How to Win Passwords and Hackfluence Corporations: An Interview with a Social Engineer
How most people imagine hacking... From 'Hackers.' via Flickr.
A lot of people think of hacking as a process whereby some greasy nerd clacks away on a keyboard so much that they end up gaining access to another computer, in a wash of neon green, blinking command prompts—like something out of Keanu’s “Follow the White Rabbit” scene in The Matrix. That’s not necessarily an untrue or unfair way to picture it. But in reality, there’s a whole other stream of hacking called social engineering that mostly relies on tricking people into giving up their personal information, or confidential information belonging to their employer. And in a world where almost everyone’s personal and/or corporate data is floating around on the internet, social engineering is only becoming a more popular line of work for those who are trained in deception, manipulation, and computer hacking.
I met up with a hacker who specializes in offensive security (protecting oneself through data-driven attacks, rather than firewall-style defense) and social engineering, to gain some insight into how this all works. He goes by ‘Ghost,’ because, well, of course he does. Over coffee, Ghost showed me some examples of the systems he had socially engineered his way into, including the backend of a major corporation whose income was in the tens of millions of dollars. In a matter of seconds, we were inside their network and from here it was remarkable how much we could see—everything from customers’ full names, Social Insurance Numbers, direct deposit slips and home addresses, to private internal emails between executives about company spending. We even had easy access to copies of employees’ passports, with none of their personal information blacked out.
After I stopped freaking out about how security is an illusion and no one is safe from people like Ghost, he explained to me how he operates in this crazily intrusive line of work, and how companies end up getting duped by people like him.
VICE: What is social engineering?
Ghost: Social engineering is the planned altering of an interaction between yourself and a target to produce an outcome that works in your favor. There are different types of social engineers, but in regards to what I do, the desired outcome is usually to gain access to a secured network. I do this by performing a social engineering attack. My job is to take a social scenario and engineer it to achieve a desired outcome after careful planning and profiling of certain targets.
What exactly is a social engineering attack?
A social engineering attack can take many forms, and can be done in person, over email or phone or without the person even realizing you’re there. The attack is the actual execution of manipulating your target using your toolkit.
A social engineer’s toolkit is made up of various skills: Communication (listening skills are imperative), patience, psychology, elicitation, intelligence gathering, deductive logic, acting, and the list goes on.
What or who is “the target”?
The target is the person a social engineer decides to use in order to get into the company’s secured network. Social engineers use profiling to get to know their targets so they can better understand how it will be best to manipulate their way in.
What is the most effective or common way to attack?
The most common attack tool is the phone. A lot of social engineering happens over the phone. People will give away their lives without thinking because someone on the other line has asked what type of antivirus you use. You should never give away anything over the phone. But I actually find direct contact is always the best way to do it, if you can.
What’s your usual approach?
The most common strategy I use to build a rapport quickly is based around humor. Humor does something to people. If you can make someone laugh within 30 seconds, I’ve already shattered several barriers. It’s the easiest way in. You can roll with it. It’s amazing to hit someone with a few laughs and keep them going, then: “Hey, I got distracted. Do you know if Mike Bradley is here?” Receptionist: “Sure, just go in.” She’s still laughing about the joke, she thinks I’m a nice guy and I’ve built a rapport. This woman was already thinking that she knows me and at that point I can get her to do anything.
How do you decide who your target is going to be?
This is the part that takes the most time and research. First I learn about the company, by going online usually, I can read about what they do, check out things like their stocks or any interviews they’ve done with the media. Then I start looking at whom to engage.
How do you begin that process?
I can go online and check out their employee list, see what I can find. But I usually start by calling the company. A very easy way to gain access into a secured network is through the receptionist; they are usually friendly and also are the first point of contact.
So have you personally engineered your way into a secure network through the receptionist?
Yes. Several times. You wouldn’t believe how easy it is for me to get employees to break policies I know their business has in place, just because I was able to pull on their heartstrings, after profiling them. Social engineers try to make quick friends out of people, because for the most part, people want to help their friends, right?
Right. Can you give me an example?
A couple of months ago I was working to gain access to a very large and highly secured company. I started by calling the head office. “Amanda” picked up and said, “Hello?” I hung up before responding. Then I Googled “Amanda” and the company name. I quickly found her LinkedIn profile. Then I had her last name. In this case, I headed to a site called Pipl, which is an aggregate that will search the person’s name, email account and any other online presence. With Amanda, I was able to do a background check and find everything I needed to create an extensive profile on her.
I found pictures of her kids, what school they go to. Whether or not she is divorced, and for how long. How much money she makes, what kind of car she drives, where she lives, where she eats, who she hangs out with, if she is involved in charity work, what her extracurricular activities are. In this case, it was even valuable to know what TV shows she likes.
For example, when I saw that Amanda likes Dexter, this becomes an important part of her profile because it could be how I strike up a conversation with her. You need to have multiple angles. This kind of stuff makes it easier for me to start planning how to chat her up.
If you just stop answering the phone, you'll be safe from social engineers... From 'Hackers.' via Flickr.
What are some other things you will look for?
Honestly anything that will tell me the type of person they might be. Even their clothes can give me a good indication of who that person is.
Yes, actually one of the best ways to judge how you might attack someone is how they dress. You can tell a lot, like how much money they make, and often the kind of music they listen to. For example, I’m probably not going to start up a conversation with a hipster about the latest Lamb of God album.
So, that all sounds pretty easy. Are there any roadblocks?
Honestly, not really. When you know how to work with the internet, it’s pretty incredible what you can find out about people by doing pretty basic searches. In this case, all the information I really needed was found on Amanda’s Facebook account. If it had been private, which it wasn’t, I would just create a fake account to make her add me—this almost always works. I was able to find out everything I needed to start a pretty strong profile on her. I also found out her address because she was publicly listed.
What would you do with an address?
One of the first things I did was use Google Maps to see where she lives, and then plan some spots in her neighborhood where I could profile her in person. For example, there’s a Starbucks near her apartment that she probably goes to—I could hang out there if I needed to do more investigating.
OK, so how did you attack Amanda?
After profiling her for about a month, I was able to have a pretty specific outline in terms of how to approach her. I showed up at the company on a day I knew they were doing interviews. Amanda is a single mom, so my character was a single dad who was a half-hour late for an interview. I showed up frazzled at her desk, and pretended I couldn’t find my resume. I started a conversation with her about how I’d had to drop off my kids with the sitter and now I was late. “I really need this job,” I explained while looking for my resume. There was a lot of manipulation used here obviously. I didn’t want to be too pathetic, but I was searching for sympathy and empathy in this scenario, I was trying to provide her the power to help me. I’m late, I couldn’t get my suit on right, “I cannot get a break.”
And she fell for it?
Yes. I waited until I had her so locked in that she hardly realized I was putting a USB key on her desk and that she was printing my resume. I had to keep her engaged in a conversation about how my awful luck keeps getting me into trouble while she printed it off. The USB has a resume.pdf file, but embedded into that file is what is called a “reverse shell.” The file is infected; it has a reverse TCP exploit.
What does that mean?
Basically when she opens that file, this exploit is going to trigger it. Back at my place, I have a piece of software – an attacking framework – that is waiting for a connection. If I can get you to open an infected file, it’s going to send a connection right over to my computer, which is waiting, that will then allow me to operate from home as whoever is logged in at that moment. From there, it’s pretty straightforward stuff, but it’s also where my computer skills take over. I work to escalate my privileges. Amanda’s access to the network is limited, she can print documents and read her email and that’s about it. My goal is to escalate my privileges to the administrator account.
How easy is that to do?
Well, now that I’m connected to her machine all it takes is time. I have remote access, and I’m going to infect her computer because she’s part of the company’s network. Then I will do an exploit attack to get in and then pivoting begins.
From home I can start pivoting through the network to access pretty much everything I want, including everything on the network. My goal in this job was to see if I could get into the accounting server and get the data off of it. I was successful. I was able to get everything. In a pretty short period of time, I was able to retrieve not only all the information on employees, but also all their customer information too, including credit card numbers, Social Insurance Numbers, direct deposit slips with signatures, addresses—pretty much anything you could ever need.
What could you do with this information?
Well, I’m a good guy, but if I wasn’t, I could easily steal someone’s identity, for starters. Not to mention all their money, if I wanted to. Something popular these days is organized crime that is utilizing hackers for things such as financial theft and bribery. Things like denial of service attacks that basically shut down sites until someone pays to get it back. Destructive hacking isn’t uncommon.
All because Amanda is a nice person?
Do you find it is easier to hack into a computer or a person?
People are much easier to work, absolutely. The number one flaw in any system is the human condition. People’s minds are not as secure and tough as they like to think. They’re usually pretty easy to manipulate. You don’t need a degree in psychology to do what I do. The way I grew up and the experiences I had, really allowed me to learn very quickly how people work, think and react.
What was your childhood like?
I grew up around a lot of hidden emotion. I was always watching for subtle changes in people—there was no obvious love or emotion flowing around my house. It was all about people being cold and hiding things. But I realized that those thoughts and feelings, that we all have, are always bursting through, whether you like it or not. So I was always watching and learning this stuff, studying how people work. Basically a lot of fake shit, but I’ve been logging it all in my head, like taking quick snapshots of how it looks when someone is actually happy or surprised or mad and kept filing it away.
What’s the hardest part of being a social engineer?
Detaching from feelings can be hard, but it’s something that you need to do. The hardest part is remembering who you really are and what your actual values are. It’s very easy to compromise that in my line of work. It’s also very easy to stop liking yourself because of the situations you get into. You can easily cross your own lines when your job is to pretend and basically to lie to and manipulate good people. Is it what I do? Yes. Is it who I am? No.
How does someone become a social engineer?
Well, it usually starts with being a hacker. Social engineering is basically the next step. You have to be good at manipulating and be ready to engage actual people. You need to be willing to find the weakness in all systems and humans as well.
What else should people be aware of?
Never give away your password to anyone. It absolutely blows me away that this happens. It happens all the time. Also, people need to find a way to get past the idea that you are letting down humanity because you don’t do a stranger a favor. If I’d worded it differently with Amanda, for instance, and I’d said what was really happening: “Please risk your job and the security of all your co-workers for me” she probably wouldn’t have helped me. In fact, I can guarantee you she wouldn’t have.
Follow Angela on Twitter: @angelamaries