Common Social Engineering Attacks: Phone
From Learn to be a true Social Engineer
The most common social engineering attack is conducted by phone. The attacker calls the company and impersonates someone who could plausibly pull information out of a user; posing as a computer technician or a fellow employee will often do the trick.
Helpdesk personnel are among the most vulnerable targets, since their job is to provide "help", something an attacker can exploit to obtain sensitive information. Helpdesk staff are trained to provide support and to be polite and friendly with customers, so they answer questions quite readily.
- Callers may be male or female
- Caller usually uses a private phone number
- Will attempt to gain as much information as possible, including phone numbers, employee titles, addresses, social security numbers and other details
- Phone - A phone is necessary to conduct the phone attack
- Caller ID - Useful if you are waiting for a call back from the victim, since it might be somebody else calling back
- Voice Changer - Makes the voice sound deeper, like a grown man, or higher, to sound like a woman
- Mind - A sharp mind helps you respond quickly and efficiently to the questions asked
What You Need to Know
If you receive a social engineering phone call, ask the caller for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts.
In that case the caller contacted AOL's tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the attachment executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.
“They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’”
Computer Security Institute
The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.
- Train employees never to give out passwords or any other confidential information over the phone
- Assign every employee a PIN as a means of identification, so that a caller's identity can be verified before any information is given out
- http://www.social-engineer.org/wiki/archives/CAPhone/CAPhone-ReadingRoom.html
- http://social-engineer.org/wiki/archives/PenetrationTesters/Pentest-HackerTactics.html