Social Engineering Example 1 (09-19-06)
Finding good, real-life examples of social engineering attacks is difficult. Either the target organization does not want to admit that it has been victimized (admitting a fundamental security breach is not only embarrassing, it may damage the organization's reputation), or the attack was not well documented, so nobody is really sure whether a social engineering attack took place at all.
Tony told us that he wanted to start making some phone calls to see if he could get user IDs and passwords from people. The week before, he started examining the company web sites and other publicly available information. He had collected dozens of names of employees, along with information about their locations and job functions. Tony started his calls by phoning the Help Desk and pretending to be an employee who forgot his password. The support person told him that she wanted his social security number to verify his identity. Tony told her his boss was coming and he would call back. He had all the information he needed at this time.
At that point, Tony knew he could call employees and either get their passwords or their social security numbers. He decided to try for social security numbers first, because it can be assumed that if people would give up their social security number, they would more than likely give up something less personally sensitive such as a password. Tony decided to say he was with the Help Desk and was investigating a security incident.
He began the call by asking users whether they had recently changed their password. Of course, nobody ever said they did. Tony then told the person that there was a security incident where someone pretended to be a user and changed that user's password. He said he would set it back to what it was, but he needed to verify the user's identity due to the nature of this problem. He then asked for the social security number, and received it on all but one occasion. Having the social security number meant he could call the Help Desk at any time and have the password changed for his use. This meant that he would have unlimited access to just about any account he wanted. He compromised dozens of accounts over several hours.
Just to prove that it could be done, after going through his same spiel, he told some people that he could set the password back to what it was originally, "if you tell me what it was." This way, he wouldn't need to go through the Help Desk to access the accounts. He was always successful.
There was one woman who would not give Tony any information. She was the only person, out of almost 100, who did the right thing. Fortunately, or unfortunately, depending on your perspective, it appeared that she didn't know to whom she should report the incident.
From the book Spies Among Us, by Ira Winkler.