The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

who had gone to school with him had heard he turned into some kind of a computer whiz who could often find out useful information that other people couldn’t get. When Alice Conrad came to him to ask a favor, he said no at first. Why should he help? When he ran into her once and tried to ask for a date, she had turned him down cold.

But his refusal to help didn’t seem to surprise her. She said she didn’t think it was something he could do anyway. That was like a challenge, because of course he was sure he could. And that was how he came to agree.

Alice had been offered a contract for some consulting work for a marketing company, but the contract terms didn’t seem very good. Before she went back to ask for a better deal, she wanted to know what terms other consultants had on their contracts.

This is how Peter tells the story.

I wouldn’t tell Alice but I got off on people wanting me to do something they didn’t think I could, when I knew it would be easy. Well, not easy, exactly, not this time. It would take a bit of doing. But that was okay.

I could show her what smart was really all about.

A little after 7:30 Monday morning, I called the marketing company’s offices and got the receptionist, said that I was with the company that handled their pension plans and I needed to talk to somebody in Accounting. Had she noticed if any of the Accounting people had come in yet? She said, “I think I saw Mary come in a few minutes ago, I’ll try her for you.”

When Mary picked up the phone, I told her my little story about computer problems, which was designed to give her the jitters so she’d be glad to cooperate. As soon as I had talked her through changing her password, I then quickly logged onto the system with the same temporary password I had asked her to use, test 123.

Here’s where the mastery comes in—I installed a small program that allowed me to access the company’s computer system whenever I wanted, using a secret password of my own. After I hung up with Mary, my first step was to erase the audit trail so no one would even know I had been on his or her system. It was easy. After elevating my system privileges, I was able to download a free program called clearlogs that I found on a security-related Web site at www.ntsecurity.nu.

Time for the real job. I ran a search for any documents with the word “contract” in the filename, and downloaded the files. Then I searched some more and came on the mother lode—the directory containing all the consultant payment reports. So I put together all the contract files and a list of payments.

Alice could pore through the contracts and see how much they were paying other consultants. Let her do the donkeywork of poring through all those files. I had done what she asked me to.

From the disks I put the data onto, I printed out some of the files so I could show her the evidence. I made her meet me and buy dinner. You should have seen her face when she thumbed through the stack of papers. “No way,” she said. “No way.”

I didn’t bring the disks with me. They were the bait. I said she’d have to come over to get them, hoping maybe she’d want to show her gratitude for the favor I just did her.

Mitnick Message

It’s amazing how easy it is for a social engineer to get people to do things based on how he structures the request. The premise is to trigger an automatic response based on psychological principles, and rely on the mental shortcuts people take when they perceive the caller as an ally.

Analyzing the Con

Peter’s phone call to the marketing company represented the most basic form of social engineering—a simple attempt that needed little preparation, worked on the first attempt, and took only a few minutes to bring off.

Even better, Mary, the victim, had no reason to think that any sort of trick or ruse had been played on her, no reason to file a report or raise a ruckus.

The scheme worked through Peter’s use of three social engineering tactics. First he got Mary’s initial cooperation by generating fear—making her think that her computer might not be usable. Then he took the
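The defensive counterpart to Peter’s story, added here as an editor’s example and not taken from the book: the intrusion leaves a recognisable sequence in the logs before the audit trail is wiped, namely a password change for an account, a logon to that account from a host it has never used, and then an audit-log-cleared event. The code below correlates those three steps over a small constructed log. The event schema, the host names (such as dialup-pool-19 and fileserver-01), the per-account list of known hosts and the one-hour window are all assumptions for illustration; no real product’s log format is implied.

```python
"""Correlate the sequence from the story: password change -> logon from an
unfamiliar host -> audit log cleared.  Added example; the event schema,
hosts and timings are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # "password_changed", "logon" or "audit_log_cleared" (assumed schema)
    user: str   # account the event concerns
    host: str   # workstation the account logged on from, or server the event was recorded on


def _t(hh, mm):
    """Helper: every sample timestamp falls on one constructed Monday morning."""
    return datetime(2002, 1, 7, hh, mm)


# Constructed sample log.  "mary" mirrors the victim in the story; "bob" is a
# control case: a password change followed by a normal logon from his own desk.
SAMPLE_EVENTS = [
    Event(_t(7, 41), "password_changed", "mary", "acct-ws-07"),
    Event(_t(7, 43), "logon", "mary", "acct-ws-07"),
    Event(_t(7, 44), "logon", "mary", "dialup-pool-19"),      # assumed attacker source
    Event(_t(7, 52), "audit_log_cleared", "mary", "fileserver-01"),
    Event(_t(8, 5), "password_changed", "bob", "acct-ws-03"),
    Event(_t(8, 6), "logon", "bob", "acct-ws-03"),
]

# Hosts each account normally logs on from.  Assumed baseline; in practice it
# would be built from a few weeks of logon history.
KNOWN_HOSTS = {"mary": {"acct-ws-07"}, "bob": {"acct-ws-03"}}


def find_suspicious_chains(events, known_hosts, window=timedelta(hours=1)):
    """Return one finding per password change that is followed, inside `window`,
    by a logon for the same account from a host not in its baseline.  Each
    finding records whether the audit log was cleared after that logon."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for idx, pw in enumerate(events):
        if pw.kind != "password_changed":
            continue
        deadline = pw.ts + window
        trusted = known_hosts.get(pw.user, set())
        for logon in events[idx + 1:]:
            if logon.ts > deadline:
                break
            if logon.kind != "logon" or logon.user != pw.user or logon.host in trusted:
                continue
            # A logon from a host this account never uses, minutes after the
            # reset, is the "I then quickly logged onto the system" step.
            cleared_after = any(
                e.kind == "audit_log_cleared" and logon.ts <= e.ts <= deadline
                for e in events
            )
            findings.append({
                "user": pw.user,
                "reset_at": pw.ts,
                "logon_from": logon.host,
                "logon_at": logon.ts,
                "audit_log_cleared": cleared_after,
                "severity": "high" if cleared_after else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(finding)
```

The check only helps if the records survive: clearing the local audit log, as Peter does, destroys exactly the evidence the correlation needs, so the events have to be forwarded to a collector the compromised host cannot write to before the correlation is worth running. The password-change event on its own is not suspicious (help-desk resets happen all day); it is the unfamiliar logon source within the window that raises it, and the log clearing that escalates it.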
