Social Engineers: Identity Thieves
From Learn to be a true Social Engineer
Identity theft is the use information such as peoples names, bank account numbers, addresses, birth dates, and social security number without the owners knowledge. This can range from putting a uniform to impersonate someone or an elaborate scam involving DNS poisoning and phishing scams.
Gartner research firm, estimates that 57 million U.S. adults received a “phishing” attack e-mail within the past year. More than half of those that responded were victims of identity theft. This scam is carried out by sending legitimate e-mails to unsuspecting individuals. The e-mails are designed to make the recipient believe that they are from an institute they must trust, such as their banking institutions or any other company that may require you to provide personal information for authentication. As the unsuspecting person hands over this information they have opened up themselves or their businesses to attack. Even seemingly benign information can lead to something severe. Divulging even personal information can lead to an attacker launching an attack, as shown in the story about AOL mentioned in our framework .
Another commonly used method to gather information about someones identity is by dumpster diving. Individuals and business throw away lots of sensitive information containing address, phone numbers, credit card receipts, and even social security numbers. This information can be used to build the identity that you want. You can also find birthday cards and addresses of family members of businesses that or used by the individual to gain a foot hold into their identity. If you find that someone one is using a cleaning service frequently and paying them for services this could be used as a way into the organization. Using this information you could pose as a janitor and use that as a way into an organization to either carry out the attack or gain even more valuable information from bins used for shredding or even find an unlocked terminal of someone that has gone home for the evening.
Here is an example of dumpster diving. This technique used as part of Identity theft can held valuable results. Workers become complacent and do not think about what they are throwing away. Receipts with signatures, copies of invoices, order forms, and other items are swept into the trash as workers hurry out of the office on a Friday night or just before a holiday. Another rarely thought of items is anything placed underneath signatures. When consumers sign receipts there is often a note pad or a desktop calender that is thrown out at the end of the month. With a persons address, phone number, account number, and their signature, the theft is mostly completed. Most homes are easy targets as well. Many people get pre-approved credit cards and these simple get thrown away and can be used, along with other information, to open fraudulent accounts.
Another method you could use to gather information for your Identity theft is by using skimming. Skimming is an example of a low tech technique used to scan or swipe your credit or bank card and get the information off the magnetic strip. This scam is fairly easy to carry out in restaurants or any place that you give someone your card and they walk out of sight to run the charges. You run the card through a hand held scanner and you are able to capture the card information off it and then use it at another time to run up charges on the account. The Center for Identity Management and Information Protection says that mail theft, dumpster diving, stolen wallets, and other low-tech or no-tech methods are used far more often, with only 10 percent of scammers using the Internet exclusively.
Another method used with Identity theft is Pharming. These scams use basically two methods, in the first the attacker modifies the computers hosts file and uses links in e-mails that look like they send you to a legitimate site for a financial institution. The web site is actually correct but you have made their system go to a fraudulent IP for that URL. The second attack exploit vulnerabilities in DNS servers that redirect victim's to the fake websites. The erroneous site enables the attacker collects user-names, password, account information, and anything else that is entered in the web site. The Drive-by Pharming attack is a fairly sophisticated attack that involves modifying the configuration of the external router as apposed to the computers local host file or the DNS server. Again it is the same principle but you are modifying the settings for an entire network rather than just a single host.
A less thought of attack that can really be vicious is Tombstone Theft. Tombstone Theft involves stealing someone identity that has passed away. You can assume this individuals identity and likely get away with your deceit for some time. Because of someones death people often forget about notifying banks and other credit card companies right away after their loved ones death. As far as the financial companies know, the individual is alive and using their cards or accounts as normal. A way to get this information is through Funeral home notices or obituaries. Funeral homes can be careless in their handling of personal information about their customer and information can be gained form news paper obituaries. An example of this crime can be found in Atlanta Georgia. Personal identity information of some 80 people were sold for $600 US a piece. That information was used to secure over $1.5 million in loans.
How Identities Are Stolen
There are six key ways identity theft occurs and these are all discussed in depth in our framework:
- Dumpster Diving: Rummaging through your trash or your company's trash an identity thief can find enough information about you to launch an attack. [Dumpster Diving section in wiki]
- Skimming: This is where an attacker uses a special device to store your personal information when you buy something from a store. This is the type of attack that was used against TJ MAx.
- Phishing: Pretending to be a financial institution or company a malicious email is sent trying to encourage you to visit a very realistic looking site and entering your personal info.
- Changing Your Address: It has been done where an identity thief can divert your bills after they order high ticket items, to another location simply by filling out a "change of address" form.
- Stealing: Still viable, but an identity thief who steals a purse or wallet can take the theft further by now taking your identity.
- Pretexting: Use false pretenses they obtain personal information from you that can lead to your identity being used falsely.
Famous Identity Thieves
One recent popular example of identity theft is shown in the movie "Catch Me if you Can" this was based on a real life impersonations of Frank Abagnale. Frank Impersonated being a doctor, lawyer, prison inspector, maybe most famously an air line pilot. His airline scams alone cost Pan AM Airlines untold sums as Frank flew over 1 million miles to over 26 countries and stayed at various hotels along his way. Another more popular example of Franks scams was in the form of fraudulent checks. Frank used impersonation, pretexting, and other techniques to carry out some extraordinary scams.
In the example above Frank used a pilots uniform and some prior knowledge of airports to carry out this scam. Another trick that he used ir pretexting In other words you use a position of authority to get things that you need or pretending that you are in real need of something of importance or urgent. Impersonation is used in the same way. Through observation you can use the jargon, the attire or a uniform, and some general knowledge to impersonate someone to steal their identity in a literal sense of the word. You can take a picture of an ID card and print it out and paste you own picture on "Tom Smiths" access badge and now you are him. You can dye your hair or put in false teeth to disguise your self as the individual you are trying to impersonate.
Unfortunately there is no 100% sure fire way to protect yourself from this type of attack. Mainly it is being observant. Looking at bills as they come in, be aware of your personal information coming in and out and be quick to uncover anything that seems not right. If you feel you have been a victim do not wait, do the needed research to confirm and then file a police report. Then close your accounts and change numbers for the items that might be compromised.
Looking at bills as they come in, be aware of your personal information coming in and out and be quick to uncover anything that seems not right. You can also protect yourself by looking into identity theft protection from Life Lock or another highly regarded identity theft service to ensure the highest security of your personal information.
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-phishing_attack.pdf
- ↑ http://www.youtube.com/watch?v=T-cI0xMo4l8
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-DumpsterDiving.html
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-ChangingTechniques.html
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-Pharming.html
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-Techniques.pdf
- ↑ http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-FrankAbagnale.htm