Observations on lack of research in social engineering

Phone-call social engineering is considered one of the easiest social engineering methods: it does not involve personal contact, and it leaves little in the way of an electronic trail (e-mail can leave much more of an electronic trail if not approached properly).


In the past months Shortinfosec had the fortune to review a social engineering attack performed by a pen-test team on a company. While the pen-test was considered a failure by the client, significant elements of the attack point to open issues at the client. Publication of this information is based on the provision that all information regarding the location, business and identity of the pen-test client and provider remains unidentifiable.

The attack
The social engineering attack was performed entirely over the phone: the pen-testers were not even in the same city as the client, and they used publicly accessible lines. The targets of the attack were chosen from social networks.

The attack was three-stage:
  1. Collect information about the order delivery process (delays, timing etc.)
  2. Collect information about a current order in the pipeline (order prepared but not yet delivered to the customer)
  3. Divert the order to a different address.
 The attack was performed through multiple phone calls, which established contact with multiple targets. Each call was a probing attempt to collect as much information as possible. The first and second stages of the attack were aimed at the same targets, but with a delay of several days between stages. Two persons performed all the calls.
  • In the first stage of the attack, the attackers posed as a disgruntled customer who insisted on getting details of the process because his delivery had not been handled properly. Approximately half of the targets who responded either willingly explained the process, or were unable to reach the account manager and proceeded to divulge the information to the attackers themselves.
  • In the second stage of the attack, the attackers approached the targets deemed 'soft' - those who had been most compliant and had divulged the most information. They posed as staff from multiple client companies until they obtained details of a current order in the pipeline. Only a small number of targets responded with the required details, simply because most targets did not have access to order information.
  • In the third stage of the attack, the attackers again approached the 'soft' targets, attempting to divert the order in the pipeline to a different delivery address. Most targets did not have the authority to change the delivery address. The attackers did reach a target with the appropriate authority, but that target contacted the real client while still on the phone in order to verify the request. The client denied any change, which set off all kinds of alarms. In the end, the police were notified immediately, and the pen-testers nearly ended up in custody.

The review
When investigating the approach used in the social engineering attack, we found missteps in the following areas:
  • The process research - the failure of the attack had one primary cause: the requested redirection address was outside the free delivery area, and the targeted person consequently sent an electronic invoice for the redirection to the real client. This invoice was rushed through by the client's accounting department since it concerned an outstanding order, and it was immediately disputed by the client, thus exposing the attack. This shows insufficient research of the process.
  • The selection of targets - the targets of the attack were selected by a single criterion: anyone who had published information about their employment at the pen-test client on social sites. This approach is easy, but very little consideration was given to how useful these targets would be in the later stages of the attack, or to how they would tend to react. This resulted in multiple calls yielding relatively low-quality information or responses in the first and second stages - thus spreading the attackers' resources thin.
  • The selection of the faked client - the faked client was not researched, and was picked at random from the information received in the second stage of the attack. The client itself should have been approached in order to research its process. A contact center channel would be an excellent 'cover' for such a task, especially since the pen-test client operates via a phone channel. But instead of researching the client through impersonation of an anonymous service such as an appointment setting service, the attackers merely dropped the name of a client. This lack of research, combined with the insufficient process research, left the pen-testers unable to prevent the invoice reaction.
Apart from these missteps, the actual amount of information gathered was quite interesting: the attackers collected information about the business process, the customers and current orders. Even without being able to redirect an order, the collected information could be valuable for sale to competitors or for publication to discredit the business.


The conclusion
This particular case was deemed by the pen-test client a failed social engineering attack, but that is obviously a purely formal treatment of the outcome.
The missteps identified in the process are not uncommon in a pen-test scenario, where deadlines are short and results need to be produced by the pen-testers on time and under budget. The entire process and its results hold lessons for both the pen-test client and the pen-test team:
  • The pen-test team should reserve sufficient time in the project schedule for investigation, which is crucial when playing with the emotions and reactions of human beings.
  • On the other side of the fence, the pen-test client is still quite exposed, with information leaking left and right, as proven by the amount of information collected by a pen-test team with a relatively small amount of research.


Talkback and comments are most welcome

27 comments:

Accommodation Planet said...

Good read thanks.

David said...

Moral of the story, always do your research. Still alarming though that employees are that eager to give away information without first verifying who they are giving it to.

Dave at Dell

Vanzari apartamente said...

Congrats for the article!!

Aparate aer conditionat said...

It is a very successful article.

Cadou said...

Thanx for the information and keep informing us....

Centrale termice pe lemn said...

I actually added your blog to my favorites and will look forward for more updates. Great Job, Keep it up.

Anvelope iarna said...

Good moral @David and the article is nice

Agentie imobiliara said...

An article and a successful conclusion.

Credite la banca said...

Interesting article!

Fonduri europene nerambursabile said...

Thanx for the information and keep informing us....

Idei de afaceri said...

Good to know!
