Wednesday, July 6, 2011

Building Trust

Some of these stories might lead you to think that I believe everyone in business
is a complete idiot, ready, even eager, to give away every secret in his or her
possession. The social engineer knows isn't true. Why are social engineering
attacks so successful? It isn't because people are stupid or lack common sense.
But we, as human beings are all vulnerable to being deceived because people can
misplace their trust if manipulated in certain ways.
The social engineer anticipates suspicion and resistance, and he's always prepared
to turn distrust into trust. A good social engineer plans his attack like a chess
game, anticipating the questions his target might ask so he can be ready with the
proper answers.
One of his common techniques involves building a sense of trust on the part of
his victims. How does a con man make you trust him? Trust me, he can.
The more a social engineer can make his contact seem like business as usual, the
more he allays suspicion. When people don't have a reason to be suspicious, it's
easy for a social engineer to gain their trust.
Once he's got your trust, the drawbridge is lowered and the castle door thrown
open so he can enter and take whatever information he wants.
You may notice I refer to social engineers, phone phreaks, and con-game
operators as 'he" through most of these stories. This is not chauvinism; it simply
reflects the truth that most practitioners in these fields are male. But though there
aren’t many women social engineers, the number is growing. There are enough
female social engineers out there that you shouldn’t let your guard down just
because you hear a women’s voice. In fact, female social engineers have a
distinct advantage because they can use their sexuality to obtain cooperation.
You’ll find a small number of the so-called gentler sex represented in these pages
The First Call: Andrea Lopez
Andrea Lopez answered the phone at the video rental store where she worked,
and in a moment was smiling: It's always a pleasure when a customer takes the
trouble to say he's happy about the service. This caller said he had had a very
good experience dealing with the store, and he wanted to send the manager a
letter about it.
He asked for the manager's name and the mailing address, and she told him it was
Tommy Allison, and gave him the address. As he was about to hang up, he had
another idea and said, "I might want to write to your company headquarters, too.
What's your store number?" She gave him that information, as well. He said
thanks, added something pleasant about how helpful she had been, and said
"A call like that," she thought, "always seems to make the shift go by faster. How
nice it would be if people did that more often."
The Second Call: Ginny
"Thanks for calling Studio Video. This is Ginny, how can I help you?"
"Hi, Ginny," the caller said enthusiastically, sounding as if he talked to Ginny
every week or so. "It's Tommy Allison, manager at Forest Park, Store 863. We
have a customer in here who wants to rent Rocky 5 and we're all out of copies.
Can you check on what you've got?"
She came back on the line after a few moments and said, "Yeah, we've got
three copies."
"Okay, I'll see if he wants to drive over there. Listen, thanks. If you ever need any
help from our store, just call and ask for Tommy. I'll be glad to do whatever I can
for you."
Three or four times over the next couple of weeks, Ginny got calls from Tommy
for help with one thing or another. They were seemingly legitimate requests, and
he was always very friendly without sounding like he was trying to come on to
her. He was a little chatty along the way, as well - "Did you hear about the big
fire in Oak Park? Bunch of streets closed over there," and the like. The calls were
a little break from the routine of the day, and Ginny was always glad to hear from
One day Tommy called sounding stressed. He asked, "Have you guys been
having trouble with your computers?"
"No," Ginny answered. "Why?"
"Some guy crashed his car into a telephone pole, and the phone company
repairman says a whole part of the city will lose their phones and Internet
connection till they get this fixed."
"Oh, no. Was the man hurt?"
"They took him away in an ambulance. Anyway, I could use a little help. I've got
a customer of yours here who wants to rent Godfather II and doesn't have his
card with him. Could you verify his information for me?"
"Yeah, sure."
Tommy gave the customer's name and address, and Ginny found him in the
computer. She gave Tommy the account number.
"Any late returns or balance owed?" Tommy asked.
"Nothing showing."
"Okay, great. I'll sign him up by hand for an account here and put it in our
database later on when the computers come back up again. And he wants to put
this charge on the Visa card he uses at your store, and he doesn't have it with him.
What's the card number and expiration date?"
She gave it to him, along with the expiration date. Tommy said, "Hey, thanks for
the help. Talk to you soon," and hung up.
Doyle Lonnegan's Story
Lonnegan is not a young man you would want to find waiting when you open
your front door. A one-time collection man for bad gambling debts, he still does
an occasional favor, if it doesn't put him out very much. In this case, he was
offered a sizable bundle of cash for little more than making some phone calls to
a video store. Sounds easy enough. It's just that none of his "customers" knew
how to run this con; they needed somebody with Lonnegan's talent and knowhow.
People don't write checks to cover their bets when they're unlucky or stupid at the
poker table. Everybody knows that. Why did these friends of mine keep on
playing with a cheat that didn't have green out on the table? Don't ask. Maybe
they're a little light in the IQ department. But they're friends of mine--what can
you do?
This guy didn't have the money, so they took a check. I ask you! Should of drove
him to an ATM machine, is what they should of done. But no, a check. For
Naturally, it bounced. What would you expect? So then they call me; can I help?
I don't close doors on people's knuckles any more. Besides, there are better ways
nowadays. I told them, 30 percent commission, I'd see what I could do. So they
give me his name and address, and I go up on the computer to see what's the
closest video store to him. I wasn't in a big hurry. Four phone calls to cozy up to
the store manager, and then, bingo, I've got the cheat's Visa card number.
Another friend of mine owns a topless bar. For fifty bucks, he put the guy's poker
money through as a Visa charge from the bar. Let the cheat explain that to his
wife. You think he might try to tell Visa it's not his charge? Think again. He
knows we know who he is. And if we could get his Visa number, he'll figure we
could get a lot more besides. No worries on that score.
Analyzing the Con
Tommy's initial calls to Ginny were simply to build up trust. When time came for
the actual attack, she let her guard down and accepted Tommy for who he
claimed to be, the manager at another store in the chain.
And why wouldn't she accept him--she already knew him. She'd only met him
over the telephone, of course, but they had established a business friendship that
is the basis for trust. Once she had accepted him as an authority figure, a manager
in the same company, the trust had been established and the rest was a walk in the
The sting technique of building trust is one of the most effective social
engineering tactics. You have to think whether you really know the person you're
talking to. In some rare instances, the person might not be who he claims to be.
Accordingly, we all have to learn to observe, think, and question authority.
Building a sense of trust doesn't necessarily demand a series of phone calls with
the victim, as suggested by the previous story. I recall one incident I witnessed
where five minutes was all it took.
Surprise, Dad
I once sat at a table in a restaurant with Henry and his father. In the course of
conversation, Henry scolded his father for giving out his credit card number as if
it were his phone number. "Sure, you have to give your card number when you
buy something," he said. "But giving it to a store that files your number in their
records - that's real dumb."
The only place I do that is at Studio Video," Mr. Conklin said, naming the same
chain of video stores. "But I go over my Visa bill every month. If they started
running up charges, I'd know it.
Sure," said Henry, "but once they have your number, it's so easy for somebody to
steal it "
You mean a crooked employee."
No, anybody - not just an employee."
You're talking through your hat," Mr. Conklin said.
I can call up right now and get them to tell me your Visa number," Henry shot
No, you can't, "his father said.
"I can do it in five minutes, right here in front of you without ever leaving
the table."
Mr. Conklin looked tight around the eyes, the look of somebody feeling sure of
himself, but not wanting to show it. "I say you don't know that you're talking
about," he barked, taking out his wallet and slapping fifty dollar bill down on the
table. "If you can do what you say, that's
"I don't want your money, Dad," Henry said.
He pulled out his cell phone, asked his father which branch he used, and called
Directory Assistance for the phone number, as well as the number of the store in
nearby Sherman Oaks.
He then called the Sherman Oaks store. Using pretty much the same approach
described in the previous story, he quickly got the manager's name and the store
Then he called the store where his father had an account. He pulled the old
impersonate-the-manager trick, using the manager's name as his own and giving
the store number he had just obtained. Then he used the same ruse: "Are your
computers working okay? Ours have been up and down." He listened to her reply
and then said, "Well, look, I've got one of your customers here who wants to rent
a video, but our computers are down right now. I need you to look up the
customer account and make sure he's a customer at your branch."
Henry gave him his father's name. Then, using only a slight variation in
technique, he made the request to read off the account information: address,
phone number, and date the account was opened. And then he said, "Hey, listen,
I'm holding up a long line of customers here. What's the credit card number and
expiration date?"
Henry held the cell phone to his ear with one hand while he wrote on a
paper napkin with the other. As he finished the call, he slid the napkin in
front of his father, who stared at it with his mouth hanging open. The to poor guy
looked totally shocked, as if his whole system of trust had just gone down the
Analyzing the Con
Think of your own attitude when somebody you don't know asks you for
something. If a shabby stranger comes to your door, you're not likely to let him
in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect,
with polite manner and a smile, you're likely to be much less suspicious. Maybe
he's really Jason from the Friday the 13th movies, but you're willing to start out
trusting that person as long as he looks normal and doesn't have a carving knife in
his hand.
What's less obvious is that we judge people on the telephone the same way. Does
this person sound like he's trying to sell me something? Is he friendly and
outgoing or do I sense some kind of hostility or pressure? Does he or she have the
speech of an educated person? We judge these things and perhaps a dozen others
unconsciously, in a flash, often in the first few moments of the conversation.
It's human nature to think that it's unlikely you're being deceived in any particular
transaction, at least until you have some reason to believe otherwise. We weigh
the risks and then, most of the time, give people the benefit of the doubt. That's
the natural behavior of civilized people.., at least civilized people who have never
been conned or manipulated or cheated out of a large amount of money.
As children our parents taught us not to trust strangers. Maybe we should all heed
this age-old principle in today's workplace.
At work, people make requests of us all the time. Do you have an email address
for this guy? Where's the latest version of the customer list? Who's the
subcontractor on this part of the project? Please send me the latest project update.
I need the new version of the source code.
And guess what: Sometimes people who make those requests are people your
don't personally know, folks who work for some other part of the company, or
claim they do. But if the information they give checks out, and they appear to be
in the know ("Marianne said . . ."; "It's on the K-16 server..."; "... revision 26 of
the new product plans"), we extend our circle of trust to include them, and
blithely give them what they're asking for.
Sure, we may stumble a little, asking ourselves "Why does somebody in the
Dallas plant need to see the new product plans?" or "Could it hurt anything to
give out the name of the server it's on?" So we ask another question or two. If the
answers appear reasonable and the person's manner is reassuring, we let down
our guard, return to our natural inclination to trust our fellow man or woman, and
do (within reason) whatever it is we're being asked to do.
And don't think for a moment that the attacker will only target people 'ho use
company computer systems. What about the guy in the mail room? "Will you do
me a quick favor? Drop this into the intra company mail pouch?" Does the mail
room clerk know it contains a floppy disk with a special little program for the
CEO's secretary? Now that attacker gets his own personal copy of the CEO's
email. Wow! Could that really happen at your company? The answer is,
Many people look around until the); find a better deal; social engineers don't look
for a better deal, they find a way to make a deal better. For example, sometimes a
company launches a marketing campaign that's so you can hardly bear to pass it
up, while the social engineer looks at the offer and wonders how he can sweeten
the deal.
Not long ago, a nationwide wireless company had a major promotion underway
offering a brand-new phone for one cent when you signed up for one of their
calling plans.
As lots of people have discovered too late, there are a good many questions a
prudent shopper should ask before signing up for a cell phone calling plan
whether the service is analog, digital, or a combination; the number of anytime
minutes you can use in a month; whether roaming charges are included.., and on,
and on. Especially important to understand up front is the contract term of
commitment--how many months or years will you have to commit to?
Picture a social engineer in Philadelphia who is attracted by a cheap phone model
offered by a cellular phone company on sign-up, but he hates the calling plan that
goes with it. Not a problem. Here's one way he might handle the situation.
The First Call: Ted
First, the social engineer dials an electronics chain store on West Girard.
"Electron City. This is Ted."
"Hi, Ted. This is Adam. Listen, I was in a few nights ago talking to a sales guy
about a cell phone. I said I'd call him back when I decided on the plan I wanted,
and I forgot his name. Who's the guy who works in that department on the night
"There's more than one. Was it William?"
"I'm not sure. Maybe it was William. What's he look like?" "Tall guy. Kind of
"I think that's him. What's his last name, again?
"Hadley. H--A--D--L--E-- Y."
"Yeah, that sounds right. When's he going to be on?"
"Don't know his schedule this week, but the evening people come in about five."
"Good. I'll try him this evening, then. Thanks, Ted."
The Second Call: Katie
The next call is to a store of the same chain on North Broad Street.
"Hi, Electron City. Katie speaking, how can I help you?"
"Katie, hi. This is William Hadley, over at the West Girard store. How're you
"Little slow, what's up?"
"I've got a customer who came in for that one-cent cell phone program. You
know the one I mean?"
"Right. I sold a couple of those last week."
"You still have some of the phones that go with that plan?"
"Got a stack of them."
"Great. 'Cause I just sold one to a customer. The guy passed credit; we signed
him up on the contract. I checked the damned inventory and we don't have any
phones left. I'm so embarrassed. Can you do me a favor? I'll send him over to
your store to pick up a phone. Can you sell him the phone for one cent and write
him up a receipt? And he's supposed to call me back once he's got the phone so I
can talk him through how to program it."
"Yeah, sure. Send him over."
"Okay. His name is Ted. Ted Yancy."
When the guy who calls himself Ted Yancy shows up at the
North Broad St. store, Katie writes up an invoice and sells him
the cell phone for one cent, just as she had been asked to do
by her "co worker." She fell for the con hook, line, and sinker.
When it's time to pay, the customer doesn't have any pennies in his pocket, so he
reaches into the little dish of pennies at the cashier's counter, takes one out, and
gives it to the girl at the register. He gets the phone without paying even the one
cent for it.
He's then free to go to another wireless company that uses the same model of
phone, and choose any service plan he likes. Preferably one on a month-to-month
basis, with no commitment required.
Analyzing the Con
Its natural for people to have a higher degree of acceptance for anyone who
claims to be a fellow employee, and who knows company procedures ,d lingo.
The social engineer in this story took advantage of that by finding out the details
of a promotion, identifying himself as a company
employee, and asking for a favor from another branch. This happens
between branches of retail stores and between departments in a company, people
are physically separated and deal with fellow employees they have never actually
met day in and day out.
People often don't stop to think about what materials their organization is making
available on the Web. For my weekly show on KFI Talk Radio in Los Angeles,
the producer did a search on line and found a copy of an instruction manual for
accessing-the database of the National Crime Information Center. Later he found
the actual NCIC manual itself on line, a sensitive document that gives all the
instructions for retrieving information from the FBI's national crime database.
The manual is a handbook for law enforcement agencies that gives the formatting
and codes for retrieving information on criminals and crimes from the national
database. Agencies all over the country can search the same database for
information to help solve crimes in their own jurisdiction. The manual contains
the codes used in the database for designating everything from different kinds of
tattoos, to different boat hulls, to denominations of stolen money and bonds.
Anybody with access to the manual can look up the syntax and the commands to
extract information from the national database. Then, following instructions from
the procedures guide, with a little nerve, anyone can extract information from the
database. The manual also gives phone numbers to call for support in using the
system. You may have similar manuals in your company offering product codes
or codes for retrieving sensitive information.
The FBI almost certainly has never discovered that their sensitive manual and
procedural instructions are available to anyone on line, and I don't think they'd be
very happy about it if they knew. One copy was posted by a government
department in Oregon, the other by a law enforcement agency in Texas. Why? In
each case, somebody probably thought the information was of no value and
posting it couldn't do any harm. Maybe somebody posted it on their intranet just
as a convenience to their own employees, never realizing that it made the
information available to everyone on the Internet who has access to a good search
engine such as Google - including the just-plain-curious, the wannabe cop, the
hacker, and the organized crime boss.

Currently have 0 Comments:

Leave a Reply