Social Engineering - Christopher Hadnagy [161]
This would be a little irritating, I am sure, for the officer, but it would tie up all the loose ends. In the meantime, Eric now owned the identity of that officer. He could use this information for many things, but mostly to obtain information from the DMV whenever he needed.
He did his DMV information gathering for a few hours then called back into the switch and disabled call forwarding; he now had a juicy list of information in his possession.
For months after this hack, Eric could easily dial back in, enable the call forwarding switch, collect a number of facts about officers, disable call forwarding, and then use those police credentials to obtain valid driver’s licenses that he would sell to private investigators or others who would not ask how he obtained this information.
Applying the SE Framework to the DMV Hack
In the story, Kevin identified some things that Eric did and attitudes he had that made him successful, such as not being afraid or uncomfortable talking to police and being able to find his way around unfamiliar areas.
You can also identify what part of the social engineering framework Eric used and how he used it.
For example, the first step in any successful social engineering audit or attack is information gathering. In this account you can see that Eric must have really done his homework prior to the attack. He knew a lot about the phone system, the way the DMV operates, and the general workings of the process he wanted to infiltrate. I am not sure how long ago this attack occurred, but nowadays making an attack like it is even easier due to the Internet. It is a goldmine for information gathering. Just a couple of years ago someone figured out a hack for a Tranax ATM, and within a few weeks manuals containing step-by-step processes of how to perform the attack were available on the Internet.
Also, as mentioned previously in this book, choosing a pretext that mimics what you do in real life or things you did in the past can increase your chance of success. The power lies in the fact that because the pretext is more “realistic” to you it helps you gather information as well as breach the target. Eric seemed to have a very intimate knowledge of this field.
As you may recall, the next part of the framework is elicitation, or being able to cleverly craft questions to obtain information or access to something you want. Eric elicited information masterfully. When on the phone with the police, Eric’s use of elicitation served as the proof that he was who he said he was and knew his “job” well. He knew the lingo and asked routine questions that had to be answered. As a matter of fact, not asking those questions would probably have caused more alarm than asking them. That is the power of good elicitation tactics.
Early on Eric knew he had to obtain certain phone numbers to perform the attack. Instead of trying to explain why he needed certain information, he used an assumptive close as mentioned in Chapter 3, and asked questions that basically stated, “I deserve these answers now, so tell me what I am asking.” This is another example of powerful elicitation; you can learn a lot from analyzing his methods closely.
Most good attacks also include a very high amount of pretexting. This account was no exception. Eric had to develop a few pretexts in this attack vector. He had to switch gears many times to accomplish his goals. As impressive as it is that Eric had to impersonate law enforcement (which he did very well), keep in mind that this practice is highly illegal in the United States. You can learn much from the process and methods Eric used, but be cautious how you apply them. Even in a paid social engineering audit, impersonating a law enforcement agent is illegal.
Know your local laws—that is the lesson—or don’t be afraid to be caught. Despite the fact that it is illegal, you can learn a lot from analyzing