ORIGINALLY POSTED BY JAYMILL230 FOR THETAZZONE/TAZFORUM HERE
Do not use or republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.
It comes as no surprise to many people that most beginning hackers and crackers start off with the computer end of the business. However, many hacks begin or end with a much more effective technique: social engineering. Often, humans are much easier to crack than their digital counterparts, and there are several ways to do it.
The first is pretexting: the attacker pretends to be someone in authority when they are not, often over the phone. They will more than likely have done research beforehand and will know things like the birth date of the person they are imitating, the last bill amount of a company, the holder’s social security number, or any number of other means of authentication. Once they have the victim believing their story, there is no shortage of things they can do. For example, say that you called up a company’s DNS provider and convinced them that your server is now on a new IP; you’ve set yourself up for a near-perfect phishing attack, which we will talk about more later.
Phishing is technically a form of social engineering because it would be my job, as the attacker, to make you believe that I am someone I am not. I would possibly take the role of your bank, your credit card company, a sweepstakes official, or a near-unlimited number of other companies with whom you deal on a day-to-day basis. Phishing can take several forms; it may be an e-mail telling you we need to verify important information, otherwise “Your Account Will Be Canceled”, or any number of other dire warnings. It could also take the form of a fraudulent website, such as the MySpace phishing attacks, which captured more than 32,000 legitimate passwords and e-mails. Getting people to use these websites instead of the actual ones is the trick: it could combine an actual computer attack, which may change the link to my website, or it could be a pretexting attack on the DNS combined with phishing, like we talked about before.
Phishing is not only taking place on the net any more, either. Attackers are now setting up phishing Interactive Voice Responders (IVRs), those annoying things that say “Press 1 for this, Press 2 for this, Prima tres para espanol!” Often you will receive this ‘Toll Free Number’ from a phishing e-mail. These will ask you to enter your account number, say your name, and possibly enter your PIN as well.
My personal favorite type of SE is the road apple. Here is a prime example: an attacker was unable to get into the network of a company using direct means, so he made about 40-50 CDs with nothing but the company’s logo on them, drove at night to the company parking lot, and spread the CDs around. Each CD contained some form of malware that would ‘phone home’ to his computer. He then went home and simply waited. Around 30-40 of the CDs were taken in by people in the company, placed in their machines, and run. Soon he had a large number of computers infected, and his attack was underway. A road apple does not have to be a CD; it could be a thumb drive, or anything containing the malware you want to run.
The last, and my second favorite, is quid pro quo: something for something. This can take the form of calling random numbers in the company pretending to be from tech support; it’s only a matter of time until you get somebody who is having a legitimate problem. Then, while helping them (it’s beneficial if you actually do fix their problem), you give them commands to enter or, better yet, send them to a phishing site to ‘verify’ themselves or ‘download’ some scripts that you want run. The other example of quid pro quo is workers actually giving away their passwords in return for a cheap pen. In 2003 a security company set up a booth outside the company and had people write down their passwords (granted, anonymously, but usernames are much easier to get) in exchange for a very cheap pen. 90% of the workers who stopped at the booth completed the survey and walked away.
This is only a brief overview of a very broad topic that has almost unlimited applications. The key thing that was not talked about in any of this, though, is being creative and personable. There are far more attacks that can be considered social engineering, and no one could possibly cover all of them in one paper.