Influential Angles

by The Third Man

"Truth Is A Technical Advantage"  -- Kim Philby, circa 1940

"Hi there, my name's Paul Susskind, and I really need your help."

Actually, that is a complete lie.  It's the opening line in a social engineering attempt I used back in 2001.  I live in Scotland, United Kingdom and worked for a debt collection/investigation company for almost seven years.  I won't mention who they were.  I left a long time ago and why should they get free publicity?

Sometimes, to help our clients make the correct decision to either get their money back through the courts or to write off the debt, we had to get information that we didn't truly have the right to possess.  Although my job was mainly to prepare cases and perform administration for our department, my true calling was obtaining this incredibly useful information by devious means.  The chief technique that was used to obtain this data was social engineering.

Now, social engineering can also take place face-to-face but, on most occasions, my attempts took place over the phone, so that's what I'll be discussing.

All the incidents I am about to describe occurred at least six years ago, so I figure it's O.K. to tell you about them.  Also, the people and company names and addresses have been changed to protect the guilty (and my bank balance).  I don't do social engineering or investigations any longer, so there are no colleagues or confidences to protect anymore.  Because I live in Britain, some terms I use might sound strange to American readers, so I'll try to explain as I go.

What It Means

My dictionary describes the two words that make up the phrase social engineering as:

social - "mutual relations of men or classes of men"

engineer - "(colloq.) arrange, contrive, bring about"

So we can say that the objective of social engineering is to bring about or contrive mutual relations between the engineer and the target he or she is talking to in order to get information or access that one is not entitled to, or to obtain trust that will lead to information being given or some action being taken.

In his excellent book The Hacker Crackdown, author Bruce Sterling describes social engineering as "fast talk, fake-outs, impersonation, conning, scamming."  And although that description does have an energetic "Huggy Bear" kind of ring about it, the most effective social engineering situations are very low key.  Obviously, the less attention that an engineering attempt draws, the more successful it is.  If no one ever realizes that they have been manipulated, then it must rank as a complete success.

Social engineering has had a long and interesting history.  It is used extensively by phone phreaks (according to Jason Scott of textfiles.com, Fargo-4A were reputed to have persuaded the entire directory assistance team in Fargo to up and leave), hackers (the legendary Kevin Mitnick was a master at this), and professional magicians (misdirection and lies for your viewing pleasure).  But you don't often meet these individuals in everyday life.

So Who Does It?

Who is there out there that most people deal with every day who could use this kind of manipulation against you?

Principal culprits within the family include domineering husbands or wives, or children who throw a tantrum to get their way... all individuals wanting something that they have no right to have and manipulating the person with the power to obtain it - social engineering summed up succinctly.

What about telemarketing companies, the phone company, or businesses that are going to sell you a service?  They want your money, but they also want to know about you (albeit for different reasons: some want as much information as they can get, to sell, while others just want to cover their backs in case you default on your agreement and they have to take you to court) and will ask questions and have situations come your way in order to determine what they want to know.

Telemarketers have got social engineering skills in abundance.  I once worked in a telemarketing office and was amazed to hear one operative saying on the phone to a randomly dialed person, "Do you remember me?  I spoke to you at a trade fair about four months ago about our opening a new show home in your area.  Because you showed interest, we can have a rep call you for a quote and we'll give you free..."  This operative had never met that person before; she had simply taken a telephone number from the phone book!  A tele-salesman friend of mine at the time by the name of Alan worked there and he summed up his objectives (and, unwittingly, those of any social engineer) as:

1.)  Start a dialogue.

2.)  Build a relationship.

3.)  Close successfully.

He then demonstrated this technique for me by calling the next number in the telephone directory.

He got a little girl who put him onto her mother.  "Is that your daughter?  Wow, she sounded just like my little niece - yeah, she's four.  It was uncanny!"  He then explained the reason for his call.  "My name's Alan and I work for Sunshine Windows in Glasgow.  We're offering a new line in conservatories and are doing a special campaign to offer all the homes in your postcode reduced prices."  A bit of chat ensued and then, "You live in Bearsden, do you?  That's a nice place.  My grandmother actually lives there, on Wallace Street.  Oh, maybe you've met her around?"  Not surprisingly, Alan got her name and address and a time and date for a representative to visit her.

He also got his commission.  But all these keystones of the conversation were complete fabrications.  Alan didn't have a niece, didn't have a gran in Bearsden, and there were no postcode targeted sales and no reduced prices.  The company didn't even have a new line in conservatories.  They had all been social misdirection; points designed to build a relationship with the woman on the end of the phone and make it harder for her to say no to him.

Now, O.K., this article is not a daring exposé of telemarketing calls (I can see the headline of 2600 now, "Telesales Lie!  Millions Shocked!  Full Exclusive inside!!") - you obviously didn't read this to have your intelligence insulted.  But this is the kind of thing that is becoming more prevalent each day - people will try to manipulate you to sell a product or, worse, learn personal information about you, your business and your private life for all sorts of reasons, like identity fraud.

So how can you and I protect ourselves from social engineering in our businesses and our homes?  To answer that, it's good if we examine how social engineering is accomplished.

As my friend Alan said, once an engineer has found the person with the data or information needed, the next step is to build a relationship with them.  The approach will vary dramatically depending on the engineer and the target.

The Social Engineer

Everybody has a personality.

Some people are uptight and high strung.  Others are laid back.  Naïve.  Prone to anger.  Gregarious.  So a successful engineer will play to his or her strengths.  A social engineer is effectively an actor, playing his/her character.  There's a saying in the theater: "Conviction Convinces."  So if you are claiming to be a salesman, you have to believe it yourself.  The best and most convincing characters are extensions of your everyday self.  If you're a nice guy, then the "I'm not really sure if you can help me, but..." approach comes over well.  If you're an angry or excitable person, then the "Look, I've had a really bad day and this is the last straw" approach is going to work better for you.

An engineer first of all has to consider their objective.  What is it that you want to obtain?  A name, a number, an address, an action?  The approach will be determined by what it is you want to cause to happen.

Next comes character.  What role are you going to play?  A survey-taker?  The security officer at reception?  Head office?  A puzzled customer?  A friend of a friend?  Ideally, these roles should be tailored to your own personality and then to the soft spot of your target.  Companies want happy customers so, depending on the information you are looking for, a puzzled customer or someone from head office can work really well.  A small business will be receptive to customers, whereas a franchise or hotel will jump at the words "head office."  Restaurants are susceptible to newspaper and Internet sites that advertise places to eat out.  Corporations, unusually, show great respect to "accounts payable."  Remember, you are trying to build a relationship with the target and not all relationships are equal.  Sometimes being lower (e.g. a customer) or higher (e.g. from head office) will yield better results than behaving as an equal (e.g. a fellow employee) of the target.

However, buzzwords are great if you want to sound like the equal of the target.  Does your target have a specific jargon they use, like the phone company, or lawyers?  If you talk the same "language" as your target, you will be accepted more quickly as a member of their tribe.  Use the jargon fluently, with conviction and in the right areas!

Insider knowledge is exceptionally useful.  With the kinds of things I investigated, I tended to have been given one or two little facts by our clients that came in handy.  Jargon, names of employees or managers, job titles, internal telephone numbers, the make of computer and its software are all helpful launch points into interrogating individuals.  Complaining to a target that "Opera isn't working again, can you help me?" or that "I've just spoken to Mr. Dittenfriss, he's a pain in the neck, isn't he?" can open up the lines of communication and give the impression you are who you say you are.

Take things in stages.  A single piece of information can help to crack a problem.  On the first attempt, obtaining the VAT or company registration number can give you the bedrock on which to start your second call, targeting the accounts department of a company.  The esteemed Emmanuel Goldstein demonstrated this technique at one of the HOPE conferences, first obtaining a store number of Taco Bell, then using that information to persuade a manager to not ring the orders through the cash registers between 9.00 and 9.05!

I would like to stress that you should always be polite to the target - people who work behind phones nowadays are treated like they're subhuman (especially in the U.K.).  They are just ordinary individuals, trying to eke out a living doing their job.  Politeness, treating them like a human being, earns gratitude, which in turn makes people willing to help you.  If your character is that of an angry person, make sure that the target knows that you are angry at the problem you claim you have, not at them personally, e.g.: "I know it's not your fault, you've been really helpful."  This will make them feel good that they are helping you.  "I wish I had spoken to you earlier, it would have saved a whole heap of time!"  Remember, (over the phone) the target is ignorant of who you are.  If you have given the information they request to identify yourself (if they even ask for it!), in their mind, you are that person!

An Example

I was assigned a job where my department had to determine the size of a certain company (we'll call it Leaf Ltd.) in order to guess at its total assets (to see if it was worth taking court action to recover the debt, which was about £2,000).  I called their office.

"Hello, my name is Alex Kipling.  I work for a charity called Disabled Action (which didn't exist at the time, but I'm sure I heard of it recently somewhere!) and I was wanting to ask you how many disabled members of staff you employ at Leaf Ltd., just to see if we can provide both them and your company with practical help and assistance."

"Oh, we have one."

"One?  Out of how many members of staff?"

"23."

"Oh, a one to 23 ratio.  That's really commendable, we find that not many small businesses hire disabled employees.  Does this staff member have sufficient aids to help him or her perform their job without too many problems?"

The Receptionist then outlined the help this member of staff received, including a special computer screen, which was greatly magnified to help him see better, the gentleman in question being partially sighted.

"I see.  Does everybody have a computer in your offices?"

"Yes."

"Wow, you must have a large IT department to look after it!"

"We get IT support from IT Solutions in Bellshill."

"Oh, yeah, I've heard of them.  No, I just wondered if the gentleman had to hot desk, but that screen is all his.  That's great.  Would it be O.K. for me to send your company a brochure with information on how to get grants from the government to help companies with disabled members of staff?"

"Yes, please."

"O.K., who's the manager there?"

"Ian McIntosh."

"Thank you - I'll get that out to him.  Thank you for your help, goodbye."

So from one phone call, we learned that the company employed twenty-three individuals, each one using a computer and that they got technical support from an external IT company named IT Solutions in Bellshill.  So I called IT Solutions and was asked who I was.  I told them I was Ian McIntosh from Leaf Ltd.  I was then asked for a Customer Number, which I waved aside by saying "It's not a technical query and besides, I don't have it in front of me.  It's just something I need for a management meeting I'm going to - could you just confirm our contract details?"

Leaf Ltd. had an eight-month support contract, providing technical services for twenty-three PCs running Windows NT.  At the time this event occurred, seized PCs could be sold at open auction for about £200.  The Windows operating system meant that ordinary people off the street would buy them at auction.  We could then, in theory, raise at least £4,600 if it went to warrant sale (where items are seized by the court and are auctioned off to pay the debt owed), more than enough to cover the original debt and the legal fees.  We passed on that information to our client, who sued them and eventually got their money back!

The Target

One guy, whom we shall call James Dunn, ran a business and owed one of our clients money.

But he made the deadly mistake of gloatingly telling my boss that we could never bring him to court because we didn't know where he lived.  Actually, under Scottish law, there are mechanisms that deal with this, but my boss was furious with the arrogance of the guy and wanted to nail him to the wall.  I was called into my boss' office, who made me drop every case I was dealing with so I could concentrate on this one.

The details we had were:

James Dunn, trading as Blue Pearl Showrooms
PO Box 1422,
Glasgow

That's all.

Glasgow is a big place, and Dunn is a pretty common name.  Besides, he could be unlisted in the phone book or living at a girlfriend's address.  He was trading as Blue Pearl Showrooms, not the director of a limited company, therefore no records would be kept at Companies House (the central location in Edinburgh where limited and public limited company registration details were stored, including directors' home addresses - more on that later).

So I decided the weak link was his post office box number.

I opened the window of my office so that the person on the phone could hear the noise of the traffic, phoned the central post office in Glasgow, and got through to a nice lady who dealt with the post boxes.  I informed her I was a traveling rep for a kitchen manufacturer and I had an appointment to speak to James Dunn of Blue Pearl Showrooms.  Unfortunately, I neglected to check my paperwork this morning and I'm out in the middle of Glasgow looking for his office and all I had was a post office box number!  (We both had a good laugh at this).

"All my secretary at the office has is this PO box number, so that's no use.  Mr. Dunn isn't answering his telephone, so he can't help me," I continued, "I've tried everything I can think of and, well, you're my last throw of the dice.  I was just wondering if you might have an address for him?"

"Yeah, just a minute... here you are... it's..." and the next day, Mr. Dunn got the fright of his life when the letter we sent threatening court action arrived at his home address.  Not bad for a five minute phone call.

That approach worked because the lady in the post office sympathized with my "position," and she did what she could to help me.  There are targets like that lady who want to help you - you can usually tell pretty quickly who they are by their having a pleasant smiley voice and sounding like they are earnestly interested in your "problem."

The other kind of target is one who really isn't interested in helping you - they usually sound bored.  Instead of following your plight, they make uninterested noises, like "Uh-huh," "Huh?," and "Hmmm."

In my own experience, and with my personality, I've found that sob stories don't really work with these kinds of targets - they just aren't interested.  What does seem to work is the "angry" approach: "There's a problem, I've reported it numerous times, nobody's taking notice, fix it for me!"

A case in point - I was assigned to obtain a director of a limited company's home address.

Normally, one can use Companies House to obtain the data, but they charged quite a big fee and you had to be registered and cleared with them (at the time - it's so much easier and cheaper now for anyone to get information out of them).  We didn't want to go through all that rigmarole.  There was limited information on all registered companies that anyone could access for free on their Internet site: just the company name, registration number, and designation (this just clarifies the kind of business a company performs), which I jotted down.

I then called Companies House and spoke to a woman who sounded bored.  I gave her the "angry" treatment I outlined earlier, claiming that I was the director of the company I was investigating and that I had just received a call from someone who purported to be from Companies House telling me my company was going to be dissolved!

"You can't do that!  Without any legal papers or documentation?!  What's going on?!"  I tried to sound panicky.

Quickly, the woman bucked up and asked me for the company details.  I gave her "my" name (the company director we were investigating), the company's name, and the company registration number.  The woman looked at the entry and assured me that I "Must have received a prank call, there's nothing to worry about.  Your company is still registered here," and she went on to tell me the ways that a company could be dissolved (which I already knew).

I told her that it was quite a relief, but I was still a bit uneasy.  "You're sure there's no way someone could've done something to the details?  Could you just let me check the details are correct?"

"Sure, what do you want to check?"

"The date the company was formed - if that's been changed, I can imagine the IRS asking me where my accounts are for the years I wasn't in business.  I also want to make sure you've got my correct home address in case papers have to be served on me and that the company designation is correct so that I still qualify for tax rebates."

The woman told me all the details.

The middle one was the only one that I wanted and yes, I went away "reassured" and quite delighted with what I learned: 1.) the home address, and 2.) that Companies House could be social engineered to give out information... for free.

If It All Goes Wrong

Have an escape route prepared, just in case.

If looking for information on someone: "Oh, guess what?  They're calling up now on the other line.  I'll speak to them about it."

The other person in the office is helpful: "What's that, Ed?  Look, I'm on the phone!  What?  Listen, I have to call you back, Ed needs me to fix his computer and he won't listen to me.  I'll call back in a few minutes."

The supervisor: "Uh, I don't know the number I'm calling from.  I'll ask my supervisor and call you back.  Goodbye!"

If you are accused of not being who you say you are: "This is just crazy!  Why the heck would I take on this stupid problem if I'm not who I say I am!" or take the offensive: "Oh, really!  Well, that's brilliant - thanks a lot!  This is the last time I call AT&T (or whomever)!  Just before I go, who's your direct supervisor?  What's his name?  And your name?  Right, thanks.  He's going to get a glowing report of your customer services skills, I can promise you that!"

The last ditch "Eject!  Eject!  Eject!" is to press the hang-up key while you are talking.  Must be a problem on the line.  Also, this can work to your advantage when your target is in a large building.  If you call back immediately, you very often get a different Target and can try afresh with them, saying "I was speaking to someone and got cut-off - can you help me?"  On a humorous note, one of my colleagues once set off a fire alarm to escape a call, but I really don't recommend you do that!

How To Avoid It

It's important to have a specific framework in mind of what you will and will not answer.

For example, if you are at home and someone calls you up, saying they're looking for a certain number that is not yours, you personally must decide what information you will feel comfortable giving out.  Some individuals feel happy saying, "No, this is 832600.  My name's Eric and there's never been a Mr. Goldstein living here," while others will just say, "Wrong number" and hang up.  Certainly, the latter is safer if you want to avoid social engineering (but you do tend to miss out on funny experiences that way!).  Ask yourself: "Does this person have a right to know?"  Does your phone company really need to know how many children you have?  Does your gym need your email address?  If they don't, then don't give it to them.

You must be prepared to protect your personal information - shredding letters and bank statements to protect yourself against trashing and identity fraud (which is a different subject) is a good start, but what about the information you voluntarily give out?  What personal information is there of yours on MySpace, Facebook, Bebo or your own website?  As an experiment to highlight the dangers of these things (and with my boss' full written permission, I hasten to add), I was able to convince his 16-year-old daughter that I had attended the same school as she did - simply by looking at her Bebo account, reading which school she went to, and seeing the photos she took at the school dance (so I could describe rooms in the place).  These sites can provide anyone with enough data to pull an engineering attempt off and are truly frightening in their potential.

Did something odd come through the mail?

It's a little off-topic, but one of the highest priorities we had as investigators was to obtain the target's bank details.  Once a court action was started, we could perform a bank arrestment on dependence (freezing the money in the account, pending the result of the court action), which nearly always forced a debtor to the negotiating table.  To obtain a target's bank information, we sent the target, under the guise of our being a charitable company (complete with made-up stationery and a bank account in its name), a check for £10.  It was always cashed.

We then looked at our bank statement (using Internet banking).  There were the bank account, sorting code and name of the bank account of the target!  Within half an hour, instructions were sent to officers of the court (bailiffs) to have their bank account frozen!  But how simple it could be for someone to obtain your bank details using that technique!  So be incredibly careful with checks, unless you know the reasons you're getting them.

In a business context, there have to be clearly defined criteria of what information can and cannot be given out and then who is acceptable to receive it.  We are not just talking about private data, we are talking about the private data entrusted to you by your customers.  To let your customers down should be the last thing any decent business wants to do.  These criteria must be set by the highest level of management, so that:

1.)  It is organization-wide (everybody sings from the same hymn sheet)

2.)  No wily engineer comes in and countermands company policy (alarm bells should ring if someone asks for information that the company never gives out over the phone)

This should include a "no-blame" policy if an employee has suspicions and refuses to divulge information to a customer, if there is reasonable doubt as to their identity.

Ideally, any sensitive data, like credit cards, dates of birth, and the like, should not be available for the average employee to see.  Any request should be referred to someone higher in rank and specially trained to detect social engineering.

Three questions and answers should be set by the customer to pick from.  Not "What is your National Insurance number (or Social Security number)?", but something vague, such as, "In what year did Abner Podunk sprain his ankle?"  Something that would be impossible to bluff and would immediately get the customer's attention if an attempt was made to engineer the answer out of them.

However, in numerous lines of work in the real world, like the hotel industry, important information like credit card numbers has to be available for the rank and file to see.

In my opinion, the biggest hole that social engineers exploit in the business world is that management leaves it to the employee to decide for themselves the value of the information or, even worse, does not inform the employee how protected something must be.  I recently worked for a hotel chain, performing admin and computer maintenance.  I heard that, before my arrival, four of the receptionists had recently left school and, when they got the job, they were simply told by management, "Here's the computer, here's the keys - get on with it."

No policies explained, no health and safety reviews, no "How to deal with complaints you receive" and no "Basic security procedures with customer data."

They were simply dropped into the deep end to sink or swim with exactly zero experience in their job.  As a result, a scam-artist happily social engineered over six guests' credit card numbers out of these kids.  Although it does sound like a complete lack of common-sense on the part of these youngsters, at least liability could have been prevented from reaching the hotel chain itself had management taken a little time to reinforce what is O.K. to share and what data needs to be protected.

Once these guidelines have been set in place, the individual employees must ask themselves, during every call or transaction if required, "Where is this conversation leading?  Could the data I have be considered private, proprietary, or damaging?  Am I being asked to divulge information that I have been told must not get out?"  And if they refuse because they are worried or unsure, they should not be penalized for doing so - higher-ups should take over and make a judgment themselves.

No matter how complex and airtight technology gets, people are always the weak spot.  Remember, the least likely can also be the most dangerous.

Trust me.
