBay was reported to have surplus emergency vehicles such as police cars, ambulances and fire trucks for sale, sometimes for as little as a few hundred pounds. It was believed that terrorists could purchase such vehicles to aid attacks against primary targets in Britain, using them to avoid attention, to gain access to restricted areas and as an effective bomb delivery mechanism.

The increased concern over attacks of this type followed security breaches in the Middle East: a coordinated terrorist attack in Saudi Arabia resulted in the theft of 15 police vehicles. Closer to home, in Leicester Square in central London, police uniforms, a police fuel card and a log book were stolen from a police vehicle while officers were distracted by a disturbance.

Access to emergency vehicles, uniforms and credentials would significantly aid an attacker in building a social engineering scenario. They would gain instant credibility and would only have to focus on acting the part convincingly. The serious issue here is that the attacker need not steal these items; they can be purchased legitimately online.

Summary

This chapter has set the scene for the reader on the concept of social engineering, examining the various definitions and drawing parallels with everyday life. It is clear that social engineering is commonplace, used by all kinds of individuals in a wide range of professions. It is a natural and inevitable aspect of human interaction, used for good (as in obtaining criminal confessions) and for bad (as by grifters and hustlers).

We have also seen how movies depict some of these techniques in a variety of ways, pushing the boundaries of what could potentially be possible. From fictitious examples the reader has been introduced to some of the world’s most famous and notorious social engineers, whose skills demonstrate the immense power of social engineering.

The chapter concluded with some recent real-world attacks showing how social engineering has been used as an effective delivery mechanism, allowing the attacker to breach the perimeter defenses of their target, be that a computer network or a physical location such as a building.

These real-world attacks set the stage for the next chapter, which focuses on the social engineering threat to businesses. It will explain how people have become the weakest link in a business’s security chain. Although this is already well known, businesses do not appear to acknowledge it consistently, most likely for a multitude of reasons: the difficulty of balancing security and availability, investment in technology rather than people, and weaknesses in policies and procedures, to name just a few. These concepts and more will be covered in detail, giving a clearer picture of why the security of businesses, both large and small, continues to be regularly breached.


1Source: SANS paper “The Threat of Social Engineering and Your Defense Against It,” dated 2003.

2A Tiger Team is a group of experts assigned to investigate and/or solve technical or systemic problems. A 1964 paper defined the term as “a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem” (Source: http://en.wikipedia.org/wiki/Tiger_team).

3A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack. (Source: http://searchsecurity.techtarget.com/definition/zero-day-exploit)
