Saturday 29 September 2007

Interesting social engineering malware trick

I just stumbled on this interesting article about a scam that uses social engineering to trick people into downloading a trojan and running it.

The trick? People receive an email message with a video attached. The video does not appear to run, supposedly because of a missing video codec (it actually *does* run, but shows a black screen for about one minute). A message then appears with a link to the "missing codec"; users download and install it, and that "codec" is the trojan.

Very clever, and another reminder to be extremely suspicious of email attachments.

Cool social engineering webapp

The guys at Paterva have made a web front-end for their application. Check it out at their website.
This will save you a ton of work, because it automatically searches Whois information, Google, PGP keyservers and lots of other places for information about people, email addresses and domain names. Nice work!

Wednesday 12 September 2007

Social engineering technique: listen!

One of the social engineering techniques I use is intimidation. While it isn't always a pretty sight, it will often get the job done. The problem I had in the beginning was, it didn't work for everyone. Some people would get very compliant, while others would just get stubborn and refuse to cooperate.

It was only after I actually started to listen to what people said that I got consistent results. For instance, when I asked a secretary some questions about her boss, she answered them. She also told me he was a nice guy, and she loved working for him. I noticed then that, as soon as I started using intimidation (using the future policeman con), she clammed up and refused to answer any more questions.

On the other hand, when I talked to a system operator at a government organisation, he would not answer me, and kept on referring to "the rules". At that point I told him that I was investigating a fraud case, and that I found it remarkable how he did not cooperate. After that, he became an avalanche of information, and I eventually had to hang up to stop him blabbering.

The big "secret" I found out eventually? If you pay attention to what people say, and how they say it, you'll know how to deal with them.

Here's how:

- if someone is talking towards something (a person, a case), then he/she is often loyal to that cause, and intimidation won't work. Flattery or sympathy will work better here. Examples of people talking towards something:
"Oh mr. Renaldo, yes, I know him, I worked with him on my last project!"
"Yes, I work on the new marketing project. It's very exciting!"

- if someone is talking away from something, then he/she isn't loyal, and often has issues with that person/organisation. At the very least, they're uninterested. In this case, intimidation can give them that little push so they'll start to cooperate and give you the information you want:
"Renaldo? Oh him.. Yeah he works around here, but I don't know him that well."
"Yes I work in marketing. Is this going to take long? I have a lot to do today."

By just listening to how people say certain things, I am now able to use intimidation only when it is effective. The other times, I'll use something else, like sympathy or a desire to help. That way, I can make someone's day better and get the information I want at the same time!

Monday 10 September 2007

Social engineering and time

No, I'm not going to give you tips on time management (I suck at it big time), nor will I try to tell you that things will improve over time: things change, but do not always improve! If you don't believe me, just leave your BLT sandwich on your porch for a week. See?

What I'm talking about is abusing time in the processes of authentication and verification. Promising that proof will arrive "shortly" is often an easy way to deflect annoying questions and nosy people, because the person checking has no procedure for the gap between asking for credentials and actually receiving them. Let's look at a situation I ran into during an assignment a couple of months ago:

I am walking around in a no-go area. I simply tailgated another employee through the "high security" gate, and am now trying to find a place to plug in my laptop, so I can take a look at the internal network. Suddenly, a voice behind me asks: "what the hell are you doing here?".

I turn around to see a red-faced floor manager walking my way. I smile, shake his hand, and introduce myself. I tell him I'm with a consulting firm called Jackson, and we're here for the transaction systems. Somehow, my smart business suit and suitcase do not convince him.

"who sent you here? "
"My manager did, mister de Vries. This project has been approved by your CFO, mister Willekens"
"Mister Willekens is on vacation right now!"
(of course he was, I'd already figured that out by calling his secretary)
"Well, if it makes you feel more at ease, I can fax the contract to you. What's the number of your fax machine?"
"It's 024-2023043"

I pull out my mobile and call my own office:
"Hello, Carla? Hi, Hans here. "
The people at my office know to play along when I use the name "Hans".

"Would you do me a favour, and fax the contract for the Astropol transaction project to 024-2023043? Ah, I see. Sure, sure, I understand, well do it as soon as it is fixed, ok? This is rather urgent."

I turn to the floor manager and explain that our fax machine is paperjammed, but that they'll fax the contract as soon as possible. He slowly calms down, and even starts to apologize:
"Look, sorry if I was a bit hard on you, but we have very strict rules around here, so you see...Would you like some coffee?"
"Yes please, and while we're at it, can I ask you a couple of questions about the transaction system we're supposed to help you guys with? There's a couple of things that are still a bit vague to me.."

I continue to milk the manager for all the information I need. He is quite content to help me, because, in his mind, everything is OK. The written contract is on its way, right? Riiight.. I even convince him to let me plug my laptop into the network.
"To check my e-mail".
Just before I leave, he tells me that I better call my office again: "because they still haven't sent me that fax". I assure him I will get right on it, and leave the building with a big smile.

Did the manager do anything wrong?
Well, not according to the policies of that company. The policy stated that visitors should carry visitors' passes. It did not mention consultants or temps.
The manager asked me for my credentials. However, he couldn't decide what to do next when those credentials were not produced on the spot but promised for the near future. The policy was specific about what he should do, but it did not take into account the exception: delayed credentials.

Should he stand next to me, waiting for the fax?
That would be a waste of time.
Should he send me outside, until the fax had arrived?
That would be impolite.

So, while trying to figure out what to do, he was extremely open to suggestions.
And that's what I gave him.. The lesson: a verification procedure has to say what happens while the proof is still outstanding, because "it's on its way" is where the attacker lives.

So, you want to be a social engineer?

Congratulations if you have decided to become a disciple of the lost art of social engineering. I say lost, because the art has lost its meaning over the last few years, and has been diluted by people who talk a lot, but do not practice. Lost, because there are people who try to turn it into a science (it isn't), or try to persuade people that you need special powers to become a social engineer (you don't).

Too many times I hear people asking the same questions whenever they want to delve into the wonderful world of social engineering. The first knee-jerk reaction is:
"yeah, I've read the books, listened to the CD's, bought the T-shirt, I know social engineering"
The point I'm trying to make is, social engineering isn't something you can learn from a book, a CD or a movie: it's something you can only learn by doing.

I've had numerous people tell me that they "know all about social engineering", only to have them shuffle their feet and look to their toes when I give them the phone to make the call.
"Who, me?"

And then, the excuses creep in:
"I need more information on the target"
"You go ahead, I'll go last"
"Now is not a good time, I need to prepare myself for this"
"I'm more of an e-mail person"
"But what if they don't believe me?"
"What if they want to call me back?"
"What if I fail? Won't that ruin everything?"

Social engineering is doing. Social engineering is doing, falling flat on your ass, and getting up without a second thought to try again. Until the time you can grab a phone and instantly strike up a conversation, you might "know" social engineering, but you won't be a social engineer.

How you can train yourself to do this, is something I'll write about another time.