Social-Engineer.org receives a lot of submissions from people who have an interest in social engineering, deception, identity theft, information gathering and the rest of what makes up a true social engineer. Recently a social-engineer.org fan, Khash, wrote a very interesting paper/story on credential stealing. We hope you enjoy it as much as we did and please keep sending your submissions in to us.

Background

A number of years ago I was conducting a social engineering exercise for a client in which the goal was to identify possible flaws in the company’s operational procedures that could allow someone to compromise an employee’s Enterprise Web Access (EWA) credentials, a single user id and password, granting access to several internal systems.

The main objective was to compromise someone’s existing password which would provide ongoing opportunities to access all sorts of company systems in a stealth mode.

This exercise demonstrates what can be accomplished by an attacker, potentially an insider threat, in a very short period of time through non-technical means, mainly a telephone.

Ultimate Goal

My ultimate goal was to extract information from the company’s Help Desk staff via basic social engineering tactics to further exploit some of the known issues in the organization’s Enterprise Web Access (EWA) system. In particular I wanted to exploit the following flaws:

• Changing an EWA password did not require the old password to be entered. This means an authenticated user could change the account’s password to a new one without providing the old one. So potentially, there was an opportunity to manually change someone’s password without knowing the original one.
• Once authenticated, the answers to the existing secret questions were presented in clear text. Once compromised, an account could always get compromised via the original secret questions and answers.
• When the password or secret questions were modified, no email notification was sent to inform the user of such changes, allowing her to revert back and reset her password. This flaw would allow an attacker to fully own a compromised account by changing the secret questions and preventing the user from recovering her compromised account.

These vulnerabilities in the EWA application are serious because an unattended browser session can be easily compromised and its password changed. Secret questions are just as important as a password in this context because they allow the users to reset their passwords and act as another form of authentication.
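The three flaws listed above map directly to three controls in the account-settings code. The sketch below is an added example, not code from the EWA system or from the author; the `Account` class, its method names and the `notify` callback are hypothetical, and the notification channel is assumed to be one the account owner already controls.

```python
import hashlib, hmac, os

def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow salted hash: neither passwords nor answers are stored recoverably.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id, password, answers, notify):
        self.user_id = user_id
        self.notify = notify  # hypothetical callback(user_id, message)
        self._salt = os.urandom(16)
        self._pw = _kdf(password, self._salt)
        self._answers = self._hash_answers(answers)

    def _hash_answers(self, answers):
        return {q: _kdf(a.strip().lower(), self._salt) for q, a in answers.items()}

    def _password_ok(self, candidate):
        return hmac.compare_digest(self._pw, _kdf(candidate, self._salt))

    def change_password(self, old, new):
        # Control 1: a live session is not enough; the old password is required.
        if not self._password_ok(old):
            self.notify(self.user_id, "Failed password change attempt")
            return False
        self._pw = _kdf(new, self._salt)
        self.notify(self.user_id, "Your password was changed")  # Control 3
        return True

    def change_secret_answers(self, current_password, answers):
        if not self._password_ok(current_password):
            self.notify(self.user_id, "Failed secret question change attempt")
            return False
        self._answers = self._hash_answers(answers)
        self.notify(self.user_id, "Your secret questions were changed")  # Control 3
        return True

    def profile_view(self):
        # Control 2: only the questions are displayed, never the answers.
        return {"user_id": self.user_id, "secret_questions": sorted(self._answers)}

    def verify_answer(self, question, answer):
        stored = self._answers.get(question)
        candidate = _kdf(answer.strip().lower(), self._salt)
        return stored is not None and hmac.compare_digest(stored, candidate)
```

With these controls an unattended session cannot be used to change the password or read the answers, and any change, including a Help Desk reset if it is routed through the same notification path, reaches the account owner.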

Given some of the above application vulnerabilities, particularly the last two, my goal was to determine if I could leverage Help Desk to aid me with any of the following while only supplying limited personal or other identifying information:

• Help me reset a target’s secret questions & answers
• Help me retrieve the answers to a target’s existing secret questions
• Simply give me the password over the phone

General Information Gathering Phase

Like any social engineering exercise, a good amount of time was spent in reconnaissance and preparation to learn about the company lingo, telephone numbers for various departments, and basic operational procedure. The clear goal during this process was to gather as much relevant information as possible.

The Attack Phase

Step I

A focused information gathering stage to identify a potentially good target: The goal for this phase was to find a legitimate target and some basic identifiable information about him.

Note: A new employee often presents the best opportunity for a social engineer. New employees are often timid and unfamiliar with internal processes, and they always want to impress others and never look bad.

Step 1A: Called Lucy the receptionist in the company Training Department:

“Hello Lucy, this is Emile Woodson, Executive Product Manager from IT Web Group. You folks recently facilitated an excellent training for us and I wanted to send an appreciation letter to your ops manager. Whom do I address it to?”

“Oh that’s wonderful. You can send it to Jack Malltaibo.”

“Excellent. I didn’t know Jack still ran that group. I should also give him a call later today after my meeting. Can you please remind me his extension and let me know if he’s going to be around at 5:00 PM or so?”

“Sure, he’s at extension xxx-8844 and he gets here early and usually leaves around 4:30; so you may want to call him sooner.”

I did not want to end the conversation right after retrieving the data that I wanted. So I followed with some casual and generic conversation about their training services before hanging up.

Note: Lucy provided this information because she did not consider it sensitive, particularly because she was providing it to a fellow co-worker, a grateful executive product manager!

Step 1B: Spoofed my Caller ID to show Jack’s number, xxx-8844, and called the Human Resources Department at 5:00 PM.

“Hi, this is Jack Malltaibo, Sr. Operations Manager with corporate Training Department. I’m calling because we’re putting our annual mandatory compliance training together for all new hires and need to get that list from you. We require a list of all new hires for the past 6 months. Please make sure to include the Date of Hire and their EUIDs (Employee User ID). We have direction from Gina Blackstone, our Chief Compliance Officer, to send out the email communication to all the trainees by COB tomorrow. I would appreciate it if you could send that information to my lead analyst as soon as possible.”

“Sure. I can email the information within the next hour.”

“Actually, it would be great if you could just fax it to her.”

“No problem, what’s her name and fax number?”

Note: Urgency and authority were the key elements here. A standard social engineering tactic was used to generate organized chaos and exploit the human desire to comply with an “authoritative figure”. Again, she was helping someone within the company and she considered the information insignificant.

I found a potentially good target from the list, Jose Vero, a new hire in the Marketing Department.

Step II

Impersonated the target and called Help Desk: This part of the exercise started by using a telephone and a caller ID spoofer to contact the Help Desk to initiate a password reset over the phone. The Help Desk representative answered the phone by asking for my name and my Employee User ID (EUID). Once I provided target’s name and EUID, I told him I needed assistance with the EWA system. I told him I forgot the answers to my secret questions and whether he could provide them to me over the phone. The answer was “No, we don’t have access to that information”. Then I asked if he was able to change my secret questions over the phone so that I could reset my own password later. Again, the answer was “No, we don’t have that capability”.

Then I stated that I didn’t have immediate access to my corporate email to receive my new password reset link, and asked if there was a way to get the new password over the phone. The support representative mentioned that resetting and giving the temp password over the phone is normal practice. I found my way in! Then he told me my First Name, Middle Name, and Last Name and asked if it was correct. I said “yes”. Then he asked if I worked in building A, cubicle 23PWE. And I said “yes”! He then asked for the last four digits of my social security number.

Uh oh! I wasn’t ready for this one, so had to come up with something quick.

“I don’t feel comfortable providing my social security number over the phone.”

“Well, sir, we only need the last 4 digits and that’s the only way to reset your password over the phone.”

“I understand. Let me think about it. Maybe I can just try again with my secret questions. I just don’t feel comfortable providing any sort of sensitive information over the phone. Since I’m new here, I need to run this by my supervisor to make sure it’s okay. I’ll be in touch.”

Step III

Compromise the last four digits of target’s SSN: For this portion of the exercise, I wanted to explore all possible attack vectors that could result in compromising our target’s last four digits of social security number. This information could be obtained either by standard social engineering tactics, or by brute forcing one of several internal applications that do not provide account lockout.

Step 3A: Technical Approach

Employee ID Lookup, an internal web application, provides all employees a self-service solution to look up their employee IDs. After some examination, it was evident that the application does not implement any sort of lockout for look-ups. So essentially, any of the fields could be subject to a brute-force attack. After applying the first name and last name, I could enumerate valid SSN information. This was a simple brute force attack that would reveal the last four digits of SSN for any employee. More specifically, I used Burp Suite Intruder which is a great tool for automating customized brute force attacks for this kind of situation.

Figure 1 – The last four digits of SSN can be retrieved by supplying the person’s first and last name. If the last 4 digits of SSN are correct, an Employee ID will be retrieved; if not, an error message will be displayed
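The missing control in Step 3A is a failure limit on the lookup form. Because only 10,000 four-digit values exist for a given name, the limit has to be keyed on the person being looked up as well as on the requesting source. The following is an added example, not part of the original write-up or the client's application; `LookupGuard`, `handle_lookup` and the sample directory are hypothetical.

```python
import time
from collections import defaultdict, deque

class LookupGuard:
    """Sliding-window failure limit keyed on both the target and the source."""
    def __init__(self, max_failures=5, window_s=900, clock=time.monotonic):
        self.max_failures, self.window_s, self.clock = max_failures, window_s, clock
        self._fails = defaultdict(deque)
        self.alerts = []  # keys that hit the limit, for the SOC to review

    def _keys(self, source, first, last):
        return (("target", first.lower(), last.lower()), ("source", source))

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def allowed(self, source, first, last):
        now = self.clock()
        return all(len(self._recent(k, now)) < self.max_failures
                   for k in self._keys(source, first, last))

    def record(self, source, first, last, success):
        if success:
            return
        now = self.clock()
        for key in self._keys(source, first, last):
            q = self._recent(key, now)
            q.append(now)
            if len(q) == self.max_failures:
                self.alerts.append(key)

def handle_lookup(guard, directory, source, first, last, last4):
    # directory is a constructed stand-in: {(first, last): last four digits}
    if not guard.allowed(source, first, last):
        return "locked"
    ok = directory.get((first.lower(), last.lower())) == last4
    guard.record(source, first, last, ok)
    return "found" if ok else "not found"
```

Keying on the target means that spreading requests across many sources does not bypass the limit; the trade-off is that repeated failures can temporarily block lookups for that one name.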

Step 3B: Low-tech approach

Called Jose Vero, the victim, from a prepaid phone and spoofed caller ID.

“Hi Jose. This is David Lee with Corporate Travel Department. I have your airline ticket to New Orleans for the Marketing Conference and I need to know if you’ll be picking it up or should I use the interoffice mail to send it to you?”

“I don’t think I have any travel plans for New Orleans. This must be a mistake.”

“Well, Jose, someone has put in a request for you and we have your ticket now. Let me verify your name. Is your full name Jose Vero?”

“Yes.”

“In the Marketing Department?”

“Yes.”

“Let me do one more lookup to see who placed this request for you. What are the last 4 digits of your social?”

“8895.”

“Thank you Jose.”

Thank you indeed!

Step IV

Reset the password.

With all information in hand, I called the Help Desk again to reset Jose Vero’s Enterprise Web Access password. The representative asked for all required information, including the last four digits of the social security number, which I provided, and I received a temporary password of “temppwd123”.

Using this information, I was able to fully own the account by authenticating and viewing answers to the secret questions.

Elapsed time, 60 minutes. Game over.

As described earlier, due to an application vulnerability, Jose Vero never received an email notification to know his password was changed. He simply thought that he forgot his password, which happens all the time. A few days later, he used the “flawed” password reset scheme and secret questions to regain access and continued using the account without any suspicion. Jose didn’t know that I had been in his account, viewed the answers to his secret questions due to one of the mentioned application vulnerabilities, and that I could always get back in using the same secret questions and answers.

Conclusion

It is human nature to want to trust others, keep others happy and comply with co-workers and other authoritative figures in the organization. The pertinent take-away from this exercise, and others like it, is that everyone is susceptible to social engineering attacks. Whether it’s lack of time or physical fatigue, there are times that we take mental shortcuts and don’t process everything carefully; and that’s when we’re vulnerable.

The best way to contain or prevent social engineering attacks is to train your workforce. Train them to practice a certain degree of caution in their daily interactions. Train them to understand they are not immune to these types of attacks, and show them how to detect and protect themselves from such attacks. Keep reminding your staff that all information, no matter how trivial and insignificant they believe it to be, may assist a social engineer to get what he came for.

(donated to social-engineer.org by Khash Kiani)

For more information on this very topic check out our podcast on Identity Theft