Stanley Mark Rifkin’s hack on security pacific bank’s wire transfer system:
1. Get a “daily code” that’s for “wire transfer” employee only via his project.
2. Wear “hats” (personify) to attempt transfer, doesn’t work, need one more info.
3. Wear another hat to get the missing info;
4. Swiss company -> Russia diamonds -> bring diamonds back to US
Social Engineer on “CreditChex” (bank use their info to vet customer who open new checking account).
Backstory: PI getting info from a divorcee – about where the money is.
End goal: get someone’s SSN + BankHistory (open new account / non-sufficient funds etc.)
Three calls:
Call-1: As author writing a book, get lingo “Merchant ID” form bank employee
Getting the terminology right, in order to sound knowing what they’re talking about later
“When you say you’re an author/movie writer, everyone opens up”
he bank employee’s hesitation when asked about “merchant ID”, supply an excuse.
Don’t “burn the source”: in order to not make the “hesitation” become “red flag”, didn’t ask a ton of questions regarding more info of the procedure.
Active listening – listen for how the person answered the question – the level of cooperation they have.
Call-2: As CreditChex “customer survey” to bank, hide the question “what’s the merchant ID” inside other innocuous questions.
Hide leaf in the forest: hide important question in other questions
Personal question: as tool to test willingness to cooperate. Watch for tonality change. If they’re skeptical, tonality will change (they will regard it as a landmine).
Don’t end the convo right after key info. Keep it going for a bit.
Call-3: As bank employee, use MerchantID to get target’s info.
Headhunter hiring engineers to competitors
Objective: Getting the employee directory (and corporate structure)
Four calls:
Call-1: Pretend as someone in corporate, wants transportation department number. Ask real-estate department as a backup number. After that, go after the true goal the account receivable department.
Establish corporate-identity, proactively ask a question, whether the receptionist is in building A or building B.
Call-2: Accounts Receivable department, get a specific “cost center” code.
Call-3: Real Estate department, pretend called a wrong number. Ask about who should call to get copy of department that prints the copy of employee directory.
Call-4: Publication department, send a copy, and use the cost code.
Skillset : same as “confidence man”
Example of getting EmployeeID by pretending the travel department wrongly booked a trip, and need employeeID to verify.
Phone company hacking
Lingo: MLAC (Mechanized Line Assignment Center)
Plus having a story to frame as company man working on a heavy-duty assignment
Wanted man applying for a job that requires fingerprint of state, want to know if state fingerprint database is linked to FBI’s
Pretend to survey the local police department’s fingerprint expert
Lingo: NCIC (National Crime Info Center)
Phone hackers try to get the “test volume” from phone company
Background: Phone company publish a test phone number directory each year, and one special number is called “loop-around”
Ask employee to put the volume outside in order to replace the new volume.
Finding unlisted phone number
Pretend to be a fellow employee whose computer crashed by a virus
And let the employee look up some customer info
Build trust & get customer’s credit card number
Pretend to be a manager of another branch/store. Four calls to build trust & then attack.
Getting a phone for free
Know who’s the name of an employee on a certain shift
When shift happens, call another employee in a diff branch & make up a story (already paid but no inventory in the original store) to make her give the phone for free.
Social engineer getting data from NCIC
NCIC procedure/manual was online/public
Use frame of familiarity with NCIC database procedure to get info from operator (i.e. a person’s criminal background)
In Military/Police, workers have huge respect for rank. Position as someone of higher rank.
Plant Trojen horse to find out company’s secret files (bookkeeper’s computer)
Call-1: Pretend as IT guy, call the bookkeeper there might be some outage. Leave phone number for hacker’s burner. And find out port number of the bookkeeper’s computer.
Call-2: Call the IT guy, pretend as bookkeeper, to disable to port from bookkeeper.
Call-3: Get called from bookkeeper, claim busy & prioritize the problem in order to get appreciation from bookkeeper.
Call-4: Frame to Trojan planting as “to prevent similar issues in the future”.
Reverse social engineering: if it’s a inbound call from the target, the hacker gets more credibility
For computer-challenged worker more likely to “just download the little program”.
Get password from a new employee
Tendency: don’t know many people & procedures, want to make good first impression (eager to cooperate)
Call-1: Pretend as security department, develop security seminar for new employees hired last month & get the second call in order to receive the list
Call-2: Call a new employee, instill a bunch of security info. Then get their current login credential & make them change it based on simple instructions
Corp Espionage getting login from employee
Target a certain product with high intellectual property and gather info.
Call-1: Switch operator, frame as “promised someone in engineering group to follow-up, first name start with S”. Choose one and proceed.
Call-2: Frame as “someone in mail room, looking for someone in charge of the special project team”, redirected but got VM indicating whom to talk to.
Call-3: Frame as “doing a favor for the team lead who left”. Ask which system/server they use. Plus the email list of people in the special proj team.
Instead of email, ask for fax. Because email don’t end with company name would raise suspicion. Play some trick to ask her to send the name list to a fax machine (in a stationary store). Don’t go in-premise because it greatly increase risk.
She doesn’t reject the Fax (more difficult) because she doesn’t want to be find out stonewall someone her boss need help from [team-player desire].
Call-4: Ask switch operator for IT department, frame as “someone not computer savvy, need to setup inbound-dial access to company system”.
Server structure, once dial in, can access any computer. There’s a guest account with no password required. Meaning have access to one computer in Unix.
In Unix, password stored in a file as one-way hashed result. Use dictionary attack and got one guy’s password as “Janice”. But doesn’t work yet.
Then call the guy, frame as IT team, and pretend server is down until mid next week.
Response – absolutely unacceptable. If want to proceed faster / cut corners, need his password. Raise suspicion.
Use the initial password form excuse, and bet the target doens’t remember what’s his initial password he used years ago. Then got the actual username & password.
Frame: initially uninterested to help, but later work on helping to get the work done. If target has impression you’re helping them, they’ll likely willing to provide some confidential info.
Got the design files for the special proj, FTP the files to a “dead drop” (i.e. a file server in another country).
Website “Phenoelit” seems to store a list of default passwords.
Getting access to company’s WAN
Call-1: Ask Receptionist any Joneses”. Get a specific name & department.
Call-2: Call the person, frame as “Payroll”. Makeup an urgent situation that his paycheck deposit account was changed. Ask employee number.
Call-3: Sysadmin, frame as “the person in call-2”. Use name + employee number + context info to setup a temporary account to access company intranet.
Candy security: hard on outside, soft on inside.
Speakeasy security
Example: CNA : special service that translates phone number to address.
No id verify
Passing time based password
Wait for snow in Dakota, then once getting username & access & background info.
Call-1: Frame as the employee, compromise the security person to do time based password for him. Use “Fetch the security device of the employee” where fetch as keyword will make it less likely the security person do it. Then security person too willing to help, and after talking to security person’s manager, helps.
Call-2: Use internal Bulletin board, find a person who knows a certain development server, ellicit the server name. But there’s a firewall between attacker & the dev server.
Call-3: Call security again to create temporary account to access dev server.
Get access to movie producer & get on visitor list
Frame as new employee first day, want to ask for direction, especially effective is the target is motherly type who likely adopts a stray kitten.
Getting phone number of someone who changed the phone and made it unlisted
At the time, if phone number change, the physical connection from home to central office doesn’t change.
Frame as someone in repair center, with emergency situation that a paramedic unit out of service. Need to repair soon.
Then when meet on field, ask LV (line verification) of a certain line, which reports telephone number.
CEO attack – frame as CEO’s secretary and ask for something (urgently)
Social Security Admin attack – find out where money goes
Learn the lingo via their manual – https://secure.ssa.gov/apps10/
Call-1: call public number to go to a “private number”
Call-2: Frame as a fellow coworker (office of inspector general, agency with broad powers) to raise sympathy and ask questions with lingo to achieve goal.
Above & Beyond – establish long-term connection as infra. So the excuse is a fellow new join coworker has to use “attacker”‘s computer. Instead of spill coffee on keyboard.
Corp Espionage of getting some documents
Frame as IT support to fix computer, use fear (of not able to use computer) to get initial cooperation, then build rapport by testing a few files & telling her concerned about her computer security & ask her not to reveal password. Then leverage that to ask her do a favor by testing out a temporary password. Use this short window of temporary password to gain access.
Find out if police have filed an affidavit for arrest for you
Call-1: District Attorney Office’s Records department – framed as investigator ask for affidavit. Use “absent-minded recently & forgot the file” to raise sympathy. And ask her to fax it. Which needs internal cost code.
Call-2: Ask DA office receptionist, what’s the accounting code. Frame as police officer.
Call-3: Back to records department – get it faxed.
Call-4 & beyond: In order to reduce tracing risk in the local fax shop. Have two hops in the fax. Use one call to find manager’s name of store #2. And call the manager of store #1, claim as worker of store #2, and manager of store #2 (same chain store) asked there’s a upset customer, given sender wrong fax number, and waiting for an important doc. Ask to redirect.
Then two more calls to get rid of the copy.
Note: Fax -> Email service exists
Find out college student’s names between certain year ranges of a university at CS major
Reason: For common name (i.e. Michael Parker), if there’s a student of same name graduated in college previously, use his SSN for job application (when vetting, university will say yes), and use the hacker’s true SSN in newcomer registration form.
Call-1: Find out server/URL of the DB – call registrar’s office – frame as computer center, a potential maintainance & don’t want to disturb their access, wants to know server name. (Target machine get).
Call-2: Find out a username & password – call another person in registrar’s office – same computer center. Need a favor to test if “password works” for the new production system. Use a login simulator to steal the password.
Call-3: Run the query – call registrar office, frame as dean of engineering’s office – want to know who to talk to when having problem accessing student files. Redirected to sysadmin of the college, frame as some new employee in registrar’s office – use “don’t want to lose job” to raise sympathy and get the list.
Getting info from bank to see if someone has lot of money in account
Call-1: [EZ] Get a bank’s branch number, no frame
Call-2: [EZ] Get another branch employee’s lunch time, framed as a customer getting a lot of inheritance, asking for investment options, slipping the question in.
Call-3: [Difficult] Call #2 bank’s when employee on lunch leave, framed as another branch’s coworker Fax based on the left employee’s request. Raise suspicion but use implicit threat that the left employee would know the non-cooperation. Use B/E pronounciation similarity to get two codes.
Call-4: [Difficult] Call another bank to get personal password-like info of the mark. The bank needs a random code from code {A..F}. But framed as a bank’s worker, and claim computer is being used by another co-worker (add some urgency), use B/E code to get.
Call-5: [EZ] use a 800 number, framed as the mark, with password-like info, to get actual financial info.
Get info from DMV (driver license etc.) in a streamlined fashion
Call-1: Get general public DMV number, then call Sheriff State’s teletype and ask what’s phone for DMV number for police use. And while asking, get the first 7 digits right based on public phone info.
Call-2: Call DMV, framed as biggest switch provider, claiming need to do switch update, need dial-in number to switch. Once get that, there’s a famous default username for the model, then guessing common passwords, it’s “update” it turned out. Then based on phone number from call #1, get dozens of other phone number for the same purpose & their structure based on switch. Call forward to his pre-paid phone.
Call 3+: inbound police officer phone, get their all info (request code etc.), after multiple identities, stop the call forwarding. Permission escalated.
Tour the chopper factory via social engineering without badges
Call receptionist: get an employee (in marketing department, because every company has a marketing department) name + phone. Then his boss’s name + phone.
Buy an old license plate at flea market.
In security guard post at entrance, call guard post, framed as tech support that heard there’s a phone problem in guards’ phone. To know their number of phones & extension. Then get claim the marketing guy in #1 have sent two colleagues to the factory and ask them to leave message for the next guard.
Final act: Visit the factory, caught by a guard, claim security badge left in car. Framed as the marketing guy, phoned the boss, while the boss is yelling “who are you etc.” just answer as if there’s a convo. They figured there’s <15 minutes for the boss lady to find out where the call is from (the guard post).
Dumpster diving
Digging corporate trash for internal phones / info
Oracle did dumpster diving for a Microsoft lobbyist group called “ACT”
Disgruntled employee access boss’s computer to replace PPT to cause public embarassment
Hacker dial in from outside via modem cable
Car repair shop getting parts at only 1% premium over a big wholesaler
1. Charm the receptionist, who wants to get promoted to marketing department and potentially getting pay doubled, framed as someone who is powerful (dressing nicely / talking refined)
Two stage attack to build trust, first stage – chatty convo to build trust, second stage – ask for a conference room after sitting down 15 mins pretending to work.
2. Once have the receptionist charmed, pretend the person to meet is held in meeting, and request a conference room. Which means his laptop can connect to port behind the firewall.
3. Prep: Call the IT team as support person, claiming they have a two year support feature for free. Then ask the list of applications their computer is running. Then identify which application is the “mark” – which can be used to change contracts in the past.
4. Identify all user + dictionary attack for password to get access & modify the contract.
One grifter wants to discuss with another grifter who’s currently in jail, without pretend as family visit, but by using attorney- client convo previlege
Context: the Attorney-client convo phone in jail is programmed specially that prevents inbound call (and only allow pre-determined phone number)
Objective-1: Find out all phones for attorney client phone call in jail, and change them to allow inbound calls.
Call-1: Framed as General Services Administration (US Gov’s department that purchases goods & services for the gov), call the phone company. Pretending there’s a acquisition order for gov and need to know phone numbers / costs for the detention center. [Make sure they aren’t allowing inbound calls].
Call-2: Find out RCMAC (the department that can remove inbound-deny phone property).
Call-3: Call RCMAC, framed as repair technician, ask to remove the deny termination feature (that denies inbound calls). Lady says “no service changes” after searching. Claims the account representative sick and someone else takes the order, no need to fix it. Then the lady removed inbound deny feature for the phone. Since the lady is helpful, ask to change properties for the other phones as well – which is accepted and done.
Objective-2: Find which house number the grifter in jail is in.
Phone prison in another state (because all prison in US use the same DB).
Pretend asking if a prisoner in their prison (i.e. Miami). Act surprised when not, because the hacker suppose the prisoner transported. Ask more details including house number of the prisoner.
Objective-3: Match which phone is which housing number.
Call in & it would not ring (silent), wait till it’s picked up, pretending to be a public defender office. And say will find attorney, ask which housing number they’re in.
Objective-4: synchronize the clock, schedule a call that uses “attorney client privilege”
Call detention center, framed as “official need to ship some properties of the inmate”. Works.
Hacking contest
Unconventional approach: pick the logic then hack the computer.
Hacking
Dictionary attack
800 common words (i.e. “password”) then append two words / append digit.
Then google search “wordlist dictionaries”
Brute-force
Against password hash dump (pwdump3) on some windows/unix
Utility: L0phtcrack3
Use social engineering to install backdoor.
Getting SSH username & password & IP
Framed as a database vendor talking to IT support of the company. Pretending there’s an emergency bug that cause data loss, want to install it via non-conventional methods (Software team still putting out fire, so could be available on website later) can only install via CD / Telnet / SSH.
Install spyware by dressing spyware as “manuscript.doc.exe” which windows by default hides the “.exe”.
Silent install the spyware to avoid detection by anti-virus software.
Talk to HR and find out new employees & their extension.
Then pick a new employee & go to his office to receive a inbound phone & follow instruction to download the spyware. Frame as VP of finance & talk to new joiner (has authority).
Fake caller ID to elicit material non-public info (i.e. earning) by framing as upstream/downstream vendor/customer
At the time, it seems you need access to PBX switch & program it accordingly.
Identity Theft
Setup a voicemail by framing as an employee traveling to remote location & need a voicemail box setup
Then pretends to be the employee & get the truly interested info (the ID of the mark)
Traffic ticket avoidance
Traffic ticket -> Officer name + signature
Call-1: Frame as attorney calling subpoena control, subpoena the officer, find out which days won’t work for him.
Then schedule the trial on those days, officer doesn’t attend, case dismissed.
Industrial espionage – take team out to dinner – gain trust & ask to email
Leak source code & set someone up as revenge
Get file: frame as colleague asking for source code
Frame to appeal for sympathy, yelled by boss because backup failed after invaded by computer worms