Social Engineering Penetration Testing: Executing Social Engineering Pen Tests, Assessments and Defense

enterprises.

Chapter 1

An Introduction to Social Engineering

Gavin Watson,    Senior Security Engineer, RandomStorm Limited

This chapter will introduce the reader to the concept of social engineering.

Information in this chapter

• Defining social engineering

• Examples from the movies

• Sneakers

• Hackers

• Matchstick Men

• Dirty Rotten Scoundrels

• The Imposter

• Famous social engineers

• Kevin Mitnik

• Frank Abagnale

• Badir Brothers

• Chris Hadnagy

• Chris Nickerson

• Real-world attacks

• The RSA breach

• The Buckingham Palace breach

• The Financial Times breach

• The Microsoft XBox breach

• Operation Camion

Introduction

This chapter has the sole aim of introducing the reader to the concept of social engineering. There are various definitions, some vague and others precise, and these will be discussed in order to explain what the concept of social engineering is really about. Everyday examples will be used to show the reader the various forms of social engineering used, highlighting how such techniques are not necessarily confined to the realm of criminal activity.

To further understand the social engineering concept, this chapter will then discuss some of the excellent examples from various movies. With the assistance of poetic license, writers have been able to create wonderful examples of how social engineering could potentially be used. Although these examples are of course fictitious, they are in fact based on very real techniques, providing criminal minds with inspiration as well as providing entertainment.

Certain individuals have pioneered social engineering techniques, resulting in some being made famous and others fairly notorious. The exploits of both historical and modern day social engineers, such as Kevin Mitnick and Frank Abagnale, will be covered. This will demonstrate how single individuals have used these techniques to achieve extraordinary breaches of seemingly robust security.

This chapter will conclude by focusing on the negative side of social engineering and how it has been used to commit crime. The various attacks discussed demonstrate the true reality of the situation: Social engineering attacks are routinely being used by organized criminal groups and they are a highly effective means of assault.

Defining social engineering

Social engineering has many definitions depending on which book you read or to whom you speak. The Oxford dictionary defines it as:

The application of sociological principles to specific social problems…

Despite being partially relevant, in truth it falls far short of accurately describing what real world social engineering truly is.

Another possible definition of social engineering might be:

The art of intentionally manipulating behaviour using specially crafted communication techniques.

This definition reduces social engineering down to the absolute basics of leveraging communication in all its possible manifestations with the objective of exploiting the human factor. Therefore, where there is interaction there is always the capacity and potential for social engineering. The most fundamental example of this would be the act of lying. Although the historical roots of individuals committing immoral acts is beyond the scope of this book, it is important to note that social engineering is as old as communication itself.

The SANS Institute’s definition¹ provides an alternative explanation, which is certainly closer to the mark with:

Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.

The important part of this definition is the context within which the concept is applied. You could define social engineering as the techniques used to elicit information or manipulate behavior but that doesn’t do it justice in the context of information security, which is the focus of this book. When it comes to securing your business’ sensitive information social engineering then becomes:

The art of eliciting sensitive information and/or manipulating individuals into performing actions that may result in a security breach.

You could argue that eliciting sensitive information is in itself a security breach, but what is meant in this definition are breaches of network or physical security or indeed both. This definition and the context of business information security is the basis for all information within this book.

Considering the use of the word "art in the previous definition, is social engineering regarded as an art form? The authors of this book believe the answer to that must be yes. Social engineering is not an exact science, often involving the application of very creative thinking. This book aims to present very logical and structured models to aid in social engineering assessments, however, it does not mean that social engineering can be completely reduced to an absolute if A set of actions then B." The models presented in this book help to ensure value for the client through accurate and thorough assessments. However, once these models have been followed the social engineer can apply all manner of creative spins on the scenarios, providing of course that they don’t then contradict the advice of the models used in the first place.

The various social engineering techniques aim to exploit vulnerabilities in human nature rather than those of a computer system. The terms, human hacking and hacking wetware have been used in obscure security articles and some cyberpunk inspired novels to describe social engineering methods. A typical social engineer may use myriad psychological techniques to manipulate their target, these can range from leveraging emotional states through to clever sentence structure and personality profiling. The techniques used vary greatly and so social engineering can be thought of as an eclectic collection of manipulation techniques. However, it is not just limited to psychological trickery. Social engineers may use props and disguises and even go to the great lengths of creating entire scenarios involving many different stages to achieve their objectives. The techniques can also be applied to other platforms such as telephone calls or e-mail, not just face-to-face encounters.

Arguably one of the finest examples of individuals that engage in social engineering techniques are successful sales persons. The average sales person has one simple objective: to sell their service or product to their client. In order to do this the sales person will not simply ask the client if they would like to buy, but rather leverage every possible available technique to influence the client’s decision. A very simplistic example would be the use of open rather than closed questions. A closed question can be answered with a simple Yes or No whereas an open question requires a lengthier, often less absolute answer. For example, the sales person may say:

So how many would you like to buy? rather than Would you like to buy it?, or How can I help you? rather than, Can I help you?

There are even various sales models and methodologies focused simply on overcoming client objections to successfully close a sale. However, the parallels between successful social engineers and successful salesmen go far beyond the standard sales process.

The very best salesmen will research their potential client, perhaps simply to find something they have in common to talk about. Mentioning your latest golf exploits at the end of the meeting may well gain favor with a client that has a keen interest in the sport. Some sales persons may take this even further by actually profiling their client, reading any available information associated with the subject to provide a better sales pitch. This initial reconnaissance is mirrored in the first stages of a social engineering attack with the target company and the staff research. Social engineers will harvest as much information as they can to increase the chances of perpetrating a successful attack. Consequently, both salesmen and social engineers will take full advantage of getting to know their targets very well.

Additionally social engineers may try to impersonate individuals to elicit sensitive information from their targets. Similarly, the successful sales person may also try impersonation in an attempt to gain a foothold for the sales process. For example, impersonating staff members simply to get a direct telephone number to a particular department or specific staff member or to elicit information on competing sales companies. Social engineers will contact the target company to elicit similar information to aid in further attacks. The only difference is the ultimate objective with the salesman wanting a sale and the social engineer wanting to gain access to sensitive information or to gain information they can use to attack the company in some other way.

Therefore it can be said that salesmen make the best social engineers, with their natural confidence, positive attitude, and experience of effective influencing techniques. Their sole purpose is to sell you a concept or an idea. However, when that concept changes from buying something to giving up your password, you’d best be on your guard, buyers beware!

There are a plethora of individuals in everyday life that use social engineering techniques, not just clever sales persons. In fact you may have used the techniques many times yourself, perhaps to convince a friend to do something or prise some snippet of information out of a colleague. Indeed numerous agencies, departments, organizations or groups are known to employ such techniques as part and parcel of their standard trade craft. For example:

• Law enforcement agencies, in order to draw information out of alleged criminal suspects

• Private investigators, to elicit information

• Lawyers, when questioning the witness

• Grifters and Hustlers, when tricking their mark

• even children, when trying to manipulate their parents

• organized criminals when attacking businesses.

Examples from the movies

Poetic license has enabled writers to create some of the most entertaining and often ludicrous social engineering scenarios. Although most of the creative hustles we see in the movies are somewhat far-fetched, they are almost always based on very real techniques. In truth the movies can often demonstrate what could potentially be possible if the social engineer was daring enough and had the available resources to attempt it.

Sneakers

The 1992 film Sneakers directed by Phil Alden Robinson is full of excellent examples of social engineering techniques. The main character Martin Bishop runs a Tiger Team² style company who specialize in breaking security systems, with the aim of helping the client better defend against similar attacks. The team are approached by government officials and pressured into retrieving a mysterious black box device from the famous mathematician Dr. Gunter Janek. The box is believed to have been built for the former Soviet government and the United States are concerned that it may be a case of national security. Martin and his team retrieve the box, discovering that it is able to break any US encryption scheme. Martin hands the box over to the government officials but soon realizes that they were in fact impostors and his team then has to pull off their most difficult mission yet to get the box back and into safe hands.

The scene where Martin is approached by the government officials and asked to perform the task of retrieving the black box device is an excellent example of multiple social engineering techniques. The two government officials are impostors, actually working for a criminal organization. Martin is duped and drawn into their plot by a number of factors. First, the two officials present plausible facades as government officials: they have what appears to be the correct credentials, talk like government officials and even produce information that Martin presumes only a government would have. All these reaffirm their credibility and so to Martin the two men look, sound and act exactly like the people they are trying to impersonate. They both put pressure on Martin and make him focus on an ultimatum: help them or have his real identity as a computer hacker used against him. In doing so they successfully manipulate Martin into agreeing to help them, all the time keeping his attention fixed on his situation and leaving no room for doubting their actual identities. Despite performing similar impersonations countless times, Martin falls for their scam completely. The social engineering element of this scene is the combination of impersonation, choice of words and subtly guiding the victim to focus on the right elements.

For Martin to achieve his objective he needs to break into the building where the black box is initially located, by gaining access through reception. Again, this is accomplished by using more than one social engineering technique. One of the team members approaches reception claiming that they have a delivery to take inside. The receptionist refuses to allow them entry and the team member continues to try and convince the receptionist to make an exception, claiming that they may lose their job. This is already an attempt to invoke guilt in the target to try and make them comply. Simultaneously, Martin approaches the desk asking if his wife had dropped a cake off, referencing the second floor of the building. The purpose of this is to plant the seed of credibility while the receptionist is distracted. The receptionist then returns to arguing with the delivery driver. Martin leaves before returning with a cake and balloons, asking the receptionist to release the locking mechanism as he has no hands free to retrieve his card (a card he doesn’t have). With the receptionist distracted by the delivery driver and an ensuing argument, Martin then shouts at the receptionist to "Push the damn buzzer will you!" Of course the receptionist immediately does so to escape the increasingly stressful situation. The two team members both impersonate different individuals and play out a scenario designed to confuse, disorientate and stress the receptionist, manipulating him into opening the door for Martin. The situation or scenario is entirely plausible and that results in the security being breached without anyone knowing. The receptionist was not forced into doing something they knew would result in a breach, they caused a breach but would probably never realize they did. From the receptionist’s perspective, Martin would have had access in any other case. This creation of a plausible situation adding in the elements of impersonation and emotional manipulation is a superb example of social engineering in action.

Later on in the film the team engage in further reconnaissance of a specific employee so as to find something they could use to manipulate him. They discover the target to be hopelessly uninteresting and even resort to stealing his garbage, in an attempt to find anything useful. This is a classic example of dumpster diving, a subject that will be revisited in Chapter 11. However, this apparently desperate approach provides fruitful results, as the team uncover evidence of his involvement in the computer dating scene, providing a new vector for attack: the Honey Trap. This involves the use of an attractive team member of the opposite sex to pretend to be attracted to the target, using the computer dating system as a tool with which they can gain access to the individual of interest.

This tactic is nothing new, in fact Greek Mythology makes mention of the Sirens who were dangerous and beautiful creatures, portrayed as femme fatales who lured nearby sailors with their enchanting music and voices to shipwreck on the rocky coast of their island. Indeed, this tactic proved to be extremely successful when used by the Dissident Republican terrorists against members of the British Military.

Thoroughly researching a target, even if it means going through their garbage, is one of the first stages to building a successful attack scenario.

Hackers

The 1995 film Hackers, directed by Iain Softley, begins with the arrest of 11-year-old Dade Murphy (aka Zero Cool). Dade is charged with writing a computer virus that causes 1507 computers to crash and a seven point drop in the New York Stock Exchange. Following his arrest Dade is banned from using a computer until his 18th birthday. He teams up with a group of hackers and they uncover a plot to release an extremely dangerous computer virus. The computer genius behind the evil plot frames the hackers and they race to gather evidence to clear their names.

The film Hackers is certainly embellished, showing wildly unrealistic scenarios with myriad technical inaccuracies and exaggerations. However, the film does contain some great examples of social engineering methodologies to aid attacks against technical systems.

Having turned 18, Dade immediately resumes his passion of hacking into the computer systems. His first target is the OTV Studios television network where he gains the initial foothold on the computer network using social engineering techniques. Dade calls up the security desk impersonating a Mr Eddie Vedder from the accounting department. The security desk employee (Norm) answers the phone. Eddie explains that he has just had a power surge at his home, which has wiped out a file he was just working on. He expresses the seriousness of the situation claiming that he is in big trouble and asks "Do you know anything about computers? Norm responds with a somewhat apprehensive, Err…Gee. Dade now knows that the employee certainly isn’t confident with computers and therefore his pretext is more likely to be successful. Dade continues My BLT drive on my computer just went AWOL and I have this big project due tomorrow for Mr Kawasaki. Throwing in a few abbreviations, he continues to make the security desk employee feel more inadequate to deal with the situation, giving Dade the upper hand. He also stresses the importance of the project claiming If I screw up, he’ll make me commit hari-kari. This increases the pressure on the target so that when a solution is presented they’ll grab it. Dade then asks Could you read me the number on the modem?" The security desk employee jumps at the opportunity to escape the situation and happily reads off the number. Having possession of the modem number, Dade is able to connect to the television studio’s networks.

Putting the technical inaccuracies aside, this is an excellent example of social engineering in action. Through one phone call Dade establishes if the target individual is vulnerable, plays through a plausible scenario (pretext), applies pressure and then presents a solution that results in him obtaining the sensitive information.

Matchstick Men

The 2003 film Matchstick Men tells the story of two con artists, Roy and Frank. Together they run a small-time grifting operation selling water filtration systems at greatly inflated prices, promising the unsuspecting victims big prizes that they of course never collect.

Roy suffers from obsessive compulsive disorder (OCD), which begins to affect his work. His partner Frank suggests he see a psychiatrist to help him cope with his symptoms. While Roy is only interested in replacing his medication, the psychiatric sessions end up exploring Roy’s difficulties. The subject of Roy’s previous relationships is discussed, revealing that he has a daughter, something he suspected but never confirmed. Roy’s life is turned upside down when he decides to meet his 14-year-old daughter Angela, especially when she learns of his real profession and wants to get involved.

The entire film is an example of an extended (long game) con involving countless techniques. The two con artists employ a variety of different techniques including distraction, misdirection, impersonation, emotional manipulation and baiting to name just a few. However, it is the technique of baiting that features most prominently in their cons. The phrase "You can’t con an honest man" is mentioned in the film, implying that only the dishonest would take the bait. Their regular con selling water filtration systems baits the victim with a chance to win a huge prize. This is provided they’re willing to play the system and dodge the tax. In their later cons they bait the victim by presenting the opportunity to make a large sum of money, although through obviously fraudulent ways.

Baiting is a classic technique used by social engineers and is often seen in phishing scams. The social engineers often attach malicious files with tempting names such as Payroll 2014 for example. Baiting can also be seen in physical attack vectors such as leaving tempting CDs or USB drives loaded with malicious software. The hope being that staff members might pick it up and put it into their PC, falling victim to their own curiosity. The technique of baiting will be revisited and fully discussed in Chapter 3.

Dirty Rotten Scoundrels

The 1988 comedy Dirty Rotten Scoundrels, directed by Frank Oz and starring Michael Caine and Steve Martin, depicts the hilarious competition between two con men. Michael Caine’s character (Lawrence Jamieson) is a smooth operator conning wealthy women out of large sums of money through clever and elaborate impersonations. Steve Martin’s character (Freddy Benson) also cons money out of women but often using less than sophisticated methods. The two con men soon realize that the town isn’t big enough for both of them and agree to a bet. The first one successful in tricking $50,000 out of an American Soap Queen visiting town gets to stay, the other must leave for good.

The film includes a variety of examples of how social engineering techniques can be used in support of grifting, that is, swindling the target out of money. Both con men tend to focus on manipulating their victims by leveraging emotional states, with sympathy being their emotion of choice. One particular scene clearly demonstrates how these subtle emotional manipulation techniques can be used to great effect.

The character of Freddy Benson first appears in the film as he enters a passenger train restaurant coach. He looks around for a victim and discovers a female character sitting alone at a table. His main objective is to trick the woman into paying for his meal. From that moment, before he has even sat down, he begins to play out the social engineering scenario. He immediately removes his hat and puts on an expression of sadness, putting himself into character. He asks if he may sit opposite the woman and she agrees. When the waiter asks if he’d like to see the menu he says "Oh yes…. Starving…. Really starving then on seeing the menu comments on the prices and asks the waiter for water. Straight away he is building up his pretext, planting the seeds of sympathy in the victim’s mind. This is more effectively accomplished as Freddy isn’t directly conversing with the victim, instead ensuring they overhear the conversation. This indirect manipulation adds credibility to the pretext, as the victim is unlikely to think they are being targeted if they are not being spoken to directly. The female character then comments on him ordering water when he is so hungry, Freddy explains that he is saving his money to pay for his ill grandmother’s hospital bills. He continues saying that he’s never been good with money, returning what little money the Red Cross pays him. All of this is obviously designed to invoke feelings of sympathy in the victim. Freddy then finishes by saying his grandmother taught him to always be truthful and good. This last comment about being good presents a way out for the victim. The female character feels sorry for Freddy, she can’t help his grandmother but she can be good and at least pay for a meal for him, seeing as how he’s really starving."

The Imposter

The 2012 film The Imposter is based on the real-life case of the confidence trickster Frédéric Bourdin. In 1997 Frédéric impersonated Nicholas Barclay, a 16-year old who went missing 3 years earlier, despite Frédéric being in his twenties. The film includes dramatizations of actual events, interviews with the family, interviews with Frédéric himself and original footage from the time.

Frédéric’s case demonstrates an incredible example of the power of impersonation techniques. Using only a telephone he impersonated Spanish police officers, social workers, the individual who found Nicholas and of course Nicholas Barclay himself. He was successful in fooling both Spanish and US officials and, unbelievably, even Nicholas’ own family. The impersonation lead to Frédéric being collected by Nicholas’ sister and taken back to the United States where he lived with the family for months. Posing as Nicholas he told investigators that he had been kidnapped, tortured and sexually abused by European, Mexican and US military personnel, luckily escaping and finding himself lost in Spain.

His ultimate objective was to be incorporated into the family and to obtain the childhood that he’d never had. Is this social engineering in the sense of sensitive information and security breaches? If you treat Nicholas’ family as the supposedly secure unit, Frédéric had successfully extracted all manner of sensitive information about the family and had manipulated their behavior, ensuring that any interactions were consistent with their real child. This is effectively the same as a business believing a social engineer to be their chief executive, treating him as such and granting him access to all the business information and services.

Impersonation over the phone is extremely powerful and relatively risk free for the social engineer. Communication is reduced down to a single channel and is therefore more easily controlled. The social engineer does not need to worry about visual issues such as how they’re dressed, how they look or what their body language is saying. They only need to have the right sounding voice, speak consistently with that of the impersonated individual and create a plausible situation. When Frédéric contacted Nicholas’ family to inform them that their child had been found he sounded professional and concerned, just like a social worker. The family had no reason to doubt the caller and so his impersonation was successful.

He used impersonation multiple times from start to finish, right from impersonating the individual that found Nicholas through to Nicholas himself. The string of impersonations built up credibility and strengthened the ruse. Criminal social engineers often use similar methods, making quick simple phones calls to elicit innocuous information, using that same information to aid in further attacks, progressing the overall attack toward the ultimate objective.

When meeting the family in person Frédéric looked significantly different to what the family expected. His eye color was wrong, he was much taller than they thought he would be and he was incapable of speaking English without an accent. Perhaps the family did know of the impersonation, or perhaps the want for their child was strong enough to cause a significant amount of denial. Whatever the case was, it still stands that the power of impersonation can be significantly enhanced if the victim truly wants to believe.

Frédéric’s impersonation was eventually revealed by private investigator Charles Parker and the FBI agent Nancy Fisher. In the film Frédéric comments that he believed at least some of the family members knew he was an impostor. He told police that he believed the family had been involved in the disappearance of Nicholas and therefore found Frédéric’s impersonation to be a useful turn of events. Whatever the truth was, Frédéric’s case is one of the most remarkable examples of the power of impersonation.

As this is not a fictional film it would perhaps be better suited in a different section but it provides a convenient link to the next section on real-life social engineers.

Famous social engineers

In the world of social engineering there are a few individuals that have stood out from the crowd, making a name for themselves. Some of these individuals have become famous for their positive use of the techniques, helping to secure businesses and educate the masses, while others have become notorious for using the techniques to commit crimes. Whether or not social engineering has been used for good or bad these individuals clearly demonstrate what can be achieved using these techniques.

Kevin Mitnik

Kevin Mitnick was at one point the most wanted computer criminal in the United States. Aged 16 he used social engineering and hacking techniques to break into the computer systems of dozens of companies. He would often not need to use any technical methods to break into his target company. Rather, he would use a variety of social engineering techniques to trick users into revealing the required credentials or telephone numbers he needed. He was first convicted in 1998 and sentenced to 12 months in prison with 3 years supervised release. Toward the end of his supervised release he successfully hacked into the Pacific Bell mail systems, leading to a warrant for his arrest. Kevin fled, spending two and a half years as a fugitive until his apprehension on February 15th, in North Carolina. When arrested, he was found in possession of cloned mobile phones and many forms of false identification. His remarkable use of social engineering is wonderfully described in his books The Art of Deception, The Art of Intrusion and Ghost in the Wires. Kevin now works as a security consultant helping business to defend against such attacks.

Frank Abagnale

Frank Abagnale is often regarded as another of the one of the world’s most successful confidence men. Many a reader may have read of or seen his exploits in his book Catch Me If You Can or the film adaptation. He demonstrated an extraordinary use of social engineering techniques impersonating an airline pilot, a college professor, a lawyer and a doctor to name just a few. In addition he had successfully cashed $2.5 million in fraudulent checks all over the world. These exploits inevitably led to his apprehension by French police in 1969 and serving multiple sentences in France, Sweden and the United States. During this time he successfully escaped incarceration on more than one occasion. On his release he tried to hold onto a series of legitimate jobs but as soon as companies learned of his criminal past, they would terminate his employment. As with Kevin Mitnik, Frank now works as a security consultant giving advice to companies including the FBI.

Badir brothers

In 1999 Ramy Badir, Muzher Badir and Shadde Badir had 44 charges made against them for crimes such as telecommunications fraud, computer data theft and impersonating a police officer. Despite being blind from birth these three brothers used social engineering and hacking techniques to swindle as much as $2 million from their victims. The brothers’ incredibly sensitive hearing, programming skills and uncanny ability to impersonate a wide array of characters make them a force to be reckoned with on the phone lines.

Chris Hadnagy

Chris Hadnagy is a modern-day expert in social engineering and human interaction, demonstrating a thorough understanding of techniques such as microexpressions, influence and rapport building. He is the lead developer of "www.social-engineer.org and author of Social Engineering: The Art of Human Hacking and his second book, due February 2014, Unmasking the Social Engineer: The Human Side of Security."

Chris also leads an elite team of professional social engineers in his company Social-Engineer, Inc. (www.social-engineer.com). There they offer a range of social engineering testing and training services. The ongoing Social-Engineer.org podcast also offers great insight into all manner of techniques, studying those that use social engineering in everyday life. Chris is undoubtedly one of the good guys, using social engineering techniques to help secure businesses all over the word.

Chris Nickerson

Chris Nickerson is notorious for his part in the TruTV’s Tiger Team, a show in which Chris and his colleagues attempt to breach the security of businesses. The ultimate goal of the show was to demonstrate how vulnerabilities in the electronic and physical security could be exploited and ultimately mitigated against. He is at the forefront in information security and at the time of this writing leads a security team at Lares, offering a multitude of professional services from penetration testing and social engineering to policy creation and compliance