Pub. 5 2016 Issue 1 | Spring 2016

phones that can disguise his voice and even create background sounds to disguise his location, he selects the telephone number he wants Maria's caller ID to display. Maria, who is trying to hit deadlines and really doesn't need any distractions, sees that her caller ID is displaying the telephone number of the branch that is located the farthest from the Main Office. She knows this could be a problem that needs to be resolved, so she decides to answer the telephone.

SE: "Hi, Maria! I'm a new employee at the branch on Route 6. Our manager has gone to lunch and a customer is asking me about how to make a wire transfer. Can you help me?"

If Maria actually believes she's talking to a new teller, she might explain how to perform the transfer. And if the social engineer senses reluctance on her part, he might mention the yellow book, as in: "I'm not sure what entry I need to make to the yellow book."

XYZ: "Debit account 31556 and credit your branch account. Then fill in the paperwork and send it to me. Oh, and have the customer sign our customer service agreement and fax that information to our department at XXX-XXXX."

Success! Now the social engineer has the inside number to fax requests for wire transfers, but he still lacks that pesky customer service agreement. In order to get it, he's going to use the owner of the local car dealership, "Mr. Big Bucks," as his target, because he has already purchased his basic identity -- so he knows his social security number, account number, and home address. Keep in mind that some "confidential" information is as easy to obtain as purchasing a monthly subscription to a website like Spokeo.com.

Next, our social engineer checks the owner's home address on Google Maps, looking for the location of the branch nearest his home. He decides to call the branch to see if they'll tell him whether the wire service agreement is on file.

XYZ branch: "How may I help you?"

SE: "Hi! My name is Dave, and I'm Mr. Big Bucks' bookkeeper. He's going to need to make a wire transfer later and I wanted to confirm that he's signed a wire service agreement."

XYZ: "I'm sorry, but because of privacy rules we can't disclose that information to anyone but Mr. Big Bucks."

SE: "Are you sure you can't help me? He's out of the office now and told me to find out before he got back."

XYZ: "Sorry, that information is confidential."

The branch hangs up. Since that tactic didn't work, our social engineer thinks about his next move and decides to pose as a bank employee once again. He looks for the branch nearest the car dealership, discovers it's on Yates Avenue, and finds the telephone number. After waiting ten minutes, he uses his smartphone to call the same office he just called, this time making sure that the Yates Avenue phone number is displayed on caller ID.

SE: "Hi, this is Jim, and I'm a new employee over at Yates. Mr. Big Bucks is here and wants to wire money from his personal account. I can't find anything on the computer to show that he's signed a wire service agreement and I need the offsetting account number for the yellow book."

XYZ: "Let me check . . . OK, the account number is 31556."

The voice responding is a different one than our social engineer talked to last time -- which is the benefit of waiting ten minutes. And merely mentioning the yellow book is enough to convince this bank employee that he's legit.

XYZ: "Yes, Mr. Big Bucks signed the agreement."

SE: "OK, so do I have to have you send a copy of the agreement to Maria?"

XYZ: "No, just note on the wire form that the agreement is on file. It's in the system; it just isn't on the home screen. You have to go to the savings screen to find it."

SE: "Thanks! I gotta take care of this right away. He's in a hurry."

Finally, our social engineer has all the information he needs to complete a wire transfer. First, he calls Mr. Big Bucks' home number, claiming to be the telephone company. He tells Mr. Big Bucks' wife, who answers the phone, that he's handling a service problem, and that he needs her to enter some numbers so he can check the system. The nice lady on the telephone willingly helps him by entering the numbers, which results in all of Mr. Big Bucks' calls being forwarded to his phone.

The bank soon receives the wire transfer faxed from Mr. Big Bucks' telephone number. Our social engineer has already obtained the form by visiting a branch a month earlier and posing as a photocopier repairman. The confirmation call is made to Mr. Big Bucks' "home," where our helpful social engineer verifies the transfer. Attack completed! And the bank won't even find out it has been hit until Mr. Big Bucks calls to complain.

And there you have it: a basic social engineering scam that allows the social engineer to maintain anonymity. The ironic thing is that it could have been prevented by using a technique known as the "word of the day." Each morning, a word of the day can be sent to all employees, and every staff member must be able to provide it on demand. This ensures that confidential information isn't leaked to people who aren't staff members. Indeed, sometimes the simplest and most cost-effective measures are among the most successful solutions to the growing problem of social engineering.

Copyright, 2014, Barry Thompson, All rights reserved. Thompson Consulting Group, 315-342-5931, info@tgroupline.com, www.tgroupline.com
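As an added defender-side illustration (not from the article or Thompson Consulting Group), the "word of the day" control described above can be implemented so that every office derives the same word locally from a shared secret and the date, and the displayed caller ID plays no part in the decision; the secret, word list, dates and function names below are constructed assumptions.

```python
import datetime
import hashlib
import hmac
from typing import Optional

# Constructed values for this example only. In practice the secret is
# provisioned to each office out of band and is never read out over the phone.
SHARED_SECRET = b"example-secret-replace-me"
WORDLIST = ["anchor", "birch", "copper", "delta", "ember", "falcon", "granite", "harbor"]
EXAMPLE_DAY = datetime.date(2016, 3, 1)               # constructed date
NEXT_DAY = EXAMPLE_DAY + datetime.timedelta(days=1)   # constructed date


def word_of_the_day(day: datetime.date, secret: bytes = SHARED_SECRET) -> str:
    """Derive the day's word from the shared secret and the calendar date.

    Every branch computes the same word locally, so nothing is faxed or phoned
    around each morning, and a word overheard today is useless tomorrow.
    A short hex suffix is appended so the word cannot be guessed from the list.
    """
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    word = WORDLIST[int.from_bytes(digest[:4], "big") % len(WORDLIST)]
    return f"{word}-{digest[4:6].hex()}"


def caller_is_staff(claimed_word: str, today: datetime.date,
                    caller_id: Optional[str] = None) -> bool:
    """Decide whether a caller may be treated as a staff member.

    caller_id is accepted only to make the point explicit: it is deliberately
    not used, because the story shows the displayed number is chosen by the
    caller. The caller must supply the word; the employee never reads it out.
    The comparison is constant-time and only today's word is accepted, so a
    word leaked yesterday does not work.
    """
    expected = word_of_the_day(today).encode()
    supplied = claimed_word.strip().lower().encode()
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    print("today's word:", word_of_the_day(EXAMPLE_DAY))
    print("spoofed caller ID, no word:",
          caller_is_staff("", EXAMPLE_DAY, caller_id="315-555-0100"))
```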