The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [31]

the victim being aware of its presence.

And that wasn’t all. He could go back at any time to search through the email messages and private memos of the company’s executives, running a text search for words that might reveal any interesting tidbits of information.

Late on the night that he conned his target into installing the Trojan Horse software, Bobby threw the cell phone into a Dumpster. Of course he was careful to clear the memory first and pull the battery out before he tossed it—the last thing he wanted was for somebody to call the cell phone’s number by mistake and have the phone start ringing!

Analyzing the Con

The attacker spins a web to convince the target he has a problem that, in fact, doesn’t really exist—or, as in this case, a problem that hasn’t happened yet, but that the attacker knows will happen because he’s going to cause it. He then presents himself as the person who can provide the solution.

The setup in this kind of attack is particularly juicy for the attacker: Because of the seed planted in advance, when the target discovers he has a problem, he himself makes the phone call to plead for help. The attacker just sits and waits for the phone to ring, a tactic fondly known in the trade as reverse social engineering. An attacker who can make the target call him gains instant credibility: If I place a call to someone I think is on the help desk, I’m not going to start asking him to prove his identity. That’s when the attacker has it made.

lingo

REMOTE COMMAND SHELL A nongraphical interface that accepts text-based commands to perform certain functions or run programs. An attacker who exploits technical vulnerabilities or is able to install a Trojan Horse program on the victim’s computer may be able to obtain remote access to a command shell.

REVERSE SOCIAL ENGINEERING A social engineering attack in which the attacker sets up a situation where the victim encounters a problem and contacts the attacker for help. Another form of reverse social engineering turns the tables on the attacker. The target recognizes the attack, and uses psychological principles of influence to draw out as much information as possible from the attacker so that the business can safeguard targeted assets.

mitnick message

If a stranger does you a favor, then asks you for a favor, don’t reciprocate without thinking carefully about what he’s asking for.

In a con like this one, the social engineer tries to pick a target who is likely to have limited knowledge of computers. The more he knows, the more likely that he’ll get suspicious, or just plain figure out that he’s being manipulated. What I sometimes call the computer-challenged worker, who is less knowledgeable about technology and procedures, is more likely to comply. He’s all the more likely to fall for a ruse like “Just download this little program,” because he has no idea of the potential damage a software program can inflict. What’s more, there’s a much smaller chance he’ll understand the value of the information on the computer network that he’s placing at risk.

A LITTLE HELP FOR THE NEW GAL

New employees are a ripe target for attackers. They don’t know many people yet, they don’t know the procedures or the dos and don’ts of the company. And, in the name of making a good first impression, they’re eager to show how cooperative and quick to respond they can be.

Helpful Andrea

“Human Resources, Andrea Calhoun.”

“Andrea, hi, this is Alex, with Corporate Security.”

“Yes?”

“How’re you doing today?”

“Okay. What can I help you with?”

“Listen, we’re developing a security seminar for new employees and we need to round up some people to try it out on. I want to get the name and phone number of all the new hires in the past month. Can you help me with that?”

“I won’t be able to get to it ’til this afternoon. Is that okay? What’s your extension?”

“Sure, okay, it’s 52 ... oh, uh, but I’ll be in meetings most of today. I’ll call you when I’m back in my office, probably after four.”

When Alex called about 4:30, Andrea
