Social Engineering - Christopher Hadnagy [147]
You must never use these devices with the intent of getting an employee in trouble or to embarrass him or her. However, the information you get from these devices provides a great learning tool afterward for showing the staff who fell for the social engineer’s pretext and how. Having proof of a successful hack can go a long way toward educating the company and its staff on how they should react to malicious social engineering attempts—in other words, how to notice and then either avoid or mitigate these attacks.
The second reason to use recording devices in an SE gig is for protection, mainly for the professional social engineers. Why? Seeing every microexpression, facial gesture, and little detail that you can use later on is impossible. Capturing this information on camera gives you something to analyze so you do get all the details needed for the attack. It can provide protection in that you have a recording of the events to prove what was and was not done, but also in that it doesn’t leave everything to your memory of the situation. It also is a good educational tool for analyzing failed or successful SE attempts.
This principle is used in law enforcement. Police and federal agents record their traffic stops, interviews, and interrogations for protection, education, and proof to be used in court.
These principles also apply for audio recording. Capturing a phone call or conversation on a recording device serves all the same purposes as the ones mentioned previously for video. An important point to mention here is that recording people without their consent is illegal in many areas of the world. Make sure your ability to use recording devices is part of the social engineering contract you have signed with the company.
Audio recording devices come in all shapes and sizes. I own a small voice recorder that is a real working pen. This device sits nicely in my front pocket and records sound clearly up to 20 feet away. With 2 GB of internal storage I can easily record a couple hours of conversation without worry and then analyze it later on.
Cameras
Nowadays you can find cameras shaped like buttons; pens; hidden in the tips of pens; inside clocks, teddy bears, fake screw heads, smoke alarms; and basically any other device you can imagine. Locating a camera like the one shown in Figure 7-10 isn’t too hard.
Figure 7-10: The camera is hidden in the knot of the tie.
Yes, believe it or not, this tie is hiding a full-color camera that runs on a 12-volt battery and connects to a mini recording device. Wearing this tie into a social engineering audit ensures you capture everything within a 70-degree angle.
Using a recording device like this gives an advantage. The social engineer can focus on the pretext or the elicitation that he or she practiced beforehand without having to worry about trying to remember every detail.
One story I like to tell is how I used an audio recording device in an audit where I was testing a theme park that sells tickets online. This company operates a small ticket window with one woman behind it manning a computer with a Windows operating system on it. The pretext was that I bought tickets online in the hotel but couldn’t print them out. To assist I printed them to PDF and emailed the document to myself. I then used a line similar to this: “I know this is an odd request, but my daughter saw your ad at a restaurant. We went back to the hotel and bought the tickets online with the discount code and then I realized I couldn’t