Variation: the president of the United States is calling

As co-host of a radio show in Los Angeles called "Darkside of the Internet" on KFI Talk Radio, I worked under the station's program director. David, one of the most committed and hardworking people I've ever met, is very difficult to reach by telephone because he's so busy. He's one of those people who doesn't answer a call unless he sees from the caller ID that it's someone he needs to talk to.

 

When I'd phone him, because I have call blocking on my cell phone, he could not tell who was calling and wouldn't pick up the call. It would roll over to voice mail, and it became very frustrating for me.

 

I talked over what to do about this with a long-time friend who is the cofounder of a real estate firm that provides office space for high-tech companies. Together we came up with a plan. He had access to his company's Meridian telephone switch, which gives him the ability to program the calling party number, as described in the previous story. Whenever I needed to reach the program director and couldn't get a call through, I would ask my friend to program any number of my choosing to appear on the caller ID. Sometimes I'd have him make the call look as if it was coming from David's office assistant, or sometimes from the holding company that owns the station.

 

But my favorite was programming the call to appear from David's own home telephone number, which he always picked up. I'll give the guy credit, though. He always had a good sense of humor about it when he'd pick up the phone and discover I had fooled him once again. The best part was that he'd then stay on the line long enough to find out what I wanted and resolve whatever the issue was.

 

When I demonstrated this little trick on the Art Bell Show, I spoofed my caller ID to display the name and number of the Los Angeles headquarters of the FBI. Art was quite shocked about the whole affair and admonished me for doing something illegal. But I pointed out to him that it's perfectly legal, as long as it's not an attempt to commit fraud. After the program I received several hundred emails asking me to explain how I had done it. Now you know.

 

This is the perfect tool to build credibility for the social engineer. If, for example, during the research stage of the social engineering attack cycle, it was discovered that the target had caller ID, the attacker could spoof his or her own number as being from a trusted company or employee. A bill collector can make his or her calls appear to come from your place of business.

 

But stop and think about the implications. A computer intruder can call you at home claiming to be from the IT department at your company. The person on the line urgently needs your password to restore your files from a server crash. Or the caller ID displays the name and number of your bank or stock brokerage house, and the pretty-sounding girl just needs to verify your account numbers and your mother's maiden name. For good measure, she also needs to verify your ATM PIN because of some system problem. A stock market boiler-room operation can make their calls seem to come from Merrill Lynch or Citibank. Someone out to steal your identity could call, apparently from Visa, and convince you to tell him your Visa card number. A guy with a grudge could call and claim to be from the IRS or the FBI.

 

If you have access to a telephone system connected to a PRI, plus a bit of programming knowledge that you can probably acquire from the system vendor's Web site, you can use this tactic for playing cool tricks on your friends. Know anybody with overblown political aspirations? You could program the referral number as 202 456-1414, and his caller ID will display the name "WHITE HOUSE."

 

He'll think he's getting a call from the president!
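As an added illustration, not part of the original text: on an ISDN PRI the number that ends up on the called party's caller ID display is carried in the Q.931 Calling Party Number information element, and it is the originating switch (the PBX, not the phone company) that fills that element in. The Python example below encodes and decodes that element following the layout in ITU-T Q.931 section 4.5.10. The Meridian programming steps mentioned above are not shown, the sample number 202 456-1414 is the one from the paragraph above, and the carrier's screening policy is not modeled; the only thing the network receives about the number's trustworthiness is the two-bit screening indicator, which the same switch also sets.

```python
"""Q.931 Calling Party Number information element (identifier 0x6C).

Added example: encodes and decodes the element that carries the displayed
calling number on an ISDN PRI. Layout per ITU-T Q.931 section 4.5.10:
  octet 1  : IE identifier 0x6C
  octet 2  : length of the following octets
  octet 3  : ext | type of number (3 bits) | numbering plan (4 bits)
  octet 3a : ext | presentation indicator (2) | spare (2) | screening (2)  (optional)
  octet 4+ : the digits as IA5 (ASCII) characters
"""
from dataclasses import dataclass

IE_CALLING_PARTY_NUMBER = 0x6C

TYPE_OF_NUMBER = {0b000: "unknown", 0b001: "international",
                  0b010: "national", 0b100: "subscriber"}
NUMBERING_PLAN = {0b0000: "unknown", 0b0001: "ISDN/telephony (E.164)",
                  0b1001: "private"}
PRESENTATION = {0b00: "allowed", 0b01: "restricted", 0b10: "number not available"}
SCREENING = {0b00: "user-provided, not screened",
             0b01: "user-provided, verified and passed",
             0b10: "user-provided, verified and failed",
             0b11: "network-provided"}


@dataclass
class CallingPartyNumber:
    digits: str
    type_of_number: int = 0b010   # national
    numbering_plan: int = 0b0001  # E.164
    presentation: int = 0b00      # presentation allowed
    screening: int = 0b00         # user-provided, not screened


def encode(cpn: CallingPartyNumber) -> bytes:
    """Build the IE exactly as a PBX would place it in a SETUP message.

    Nothing here stops the caller from choosing any digits, or from marking
    them 'network-provided'; that is the whole point of the story above.
    """
    if not cpn.digits.isdigit():
        raise ValueError("digits must be IA5 decimal characters")
    # ext bit of octet 3 is 0 because octet 3a follows.
    octet3 = (cpn.type_of_number << 4) | cpn.numbering_plan
    # ext bit of octet 3a is 1: it is the last of the coded octets.
    octet3a = 0x80 | (cpn.presentation << 5) | cpn.screening
    body = bytes([octet3, octet3a]) + cpn.digits.encode("ascii")
    return bytes([IE_CALLING_PARTY_NUMBER, len(body)]) + body


def decode(ie: bytes) -> CallingPartyNumber:
    """Parse the IE as the receiving switch or caller ID box would."""
    if len(ie) < 3 or ie[0] != IE_CALLING_PARTY_NUMBER:
        raise ValueError("not a Calling Party Number IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated IE")
    octet3 = body[0]
    ton = (octet3 >> 4) & 0b111
    npi = octet3 & 0b1111
    if octet3 & 0x80:
        # ext bit set: octet 3a absent. Q.931 then assumes presentation
        # allowed and user-provided, not screened.
        presentation, screening = 0b00, 0b00
        digits = body[1:]
    else:
        octet3a = body[1]
        presentation = (octet3a >> 5) & 0b11
        screening = octet3a & 0b11
        digits = body[2:]
    return CallingPartyNumber(digits.decode("ascii"), ton, npi, presentation, screening)


def displayed_number(ie: bytes) -> str:
    """What a caller ID display shows: the digits, with no regard to screening.

    Returns an empty string only if the caller asked for presentation
    restricted (the 'private number' case).
    """
    cpn = decode(ie)
    return "" if cpn.presentation == 0b01 else cpn.digits


def describe(ie: bytes) -> dict:
    """Human-readable view of every field, for inspecting a captured IE."""
    cpn = decode(ie)
    return {"digits": cpn.digits,
            "type_of_number": TYPE_OF_NUMBER.get(cpn.type_of_number, "reserved"),
            "numbering_plan": NUMBERING_PLAN.get(cpn.numbering_plan, "reserved"),
            "presentation": PRESENTATION.get(cpn.presentation, "reserved"),
            "screening": SCREENING.get(cpn.screening, "reserved")}


if __name__ == "__main__":
    # Constructed sample: the White House switchboard number from the text,
    # exactly as a PBX owner could program it.
    spoofed = encode(CallingPartyNumber("2024561414", screening=0b11))
    print(spoofed.hex())
    print(describe(spoofed))
    print("display shows:", displayed_number(spoofed))
```

Two things follow from the layout. First, the digits are IA5 text that the originating switch chose, so the number that reaches the display is whatever the PBX owner typed in. Second, the screening indicator is the only field that says whether anyone checked those digits, and it is set by the same switch; a carrier that does not overwrite it at the network boundary has no independent evidence at all. A caller ID box never looks at it, so the display is identical for a genuine and a programmed number.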

 

The moral of the story is simple: Caller ID cannot be trusted, except when being used to identify internal calls. Both at work and at home, everyone needs to become aware of the caller ID trick and recognize that the name or phone number shown in a caller ID display cannot ever be trusted for verification of identity.

 

 


MITNICK MESSAGE

The next time you receive a call and your caller ID shows it's from your dear old mom, you never know--it might be from a sweet little old social engineer.

 

THE INVISIBLE EMPLOYEE

Shirley Cutlass has found a new and exciting way to make fast money. No more putting in long hours at the salt mine. She has joined the hundreds of other scam artists involved in the crime of the decade. She is an identity thief.

 

Today she has set her sights on getting confidential information from the customer service department of a credit card company. After doing the usual kind of homework, she calls the target company and tells the switchboard operator who answers that she'd like to be connected to the Telecom Department. Reaching Telecom, she asks for the voice mail administrator.

 

Using information gathered from her research, she explains that her name is Norma Todd from the Cleveland office. Using a ruse that should by now be familiar to you, she says she'll be traveling to corporate headquarters for a week, and she'll need a voice mailbox there so she won't have to make long distance calls to check her voice mail messages. No need for a physical telephone connection, she says, just a voice mailbox. He says he'll take care of it, he'll call her back when it's set up to give her the information she'll need.

 

In a seductive voice, she says, "I'm on my way into a meeting; can I call you back in an hour?"

 

When she calls back, he says it's all set up, and gives her the information-- her extension number and temporary password. He asks whether she knows how to change the voice mail password, and she lets him talk her through the steps, though she knows them at least as well as he does.

 

"And by the way," she asks, "from my hotel, what number do I call to check my messages?" He gives her the number.

 

Shirley phones in, changes the password, and records her new outgoing greeting.

 

Shirley Attacks

So far it's all been an easy setup. She's now ready to use the art of deception.

 

 


 

She calls the customer service department of the company. "I'm with Collections, in the Cleveland office," she says, and then launches into a variation on the by-now familiar excuse. "My computer is being fixed by technical support and I need your help looking up this information." And she goes on to provide the name and date of birth of the person whose identity she is intent on stealing. Then she lists the information she wants: address, mother's maiden name, card number, credit limit, available credit, and payment history. "Call me back at this number," she says, giving the internal extension number that the voice mail administrator set up for her. "And if I'm not available, just leave the information on my voice mail."

 

She keeps busy with errands for the rest of the morning, and then checks her voice mail that afternoon. It's all there, everything she asked for. Before hanging up, Shirley clears the outgoing message; it would be careless to leave a recording of her voice behind.

 

And identity theft, the fastest growing crime in America, the "in" crime of the new century, is about to have another victim. Shirley uses the credit-card and identity information she just obtained, and begins running up charges on the victim's card.

 

Analyzing the Con

In this ruse, the attacker first duped the company’s voice mail administrator into believing she was an employee, so that he would set up a temporary voice mailbox. If he bothered to check at all, he would have found that the name and telephone number she gave matched the listings in the corporate employee database.

 

The rest was simply a matter of giving a reasonable excuse about a computer problem, asking for the desired information, and requesting that the response be left on voice mail. And why would any employee be reluctant to share information with a co-worker? Since the phone number that Shirley provided was clearly an internal extension, there was no reason for any suspicion.

 

MITNICK MESSAGE

Try calling your own voice mail once in a while; if you hear an outgoing message that's not yours, you may have just encountered your first social engineer.

 


THE HELPFUL SECRETARY

Cracker Robert Jorday had been regularly breaking into the computer networks of a global company, Rudolfo Shipping, Inc. The company eventually recognized that someone was hacking into their terminal server, and that through that server the user could connect to any computer system at the company. To safeguard the corporate network, the company decided to require a dial-up password on every terminal server.

 

Robert called the Network Operations Center posing as an attorney with the Legal Department and said he was having trouble connecting to the network. The network administrator he reached explained that there had been some recent security issues, so all dial-up access users would need to obtain the monthly password from their manager. Robert wondered what method was being used to communicate each month's password to the managers and how he could obtain it. The answer, it turned out, was that the password for the upcoming month was sent in a memo via office mail to each company manager.

 

That made things easy. Robert did a little research, called the company just after the first of the month, and reached the secretary of one manager who gave her name as Janet. He said, "Janet, hi. This is Randy Goldstein in Research and Development. I know I probably got the memo with this month's password for logging into the terminal server from outside the company, but I can't find it anywhere. Did you get your memo for this month?"

 

Yes, she said, she did get it.

 

He asked her if she would fax it to him, and she agreed. He gave her the fax number of the lobby receptionist in a different building on the company campus, where he had already made arrangements for faxes to be held for him, and would then arrange for the password fax to be forwarded. This time, though, Robert used a different fax-forwarding method. He gave the receptionist a fax number that went to an on-line fax service. When this service receives a fax, the automated system sends it to the subscriber's email address.

 

The new password arrived at the email dead drop that Robert set up on a free email service in China. He was sure that if the fax was ever traced, the investigator would be pulling out his hair trying to gain cooperation from Chinese officials, who, he knew, were more than a little reluctant to be helpful in matters like this. Best of all, he never had to show up physically at the location of the fax machine.

 


MITNICK MESSAGE

The skilled social engineer is very clever at influencing other people to do favors for him. Receiving a fax and forwarding it to another location appears so harmless that it's all too easy to persuade a receptionist or someone else to agree to do it. When somebody asks for a favor involving information, if you don't know him or can't verify his identity, just say no.

 

TRAFFIC COURT

Probably everyone who has ever been given a speeding ticket has daydreamed about some way of beating it. Not by going to traffic school, or simply paying the fine, or taking a chance on trying to convince the judge about some technicality like how long it has been since the police-car speedometer or the radar gun was checked. No, the sweetest scenario would be beating the ticket by outsmarting the system.

The Con
Although I would not recommend trying this method of beating a traffic ticket (as the saying goes, don't try this at home) still, this is a good example of how the art of deception can be used to help the social engineer.

 

Let's call this traffic violator Paul Durea.

First Steps

"LAPD, Hollenbeck Division."

"Hi, I'd like to talk to the Subpoena Control."

"I'm the subpoena clerk."

"Fine. This is Attorney John Leland, of Meecham, Meecham, and Talbott. I need to subpoena an officer on a case."

"Okay, which officer?"

"Do you have Officer Kendall in your division?"

"What's his serial number?"

"21349."

"Yes. When do you need him?"

"Some time next month, but I need to subpoena several other witnesses on the case and then tell the court what days will work for us. Are there any days next month Officer Kendall won't be available?"

 


"Let's see... He has vacation days on the 20th through the 23rd, and he has training days on the 8th and 16th."

"Thanks. That's all I need right now. I'll call you back when the court date is set."

 


