how to social engineer into anything or; the line-interruption method
a write-up to help organizations defend themselves against unorthodox attack vectors
quick intro:
back during my shithead teenager h4x0r days i ran with some phreakers and social engineering guys. during this time i came up with a method to breach the internal networks of, well, pretty much everything. i've been going full disclosure with this technique as of late because i think it's something that would still be very effective present day and it, and other techniques like it, are things people with access to sensitive information need to be trained to watch out for.
how it's done:
i'll use a hypothetical attack against aol and resetting the password to a target's aol account to explain the process, but this can be reworked for pretty much anything.
first, you'll need an accomplice or the ability to pull off two very distinct voices.
second, you'll need to make an account on the target service with the name and address information filled out with things like "THIS IS A TEST ACCOUNT", "TEST PURPOSES ONLY" etc.
friend = person #1, the oblivous customer
se = person #2, the social engineer
jeff = phone rep
pregame:
jeff: thank you for calling america online's new registrations department, my name is jeff how many i help you?
friend: hello i'm tony and i need internet. now you guys have the email and the web, right?
jeff: we certainly do! with america online you can blahblahblah
*let this exchange go on for about a full minute*
se: *beep boop* (use two rapid touch tones)
se: hello, i'm sorry to interrupt this phone call. jeff how ya doin today?
jeff: i'm fine..
se: great, [name of friend] do you mind if i place you on hold for a minute or two?
friend: n.. no that's fine
se: great thanks. *beep boop*
se: ok i've placed the caller on hold, jeff how ya doin today?
jeff: i'm fine..
se: great. well i'm chad and i've been monitoring your activity this evening and had a couple of things i wanted to run by you. firstly, have you been seated at your terminal all afternoon?
jeff: yes
se: so nobody else has had access to your workstation?
jeff: yes
se: ok, on my end it looks like you're mistyping credit card information for new members. i only see a couple of instances but it's something we do need to address, as it results in errors in our billing processing systems.
jeff: no i never mistyped anything today
se: hmm, ok. our data retrieval system might be misinterpreting something... ok i'm going to have you pull up a test account. navigate to your pegareach quick search screen and let me know when you're there.
jeff: ok i'm there
se: great. ok let me pull up my data retreival software. give me a moment....
se: *taps around on a keyboard for about 10 seconds* ok ready?
jeff: ready
se: jeff go ahead and look up the screen name "PhoneTest22"
when jeff looks up "PhoneTest22" he'll feel immediately at ease for two reasons:
1. you interrupted his phone call with a customer like a high level supervisor
2. you created the "PhoneTest22" account and all of the name/address fields say things like "THIS IS A TEST ACCOUNT"
attack scenario #1:
let's condition jeff into resetting account passwords
jeff: ok i've pulled it up
se: great, now go ahead and reset the password on the account to aoltest1
jeff: ok done
se: hmm, not seeing anything in my data retrieval software. some packet errors. let's try again.
navigate back to the search screen and let me know when you're there
jeff: i'm there
se: great. go ahead and pull up the scren name "target"
jeff: ok done
se: great, now go ahead and reset the password on the account to aoltest1
at this point you can either say "ok, looks like your mac address was misissued. i'll have noc address that. thanks" or you can just have him sit there and reset tons of passwords on multiple accounts all night until he asks about overtime.
other attack scenarios:
once you've earned the phone rep's confidence you can do various things such as:
1. ask him to press "prnt scrn" and copy and paste a screenshot of their internal software into new email addressed to you. this is useful in followup calls because you'll know more about their internal systems and how to speak the lingo.
2. have him install patch.exe because your darn data retrieval system is on the fritz
3. read off sensitive information on target accounts
backstory:
this was conceptualized in 2003/2004 by yours truly and used relentlessly on various utilities, carriers and isps. i'm convinced that variations of this technique would still work present day on virtually any large tech/communications company with enough phone jockeys. isps, registrars, banks, mobile carriers, etc. employees need to stay vigilant in the face of unorthodox social engineering vectors.
fun fact:
mark zuckerberg started out as an aol/aim hacker. one of us, one of us, gooble gobble and whathaveyou.
and now Jeff has to go sit through hours long classes about how not to fall prey to hackers. Jeff didn't like his job in the first place...
I think I had SE's call me a couple times when I worked at a call center doing tech support. The particular guys doing it screwed up though because their spoof accounts were pop culture references, so I yessed them along and escalated the calls so my leads were the ones on the hook. Not sure what came of those. God I hated that job.
There was also someone internally at another job of mine who SE'd password changes on work emails regularly. The security protocols were so lax that you just had to have minimal relevant information and be the same sex as the person whose account you were hacking. I figured this out because my email password kept not working repeatedly and I realized when I called to have it reset how easy it would be to just pretend to be me and do the same. I notified network security but they didn't take heed. They were super worried about someone stealing trade secrets with USB dongles though lol. They probably saw that in a movie or something. Funny part is that I don't really have much technical knowledge but I figured out their security holes before they did. For all I know you can still call and reset email passwords without any challenge at that company.