Social Engineering - Christopher Hadnagy [163]
Besides these items one can’t improve much in this hack. Eric did a superb job at making sure it was done right by using many of the talents and skills in the framework to accomplish his goal.
Mitnick Case Study 2: Hacking the Social Security Administration
Mitnick mentions a man he called Keith Carter, a less-than-honorable private investigator hired to do some digging into a man who was hiding funds from his soon-to-be-estranged wife. She had funded his venture, which had grown into a multimillion-dollar company.
The divorce was almost settled but the woman’s attorneys needed to find the “hidden assets.” This attack vector is interesting because, as in the first case study, the story follows a very shady method of gathering intelligence.
The Target
The target was to find the assets of the husband, “Joe Johnson,” but that wasn’t the target used for the actual social engineering attack. To obtain information on Joe, the private investigator, Keith, had to hack the Social Security Administration (SSA).
Many times in a social engineering audit this option will present itself. This section covers some of the methods he used to accomplish this goal, but suffice it to say that hacking the SSA is a very slippery slope. As the story unfolds you will see how dangerous this particular hack was.
The Story
Joe Johnson was married to a very wealthy woman. He had knowingly used tens of thousands of her dollars to invest in one of his ideas. That idea grew into a multimillion-dollar organization.
As things happen, their marriage was not too solid, so they decided to divorce. During the divorce proceedings, soon to be ex–Mrs. Johnson “knew” he was hiding his money, trying to keep it out of the divorce settlement.
She hired Keith, the private investigator who was a less-than-ethical guy who didn’t mind riding the edge of what was legal and what was not to obtain the information he needed to make the case.
As Keith sat down to analyze the case he determined that a good starting point was the Social Security Administration. He thought that if he could just obtain Joe’s records he would be able to find some discrepancies and then nail his coffin shut. He wanted to be able to freely call Joe’s banks, investment firms, and offshore accounts pretexting as Joe. To do so he needed some detailed information, which is what led him to the path of hacking the Social Security office.
Keith began with basic information gathering. He went online and found a guide describing the SSA’s internal systems and their internal terminology and jargon. After studying that and having the jargon down pat he called the local public number of the Social Security office. When he got a live person he asked to be connected to the claims office. The conversation went like this:
“Hi, this is Gregory Adams, District Office 329. Listen, I am trying to reach a claims adjuster who handles an account number that ends in 6363 and the number I have goes to a fax machine.”
“Oh, that is Mod 3, the number is…”
Really? That easy? Wow. In a few moments’ time he gets the number of the internal office phones that the public normally cannot get. Now comes the hard part.
He has to call Mod 3, change his pretext, and obtain useful information on Joe. Thursday morning comes around and it looks like Keith has his plan well laid out. He picks up the phone and dials the Mod 3 number:
“Mod 3. This is May Linn Wang.”
“Ms. Wang, this is Arthur Arondale, in the Office of the Inspector General. Can I call you ‘May’?”
“It’s ‘May Linn’,” she says.
“Well, it’s like this, May Linn. We have a new guy who doesn’t have a computer yet, and right now he has a priority project to do so he’s using mine. We’re the government of the United States, for crying out loud, and they say they don’t have enough money in the budget to buy a computer for this guy to use. And now my boss thinks I’m falling behind and doesn’t want to hear any excuses, you know?”
“I know what you mean, all right.”
“Can you help me with a quick inquiry on MCS?” he asked, using the name of the computer system for