Entries Tagged "social engineering"


More Forged Credentials

I’ve written about forged credentials before, and how hard a problem it is to solve. Here’s another story illustrating the problem:

In an apparent violation of the law, a controversial aide to ex-Gov. Mitt Romney created phony law enforcement badges that he and other staffers used on the campaign trail to strong-arm reporters, avoid paying tolls and trick security guards into giving them immediate access to campaign venues, sources told the Herald.

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

Posted on July 20, 2007 at 1:37 PM

New Trojan Mimics Windows Activation Interface

Clever:

What they are calling Trojan.Kardphisher doesn’t do most of the technical things that Trojan horses usually do; it’s a pure social engineering attack, aimed at stealing credit card information. In a sense, it’s a standalone phishing program.

Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you don’t enter the credit card information it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down.

Running on the first reboot is clever. It inherently makes the process look more like it’s coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.

More info here.

Posted on May 5, 2007 at 7:59 AM

Social Engineering Notes

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV. A summary:

Just days after the Boston bomb scare, another team of Boston-based pranksters smuggled and distributed 2,350 suspicious light-up devices into the Super Bowl. Due to its attractiveness as a terrorist target, Dolphin Stadium was on a Level One security alert, a level usually reserved for Presidential inaugurations. By posing as media reporters, the pranksters were able to navigate 95 boxes through federal marshals, Homeland Security agents, bomb squads, police dogs, and a five-ton X-ray crane.

Given all the security, it’s amazing how easy it was for them to become part of the security perimeter with all that random stuff. But to those of us who follow this thing, it shouldn’t be. His observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.

Again, no surprise here. But it makes you wonder what’s the point of annoying the hell out of ordinary citizens with security measures (like pat down searches) when the emperor has no clothes.

Someone who crashed the Oscars last year gave similar advice:

Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned.

On a much smaller scale, here’s someone’s story of social engineering a bank branch:

I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.

“Hello,” I say. “John Doe with XYZ Pest Control, here to perform your pest inspection.” I flash her the smile followed by the credentials. She looks at me for a moment, goes “Uhm… okay… let me check with the branch manager…” and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.

It does.

Social engineering is surprisingly easy. As I said in Beyond Fear (page 144):

Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.

All it takes is a good cover story.

EDITED TO ADD (4/20): The first commenter suggested that the Zug story is a hoax. I think he makes a good argument, and I have no evidence to refute it. Does anyone know for sure?

EDITED TO ADD (4/21): Wired concludes that the Super Bowl stunt happened, but that no one noticed. Engadget is leaning toward hoax.

Posted on April 20, 2007 at 6:41 AM

Story of a Credit Card Fraudster

A two-part story from The Guardian: an excerpt from Other People’s Money: The Rise And Fall Of Britain’s Most Audacious Credit Card Fraudster.

The first time I did the WTS, it was on a man from London who was staying in a £400 hotel room in Glasgow. I used my hotel phone trick to get his card and personal information—fortunately, he was a trusting individual. I then called his card company and explained that I was the gentleman concerned, in Glasgow on business, and had suffered the theft of my wallet and passport. I was understandably distraught, lying on my bed in Battlefield and speaking quietly so my parents couldn’t hear, and wondered what the company suggested I do. The sympathetic woman at the other end proposed I take a cash advance set against my account, which they could have ready for collection within a couple of hours at a wire transfer operator.

Posted on April 4, 2007 at 6:25 AM

Social Engineering Diamond Theft

Nice story:

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

[…]

Mr Claes said of the thief: “He used no violence. He used one weapon—and that is his charm—to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

“You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.”

People are the weakest security link, almost always.

Posted on March 19, 2007 at 3:42 PM

Huge Online Bank Heist

Wow:

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

This is my favorite line:

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

Um…hello? Are you an idiot, or what?

Posted on January 23, 2007 at 12:54 PM

MPAA Kills Anti-Pretexting Bill

Remember pretexting? It’s the cute name given to…well…fraud. It’s when you call someone and pretend to be someone else, in order to get information. Or when you go online and pretend to be someone else, in order to get something. There’s no question in my mind that it’s fraud and illegal, but it seems to be a gray area.

California is considering a bill that would make this kind of thing illegal, and allow victims to sue for damages.

Who could be opposed to this? The MPAA, that’s who:

The bill won approval in three committees and sailed through the state Senate with a 30-0 vote. Then, according to Lenny Goldberg, a lobbyist for the Privacy Rights Clearinghouse, the measure encountered unexpected, last-minute resistance from the Motion Picture Association of America.

“The MPAA has a tremendous amount of clout and they told legislators, ‘We need to pose as someone other than who we are to stop illegal downloading,’” Goldberg said.

These people are looking more and more like a criminal organization every day.

EDITED TO ADD (12/11): Congress has outlawed pretexting. The law doesn’t go as far as some of the state laws—which it pre-empts—but it’s still a good thing.

Posted on December 4, 2006 at 7:38 AM

Notary Fraud

Many countries have the concept of a “notary public.” Their training and authority vary from country to country; in the United States, their primary role is to witness the signature of legal documents. Many important legal documents require notarization in addition to a signature, primarily as a security device.

When I get a document notarized, I present my photo ID to a notary public. Generally, I go to my local bank, where many of the employees are notary publics and I don’t have to pay a fee for the service. I sign the document while the notary watches, and he then signs an attestation to the fact that he saw me sign it. He doesn’t read the document; that’s not his job. And then I send my notarized document to whoever needed it: another bank, the patent office, my mortgage company, whatever.

It’s an eminently hackable system. Sure, you can always present a fake ID—I’ll bet my bank employee has never seen a West Virginia driver’s license, for example—but that takes work. The easiest way to hack the system is through social engineering.

Bring a small pile of documents to be notarized. In the middle of the pile, slip in a document with someone else’s signature. Since he’s busy with his own signing and stamping—and you’re engaging him in slightly distracting conversation—he’s probably not going to notice that he’s notarizing something “someone else” signed. If he does, apologize for your honest mistake and try again elsewhere.

Of course, you’re better off visiting a notary who charges by the document: he’ll be more likely to appreciate the stack of documents you’ve brought to him and less likely to ask questions. And pick a location—not like a bank—that isn’t filled with security cameras.

Of course, this won’t be enough if the final recipient of the document checks the signature; you’re on your own when it comes to forgery. And in my state the notary has to keep a record of the document he signs; this one won’t be in his records if he’s ever asked. But if you need to switch the deed on a piece of property, change ownership of a bank account, or give yourself power of attorney over someone else, hacking the notary system makes the job a lot easier.

Anyone know how often this kind of thing happens in real life?

Posted on November 29, 2006 at 7:19 AM
