The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [59]

wait, and then a voice. Now Keith shifted gears; “Hi,” he began. “This is Gregory Adams, District Office 329. Listen, I’m trying to reach a claims adjuster that handles an account number that ends in 6363, and the number I have goes to a fax machine.”

“That’s Mod 3,” the man said. He looked up the number and gave it to Keith.

Next he called Mod 3. When May Linn answered, he switched hats and went through the routine about being from the Office of the Inspector General, and the problem about somebody else having to use his computer. She gave him the information he was looking for, and agreed to do whatever she could when he needed help in the future.

Analyzing the Con

What made this approach effective was the play on the employee’s sympathy with the story about someone else using his computer and “my boss is not happy with me.” People don’t show their emotions at work very often; when they do, it can roll right over someone else’s ordinary defenses against social engineering attacks. The emotional ploy of “I’m in trouble, won’t you help me?” was all it took to win the day.

Social Insecurity

Incredibly, the Social Security Administration has posted a copy of their entire Program Operations Manual on the Web, crammed with information that’s useful for their people, but also incredibly valuable to social engineers. It contains abbreviations, lingo, and instructions for how to request what you want, as described in this story.

Want to learn more inside information about the Social Security Administration? Just search on Google or enter the following address into your browser: http://policy.ssa.gov/poms.nsf/. Unless the agency has already read this story and removed the manual by the time you read this, you’ll find on-line instructions that even give detailed information on what data an SSA clerk is allowed to give to the law enforcement community. In practical terms, that community includes any social engineer who can convince an SSA clerk that he is from a law enforcement organization.

The attacker could not have been successful in obtaining this information from one of the clerks who handles phone calls from the general public. The kind of attack Keith used only works when the person on the receiving end of the call is someone whose phone number is unavailable to the public, and who therefore has the expectation that anyone calling must be somebody on the inside—another example of speakeasy security.

The elements that helped this attack to work included:

• Knowing the phone number to the Mod.

• Knowing the terminology they used—numident, alphadent, and DEQY.

• Pretending to be from the Office of the Inspector General, which every federal government employee knows as a government-wide investigative agency with broad powers. This gives the attacker an aura of authority.

One interesting sidelight: Social engineers seem to know how to make requests so that hardly anyone ever thinks, “Why are you calling me?”—even when, logically, it would have made more sense if the call had gone to some other person in some completely different department. Perhaps it simply offers such a break in the monotony of the daily grind to help the caller that the victim discounts how unusual the call seems.

Finally, the attacker in this incident, not satisfied with getting the information just for the case at hand, wanted to establish a contact he could call on regularly. He might otherwise have been able to use a common ploy for the sympathy attack—“I spilled coffee on my keyboard.” That was no good here, though, because a keyboard can be replaced in a day. Hence he used the story about somebody else using his computer, which he could reasonably string out for weeks: “Yep, I thought he’d have his own computer yesterday, but one came in and another guy pulled some kind of deal and got it instead. So this joker is still showing up in my cubicle.” And so on.

Poor me, I need help. Works like a charm.

ONE SIMPLE CALL

One of an attacker’s main hurdles is to make his request sound reasonable—something typical of
