From harry_murphy_2002@yahoo.com Wed Aug 28 19:58:02 2002
From: "Harry Murphy" <harry_murphy_2002@yahoo.com>
Newsgroups: alt.2600.hackerz
Subject: What is social engineering ?
Date: Thu, 29 Aug 2002 03:58:02 +0100
Organization: Altopia Corp. - Usenet Access - http://www.altopia.com
Lines: 205
Message-ID: <akk2p3$mie$0@pita.alt.net>
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Path: nubby2.!newsfeed4.cidera.com!newsfeed1.cidera.com!Cidera!news.maxwell.syr.edu!howland.erols.net!news.alt.net!usenet
Xref: nubby2 alt.2600.hackerz:248000

All research for this paper is being done purely as a matter of
self-interest and desire to help others minimize effects of this attack.
This information should be used only to make people aware of this matter and
should not be used to access any third party account without that account
owners permission. In doing so you will be breaking a few laws and I take no
responsibility for that in any way shape or form.



----------------------------------------------------------------------------
--------------------------------



What is this text about ?

This text will tell you in short how to gain access to almost anybodies
YAHOO account, this if you have a YAHOO account yourself should set you
thinking on how to avoid this happening to you, by the end of this text
hopefully you will be able to. But this does not just concern YAHOO it will
almost certainly work on any other online email provider which has a chat
facility as well, e.g. HOTAMIL, BIGREDANT etc etc....

YAHOO was chosen to demonstrate with because it is the system i am most
familiar with and often (along with HOTMAIL) has some of the most computer
illiterate users out there!


----------------------------------------------------------------------------
--------------------------------



Who should read this text ?

Anybody with a YAHOO account should read this text, it is meant for you so
as you can defend yourself against an account compromise happening against
you. Also this kind of attack will most likely work on many free services
with the correct adjustments, so overall everyone should read !!

----------------------------------------------------------------------------
--------------------------------



What is social engineering ?

I would say social engineering (when done well) is an art form, it is the
art of getting information out of a person without them even realizing what
it is you are doing. This can be used for a variety of  applications
usernames, passwords, code numbers etc. To do it well takes practice but
once mastered it is a skill that is extremely valuable.



----------------------------------------------------------------------------
--------------------------------



The basics of a YAHOO account.

Everybody who sets up a YAHOO account has to go through the same procedure,
submit name, address, area of work etc etc. Everybody also has to submit a
birth date, postcode and a 'secret question', these are the areas we will be
most interested in. The birth date has a four digit year (e.g. 1978 rather
than 78), this may stop confusion later. The best way to get to grips with
the registration process is to do it for yourself (if you haven't already)
click here. Once you have set up an account you will have a unique username
and a password.

YAHOO also has a handy little utility incase you forget your password, this
is what your secret question was for. If you forget your password you can
click on the 'problems signing in' link, this will bring up a screen which
asks you if you have forgotten your user name or password, you enter the
piece of info you know and (in this case the username) and it takes you to
another screen which asks you for a birth date and/or a post (zip) code and
your location (USA etc). If you enter this information correctly you are
then taken to the next screen where you are asked your secret question and
if you answer this successfully then your are issued with a new password.


----------------------------------------------------------------------------
--------------------------------



Aims of the attack

To gain access to an account you need a valid username and password, now
most people (unless very stupid) won't just tell you the password to their
account, but by using the forgotten password utility as described above then
you can still get a password to an account if you know certain pieces of
info. In this attack the users birth date and/or post (zip) code and secret
question must be got to gain a password for their account.


----------------------------------------------------------------------------
--------------------------------



The actual attack.

Finally we're on an interesting bit ! Right as said earlier this will be
social engineering at its finest, so we will make the victim give us all the
info we need to access their account (ironic huh !). We are also assuming
that the nicks used in YAHOO chat are the usernames of the accounts you want
to access (9 out of 10 times true).

Right once you have chosen your target you have to wait until they are in a
YAHOO chat room, this is assuming your target chats, if they don't other
methods will have to be used (explained later). To find when they are in a
YAHOO chat put them in your YAHOO pager and you will know when they are
online, you can go to the chat room they are in. Now you are in the same
room as your target begin a meaningless chat with them about
weather/life/music etc now once you've been chatting a few minutes you can
then begin to get your desired info out of them, birthdays are always fairly
easy e.g. :

<you> Hey its my birthday today :)

<lamer> oh cool happy birthday, how old are you ?

<you> 345  how old are you ?

<lamer> 22

<you> my friend is 22 when's your birthday ?

<lamer> October

<you> no shit so my friends what day ?

<lamer> the 5th

<you> my friends is the 15th  blah blah blah....

Excellent you have you first piece of info, now you need their location
their profile may contain this, if not most people give out the country they
are in very easily a/s/l usually does it ! Right now sometimes this is all
you need to get to the secret question page, other times a post (zip) code
is also needed. This is more difficult to pop in a conversation but can be
got out of your victim in a similar way to their birthday, just bullshit
about where in Tennessee?? etc etc. While all this is going on have another
browser window open and be inputting the data into the forms until you get
to the secret question page, when there it is often a question like 'What's
my favorite band ?' or 'What's my dogs name' a majority of  secret questions
can be got out of the user by more social engineering, like ' I've got a
fish called Wanda, do you have any pets ? ' . You get the idea by now ! Once
the secret question has been passed Voila a new password has been issued and
you can access the account.

REMEMBER: The password is now changed so the users old password wont work,
this means next time they log in they will have to go through the password
retrieval steps that you did, this means they may click (unlikely) or just
be thick (likely!) and not think anything of it. But now they have changed
the password again so if you want access back you have to do the steps all
over and this changes the password once more, if they password is changing
everyday the victim will probably realize something is wrong and may contact
YAHOO.



----------------------------------------------------------------------------
--------------------------------



With access what can be done ?

Once a password is gained all YAHOO services can be accessed, this includes
EMAIL, geocities (which uses the same password and username as YAHOO) chat
etc. You can pretend to be the victim in all ways while in YAHOO.


----------------------------------------------------------------------------
--------------------------------



Victim doesn't chat.

 If your victim doesn't chat then you'll have to go through different
channels to get them to give up personal data, this in itself could be a
whole other text so I'm not going into it in detail, but one method would be
to email something to let them give up their info ??? I'll leave all these
issues for another text. The chances of success are lower but it still can
be achieved.


----------------------------------------------------------------------------
--------------------------------



Summary

 Well I hope you a bit of an idea about social engineering if you didn't
before, and if you did then I hope that this text has at least shown you
knew ideas that are out there or at least been good to read !