Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

social engineering, pretexting, security awareness, training
This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

My Short Career as a Social Engineer. 

See, I wear a lot of hats around here at Sight Training: blogger, course writer, social media manager, bringer-in of sweets and baked goods. So it was natural for me to try on the (white) social engineering hat about a year ago when we needed an extra pretext caller for a social engineering pen test.

Now, you should know that my colleagues are total pros. They’ve been hired by dozens of companies and have done hundreds of these tests using pretext phone calls and phishing emails. And they’ll tell you that, even on your best day, you’ll probably only get a small part of the information you want.

Newbie translation: “Hey, you’re new at this and it’s really hard—so don’t worry if you screw it up.”

I played this advice over and over in my mind as I sorted through my call list. I had a giant cup of coffee, a prepaid cell phone, an employee to impersonate, and fifteen people to call.

Here was the shtick: I was from the IT department, and I was in major trouble (sniff, sniff). We were having “server issues” and I needed to make sure that everyone was only logged into the company system once to avoid a data breach.

Note: this is not a real thing. This was total made up junk and jargon. And it totally worked. 

“Miss” Demeanor

With sweaty palms and a shaky voice, I made the first call…and no one answered. Second number…still no answer. But on the third call, I struck gold. Here’s pretty much how it went:

Joe Employee: Hello?
Me: Oh, hi Joe. I’m so-and-so from the IT department. How are you?
Joe: Oh…hi. I’m fine. How are you? Me: Well, not so good. We’re having a really rough day over here (pause….sigh…). But you might be able to help me.
Joe: Oh, ok! Yeah, whatever you need.
Me: (somewhat surprised) Well, it would really help me out if I could check and make sure that you’re only logged in one time on the system.
Joe: Oh, ok sure. I’m not sure what that means, but ok.
Me: Great. Ok, I think…well, just a second…yeah, I’ll need your login and password to check that on my end.
Joe: Alright. You ready? OK, it’s………………..

And there it was. I had just swiped a guy’s corporate login information. We closed the phone call with pleasantries, and he told me he hoped that my day improved. I assured him that it already had.

And here’s the best part. My damsel-in-distress routine worked. Every. Single. Time. From my short list of fifteen, I got through to ten people—and got ten logins and ten passwords.

First try, perfect record. I was the secret weapon.

This is not surprising—and I’m not the first to try it. In fact, a young lady named Christina cleaned up in this year’s Social Engineering Capture the Flag (SECTF) contest at DefCon in August. Christina is not an IT professional—but she held her own with very little time to prepare.

See, Christina and I have something that “ubiquitous northwestern guy” or “dude with slight Texas accent” could never have. We might be princesses who need saving or the nice lady next door—and it gets them every time.

It would not be an overstatement to say that, between my calls, my colleague’s calls, and one very clever phishing email, we demolished this group of employees—and it wasn’t long before the folks in charge realized they needed serious social engineering training.

The Takeaway—Be Alert: Anyone Could Be a Social Engineer.

This is by no means a comprehensive or scientific test. It’s just one girl’s experience. But there are definitely some things we can learn here:

First, when you get a call you don’t expect, listen carefully and ask questions. One of the gentlemen I called actually knew the guy I was impersonating...yes, guy. My alias was a man from the IT department with a gender-neutral name. Unfortunately, I got all the way through to his login and password before that caller realized his mistake.

Second, don’t let jargon confuse you. Yeah, you may not want to look dumb and ill informed when someone starts throwing around technical terms. But it never hurts to say “You know what, I’m not familiar with what you’re talking about. Why don’t you speak to my manager?”

And here’s the obvious third: trust no one. Never make assumptions about the lengths to which a social engineer will go to get the building blocks they need for success. They will play on your weaknesses and find ways to get in your head. And for many men, that weakness is a friendly girl.

Like what you just read? Great! It's the first in a running blog series we're calling "Oh, The Humanity: Stories from the White Side." Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our first hand experience with pretexting, phishing, proximity attacks, and more have provided us with ample ammunition. Tune in next week!

More About Social Engineering