How most people imagine hacking... from _Hackers_; via Flickr.
A lot of people think of hacking as a greasy nerd clacking away on a keyboard until they end up gaining access to "the mainframe". This is normally accompanied by bleeping (seriously, what on a computer actually "bleeps"?) and a wash of neon-green blinking command prompts, very similar to Keanu’s “Follow the White Rabbit” scene in The Matrix. That’s not necessarily an untrue or unfair way to picture it, but in reality there’s a big wide world of hacking, very far away from techy kids wearing leather coats in basements. One particular strand of hacking called social engineering relies largely on tricking people into giving up personal or confidential information belonging to their employer. Unsurprisingly, in a world where almost everyone’s personal and/or corporate data is floating around on the internet, social engineering is becoming an increasingly popular line of work for those trained in deception and manipulation.
I met up with a hacker called "Ghost" who specialises in both offensive security (protection with data-driven attacks, rather than a firewall-style defence) and social engineering, to gain some insight into how it works. Over coffee, Ghost showed me some examples of the systems he'd socially engineered his way into, including the backend of a major corporation whose income was in the multiple millions of dollars bracket. In a matter of seconds we were inside their network and could see everything from customers' full names, Social Insurance Numbers, direct deposit slips and home addresses, to private internal emails between executives about company spending. We even had easy access to copies of employees' passports, with none of their personal information blacked out.
After I stopped hyperventilating about how security is an illusion and no one is safe from people like Ghost, he explained to me how it all works. Or doesn't work, depending on how you look at it.
VICE: Hello, Ghost. What is social engineering?
Ghost: Social engineering is the planned altering of an interaction between yourself and a target, to produce an outcome that works in your favour. There are different types of social engineers, but in regards to what I do, the desired outcome is usually to gain access to a secured network. I do this by performing a social engineering attack. My job is to take a social scenario and engineer it to achieve a desired outcome after careful planning and profiling of certain targets.
What exactly is a social engineering attack?
A social engineering attack can take many forms and can be done in person, over email or on the phone, without the person even realising you’re there. The attack is the actual execution of manipulating your target using your toolkit.
A social engineer’s toolkit is made up of various skills: Communication (listening skills are imperative), patience, psychology, elicitation, intelligence gathering, deductive logic, acting... The list goes on.
What or who is “the target”?
The target is the person a social engineer decides to use in order to get into the company’s secured network. Social engineers use profiling to get to know their targets so they can better understand how it will be best to manipulate their way in.
What is the most effective or common way to attack?
The most common attack tool is the phone. A lot of social engineering happens over the phone. People will give away their lives without thinking because someone on the other line has asked what type of antivirus you use. You should never give away anything over the phone. But I actually find direct contact is always the best way to do it, if you can.
What’s your usual approach?
The most common strategy I use to build a rapport quickly is based around humour. Humour does something to people. If you can make someone laugh within 30 seconds, you’ve already shattered several barriers. It’s the easiest way in. It’s amazing to hit someone with a few laughs and keep them going, then: “Hey, I got distracted. Do you know if Mike Bradley is here?” Receptionist: “Sure, just go in.” She’s still laughing about the joke, she thinks I’m a nice guy and I’ve built a rapport. This woman is already thinking she knows me, by which point I can get her to do anything.
How do you decide who your target is going to be?
This is the part that takes the most time and research. First, I learn about the company. Online I can read about what they do, check out things like their stocks or any interviews they’ve done with the media. Then I start looking at who to engage.
How does that work?
I could go online and check out their employee list, see what I can find, but I usually start by calling the company. A very easy way to gain access into a secured network is through the receptionist; they are usually friendly and the first point of contact.
So have you personally engineered your way into a secure network through the receptionist?
Yes. Several times. You wouldn’t believe how easy it is for me to get employees to break policies I know their business has in place, just because I was able to pull on their heartstrings, after profiling them. Social engineers try to make quick friends out of people, because for the most part, people want to help their friends, right?
Right. Can you give me an example?
A couple of months ago I was working to gain access to a very large and highly secured company. I started by calling the head office. “Amanda” picked up and said, “Hello?” I hung up before responding. Then I googled “Amanda” and the company name. I quickly found her LinkedIn profile. Then I had her last name. In this case, I headed to a site called people.com, which is an aggregate that will search the person’s name, email account and any other online presence. With Amanda, I was able to do a background check and find everything I needed to create an extensive profile on her.
I found pictures of her kids, what school they go to, whether or not she is divorced, and for how long. How much money she makes, what kind of car she drives, where she lives, where she eats, who she hangs out with, if she is involved in charity work, what her extracurricular activities are. In this case, it was even valuable to know what TV shows she likes.
Jeez. Is it really?
Amanda likes Dexter so it becomes an important part of her profile because it might be how I strike up a conversation with her. You need to have multiple angles. This kind of stuff makes it easier for me to start planning how to chat her up.
If you just stop answering the phone, you'll be safe from social engineers... from _Hackers_; via Flickr.
What are some other things you will look for?
Honestly anything that will tell me the type of person they might be. Even their clothes can give me a good indication of who that person is.
Yes, actually one of the best ways to judge how you might attack someone is how they dress. You can tell a lot, like how much money they make, and often the kind of music they listen to. For example, I’m probably not going to start up a conversation with a hipster about the latest Lamb of God album.
So, that all sounds pretty easy. Are there any roadblocks?
Honestly, not really. When you know how to work with the internet, it’s pretty incredible what you can find out about people by doing pretty basic searches. In this case, all the information I really needed was found on Amanda’s Facebook account. If it had been private, which it wasn’t, I would just create a fake account to make her add me – this almost always works. I was able to find out everything I needed to start a pretty strong profile on her. I also found out her address because she was publicly listed.
What would you do with an address?
One of the first things I did was use Google Maps to see where she lives, and then plan some spots in her neighbourhood where I could profile her in person. For example, there’s a Starbucks near her apartment that she probably goes to – I could hang out there if I needed to do more investigating.
Pretty creepy. So how did you "attack" Amanda?
After profiling her for about a month, I was able to have a pretty specific outline in terms of how to approach her. I showed up at the company on a day I knew they were doing interviews. Amanda is a single mum, so my character was a single dad who was a half-hour late for an interview. I showed up frazzled at her desk, and pretended I couldn’t find my resume. I started a conversation with her about how I’d had to drop off my kids with the sitter and now I was late. “I really need this job,” I explained while looking for my resume. There was a lot of manipulation used here obviously. I didn’t want to be too pathetic, but I was searching for sympathy and empathy in this scenario, I was trying to provide her the power to help me. I’m late, I couldn’t get my suit on right, “I cannot get a break.”
And she fell for it?
Yes. I waited until I had her so locked in that she hardly realised I was putting a USB key on her desk and that she was printing my resume. I had to keep her engaged in a conversation about how my awful luck keeps getting me into trouble while she printed it off. The USB has a resume.pdf file, but embedded into that file is what is called a “reverse shell.” The file is infected; it has a reverse TCP exploit.
What does that mean?
Basically when she opens that file, this exploit is going to trigger it. Back at my place, I have a piece of software – an attacking framework – that is waiting for a connection. If I can get you to open an infected file, it’s going to send a connection right over to my computer, which is waiting, that will then allow me to operate from home as whoever is logged in at that moment. From there, it’s pretty straightforward stuff, but it’s also where my computer skills take over. I work to escalate my privileges. Amanda’s access to the network is limited, she can print documents and read her email and that’s about it. My goal is to escalate my privileges to the administrator account.
How easy is that to do?
Well, now that I’m connected to her machine all it takes is time. I have remote access, and I’m going to infect her computer because she’s part of the company’s network. Then I will do an exploit attack to get in, and then pivoting begins.
From home I can start pivoting through the network to access pretty much everything I want, including everything on the network. My goal in this job was to see if I could get into the accounting server and get the data off of it. I was successful. I was able to get everything. In a pretty short period of time, I was able to retrieve not only all the information on employees, but also all their customer information too, including credit card numbers, Social Insurance Numbers, direct deposit slips with signatures, addresses – pretty much anything you could ever need.
What could you do with this information?
Well, I’m a good guy, but if I wasn’t, I could easily steal someone’s identity, for starters. Not to mention all their money, if I wanted to. Something popular these days is utilising hackers for things such as financial theft and bribery. Things like denial of service attacks that basically shut down sites until someone pays to get it back. Destructive hacking isn’t uncommon.
All because Amanda is a nice person?
Do you find it is easier to hack into a computer or a person?
People are much easier to work, absolutely. The number one flaw in any system is the human condition. People’s minds are not as secure and tough as they like to think. They’re usually pretty easy to manipulate. You don’t need a degree in Psychology to do what I do. The way I grew up and the experiences I had, really allowed me to learn very quickly how people work, think and react.
In what way?
There was no obvious love or emotion flowing around my house, it was all about people being cold and hiding things. But I realised that those thoughts and feelings that we all have are always bursting through, whether you like it or not. So I was always watching and learning this stuff, studying how people work, taking quick snapshots of how it looks when someone is actually happy or surprised or mad.
Is it difficult to know you're exploiting people's good nature, and do it anyway?
Detaching from feelings can be hard, but it’s something that you need to do. The hardest part is remembering who you really are and what your actual values are. It’s very easy to compromise that in my line of work. It’s also very easy to stop liking yourself because of the situations you get into. You can easily cross your own lines when your job is basically to lie to and manipulate good people. Is it what I do? Yes. Is it who I am? No.
How does someone become a social engineer?
It usually starts with being a hacker. Social engineering is basically the next step. You have to be good at manipulating and be ready to engage actual people. You need to be willing to find the weakness in all systems and humans as well.
What else should people be aware of?
Never give away your password to anyone. It absolutely blows me away that this happens. It happens all the time. Also, people need to find a way to get past the idea that you are letting down humanity because you don’t do a stranger a favour. If I’d worded it differently with Amanda, for instance, and I’d said what was really happening: “Please risk your job and the security of all your co-workers for me” she probably wouldn’t have helped me. In fact, I can guarantee you she wouldn’t have.
Follow Angela on Twitter: @angelamaries