Impressive Social Engineering Display

In this impressive social-engineering display, a hacker convinces a cell phone tech-support person to change an account password without being verified in any way.

Posted on December 15, 2016 at 3:43 PM • 15 Comments

Comments

parabarbarian • December 15, 2016 6:59 PM

Actually that was pretty impressive. I guess there can sometimes be a little too much customer service.

Ted • December 15, 2016 7:34 PM

The Federal Trade Commission’s Lorrie Cranor had her mobile phone account hijacked early this year and writes about the experience on the FTC’s tech blog. According to the blog post, the four major mobile phone carriers -- AT&T, Sprint, Verizon, and T-Mobile -- allow customers to protect their accounts with a PIN or password before the account can be altered. The FTC and others have dedicated time to reaching out to the Black Hat and DEF CON communities to work towards building cooperative relationships and to address protecting critical infrastructure, filling the security talent gap, and creating cyber policy.

https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief

http://www.darkreading.com/analytics/government-hackers-learn-to-make-nice/d/d-id/1326570

65535 • December 16, 2016 2:45 AM

That is an interesting vid.

Did anybody notice that the woman used a caller ID spoofer? That is where the originating phone number is spoofed to be the actual number of the person’s phone which is attached to the account [this method is also used in Swatter/swatting and by bill collectors]. There is some fairly serious technology at work.

The rest of the confidence game was a YouTube video of a baby crying sound and a good acting woman.

In years past this would have been called “swindling”, “conning” or “scamming” instead of the 24 carat expression “social engineering”. Basically, what you viewed was a con game mixed with a caller-ID spoof and a clever actor woman.

A swindle is still a swindle. It doesn’t need to be labeled “social engineering”, although to explain criminal acts there is the term “criminal science.” Maybe “social engineering” is a sub-category of “criminal science.” The more things change the more they stay the same… except for the caller ID spoofer software.
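Ted's comment above notes that the major carriers let customers put a PIN or password on the account, and 65535's comment points out that the caller's displayed number was spoofed. The following is an added example, not code from the post, from any commenter, or from any carrier: a small model of a support-desk account-change gate in which the presented caller ID is recorded for the audit trail but never counted as a verification factor. Only a correct account PIN or a completed callback to the number on file authorizes a change, and repeated wrong PINs lock the account. The account numbers, PIN, salt and lockout threshold are constructed sample values.

```python
"""Support-desk account-change gate where caller ID is never an authentication factor.

Added example: not code from the Schneier post or from any carrier. The
accounts, PINs and call records below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PIN_ATTEMPTS = 3      # lockout threshold (assumed policy value)
PBKDF2_ROUNDS = 50_000    # kept modest so the example runs quickly


@dataclass
class Account:
    number: str           # phone number on file
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class CallRecord:
    presented_caller_id: str            # what the switch displayed; settable by the originating side
    claimed_number: str                 # account the caller says is theirs
    offered_pin: Optional[str] = None   # PIN read out by the caller, if any
    callback_confirmed: bool = False    # caller answered a call the desk placed to the number on file


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow hash so a leaked account table does not expose PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class SupportDesk:
    def __init__(self, salt: bytes) -> None:
        self.salt = salt
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []

    def enroll(self, number: str, pin: str) -> None:
        self.accounts[number] = Account(number, hash_pin(pin, self.salt))

    def authorize_change(self, call: CallRecord) -> Tuple[bool, str]:
        """Decide whether an account change may proceed. Caller ID is deliberately unused."""
        acct = self.accounts.get(call.claimed_number)
        if acct is None:
            return self._log(call, False, "no such account")
        if acct.locked:
            return self._log(call, False, "account locked")
        if call.offered_pin is not None:
            if hmac.compare_digest(hash_pin(call.offered_pin, self.salt), acct.pin_hash):
                acct.failed_attempts = 0
                return self._log(call, True, "verified by PIN")
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_PIN_ATTEMPTS:
                acct.locked = True
                return self._log(call, False, "wrong PIN; account locked")
            return self._log(call, False, "wrong PIN")
        if call.callback_confirmed:
            return self._log(call, True, "verified by callback to number on file")
        return self._log(call, False, "no verification factor presented")

    def _log(self, call: CallRecord, ok: bool, reason: str) -> Tuple[bool, str]:
        # Caller ID goes into the audit trail for later investigation, nowhere else.
        self.audit.append(
            f"cid={call.presented_caller_id} acct={call.claimed_number} ok={ok} {reason}"
        )
        return ok, reason


def build_desk() -> SupportDesk:
    """Constructed sample desk with one enrolled account."""
    desk = SupportDesk(salt=b"constructed-static-salt")  # real systems: random per-account salt
    desk.enroll("+15551230001", "482913")
    return desk


def demo() -> List[Tuple[bool, str]]:
    """Walk through the scenario from the video: a spoofed caller ID with no PIN, then PIN guessing."""
    desk = build_desk()
    spoofed = CallRecord(presented_caller_id="+15551230001", claimed_number="+15551230001")
    results = [desk.authorize_change(spoofed)]
    for guess in ("000000", "111111", "222222"):
        results.append(desk.authorize_change(
            CallRecord("+15559990000", "+15551230001", offered_pin=guess)))
    # Even the right PIN is refused once the account is locked.
    results.append(desk.authorize_change(
        CallRecord("+15559990000", "+15551230001", offered_pin="482913")))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The point of the design is that `authorize_change` never reads `presented_caller_id`; it cannot be fooled by a spoofed number because the number plays no part in the decision. A callback to the number on file works where caller ID does not, since the desk originates that call itself.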

keiner • December 16, 2016 3:36 AM

@65535

She told the "victim" in the very beginning she would "use" his phone number. Serious tech? Really? My SIP provider allows me to use any caller phone number I want to... just saying.

65535 • December 16, 2016 4:01 AM

@ keiner

“My SIP provider allows me to use any caller phone number I want to... just saying.”

That is nice.

The two that I use don’t allow it. Mine only offer turning on your actual caller ID or turning off caller ID [for outbound calls]. I am in the States and in an area of high Swatting incidents. I believe my restrictions are because of high Swatting incidents in my area.

Actually, it is a little more complicated than I have described. I have a business so … OPsec and all, I cannot go into details. But, the above is the basic case.

Clive Robinson • December 16, 2016 5:30 AM

Socially Engineering (i.e. conning) Customer Support staff is a lot easier than it would otherwise be.

There are a number of reasons for this, the first is that they are subject to "Performance Monitoring" which is always lurking in the back of their mind. The second is the more obvious "We are here to help" mentality, exacerbated by the fact that many of the people they deal with are stressed / worried / don't have details etc.

Years ago I saw this sort of Social Engineering in the Hospitality industry where a hotel had hidden CCTV to try and stop room thieves talking a room key out of front desk staff.

But the question you have to ask is when is Social Engineering "just employing natural talent" and when is it "criminal". For several years I worked with someone who always got a hotel upgrade wherever he went. He had "the gift of the gab" and a nice line in "disappointed looks" and could "mump his way up" through at least a couple of upgrade levels...

vas pup • December 16, 2016 12:42 PM

A little bit out of social engineering, but directly related to psychological aspects of security and risks:

http://www.dw.com/en/study-finds-many-pilots-have-depression-but-dont-talk-about-it/a-36769201

"Medical experts found that 12.6 percent of the participants showed signs of depression. On average, the rate is between 4 and 7 percent. So pilots would appear to be more at risk. Some 4 percent even said they had had suicidal thoughts within the last two weeks." Happy Holiday Travel!

Drone • December 18, 2016 2:01 AM

What do you expect when you're speaking with a clueless exploited offshore phone-bank slave making $1 an hour?

Clive Robinson • December 21, 2016 2:20 PM

@ Gavin,

Are you trolling this thread?

It's just that nobody else has mentioned Russia, the Democrats or the CIA here...

Moderator • December 21, 2016 2:46 PM

@Clive, thank you; Gavin's post is completely off-topic and has been removed. @Gavin, please feel free to contribute on-topic comments on this or other posts; save remarks about DNC hacking for posts touching upon that subject.
