Social Engineering - Christopher Hadnagy [170]
To figure out whether a successful SE attack was possible, I had to understand the theme park’s processes and methods for checking in customers and what the employees would and wouldn’t do at their terminals—or more importantly, could and couldn’t do.
The Story
As mentioned earlier, the goal for this particular job wasn’t really complex; I just had to find out whether the person behind the counter would allow a “customer” to get the employee to do something obviously not allowed. Before I could even think of what that was, I had to understand their business.
I browsed the park’s website and used Maltego and Google to research articles and other information about the organization. I also did some onsite research. I then went to the park and went through the process of buying a ticket at the ticket counter. During this process I started a small conversation with the teller, and spent some time observing the layout, their computer nodes, and other aspects of the “office” area.
This area was where I started to see a clear picture. During the conversation I mentioned I was from a small town with a huge name. When she asked where, and I told her, she issued the normal response:
“Where the heck is that?”
“Do you have Internet access here?”
“Yeah, I do.”
“Oh you’ll love this. Go to maps.google.com and type in the zip code 11111, and put it on satellite view. Look how small that town is.”
“Oh my gosh; that is tiny. I don’t think I’ve ever heard of this place before today.”
In this short amount of time I knew the following:
The layout of the space a teller has to work in
How employees check in each patron
That the computers have full web access
I went back to the park’s website and started browsing with a new enlightenment on their processes. I needed a way into their computer systems. My pretext was a reasonable one—I was a father who was going to take his family to the theme park for the day.
My story was that the family and I didn’t have plans to do it, but we came to the hotel and were browsing the web for things to do and saw a great discount for the park. We went down to the lobby and inquired about getting tickets but the price we were given there was substantially more than what we saw on the web.
When we double-checked the price we had found, we discovered it was a web-only price. We paid and then realized the tickets needed to be printed so they could be scanned. I tried to get the hotel to print them, but the printer was down. I had already paid and was nervous about losing the tickets, so I printed them to a PDF and then e-mailed them to myself. Sounds like a reasonable story, doesn’t it?
One more step was needed before I could launch my evil plot. I had to make a quick phone call:
“Hello, is this XYZ Theme Park main office?”
“Sure is; how can I help you?”
I needed to get to an internal office person to ask my question and make sure I had the right answer. After requesting the purchasing department, I was directed to the right person. I said, “Hi, my name is Paul from SecuriSoft. We are giving away a free trial of a new software to read and even print PDFs. I would like to send you the URL for the free download, is that okay?”
“Well, I’m not sure whether we are interested, but you can send me some information.”
“Okay; excellent. Can I ask what version of Adobe you use now?”
“I think we are still on 8.”
“Okay; I will send you out a comparative information packet today.”
Armed with the version information, all I needed to do was create a malicious PDF embedded with a reverse shell (which would give me access to their computer once they opened the PDF), call it Receipt.pdf, and then e-mail it to myself.
The next day I roped my family into a little social engineering action. As they stood off in the distance I approached the woman behind the counter and started a friendly conversation.
“Hi there, how are you…Tina?” I said, reading her name tag.
“Doing okay, what can I help you with?” she said with a friendly customer service