A Real Social Engineering Case
A few days back I was assigned a project to get back a domain from a couple of guys who had taken it over. The project also had a limited time for completion.
My main purpose in taking on this job was to prove to my friends, colleagues and associates that anything can be achieved if you set your mind to it, no matter how difficult the process. It was also an opportunity for me to try out and test my social engineering (for a good cause) and technological skills.
What is Social Engineering?
Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.
The following is a real case of social engineering. I have changed the names of the domain, the registrar and some other details in order not to reveal the real identities involved. The passages in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick; they describe the social engineering tricks used in this case.
Project: Getting back the domain.com
Project Code Name: domain
Type of work: Combination of Technology and Social Engineering.
Details:
Domain.com has been taken over by someone and has to be retrieved as soon as possible.
Tasks:
1. Getting the domain back
How it was done:
Looking at the situation from different angles, I believed the best approach to this task would be a combined technological and social engineering attack rather than a technological one alone.
Getting the Domain.
I contacted the Domain Registrar to find out how the administrative email could be changed as quickly as possible in order to retrieve the domain password.
I played the sympathy card with a story about an ex-administrator who took all the passwords with him when he left the company. I also played dumb so that the support guy would give me specific instructions on how to fill in the form to reset the administrative account.
Can You Help Me?
The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.
The attacker asked the organisation’s support personnel to walk him through the steps of a form-filling process he didn’t know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you’ve just stolen from his shelves out to your car.
The administrative email was successfully changed and the domain password was retrieved. After logging in with this password, I realised I was in for more trouble: the domain account resided inside another, higher-level account (known as the One Click Domain Manager, or OCDM, account). The password to this OCDM account was still held by the guys who had taken over the domain.
The next step was to find out how powerful this so-called OCDM account was. To learn about its capabilities and how the whole system worked, I created my own OCDM account and explored everything it could do.
After a couple of minutes with the OCDM account, I found that a domain can be imported into an OCDM if you know that domain’s password. Since I had the password for domain.com, I tried importing it into my OCDM account, only to learn that domain.com first had to be removed from the original OCDM account in which it currently resided. Only then would I be able to import it into my own OCDM account.
I took advantage of this: having learned the details of how OCDM accounts work and the lingo that goes with them, I could ask directly for what I needed.
Trust:
Think of your own attitude when somebody you don’t know asks you for something. If a shabby stranger comes to your door, you’re not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you’re likely to be much less suspicious.
What’s less obvious is that we judge people on the telephone the same way. Does this person sound like he’s trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? Does he or she have the speech of an educated person? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.
It’s natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee or customer and who knows the company procedures and lingo.
I called up Domain Registrar support again and told the support guy that I was having problems logging into my OCDM and that I had been managing my domain using the domain password. I also explained that I had created another OCDM and needed to move my domain (domain.com) into it, but that I was unable to do so because it resided in the old OCDM account, which I could not access as I had forgotten its password. The very helpful support guy Mr. …… (who felt sorry for the poor customer and bent the rules a little to help) assured me that he would remove my domain from my old OCDM so that I could import it into my new one.
The Direct Attack: Just Asking for It
Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.
A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.
Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.
After waiting 4 hours for the domain to be removed from the old OCDM, I called Domain Registrar support again and told the support guy that I needed my domain removed from the old OCDM, that his colleague Mr. ….. had assured me 4 hours earlier that he would do it, and that it still had not been done. (Feeling guilty about what his co-worker had failed to do, he bent the rules a little to help out a fellow employee who couldn’t provide support to this customer.) This support guy assured me it would be done in 5 minutes, and he proved it by removing the domain from the old OCDM. At last I was able to move the domain into my new OCDM and take total control of it.
Using Sympathy, Guilt and Intimidation
A social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers—automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information. Sympathy, guilt and intimidation are three very popular psychological triggers used by social engineers.
We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person’s sympathy, make his victim feel guilty, or use intimidation as a weapon.
The emotional ploy of “I’m in trouble, won’t you help me?” was all it took to win.
Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with two different support personnel.
The domain was now in my full control and the job was completed.
Conclusion
The impossible was made possible after all with a few social engineering tricks and a bit of learning about the technology.
During this process, I found that every organization or company, be it government or private, is vulnerable to such social engineering attacks. The organization for which I did this work was also vulnerable to them.