Hacking the Human Mind: A look at the power of social engineering

Jun 26 2002
By: L33tdawg

What is social engineering? It is the act of tricking a person into revealing their
password or other privileged information by convincing them that you have a legitimate
right to that information. In a not so politically correct manner, social engineering is
more or less "lying through your teeth to get what you want".

A classic social engineering trick is for a hacker to send email claiming to be a
system administrator. The hacker will claim to need your password for some
important system administration work, and ask you to email it to him/her. If you
read one of the older articles we have on e-mail spoofing, you'll see how this could
be useful.

A common variation of the e-mail attack (quite lame really) is to do the same either
by phone (you need to be really calm and collected, or you'll blow it) or over IRC
(increasingly difficult if you're hoping to hack into anything meaningful). Now for this
article, and for PURELY demonstration purposes, I set myself the task of seeing
whether I could recover someone's personal details (including their address) using
just their handphone number, without having to either a.) ask the person
directly *duh* or b.) hack the telco's database - a LOT easier said than done.

The Setup

The first step is to find a `victim'. In this case I chose a good friend of mine
(*grin*). But to make matters more difficult, I assumed that I only had the person's
name and e-mail address - certainly information that comes into most people's hands
now and again, depending on the industry you're in. Anyway, I've got the e-mail
address (check) and the person's name (I assume only the first name for now, even
though I have more information than that). The second step is to fire up your
collection of IM clients. It's obviously best to have as many as possible, as I know
a fair number of people (myself included) who make use of more than one client in their
day to day activities. So I fire up ICQ (first choice, since their database usually has
a lot more interesting information *grin*). I feed in the person's first name and
estimated age group; I know the target is female, so I feed that in as well; I
know her location (Malaysia), and I know her e-mail address. Not bad - I hit the jackpot
almost instantly. Now I know you're saying that most people don't fill in their
information accurately or completely - I have to agree that this is true, which is
why having those extra IM clients (to search through), as well as searching
for the person's name and e-mail address (through google.com for instance), also
helps in recovering more personal details to use in your `attack'. But for
the sake of keeping things simple, I chose someone who is (or was) fairly active on
message boards in the past, which in turn means she left a `trail' for anyone
interested enough to follow.

So I've got the person's ICQ details and I'm lucky enough to find that she's
registered her handphone number in their database as well - wow, that was certainly
easy. Now what happens if the person has NOT listed their number? Hmmmz, well
then you'd need to social engineer it out of them! It's pretty simple. I know that after a
fair amount of time, people WILL give out their personal contact details, even if they've
never met you before - it all depends on whether they perceive you as a threat or
not. But let's assume you're lucky and get the information without having to do too
much work. It's time to get cracking.

Now I'm sure most of you are familiar with prefixes for cellular numbers and that
each prefix corresponds to a different service provider. In Malaysia (for the sake of
the 90% of you reading this who aren't from here) the list is as follows:

Prefix :: Provider

012 :: Maxis
013 :: TMTouch
016 :: DIGI1800
017 :: TimeCel
019 :: Celcom

So in the case of my target, I know she's a 016 / Digi subscriber. So I fire up their
website (http://www.digi.com.my), look for the company's contact details, give
their customer support help line a call and speak to one of the customer
service representatives in their credit control department (I can't recall his name).
Anyway, I proceed to explain to the person that I'm a friend of the victim's and
that I'm looking to help her out by paying her cellular bill (yeah, I'm really THAT
good a friend), but I explain to the rep that I do not have the amount to be paid or
the account number. However, I do have her handphone number. To which the rep
cheerfully replies "sure, no problem - let me have the phone number" (at this point,
I'm guessing no company sales/payment rep would turn you away - you're giving
them the cash, remember? Or so they think). The rep quickly checks the account
holder's name with me (for verification purposes, I suppose, but in this case the
victim's first name was sufficient, even though it doesn't appear in the account
information!). I eagerly jot down the account number and the amount due. I proceed
to thank the rep for his time, and enquire as to where I could make payment. He
gives me a list of their payment centres and I jot those down as well.

Armed with my new information, consisting of the account number, the person's first
name, and her cellular number, I proceed to the payment centre for Digi (which
incidentally happens to be JUST 10 minutes away from my house - how convenient).
I head on over, step up to the counter, and hand over the piece of paper with the
account number, payment amount and phone number listed, and explain
that I'm coming on behalf of the victim and would like a printed statement of the
payment due. The service person behind the counter gladly prints out a copy of the
amount due. I push the rep further by asking for a print out of the calls made
(known here as itemised billing), and I get that information as well. I look through
it to make sure I've got what I want, thank the rep and explain that I need to go to
the ATM to get the cash and that I'd be back within 15 minutes. I never return.

So what did I manage to get away with?

1.) The victim's billing address (our targeted data for this exercise) - this
information was provided courtesy of the bill itself.

2.) The victim's identity card number (this is listed on the bill as well). Incidentally, I
believe the Malaysian IC number is similar to the US Social Security Number
- so I'm sure most of you can appreciate the importance of this 12-digit number.
*grin*

3.) A list of all calls made, with the duration, the number, the time, and the total cost
incurred - useful for understanding the personal ties the victim has, by studying the
frequency of numbers called as well as the times the calls were made.

Conclusions

Now while this exercise in social engineering was for demonstration purposes
only, and we weren't really out to do any damage, it does prove its effectiveness in
obtaining otherwise unattainable information. I wouldn't recommend trying this on a
stranger or even a friend (unless your victim happens to be as understanding as
mine). Firstly, I believe it's illegal - secondly, it's not really ethical to go about
poking through people's personal data, but that's another story altogether. As for
the telcos and companies that fall victim to social engineering? Well, you can't
blame the help line staff - they're merely doing their job. But perhaps more
stringent checks of the validity of claims before handing over personal information
would be advisable. Either way, I hope you found this article informative or at the
very least entertaining. Play safe.

Peace.
L33tdawg.