Volume 02 Issue 05


In this issue

·         Social Engineering and Marketing Secrets Revealed

·         Social Engineering Your Policies

·         SE Tool Review

·         The Monthly Tip

·         Next month...

 

SE-review

This month I would love to rant and rave about the products we are testing... but it is a bug...err...big surprise.

 After we come back from Shmoo there will be full reviews of some amazing products.

In the meantime make sure to check out Spy Associates for the latest and greatest Social Engineering Tools out there.

 


The Monthly SE Tip...

 

"We desire most the thing that is hard to obtain...".  This quote captures the principle behind this month's tip.

Scarcity is a powerful tool for the social engineer.  Knowing that most people will desire the thing that is hard to obtain, the thing that is available only to the elite or the thing that is scarce can help us build a desire in others to "help" us reach our goal.

Insurance sales people used to use a great tactic where they would tell you, "Mrs. Smith, I was just next door and when I signed up Mrs. Jones for our policy she was so excited I asked her who could benefit the most.  I told her I only have ONE policy left for this area and I needed to give it to someone who really deserves it and she recommended you."

There are a few tactics at play here, but the principle of scarcity is the one we are focusing on.  By telling Mrs. Smith there was only one left and we would only sell it to the person most deserving, we make the policy elite, special and something to be sought after. 

This same principle works in social engineering every day.  "Only 4 more left, click now to get yours."  "Get abs like the stars, the first 10 people get the special price of...."  There was a story on the Internet of a few guys who opened a club and were getting little to no business.  After trying sales, promotions and special nights they thought there was no hope.

One of the guys decided to try something unique... he hired 2 huge bodyguard-looking dudes and a red grand-opening-type chain, and then paid a few of his buddies in free booze to stand outside the club as if they were waiting in line to get in.  Before you knew it there were people begging to get into this club.  Why?

Scarcity.  Only a few were allowed in at a time and the thoughts might have been, "What is so awesome in there?  I need to see." 

We can use this in audits to manipulate people into allowing us access or giving us information.  Read our framework for more detailed information on this topic.

______________________

 

 

What's coming next month….

 

The Special Episode of the Podcast is still an amazing hit.  I guess everyone is interested in learning more about the team behind BackTrack 4. 

Our next podcast will be released in another week.  Keep checking our Podcast page for the latest updates.

 

If you want to listen to our past podcasts hit up our Podcasts Page and download the past episodes.

 

__________

 

Want to get involved?

We are asking you to keep sending in your submissions and ideas for social-engineer.org.  We appreciate all the feedback and ideas.

To contribute your ideas or writing send an email  to [email protected]

 

 

Feature

The History of Scams Through the Ages

Even though scams are becoming more and more prevalent in today's day and age, are they new?  Are the "bad guys" becoming more and more intelligent in their methods of entrapping people?

Let’s look at some examples from history and see how scams have, and have not, changed over the years.

Experts agree that the motivation for most scams is greed.  Although that is true, fame, attention or simply the urge to maliciously hurt and steal from others are also strong motivators for scamming other people.

While I am sure there were scams way before this time, this one is notable.  In 1812 in Philadelphia, PA USA a man named Charles Redheffer claimed that he had invented a perpetual motion machine.  His claim was backed up by an actual working device.

Now all he needed was some government funding to build a larger version.  He got the money and built the machine, but then fled the city when the inspectors found out he had hidden the power source.  He fled Philadelphia and then tried the same scam in NY City USA, but was caught when the inspectors removed a wall of the machine to reveal an old man eating a sandwich and turning a crank.  If you are interested you can still see the machine in the Franklin Institute of Philadelphia.

Analyzing this scam we can see some basic principles at play.  Mostly what we can see is that it is greed based.  People wanted to believe in his invention, as it would have meant a significant technological advancement for that time.  What's more, he offered "proof" that his promises were close to being fulfilled.  This basic scam was based on promising something that people wanted.  That promise would cost them, and it did.

50 Years Later
About 50 years later in 1875 John Keely founded the Keely Motor Company.  John "invented" another amazing machine, the "vibratory engine".  This amazing device could run a fully-loaded train for over 1 hour on only 1 quart of water.

When he displayed this device for investors they were all more than willing to pour money into this invention.  14 years and LOTS and LOTS of money later, poor Keely croaked.  When he did, they inspected the work that all their money should have bought…. well, to their surprise there was an air compressor two floors down that powered the "vibratory engine", and no water was involved.

Another greed based scam.  This scam was based on the same principles as Redheffer's scam… the need for people to believe this is possible and with some patience and money they could be a part of history.  It plays on greed in two parts.  Firstly, the greed of the scammer and how he takes money for something he knows is false.  Secondly, the greed of the investors thinking of the promise of the "big payout" they can get if this works.
 

Bras are good
This story takes us to 1950 in Miami, Florida USA.  Police uncovered a crime ring that involved young women working for a local phone company.  These young women worked for Southern Bell as counters.  The police found that when you mix young women, lingerie and money, anything can happen.

These employees had the job of counting the money that came in from pay phones.  Before the money was officially marked as counted, the girls would stuff $15 rolls of quarters down their bras.  They would take up to 4 or 5 at a time and then excuse themselves to the ladies' room.  From there a "handler" would take the rolls and smuggle them out of the building.



They were caught after one of the girls' roommates reported them, and through an amazing turn of events they were released; the full amount they stole was never determined.

This scam again feeds off of greed.  Unlike the previous ones, it feeds only on the greed of the scammers.  This scam didn't involve tricking people into a corner so much as setting up a process to extract and hide the money.
 

Feeding off Pain
The previous examples might seem humorous to us, whereas this next scam is one that will probably disturb us all.

After the attacks in New York City on 9/11/2001, where terrorists took out the Twin Towers killing thousands of innocent people, the pain and suffering wasn't over.

Many saw the amazing way the whole world came together to support, love and help those who lost loved ones in those attacks.  Some, however, saw an opportunity to scam people.

Here is a list of a few accounts:

  • Maureen Curry of Vancouver, Canada reported that her daughter, Carolyn Burdz, had been killed in the attack. She also complained that her employer had refused her request for bereavement leave. Friends and sympathetic politicians quickly raised over $2000 for her. But in reality her daughter was alive and well and living in Winnipeg. The two had been estranged for years.
  • Cyril Kendall claimed that his son Wilfred died in the attacks on the World Trade Center, for which he received $160,000 in compensation from the Red Cross. One problem. He didn't have a son named Wilfred. But he did manage to buy a shiny new car with the Red Cross money to help assuage his grief over the death of his nonexistent son. He was later sentenced to 11 to 33 years in prison.
  • Sanae Zahani, a 20-year-old woman from Morocco, gained national attention for the search for her sister who, so she said, had been working in a bond-trading firm inside the World Trade Center. She even told her story on the Rosie O'Donnell show. But Zahani never had a sister who lived in New York. Zahani disappeared when this awkward flaw in her story was discovered.


This scam is a lot different from all the previous ones.  Even though in some cases there was a payout, this scam is based on people's need for attention.  One expert noted that when the scammers saw and heard the attention that many of the victims' families were getting, they became jealous and wanted to feel part of that "love".  To get the feelings they craved, they created fake family members who had suffered a tragic loss.

Unfortunately, while it might seem like no one is hurt by this type of scam, there is some serious damage done.  Trust.  People are "taught" by this type of scam to be distrusting, and that affects how they view others.  Sadly, this can even affect how people treat those who really need help.

The ol' Bait N Switch
Bait and Switch has been used since the beginning of carpet salesmen, card tricks and even more recent....

In 2008 in Nebraska USA the State Attorney General intervened when local gas stations were caught advertising low fuel prices; when motorists drove in, they found out that the "lower" prices were only at one pump, and the customers had to figure out which one.  Bait and switch techniques are still used in airline travel and other types of online buying.  The buyer is lured into the site to buy under the pretense of great prices.  When they go to buy, the item is out of stock but the next best one (of course at a higher price) is available.

This scam is money motivated also.  It also plays on people's inherent want to save a little of the hard earned cash they make.  Heck if this fuel station is 10 cents less I could easily see myself pulling in and even waiting a while in line to save that cash. 

What does all this point to?
Millions, even billions of dollars a year are lost due to people falling for scams.  As ridiculous as it seems, people still fall for the "Nigerian Email scams" and other similar ones every day.  One report states that as of 5 years ago the loss from the Nigerian 419 scam alone was 3.2 billion dollars from 37 reporting countries.

Take a look at this chart:

Motivation          Greed    Fame    Malicious    Attention

Redheffer             *
Keely Motors          *
Change in the Bra     *
9/11 Pain             *        *                     *
Bait N Switch         *        *        *

This just scratches the surface of scams and their effects on people.  What it does show us is that many, if not most, of the scams out there are motivated by greed.  Because of that, it is easy to see how these types of attacks will increase when the economy is down or when tragedy occurs.  As security conscious folks we need to be aware of this and educate our customers, our companies and our families on how to identify and protect against these attacks.

How to Identify:
Here is a very short list of things to keep in mind to identify modern day scams:

  • The organization has no website and cannot be located in Google.
  • The email or requestor asks for bank account information, credit card numbers, driver's license numbers, passport numbers, your mother's maiden name or other personal information.
  • The email or caller advises that you have won a prize - but you did not enter any competition run by the prize promoters.
  • The email claims you won a lottery (we know of NO legal lottery that notifies winners by email).
  • The mail may be personally addressed to you but it has been posted using bulk mail - thousands of others around the world may have received the exact same notification.
  • The return address is a yahoo, hotmail, excite.com or other free email account. Legitimate companies can afford the roughly $100 per year that it costs to acquire and maintain a domain and related company email account.
  • The prize promoters ask for a fee (for administration, "processing", taxes, etc.) to be paid in advance. A legitimate lottery simply deducts that from the winnings!
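The checklist above can be turned into a simple mail triage rule. What follows is an added example, not code from the newsletter or from social-engineer.org: it scores a raw message against the indicators that can be judged offline (the "no website / not in Google" item needs a network lookup and is left out). The free-mail domain list, keyword lists and both sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers the checklist names (constructed list; extend to taste).
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com", "excite.com"}
# One keyword group per checklist item that can be judged from the message alone;
# the "no website / not findable in Google" item needs a network lookup, so it is left out.
KEYWORD_CHECKS = {
    "asks_for_personal_info": ("bank account", "credit card", "driver's license",
                               "passport number", "mother's maiden name"),
    "unsolicited_prize": ("you have won", "selected as a winner", "prize", "lottery"),
    "advance_fee": ("processing fee", "administration fee", "fee in advance",
                    "pay the taxes", "pay in advance"),
}

def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (or its single body)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def scam_indicators(raw_message: str) -> list:
    """Return the names of the checklist indicators this message triggers."""
    msg = message_from_string(raw_message)
    hits = []
    # Return address on a free webmail account rather than a company domain.
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() in FREE_MAIL_DOMAINS:
        hits.append("free_mail_sender")
    # Bulk-mail markers: the same notification went out to thousands of people.
    if (msg.get("Precedence", "").lower() in ("bulk", "junk")
            or "undisclosed-recipients" in msg.get("To", "").lower()):
        hits.append("bulk_mail")
    # Body checks: personal-data requests, prize claims, advance-fee demands.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits += [name for name, words in KEYWORD_CHECKS.items() if any(w in text for w in words)]
    return hits

def is_likely_scam(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message once it trips at least `threshold` indicators."""
    return len(scam_indicators(raw_message)) >= threshold

# Constructed sample messages (not real mail) for the demonstration below.
LOTTERY_SAMPLE = """\
From: Claims Dept <claims.office2009@yahoo.com>
To: undisclosed-recipients:;
Subject: You have won the International Email Lottery
Precedence: bulk

Congratulations! Your address was selected as a winner. To release the
prize, reply with your bank account details and pay the processing fee.
"""
NORMAL_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Agenda for Thursday

Hi Bob, the agenda for Thursday's review is attached. Thanks, Jane
"""
if __name__ == "__main__":
    for sample in (LOTTERY_SAMPLE, NORMAL_SAMPLE):
        print(scam_indicators(sample), is_likely_scam(sample))
```

A single indicator is weak evidence on its own (plenty of legitimate mail comes from free accounts), which is why the verdict requires two or more to fire.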


Preparation and education can go a long way in protecting you from falling prey to this type of attack.  Until next month.....

By Chris loganWHD Hadnagy

Social Engineering Your Policy

I wanted to take a slightly different approach this month in the newsletter and talk about an area of security which can be social engineered but is often overlooked: Policy.

When I do a breach investigation or a penetration test, one of the more interesting things to do is a root cause analysis. This is intended to determine what failure allowed a system to be compromised: why did an adverse event occur?

And the scary part about the answer is: Most of the time it is a failure of policy.

This makes sense, as policy is foundational for any information security program. When policy fails, it has a cascading effect throughout the organization.

So, how do you fix this?

How do you correct the problem? This is where social engineering comes in.

I like to use the definition of social engineering as "Trying to manipulate an individual or a group to take an action which may or may not be in their best interest." If you consider that definition in regard to policy, the application is obvious.

Anyone that is in charge of policy is trying to direct a population into taking specified behavior. But it is not working. Let's examine why.

We will break this down into two camps.

1) The Policy Writer (social engineer)

2) the population that should be following the policy (the target).

Let's look at the policy writer first. Who are they? And what are their goals?

To answer the first question, they are typically higher level management. Most of the time they are removed from the day to day activity they are setting policy for, with the nature of their job necessitating they look at the bigger picture on a regular basis.

So what are their goals? They want "security", but often don't exactly understand it, thinking of it as more of a "state" than anything else. This is not a criticism, as it is an easy situation to be in when you don't deal with information security on a regular basis. But really, that is exactly the point: how can you be expected to create a quality product when you don't understand what a quality product is?

The other aspect of most policies is the circumstances they are written under. Most of the time, organizations find themselves in a position where a compliance mandate is driving the creation of or change to a policy statement. In this situation, the policy statement is usually written entirely to match the compliance goal, without much regard to organizational needs.

One last point to discuss about many corporate policies, and it is a big one: in many instances policy writers are not concerned about the organization's well-being, but rather their own. Many people in corporations live in constant fear that their job will be at risk if they "do the wrong thing", so employees often fall back toward doing what is expected rather than what is right, and whenever possible try to transfer the liability to some other party. Paperwork and meetings are normally an indicator of work being accomplished, right?

So, with policy writers working with this motivation, what do they wind up with?

A mess.

A mess of policies that on paper look good, but don't really work for the organization due to the fact they never considered their target.

Or, to put this in terms of a pentest: say you were putting together a phishing message and only considered your own needs, with no regard to the target. What would you wind up with? More than likely a phishing e-mail that reads like this:

Dear Sir/Madam,
    Please send me your username and password.
            Thank you.
            The Hacker.


What sort of response would you get with that sort of phishing mail? Most policies are the equivalent of this.

Let's consider the incentives of the target, the employees of the organization that are expected to follow the policy.

What are the motivating factors for most employees throughout the day? Is it to be secure and follow policy? No way. Their real drivers obviously vary from employee to employee, but there are many common traits.

  • They want money.
  • They want to get promotions.
  • They want to stay off their boss's radar.
  • They want to do as little work as possible without getting in trouble.
  • They want more time off, want quitting time to get closer, more vacation days.
  • They want their work to be as easy as possible.


Most people are lazy. This is a pretty universal fact. Water runs downhill.

So, how can policy be addressed with this information in mind? The first and most important step is simple:

  • Make it easier for employees to work inside the policy than outside the policy.

This is the same principle as when engaging in a social engineering situation: you need to lead the target into feeling as if the most logical choice for them to make is the one you want them to make.

If the policy is written such that it is easier for them to work inside of it rather than outside of it, enforcement will not be an issue. If this single principle were applied to most policies, making them enabling rather than restrictive, most policy programs would see an incredible increase in effectiveness.

Making it easier to work inside of the policy is harder than it sounds. It requires actually understanding what the jobs of separate employees are and how they accomplish them. This is not easy, but with such a high return the investment is well worth it.

Let's look at a quick example. Many policies have a statement somewhere along the lines of "Employees may not use removable storage, such as USB drives or thumb drives". This is a logical statement, but it is very often ignored.

To break down the motivation, the policy statement is there to prevent data leakage. Now, do employees ignore it because they have a strong motivation to work from home? No, not really. Imagine a scenario where an employee gets out of a 1pm meeting with a project that needs to be complete for a meeting at 8am the next morning. However, the employee has to take his kids to soccer practice starting at 6pm; to make that he needs to be out of the house by 5:30, which means being home by 5 to get them ready, which means leaving the office no later than 4:15 or so to get home by 5pm. With just a few hours to get the work done, there is simply not enough time.

So, does the employee decide to tell the kids no, you can't go to soccer today because I have to do this project? Or, does the employee put the work on a thumb drive, take the kids to soccer, then sit down for a few hours before bed and finish the project up?

The problem is not the removable media. The problem is the employee needs secure remote access. How did the policy statement help the problem?

There are other aspects of social engineering that can be applied as well. For instance, look at what your employees' motivations are and consider how you can incentivize positive behavior. Can you measure success, and perhaps reward it with extra days off? Most policies state "failure to comply with the policy will involve consequences up to and including termination". Remember being a kid and being told you can't do something? All it does is make you sneakier and harder to catch. Policies that rely completely on disciplinary action do not consider reality.

Another concept is ensuring the employee is actually tooled to comply with the policy. Far too often I come across organizations where if employees followed the policy it would have the consequence of making it so they are not able to actually do their job. If we set expectations for employees but don't give them the tools to accomplish those expectations and then punish them when they are not able to comply, that’s not corporate governance. That is abuse.

If we consider the social engineering aspects of our information security policies, we can easily see many areas where SE concepts will help. Social engineering is not just for stealing passwords and causing trouble. Taking the time to learn and apply these techniques to your company's information security policies can have real return in terms of compliance, security, and overall company culture.


Written by Jim "Elwood" O'Gorman
