Security consultant Adam Pointon was hired to conduct a penetration test against a relatively small, low-profile organisation that holds very commercially sensitive information. Company management dictated the audit must include a physical and social engineering component. Due to the small size of the organisation, Pointon decided a password reset would be too risky -- all the staff knew each other. So, he took a different tack. He would send a staff member a customised "proof of concept" Trojan he had written in C++ which would give him access to the corporate LAN. When executed, it would connect back to one of his systems.
"After the PABX audit which was conducted out of hours, I was able to determine the names of people in key positions within the company, including the full name and contact number of the communications manager. I got full read-and-write access to his voicemail, too, but that's another story," Pointon says.
"The next day I called and asked to be put through to the communications manager, without mentioning his name, I was forwarded through."
The following is a transcript of the call Pointon made. He uses his prior knowledge of the communications manager's last name, Smith, to assist his social engineering attempt. Names of both staff and companies have been changed.
Communications Manager [CM]: Hello James speaking.
Adam Pointon [AP]: Hi Mr Smith, it's Matt South from Acme Oz Telecommunications here, I'm calling to inform you that we are installing a new tail of our fibre loop at the rear of 28 Blah St, and I need your cooperation on the matter.
CM: [Cuts in] You're what? You're installing a fibre tail and you need my cooperation?!
AP: Yes. We are adding a new section to our fibre loop which will require us to access the rear of your premises. I need to find out if anyone will be there on Saturday from 9am until 4pm to assist us with access.
CM: OK hang on a minute. Where exactly is this fibre tail going to be laid?
AP: At the rear of 28 Blah St. There is an Acme Oz Telecommunications pit that currently provides lines to your building. We need to open the pit and feed through some cable.
CM: OK, well, I'm not sure if anyone will be here this weekend. Are you going to allow us to connect to this new fibre loop? We have asked you guys numerous times if we can get a faster feed in here but no one has ever got back to me about it.
AP: Well we must have taken that into consideration because on this document I have here it mentions your company as being a possible future user of the service.
CM: What's the document?
AP: I will send it to you if you like.
CM: OK, well send it through. I'll speak to my colleagues and see if anyone will be here this weekend.
AP: OK, one thing to note: the document is a protected Acme document which is in self-extracting .EXE format; it will be coming from my e-mail address matt.south@acmedomain.com.
CM: OK, send it through [said impatiently].
AP: Give me five minutes.
CM: Right, bye.
The victim's desire for a faster Internet connection into the premises appears to be at the crux of his downfall, Pointon says. Being able to register a free e-mail address with the telecommunications company also helped: if the victim had sent a response to Pointon, he would have received it, which would not have been possible had he forged the mail from a fictitious address.
The attachment was executed within two minutes of Pointon sending it.
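The attachment in this story was a self-extracting .EXE sent from an external address and opened within two minutes, so the practical control is a mail-gateway check that flags executable attachments before a user ever sees them. The following is an added illustration from the editor, not code from Pointon or from the article; the message builder, the address placeholders and the attachment names are constructed test data, and the scanner checks both the file name and the PE (MZ) magic bytes so that a renamed executable is still caught.

```python
"""Flag executable attachments in inbound mail (added defender's example, not from the article)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute directly; self-extracting archives ship as .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe files and self-extracting archives


def classify_attachment(part):
    """Return the reasons this MIME part looks executable, or [] if it looks clean."""
    reasons = []
    filename = part.get_filename() or ""
    lower = filename.lower()
    # Only the final suffix matters to Windows, so "quote.pdf.exe" is caught
    # and a leading ".pdf" buys the attachment no trust.
    if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        reasons.append(f"executable extension in {filename!r}")
    payload = part.get_payload(decode=True) or b""
    # Content sniffing: a harmless-looking name with a PE header is still an executable.
    if payload[:2] == PE_MAGIC:
        reasons.append(f"PE (MZ) header in {filename!r}")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and return a finding for each suspicious attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reasons = classify_attachment(part)
        if reasons:
            findings.append({"filename": part.get_filename(), "reasons": reasons})
    return findings


def build_sample(filename, content, content_type=("application", "octet-stream")):
    """Build a constructed test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@external.example"  # placeholder address, constructed
    msg["To"] = "recipient@company.example"  # placeholder address, constructed
    msg["Subject"] = "Fibre loop document"
    msg.set_content("Document attached as discussed.")
    msg.add_attachment(content, maintype=content_type[0],
                       subtype=content_type[1], filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # A self-extracting executable named honestly: flagged on both name and content.
    print(scan_message(build_sample("document.exe", b"MZ\x90\x00" + b"\x00" * 60)))
    # A real PDF: no findings.
    print(scan_message(build_sample("report.pdf", b"%PDF-1.4\n", ("application", "pdf"))))
    # An executable renamed to .pdf: still flagged by the MZ header.
    print(scan_message(build_sample("report.pdf", b"MZ\x90\x00" + b"\x00" * 60)))
```

The two checks are deliberately independent: an extension block alone is defeated by renaming, and magic-byte sniffing alone misses scripts that have no binary header, so a gateway should apply both and quarantine rather than merely warn, since the user in this story had already been primed by phone to expect and open the file.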

Hello,
This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?
Thanks in advance,
Christian