The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [56]

dial tone leaving the central office.”

And then I told him, “I’ll call you when you get there,” because of course I couldn’t have him calling the Repair Center and asking for me.

I knew he wouldn’t want to leave the comfort of the central office to bundle up and go scrape ice off his windshield and drive through the slush late at night. But it was an “emergency,” so he couldn’t exactly say he was too busy.

When I reached him forty-five minutes later at the Webster CO, I told him to check cable 29 pair 2481, and he walked over to the frame and checked and said, Yes, there was dial tone. Which of course I already knew.

So then I said, “Okay, I need you to do an LV,” which means line verification, which is asking him to identify the phone number. He does this by dialing a special number that reads back the number he called from. He doesn’t know anything about if it’s an unlisted number or that it’s just been changed, so he did what I asked and I heard the number being announced over his lineman’s test set. Beautiful. The whole thing had worked like a charm.

I told him, “Well, the problem must be out in the field,” like I knew the number all along. I thanked him and told him we’d keep working on it, and said good night.

Mitnick Message

Once a social engineer knows how things work inside the targeted company, it becomes easy to use that knowledge to develop rapport with legitimate employees. Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind. Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect. The only reasonable safeguard in these cases is to enforce and audit procedures for verifying identity, including the person’s employment status, prior to disclosing any information to anyone not personally known to still be with the company.

So much for that Doug and trying to hide from me behind an unlisted number. The fun was about to begin.

Analyzing the Con

The young lady in this story was able to get the information she wanted to carry out her revenge because she had inside knowledge: the phone numbers, procedures, and lingo of the telephone company. With it she was not only able to find out a new, unlisted phone number, but was able to do it in the middle of a wintry night, sending a telephone switchman chasing across town for her.

“MR. BIGG WANTS THIS”

A popular and highly effective form of intimidation—popular in large measure because it’s so simple—relies on influencing human behavior by using authority.

Just the name of the assistant in the CEO’s office can be valuable. Private investigators and even head-hunters do this all the time. They’ll call the switchboard operator and say they want to be connected to the CEO’s office. When the secretary or executive assistant answers, they’ll say they have a document or package for the CEO, or if they send an email attachment, would she print it out? Or else they’ll ask, what’s the fax number? And by the way, what’s your name?

Then they call the next person, and say, “Jeannie in Mr. Bigg’s office told me to call you so you can help me with something.”

The technique is called name-dropping, and it’s usually used as a method to quickly establish rapport by influencing the target to believe that the attacker is connected with somebody in authority. A target is more likely to do a favor for someone who knows somebody he knows.

If the attacker has his eyes set on highly sensitive information, he may use this kind of approach to stir up useful emotions in the victim, such as fear of getting into trouble with his superiors. Here’s an example.

Scott’s Story

“Scott Abrams.”

“Scott, this is Christopher Dalbridge. I just got off the phone with Mr. Biggley, and he’s more than a little unhappy. He says he sent a note ten days ago that you people were to get copies of all your market penetration research over to us for analysis. We never got a thing.”

“Market
