Online Book Reader

Social Engineering - Christopher Hadnagy [164]

looking up taxpayer information.

“Sure, what do you need?”

“The first thing I need you to do is an alphadent on Joseph Johnson, DOB 7/4/69.” (Alphadent means to have the computer search for an account alphabetically by taxpayer name, further identified by date of birth.)

“What do you need to know?”

“What’s his account number?” Keith asks (this is Joe’s Social Security number he is asking for).

She read it off.

“Okay, I need you to do a numident on that account number.” (Numident is similar to alphadent, only it’s a numerical search instead of an alphabetical one.) This was a request for her to read off the basic taxpayer data, and May Linn responded by giving the taxpayer’s place of birth, mother’s maiden name, and father’s name. Keith listened patiently while she also gave him the month and year Joe’s Social Security number was issued, and the district office it was issued by.

Keith next asked for a DEQY (pronounced “DECK-wee”; it’s short for “detailed earnings query.”)

“For what year?”

“Year 2001.”

May Linn said, “The amount was $190,286, and the payer was Johnson MicroTech.”

“Any other wages?”

“No.”

“Thanks,” Keith said. “You’ve been very kind.”

Keith then tried to arrange to call her whenever he needed information and “couldn’t get to his computer,” using a favorite trick of social engineers of always trying to establish a connection so that he can keep going back to the same person, avoiding the nuisance of having to find a new mark each time.

“Not next week,” she told him, because she was going to Kentucky for her sister’s wedding. Any other time, she’d do whatever she could.

At this point it seemed like game over. Keith had all the information he set out to obtain and now it was just a matter of calling the banks and offshore accounts, which, armed with the information he had, had now become a much easier task.

A well-executed and truly awe-inspiring attack.

Applying the SE Framework to the SSA Hack

The SSA attack just described leaves your mouth ajar and eyes wide. You can learn much from this particular attack, which used the social engineering framework.

Keith started the attack with information gathering. You are probably really tired of hearing me say this over and over again, but having information is truly the crux of every good social engineer attack—the more you have, the better.

Keith first found a truly amazing piece of intel on the Web, which dumbfoundingly enough, is still online at https://secure.ssa.gov/apps10/poms.nsf/.

This link directs you to an online manual for Program Operations of the Social Security Administration. It contains abbreviations, lingo, and instructions as well as what SSA employees are allowed to tell law enforcement. Armed with this information, Keith knew what to ask, how to ask, and how to sound like he belonged, as well as what information would raise red flags.

Although the link provided a wealth of information, he decided to take his information gathering a step further using the pretext of an Inspector General Office employee and calling his local SSA office. He really thought outside the box, by using his local office to obtain the internal numbers needed to complete his pretext as an internal employee.

Keith switched pretexts a couple of times and did so masterfully. He was able to obtain much of the information he needed by using the online SSA manual to develop the right questions. This manual proved to be an elicitation developer’s dream. Armed with the right words and language, he sounded like he fit right in. He built rapport and a frame that fed the pretexts perfectly. Building rapport is not an easy task, but Keith did it well and in a way that indicated he was well practiced in this technique. He used many influence tactics to make sure the target felt comfortable and at ease. For example, he mixed obligation and reciprocation artfully. When he was able to get May Linn on his side by describing the lack of good tools and the lack of support from his management, she felt obligated to help him out.

He also used keywords and phrases that commanded
