Social Engineering - Christopher Hadnagy [172]

live, and act with ease is a good idea.

The pretext of the “free PDF software giveaway” had a lot of room for error. The pretext was solid, but a quick rejection would have meant a couple-day lag in the next attack attempt. It was also a “lucky guess” that the same version of Adobe would be used companywide and that the particular teller I chose had not updated her particular version of Adobe Reader to the newest edition, which would have in essence nullified my exploit attempts.

Banking on inherent human laziness is not a gamble I usually like to take, but in this case it worked out. Sometimes the best bet is to move forward as if what you are asking for is already a done deal. That attitude promotes a feeling of confidence and comes across to the target that what you are saying or doing is legit.

Using words and phrases such as “I really need your help…” is a powerful tool, as mentioned in Chapter 5. Humans inherently want to help each other, especially when asked.

When asked, complete strangers will go to extraordinary lengths to “help out,” even, as in this case, opening an unknown file from someone else’s email account. The plea to help a “poor dad” get his cute daughter into the park led to a compromised system.

Once compromised, the software that stores all the credit card information for each guest was wide open to an attacker. The ability to collect that data with very little effort could have left the park open to massive loss, lawsuits, and embarrassment.

Top-Secret Case Study 1: Mission Not Impossible
Every now and then my colleague and I are either involved in a situation or hear of a story that we would love to see turned into a movie, but for security reasons we are not allowed to write about or even speak of it. For those reasons, I cannot mention who was involved or what was taken in the story that comes to us from a social engineer named “Tim.”

Tim’s goal was to infiltrate a server that housed information that could be devastating if it fell into the wrong hands. The particular high-profile company involved had a lot to protect. When Tim was contracted to get this company’s information he knew he would have to pull out all the stops; this job would test the very limits of his social engineering skills.

The Target

The target is a high-profile organization with certain corporate secrets that should never be revealed to its competitors. These secrets had to be guarded on servers that did not have outside access and were only routable from the internal network.

Tim was contracted to help the company test its security against a “rogue person” being able to infiltrate and walk out with the goods. Tim met one person from the company at an offsite location to sign the deal they worked out over the phone and e-mail.

The Story

Tim had a huge challenge in front of him. The first stage, as with any social engineering gig, was the information gathering. Not knowing what information he would and wouldn’t use, Tim went full-bore, collecting information such as the e-mail layout scheme, open requests for quotes, all employee names he could find, plus any social media sites they belonged to, papers they wrote and published, clubs they were part of, as well as service providers they used.

He wanted to do a dumpster dive but when he scoped out the place he noticed that security was very strong around the dumpster area. Many of the dumpsters were even enclosed in small walled areas, so he couldn’t see the logos on the dumpster unless he breached the perimeter. After finding out the department that handles waste services, he decided to place a well-planned-out phone call to the company:

“Hello, this is Paul from TMZ Waste Disposal. We are a new waste disposal service in the area and have been working with some of the large corporations in the area. I am part of the sales team that handles your region. Could I send you a quote for our services?”

“Well, we are pretty happy with our present supplier, but you can submit a quote.”

“Excellent; may I ask you just a few quick questions?”

“Sure.”

“How many dumpsters
