||Due to length of topic,
out for easier reading. Click
on PRINT in browser toolbar.
By Ira S. Winkler © 1
President, Information Security Advisors Group
It took only three days and little more
effort than you might expend making airline reservations. Using only a telephone and a
certain facility for prevarication, I was able to infiltrate a large financial
organization, secure computer access to every significant computer system, and accumulate
a wealth of information about the company's employees and the projects they were working
on. I could have obtained additional personal information about employees, including
credit card numbers, home addresses, and the names of their next of kin. If I had been a
true spy, my activities would have been devastating to the organization. I could have
crippled the company at will.
This case study demonstrates what can be
accomplished by a persistent attacker in a very short period of time through nontechnical
means. Specifically, this study looks at a pure social engineering strategy, in which the
telephone is the only tool.
To protect my clients, the example described
here is actually a compilation of several penetration test attacks launched by myself and
accomplices against very large financial institutions. The tests were part of a
comprehensive vulnerability assessment commissioned by the organizations. For the sake of
clarity, I've assumed the lead role in the narrative. Every activity described here,
although not always carried out by me personally, actually happened at several banks.
The goal of this penetration exercise was to
identify holes in the company's operational procedures that could be exploited to
compromise the bank. I was after not merely computer access but wide entry into the bank,
which would provide ongoing opportunities to compromise the entire organization. Although
the corporate officers of the bank were aware of the test, the remainder of the company's
employees were not.
In this penetration test, I had no previous
knowledge of the organizational structure, function, or personnel of the target company.
Time constraints required that I utilize a bolder than-normal approach; a true social
engineering attack would likely have taken weeks, if not months. Also, an actual attack
would probably have included several visits to the company's offices; an attacker might
even have secured a job at the company. And, of course, a real attacker would have used
the information gathered to further his or her criminal aims.
I began the attack, as I very often do, with
a search of Internet based library databases and resources, along with other open source
information. In a local telephone directory, I found the telephone number of a company
office in my area. A call to the local office furnished me with a copy of the company's
annual report as well as the toll-free telephone number of company headquarters. From the
annual report and the Internet searches, I found lists of names of numerous company
employees and officials, their job responsibilities and the projects they worked on, a
large number of news articles about senior company officials, problems with computers,
strategic directions of the company, and more. All this would prove to be critical
To conduct an effective telephone attack, I
needed to get my hands on a copy of the corporate telephone directory. I expected this
document to contain a tremendous amount of information useful to a telephone-based attack,
including all corporate locations, the names of all employees at those locations,
important telephone numbers, lists of all departments, and a comprehensive view of the
company's corporate structure.
The first thing to do to start any attack is
to figure out how a company handles its internal charge-back procedures. Toward this end,
I called the company's toll-free number and asked for the mail room, claiming to be a new
employee needing information about how to ship packages both within the United States and
abroad. I learned that generally two numbers were required to perform a transaction within
the company: an employee number and a cost center number. A call to the corporate graphics
department confirmed the importance of these numbers.
My team reviewed the list of people we had
collected information on, and we chose an executive that we probably knew the most about.
This executive's recent accomplishment had been noted in the annual report. I put in a
call to his office through the company's toll-free telephone number and spoke with his
secretary. Claiming to be from the company's public relations department, I told her that
I would be highlighting her boss's recent success in an upcoming edition of the
corporate newsletter and I therefore needed some information about him. I asked a series
of basic and harmless questions about the executive's background.
I then told the secretary that I might have
more questions later, and that if she gave me the executive's employee number I could
probably look up the information myself. She gladly gave me the number. A later call to
the secretary by an accomplice posing as an auditor secured the man's cost center number.
My accomplice merely inquired about what department should be charged for the employee's
I called the department responsible for
distributing corporate telephone directories. Posing as the executive, I requested that a
directory be sent to a "subcontractor" with a valid need for the book. After I
gave the employee and cost center numbers, the department shipped the directory to me via
overnight courier at the company's expense.
Once I had the telephone directory in my
hands, I was able to contact dozens of employees, at all levels of management and in every
department, to obtain general corporate information and their employee numbers. I usually
obtained the numbers by impersonating a human resources employee who had accidentally
contacted the wrong employee to pick up a travel package. The travel package ruse worked
because it caught people off guard, and it was easy to joke about the "mix-up."
I started each call by saying that I had a travel package to San Francisco ready for
pickup. After the initial shock wore off, the person usually told me that he or she wasn't
going to San Francisco. The quick joke, "Well, would you like to go?" put the
person completely at ease. I then asked for his or her employee number and apologized for
the confusion. To obtain corporate information, I pretended to be a new employee who
needed to know something in order to do my job.
In this way -- by simply lying over the
telephone -- I was able to accumulate a significant amount of sensitive information. This
included information on sensitive projects throughout the firm and detailed information
about its people and computer architecture. While it might not seem important, I had the
specific knowledge required to know how to take down the most important systems in the
firm, along with detailed information on the financial systems.
We were about two days into the attack, and
the results were staggering to the target. Our contact inside the bank wanted us to be
more aggressive and to actually obtain access to the computer systems. Selective computer
access would make it possible to exploit much more information in a very short period of
time and to get to the financial systems. To gain the access I needed, I would have to
acquire user IDs and passwords to a variety of accounts on systems throughout the company
and at least one point of entry on to their network. I decided that the most vulnerable
targets for this level of attack were new company hires. Not only were new hires likely to
be the most naive, they would also be scattered throughout the company.
To obtain the names of the company's newest
employees, I called the new hire administration office. My plan was to pretend to be the
assistant to a high-level executive who wanted to personally welcome new employees to the
company. My boss was extremely upset, I would claim, because the list of new hires was
overdue. (I found the executive's name in a variety of open sources. The company telephone
directory and the annual report indicated that he was one of the most senior people in the
firm. Scouring through the directory provided the name of the employee who could be his
As luck would have it, my initial call to the
new hire office was picked up by an answering machine. The message on the machine revealed
that the office had moved, and it gave the new telephone number as well as the name of the
person assigned to the telephone number. Learning the name of the person in the new hire
office was critical, because knowledge of a specific name increases the credibility of any
It was late afternoon when I called the new
number. I asked for the new hire administrator by name; the new hire administrator had
left for the day. The person who took my call turned out to be a relatively new clerical
worker with full computer access. I simply told the clerk that the absent administrator
provided me with the information I wanted on a regular basis. Because the information was
already overdue and my boss -- one of the most senior people in the company -- was upset
(and because my pleading was so pathetic), the clerk told me everything I wanted to know.
In short order, I'd obtained the names of all the employees who had started work in the
past three weeks, along with most of the names of their departments. In total, I acquired
the names of fifty-five employees in departments throughout the organization.
Impersonating an information systems
employee, I contacted the new hires, supposedly to provide them with a "computer
security awareness briefing." I had decided to avoid contacting any actual
information systems employees, because they were more likely to be aware of the importance
of protecting passwords; this criteria eliminated seven of the fifty-five employees. I
used the security briefing ruse, because people are usually intimidated by any contact
dealing with security and they usually provide all requested information without
challenge. Additionally, people are unlikely to suspect that anyone would commit such a
I started my "awareness briefings"
by first finding out about their hardware and software environments. I obtained
information about the types of computers the employee used, the names of the systems, the
types of software applications used, and the employee number of each person I spoke with,
along with their user ID and password. If the person accessed the company via modem, I
asked for the modem number and password. During one of the telephone interviews, an
employee did not know the information I asked for, so she put her supervisor on the phone.
Her boss gladly answered all my questions.
I did not start out the interviews by asking,
"What's your password?" This type of question is extremely sensitive. It is a
Red Flag question. If a person has even a basic understanding of security issues, he or
she would stop the conversation in its tracks. Using basic intelligence elicitation
techniques, I asked the innocuous questions first (I even tried to sound bored as I was
asking them). After I asked a series of questions that anybody would answer, I started
working in the sensitive questions. After I had the answers to those, I then asked some
additional boring questions. This leaves the impression that no important questions have
been asked. After the questioning ended, I made up some basic security guidelines to tell
the employee as part of the official briefing.
From the telephone directory, I was able to
identify all of the banks telephone exchanges. One of my accomplices then used a war
dialer (a computer tool that dials every telephone number in a specified range to search
for possible modems) to find the computer access points. A call to the information systems
help desk enabled me to locate some additional modem lines. The modem numbers provided me
with computer access and the ability to exploit the compromised user accounts. Obtaining
the modem information effectively circumvented a very sophisticated firewall system and
rendered it useless. During a later attack, I used similar social engineering methods to
establish my own computer account with the company. I also was able to convince company
employees to send me communications software that accessed a "secure" modem
Despite strong technical security
countermeasures, the penetration activities described in this case study were extremely
successful in a very short period of time. This attack bypassed millions of dollars of
technical security mechanisms and put the company at my team's mercy. By the time I was
finished, I had access to almost all significant systems.
Although the attack appears to have focused
on computer access, I should point out that the company's computers were targeted only
because of the information or services they could provide. Many of the early telephone
attacks were exploratory in nature, designed to determine which departments and systems
were critical to the organization. Certain individuals were targeted because of their
access to information.
The attack might seem from my description to
be very complicated and time consuming, but it was a relatively simple operation,
accomplished in less than three days. It was also cheap: I used the company's toll-free
telephone number and resources to pay for any costs incurred in telephone calls and
overnight delivery expenses.
Even though my cumulative activities were
unusually blatant, no reports were made to security about any strange or unusual
incidents. This is understandable, since the assault was built from many small actions,
which were, in themselves, innocuous.
Many of the vulnerabilities exploited in this
penetration exercise are common to most companies and definitely to investment banks. The
following discussion of the specific weaknesses I took advantage of should provide
insights that will help you protect yourself against social engineers.
As the Target
If the goal of the attackers in this case
had been only to obtain computer access, they could have easily accomplished this by
randomly telephoning people and asking them for their passwords. The parts of the
organization attacked would also have been totally random. Little research would have been
necessary, and the attack could have been accomplished in about an hour.
What I was after, however, was specific data
that would allow me to significantly compromise a large cross section of the entire
organization. I first conducted research to determine which information was valuable, and
then I conducted further research to develop a plan of attack. The specific targets in
this attack were carefully chosen for the information they could provide.
Computer access is important, because it can
provide access to large volumes of data from remote locations with minimal effort.
However, when financial organizations are involved, the potential volume of information
obtained is irrelevant when compared to the potential value of a specific piece of
information. I was very well aware that a single report containing insider information
about a stock purchase or information about how to perform financial transactions was much
more valuable than the combined value of millions of other random files. Using this
knowledge, I chose specific parts of the company to attack. This allowed me to weed out a
lot of garbage and focus on targets most likely to have extreme value.
I began my attack by examining open source
information. Open source information is any piece of information that is publicly
available, including newspapers, corporate annual reports, library computer search
facilities, help wanted advertisements, and technical magazines. I acquired an incredible
amount of "internal" knowledge by examining these kinds of materials, which are
freely available to anyone.
This information provided accurate details on
corporate budgets and major company projects. I also used it to learn about the
individuals leading current projects, the names of major hardware and software vendors,
and any significant problems in the organization. Through the publicly available annual
report, my team learned about the company's high level organizational structure and was
therefore able to determine which groups within the organization were most likely to have
the types of information we wanted. By accumulating information about the ongoing
activities of the company, I was able to present myself as a company employee. Armed with
this information, I was able to talk and act like a true insider.
Most of the people I contacted during the
attack were genuinely interested in helping out a fellow employee. This is an extremely
desirable attribute, but one that is easily exploitable. Although some employees did
attempt to verify my identity, once I offered a valid employee number, they handed over
great chunks of information. More important, even if I had been the person I was claiming
to be, I really had no need of the information I was asking for. Whenever I connected with
a very helpful person, I "played dumb," which inspired my targets to fill in
many gaps in my knowledge and give me much more information than anyone would have needed.
within Large Corporations
Every phase of this attack was enabled by the
immense size of the target organization. Most employees only know a small percentage of
their fellow employees personally, greatly reducing my chances of impersonating a friend
Additionally, most employees know very little
about the jobs of other employees. For example, even though an employee might work for the
information systems department, there is no way for another employee to know whether that
person is actually responsible for providing a "security awareness briefing."
Common Internal Identifiers
During the early phases of the attack, it
became clear that the employee number was a critical identifier used throughout the
organization. This number was used when requesting capital assets and when requesting help
desk support. Unfortunately, the employee number was used much too frequently (it appeared
on all personnel forms), making it natural to disclose the identifier to just about anyone
within the organization that seems to have any need for the number. To an employee, it is
a tool for getting things accomplished and not a piece of information that needs to be
protected. Even employees who were reluctant to disclose information to me during my
attacks were willing to hand over their employee numbers with minimal coaxing.
This situation is common in every large
organization in this country. When numbers are so widely distributed, they cannot be
considered valid identifiers. In organizations using Social Security numbers, this problem
is even more serious. A criminal who obtains an individual's Social Security number
can impersonate that person in all aspects of his or her life. Numerous cases have
involved a criminal using a Social Security number alone to retrieve a credit report,
which contains all information about credit cards and bank accounts. The information was
then used to reroute checkbooks and credit card statements, while the criminal ran up
balances on the credit card and withdrew all funds from the bank accounts.
Organizations must differentiate between
personnel identifiers and personal validation codes.
Security professionals, especially
information systems security professionals, tend to believe that individuals understand
basic security principles, such as protecting computer passwords and locking up sensitive
information at the end of the day. They believe that everyone is aware of the threat to
information and the importance of the controls in place. In the organizations penetrated
in this case, an incredible amount of effort had been put into implementing very strong
technical security mechanisms. Unfortunately, minimal (if any) effort was put into
Common sense cannot exist without common
knowledge. People were not made aware of which data was important or how to protect
important information. In this case, even the technical people were compromised. Remember,
this attack was I00 percent successful.
Verification of Callers' Identities
Again, this case study is actually a
compilation of penetration tests against several financial institutions. In every one of
those institutions, I found no procedures for verifying callers' identities or their need
for the information they requested. All the financial institutions in this case relied
solely on employee numbers, which were very easy to come by and did not hinder the effort
Early in the attack, it became obvious that
even if people had thought I was up to something, they could have done very little about
it. There was no obvious place for them to report strange occurrences.
The problem here is threefold. First, the
employees did not understand exactly what a possible "security-related problem"
was. Second, there were no means for reporting unusual incidents to the right people
(i.e., the security department). Third, assuming the incident was reported to the
appropriate people, there was no way for those people to spread the word throughout the
organization. In the absence of any one of these procedures, the attacks could continue
with minimal modifications. Future attacks would only be improved by this detection,
because it tells the attackers how to avoid getting caught.
1. This article is excerpted from the book Corporate Espionage
by Ira Winkler (Prima Publishing, 1997). It is reproduced here with the author's
permission. It remains copyrighted and may not be reproduced without the author's
permission. The author may be contacted by e-mail at firstname.lastname@example.org.