Social Engineering Via Voicemail

Here's a clever social engineering attack:

The Division has received a number of calls concerning a voicemail message left by an anonymous female caller urging them to purchase a particular penny stock. The message is intended to appear as if the caller is calling a close friend and has dialed the wrong number. The caller talks fast stating she has a great inside deal on a penny stock. The caller personalizes the conversation by saying the recommendation comes from a broker the woman is dating and that her father previously purchased stock and made a huge profit. The purpose of the call is to make you think you've received a hot stock tip by mistake.

Posted on May 20, 2005 at 8:37 AM • 29 Comments

Comments

Matt ClausonMay 20, 2005 9:45 AM

Bruce, I'm not quite certain I'd call it a social engineering attack, just as I wouldn't call recieving the same spam via email an SE attack. A new delivery method/scam, yes... But not really an attack.

xMay 20, 2005 9:58 AM

Oh here we go with the semantics... This is an attack, in the general sense: Something that tries to make something bad happen, that isn't supposed to happen under ideal circumstances.

xxMay 20, 2005 10:15 AM

Too right, its an attack, SPAM IS a social engineering attack. Good golly.

hudsonMay 20, 2005 10:35 AM

The Observer column in the print edition of the Financial Times had a short blurb on the caller ("Debbie") last week and compared her track record to that of other analysts. Interestingly, she caused the price of the OTC stock to move than most financial analysts would have been able to do by giving buy recommendations.

Mark H.May 20, 2005 10:51 AM

I received a voice message like this a couple months ago, so this is not exactly new. But it was very well done. Had me going for about 1/2 second :)

Matt ClausonMay 20, 2005 10:54 AM

While spam is a social engineering attack in the sense that it tries to get you to buy something, the same could be said for regular advertising, which a lot of people wouldn't classify as an SE attack.

Tim VailMay 20, 2005 11:15 AM

I agree, regular advertising is not a SE attack. I'd even agree that spam might not be a social engineering attack in some sense.

However, the part that really makes this an "social engineering attack" is the fact that the caller deliberately makes it sound like they are giving a hot tip to a personal friend. This is a misleading technique meant to gain someone's trust so that they will buy the stock they would not otherwise buy. Techniques like this to gain someone's trust in order to break it is what social engineering attack is all about.

That is the real issue here.

Fred F.May 20, 2005 12:31 PM

In the US it would at least be deceitful advertizing. The FTC should be able to prosecute if they want to.

jblMay 20, 2005 12:51 PM

Re: "In the US it would at least be deceitful advertizing. The FTC should be able to prosecute if they want to."

So should the SEC (and they do). This is a telemarketing version of the "Pump & Dump" scam that's been so common in email spam[1] for the past many years. I often copy spam reports for this kind of spam to enforcement@sec.gov.

/JBL

[1]"SPAM" (all caps) is the registered trademark owned and reserved by Hormel Foods Corporation. They've been very tolerant of people, including the entire spam-fighting community, using the generic term to refer to bulk/junk email, and out of respect for that I like to follow their typographic convention (see http://www.spam.com/ci/ci_in.htm). Of course they've also been profiting from the connection with Monty Python and the musical "Spamalot".

DevanshuMay 20, 2005 12:54 PM

All spam is definitely not a social engineering attack; but of course a lot of it is. It is definitely an attack since it tries to subvert the system through social engineering.

Saar DrimerMay 20, 2005 2:47 PM

I would say that even "deceitful advertising" is a social engineering attack. An attack _attempts_ to bring harm to the victim; any attempt to provide false information in order to inflict (financial, in this case) damage is an SE attack, IMO. As Devanshu says, much of SPAM is of such nature.

pigletMay 20, 2005 3:16 PM

While we are about to argue about the semantics: The purpose of an "attack" is not necessarily to inflict damage, but to gain something. If somebody is harmed in the process, this is a side effect and not generally the intention (sometimes it is). Now some of you will say that the attacker cannot make a gain without harming others. But if that is true, then you should also agree that capitalism is a very evil system ;-)

DevanshuMay 20, 2005 3:30 PM

I disagree with piglet- attacks don't necessarily need to gain anything. You could have a a purely psychopathic attack. The motivation is not important; the potential damage to someone is.

yodatMay 20, 2005 3:36 PM

Whether or not its SE or spam or whatever, will make absolutly no difference in the outcome if you are dumb enough to fall for it so why spend all this time arguing whether or not its SE.

What it is, is a scam that is intended to separate you from your money, period.

pigletMay 20, 2005 3:54 PM

Right Devanshu - so let's be precise and say that some attacks intent to inflict damage, and some attacks intent to realize a gain. Some attacks have a completely different intention (e.g. surprise, fame, political statement, communication guerilla) while some seem not to have any intention at all ("purely psychopathic").

Which brings us to the next question: what, exactly, is an attack? ;-) "Something that tries to make something bad happen", that won't do. In truth, the word "attack" implies only a tactique, not a purpose, and it isn't even always clear whi is attacker and who is defender.

Davi OttenheimerMay 20, 2005 9:09 PM

I find it interesting that anyone would describe a fraud scheme perpetrated through an automated system as "social engineering". Although human behavior is obviously influenced by signs/language, a more useful definition of social engineering deals with actual human interaction (social skills) used to obtain or compromise information, usually with intent to gain higher authorization/access to systems or organizations, not just money.

If the "engineering" is all performed behind the scenes (e.g. in an effort to build an efficient one-to-many spim/spam engine), rather than in an "interactive" environment, then I do not think it qualifies as "social" enough to be labelled "social engineering". If we do not make this sort of distinction, then social engineering will become vaguely defined as any kind of human behavior modification.

IanMay 20, 2005 10:41 PM

"Social" Engineering is what we have here. You go from text to voice and next to moving pictures - on the "compelling" scale. If you "hear" it you are one step closer to the truth. Just like "everything" on TV is true - what you hear with your ears - also rings of truth (no puns please).

So the "danger" is how compelling voice is over the now common text spam.

Me, I say it is at least an order of magnitude more effective just by being in "voice" format.

And guys... it HAS to end with a cute voice saying "I love you bye bye"...

That is a direct attack on you.

A F(r)iendMay 20, 2005 11:30 PM

Capitalism is a social engineering attack writ large. Being born is like joining a Monopoly(TM) game after the other players have bought up all the properties and built houses and hotels.

That said, are people really so stupid that they would buy a stock just because some hot sounding woman left a message sounding like it was meant for someone else? There is an old saying that says you can't cheat an honest man. As long as greed is part of human nature, these lame "attacks" will continue to succeed.

A F(r)iend

-jcMay 22, 2005 7:19 AM

So does this mean that there will also be the morta(ge ads, the viagra/callis spam and the bigger better sexual prowess aids filling up voice mail (answering machines) as well as my computer mailbox in the near future?
If so, this is going to become a real problem.

Ari HeikkinenMay 22, 2005 2:48 PM

I wouldn't call this an attack. It probably isn't even illegal. It would probably equal to a little "prank" message to someone's voicemail. I'm sure you wouldn't even get fines anywhere in the world for doing this (leaving one message to someone's voicemail). Maybe if someone could prove you left that same message to say thousands of voicemails, but it's unlikely that many would even bother to complain (and you could send those messages from payphones).

mud and flameMay 22, 2005 5:45 PM

@Ari Heikkinen:
"I wouldn't call this an attack. It probably isn't even illegal."

Maybe you missed the point of doing this? It's a "pump and dump" scheme in which someone buys a penny stock, makes fraudulent statements to get others to buy it, and then sells when the price rises. It's a venerable form of fraud, illegal under the Securities Act of 1933 in the U.S.

Tim VernumMay 22, 2005 9:51 PM

Whether this specific case is an SE attack isn't really that important.

What's more intesting to think about is whether this class of attack can be used more extensively?

I imagine a number of phishing scams could be targeted in this way.

How about: "Hey John, it's me. About the pre order for Star Wars tickets, just logon to www dot preordertickets dot com and use your credit card. We'll organise transport at lunch tomorrow."

That'd probably get a few Credit card numbers out of people. (Not that credit card numbers are that hard to come by anyway).

I'm sure you could do similar things to get social security numbers, etc.

Davi OttenheimerMay 23, 2005 12:46 AM

"As long as greed is part of human nature, these lame "attacks" will continue to succeed."

That's a fallacy and an unfair characterization of the situation -- you're blaming the victim. Trust should not be thrown out the window just because someone has found a way to manipulate it.

Bruce SchneierMay 23, 2005 2:59 AM

"That's a fallacy and an unfair characterization of the situation -- you're blaming the victim. Trust should not be thrown out the window just because someone has found a way to manipulate it."

Don't confuse understanding the situation with blaming the victim. I think he's right; attacks the prey on greed will continue to succced as long as greed is part of human nature. That doesn't make those attacks right, that doesn't make the victims blameworthy, that that should make confidence trickstering legal.

Understanding the part of human nature that responds to these sorts of attacks is a necessary first step towards defending against them.

JonathanMay 23, 2005 10:27 AM

This occurane could be seen to some as an attack, and others as something minor. In actuality they are both these things. We need to consider a few things. While in many respects this is an invasion of privacy, an annoyance, a mistruth, and something which could potentially lead to negative events, the effects of this disturbance are dependent on the reaction of the individual. If the individual is intelligent and aware, the disturbance will easy pass by as 'one of those things' and they will continue with their lives. If enough people grow aware and the success rate of fooling people with these drops, I believe they would simple fad away as time passes and society pushes forward to new things.

Ari HeikkinenMay 23, 2005 1:36 PM

I have to admit I only read the quote and not the alert itself. Reading that alert it looks like fraud, but you still have to evaluate these cases one by one. How about hiring someone to leave these messages about your competitors stock and then report that to SEC?

Nick BrookeMay 24, 2005 3:20 AM

I first heard this done, rather well, on Capital Radio (London, UK), c.20 years ago, as an April Fool's prank. During a phone-in competition, the DJ appeared to get crossed lines with a worried caller talking about how he's dumped the bag holding the money from "the job that went wrong" in a certain hollow tree in a corner of a park in London, and hoping his confederate will be able to get there to reclaim it. Of course, a radio crew was staking out the tree and interviewing any optimistic/credulous listeners who just happened to be passing by...

another_bruceMay 25, 2005 12:25 AM

a fool and his money were lucky to get together in the first place.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..