
Archive for June, 2010

The Pizza Delivery Man is a Social Engineer

Friday, June 25th, 2010

Everyone knows I am a stickler when it comes to the free pizza but this story just takes free pizza to a new level for social engineers, scam artists and con-men.


    Free Pizza - Real or Myth?

Most of us have probably done this:

You are hungry, so you call your local pizza place, realize you have no cash, so you tell the guy on the phone you need to pay with your credit card.

You read off the numbers, tell him to put a few dollars on there for a tip, then chill a couple of beers and wait.

This is what Brent did too.  He called his local Domino’s and ordered a pizza… here is his story:

“The other day I had a pizza delivered to my home using my Visa. When the pizza arrived, however, the driver refused to give it to me unless I either gave him my social security number or let him write down my driver’s license number. I refused because of identity-theft and general privacy concerns. I offered to show him my driver’s license and the Visa card I’d used to order the pizza, but he said he had to write down one or the other number.

When I called the local Domino’s about this, I was told that drivers are now required to get the information because, she said, people have been ordering pizzas with stolen credit cards. Why showing that my license and Visa matched wasn’t sufficient, she couldn’t say.”

Fortunately, this guy knew well enough to forgo the hunger pangs and not give out his social security number.  There is a good lesson there. I am not personally sure whether Domino’s Corporate says this is their policy or not, but what I do know is that this is definitely a dangerous policy.

Anytime someone asks for our social security number to complete a purchase we should be leery.  At most, a company may require a driver’s license or some other ID to prove you are who you say you are, but considering you can go online and buy almost anything with any credit card, it seems odd that a pizza guy would want a social security number.

The lesson:  Stay educated, be cautious, think ahead and never give out personal details too easily.

Social Engineering CTF Update

Tuesday, June 15th, 2010

It has been only a week since we launched the registration for the Social-Engineer.Org First Social Engineering CTF – How Strong is Your Schmooze. What has happened in just over a week?

The awareness that has been raised is just amazing. There have been many stories written and podcasts discussing the contest and what the rules are. People are wondering and very curious about what it will entail. Numerous alerts have been issued by various agencies about the contest. I will post one of them below.

We are very happy with all the awareness this is raising for social engineering threats. At the end of the contest we are going to release a detailed report that will help all who are interested see what attacks worked.

Our contest registration is 100% full and there is even a small overflow list. We are excited to see how the contest progresses and we wish all the contestants good luck. We are giving points for things that you probably never even thought of gathering during normal social engineering gigs.

Stay tuned for more information.

As promised here is one of those warnings below:

Advisory ID: 2010-06-016
Date/Time Reported (GMT): 6/7/2010 8:14 PM
Title: DEFCON Social Engineering Capture The Flag Contest

Risk: 2
Audience: Analysts, Core Members, Premier Members, Standard Members

Type of Threat: Social Engineering

Summary: Hacker Conference DEFCON is hosting a Capture The Flag (CTF) contest that aims to test participants’ social engineering skills. The contest’s specific ground rules state that participants must legally socially engineer their way into a target company, and they are not allowed to get credit card numbers, social security numbers, passwords, involve porn, or make the target feel “at risk.” Participants cannot use government agencies, law enforcement, or legal entities as a ruse to get inside, nor can they contact relatives of the targeted firm’s employees.

DEFCON 18 will take place July 30th – August 1, 2010 at the Riviera Hotel & Casino in Las Vegas, Nevada. Financial institutions should be aware of this upcoming contest, and should brief their personnel, especially call centers and legal departments regarding this event.

Business Impact: Social Engineering

Severity: 1 – Informational (Normal)

Urgency: 1 – Information Only

Credibility: 3 – Single Source

Description:
The CTF Rules
<our rules were posted here>

Recommendations: Financial Institutions are recommended to proactively brief their personnel, especially call centers and legal departments regarding this event.

Legal reminders for Financial Institutions: Any attempt to solicit information about an FI customer/client is considered an attempt at unauthorized access to customer information under GLBA and Bank Secrecy Act provisions and may require submission of a Suspicious Activity Report.

Regulatory guidance: http://www.ffiec.gov/ffiecinfobase/resources/retail/frb-sr-01-11-identity_theft_pretext_calling.pdf
http://www.fdic.gov/news/news/financial/1998/fil9898.html

In New York State criminal impersonation is a misdemeanor: S 190.25 Criminal impersonation in the second degree: A person is guilty of criminal impersonation in the second degree when he:
1. Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or
2. Pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another; or
3. (a) Pretends to be a public servant, or wears or displays without authority any uniform, badge, insignia or facsimile thereof by which such public servant is lawfully distinguished, or falsely expresses by his words or actions that he is a public servant or is acting with approval or authority of a public agency or department; and (b) so acts with intent to induce another to submit to such pretended official authority, to solicit funds or to otherwise cause another to act in reliance upon that pretense.

Criminal impersonation in the second degree is a class A misdemeanor.

Source(s): http://www.social-engineer.org/blog/DEFCON-social-engineering-contest/
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=225400253

Social Engineering being used by Child Predators

Monday, June 7th, 2010

I can remember as a child the PSAs (see below for an example) about keeping your kids safe from predators. Times surely have changed in recent years.  There are plenty of laws that are supposed to keep our kids safe.  Yet it seems that those who desire to hurt our children are coming up with more and more malicious ways of using social engineering to lure children into the dark corners of their depravity.


Malicious Social Engineers May Use This

When the stories never cease to amaze you and you think you have seen it all, there comes a story that just seems to defy all logic.  Enter our present story.

Prosecutors in New Jersey, USA, say that Jonathan Prime, a 20-year-old man, convinced a 13-year-old and a 14-year-old boy to send him pictures of their genitals.  How?

The two boys were frequent players of the game Call of Duty: World at War on MS Live.  It seems that Jonathan was able to convince them that it was a condition of joining the clan he was starting.

This wasn’t a lone incident; he did this to many children.  Many rejected him, but he was able to convince at least four of them by grooming them, getting them to comply and even getting one to call him and have phone sex.

Despite the inherent WTH factor here, how could these kids fall for this?  How could they believe that this really was a term of the contract?

Those questions are beyond the scope of our site.  What we will cover is what parents can do to keep their kids safe.  How is it possible to keep your children safe without having to unplug the television and disconnect the Internet?

There are certain things that can be done. The reason many fall short is that these steps don’t involve a plug-in or device to keep you safe, but there are two steps that can keep your family safe.

  1. Communication:  Nothing can beat just sitting your kids down and talking with them: telling them what is going on in the world and how malicious people think, telling them what signs to look for, and being involved in their lives.  This can keep them safe.
  2. If kids are going to play online, consider muting all the other players. It is normally possible to only talk to people that are known friends, instead of random strangers. Gaming can be a social event, but best to keep it social to those you know. Parents can use gaming as a chance to do something with their kids. If parents sit down and play games with the kids, they will better understand the potential issues that could be encountered. This will put them in a better situation to provide guidance to the kids in a manner that is truly helpful.
  3. Education:  Right along with communication, teach your kids about the world and what is going on.  If they are aware of malicious attacks and how these people think, they can recognize their tactics.  This doesn’t mean you need to tell them all the gory details, but keeping them aware can go a long way in a good protection plan.

We always strive to learn something from the attacks we analyze, but truly in this one there are no redeeming qualities.  All we can say is that it is one of those attacks that is pure evil and malicious, and there is not much to learn except: keep your kids safe.

It’s 10 pm. Do you know where your children are?

In the 1980s, before social engineers were using the Internet to trap children

The Social Engineering CTF – How Strong is Your Schmooze

Tuesday, June 1st, 2010

Are you looking for a real social engineering CTF challenge? Tired of the usual, “IT Tech Guy” pretext? If you have the skills that make up a real social engineer, we challenge you to come and prove it.

Join Social-Engineer.Org and Offensive Security in the Official Social Engineering CTF hosted at Defcon 18.

We are inviting those of you who think you can use ethical social engineering skills to stretch your limits as a social engineer. A unique blend of information gathering, planning and attack vector execution will challenge the very core of every participant. This will be a different SE challenge, as our focus is not on who can “get” the target the worst, but on a true display of SE talents. Each participant will be given a target company and there will be a point system. Full rules are coming on the registration page.


1st place – Your choice between an Offensive Security Wifu Course or a 16GB iPad, a Winner’s Plaque and a spot on the Social-Engineer.org Podcast

2nd place – Offensive Security Wifu Course and 2nd Place Winner’s Plaque

Registration will begin on June 3rd, so stay tuned and be the first in line to sign up for this exciting new contest.
