Sharon Conheady speaks about hi-tech devices and applications that facilitate social engineering attacks and outlines the advantages of outsourcing services.
So social networks are great, but there’s loads and loads of technology now that you can use to improve or automate your social engineering attacks to make them more effective or to make them more fun from the social engineer’s point of view as well.
You’ve got Photoshop and GIMP, you can make your own ID cards, you can make your own business cards, actually there are lots of sites that you can use online to produce ID cards and business cards as well, that’s not a problem. You can use Maltego or Pipl to do some passive reconnaissance. So you’ve got the name of an entity, whether it’s an organization or an individual, Maltego will give you a really good graphical representation of links between that entity and other entities. So you put in the name of an individual, it may come back with email addresses, physical addresses, telephone numbers, etc. It’s really useful.
The Social Engineers Toolkit from Social-Engineer.org – again, it’s fantastic for social engineers, it’s a one stop social engineering shop. It’s really good for running any particular phishing program for example. It can recreate entire websites, it can automate sending a payload via a phishing email, it’s really good.

And of course there are so many other things, like physical bugs that you can put into rooms. They are so much slicker now than they used to be. I’ve got a handbag with a secret hidden camera in it that I bring around, I can use it for shoulder surfing people when they type their passwords, or I can use it for recording an entire social engineering attack. And of course you’ve got caller ID spoofing which anybody could do these days, you just buy an application to do that. You can buy a spoof card or you can buy an application for your smartphone. And spoof cards are often the number 1 seller on sites like Spy Associates (see image). So it’s really easy to do. I feel like James Bond sometimes when I am doing my social engineering attacks because I have so much cool equipment. I really like this one – it’s a memory card inside a coin (see image). So sometimes when you are going to data centers, you have to hand over all your media and your mobile phone, everything like that, but they are hardly going to check every single coin you have in your pocket. You do have to be careful not to spend it.
But what about the technology and the equipment that we might expect to see in the future? A couple of months ago scientists made another development with regards to invisibility cloaks, so very Harry Potter style. Can you imagine if you had an invisibility cloak and you were trying to get into an organization?
Also there is a laser camera that takes photos around corners – what fantastic technology! So the whole idea of this laser camera – this is a quote from one of the guys that invented it – is: “You could generate a map before you go into a dangerous place like a building fire, or a robotic car could use the system to compute the path it should take around a corner before it takes it.” So it does have some pretty good uses. I thought – how fantastic would that be for shoulder surfing from afar!

So this is where we are: we are the purple spot just here (see screenshot), the red spots are banks nearby, presumably with ATMs. So how about you put a laser camera around the corner from each of these ATMs? You are not even near the ATM and you can get people’s PINs! A few complications at the moment are that the laser cameras are about the size of a room, and the picture quality is pretty poor for the moment. Can you imagine in the future, how useful that would be?
So finally, with social engineering, if you don’t want to do it yourself, you can outsource it now. They set up call centers all over the place that will do your social engineering for you. So they will provide you with professional callers, male and female, any language, any age that you want. And it’s approximately 7–15 USD per call.
So the whole idea behind this is obviously it is really easy to buy credit cards online. But getting a credit card, what do you do with it? It’s not actually that useful. What you want to do with it is buy valuable equipment, valuable things online and then sell them. So you’ve paid 2 USD for your credit card, you want to buy a laptop online, maybe the latest Mac, but you want to sell it for 500 USD, everyone’s getting a good deal, you make quite a good profit out of this. But the problem is the credit card is registered to a 77-year-old Italian lady, and you need to call up the bank to change the delivery address and to change the billing address. Well, the chances are... I don’t see anybody here that looks and sounds like a 77-year-old Italian lady.
So what do you do? You get one of these call centers onto the case. They’ve got some pretty slick ordering screens now where you provide the type of order, what age group, what you would like the person to sound like. And you pay 7–15 USD per call. So this particular professional call service example will make calls for 12 USD. They’ll only accept money for full calls. And if an operation fails because of insufficient data provided by the customer, they hold no responsibility: for example a question about the card holder’s neighbors, they might not have this info. So again, it’s encouraging you to research more and more about your target so that you can increase the chances of this call being successful.

Scareware has been a huge issue over the past years. We often see a pop-up saying: “Would you like a free antivirus check of your PC?” But lately what we were seeing here in the UK is people are receiving telephone calls saying: “This is Microsoft, we’ve noticed that you’ve got a virus on your computer. Would you like to outsource the management of your computer to us? We will keep it safe. You just have to pay a small monthly fee.” Of course you give across all your user credentials, as well as paying them a monthly fee (see image). This is all happening via call centers as well. So if you don’t want to social-engineer directly, just outsource it.