Today, I listened to an intriguing episode of Darknet Diaries featuring Rachel Tobac, an ethical hacker and the CEO of SocialProof Security. Tobac, a three-time second-place winner at DEF CON’s Social Engineering Capture the Flag competition, shared invaluable insights into social engineering tactics used to exploit human and system vulnerabilities.
For a tl;dr version, check out the cyber wiki version of this article here.
Here’s what I learned from her about social engineering:
Hack 1: Attacking a Consulting Firm
Conducting Reconnaissance
The first step in any social engineering attack is thorough reconnaissance. Spend up to a month gathering detailed information about the target company. Understand its structure, key personnel, and internal processes. This groundwork is essential for knowing who to contact and what to ask.
Attack 1: New Employee Ruse
Contact the target company posing as a confused new employee. This approach leverages the expectation that new employees will ask numerous questions, making it easier to gather sensitive information without raising suspicion. This tactic was successfully employed to infiltrate a consulting firm.
Hack 2: Extracting Money from Customer Accounts
The objective here is to demonstrate vulnerabilities in accessing customer accounts (using fake accounts to avoid actual harm).
Attempt 1: Chat-Based Approach
Rachel begins testing with the chat service, posing as a customer needing urgent access due to losing control over communication tools while traveling. Her sob story goes:
“I lost access to my phone, email, laptop. I got lost after a night out and really need access to my bank account because I’m stuck and need money.”
The primary aim is to change the registered email address or phone number on the account. Achieving this would grant administrative privileges.
However, the bank adheres to its protocol and only offers to send a password reset to the account’s original contact details.
Attempt 2: Phone Call-Based Attack
Realizing the limitations of chat, Rachel switches to a phone call-based attack.
Benefits of Phone Calls:
- Less of a digital paper trail.
- Ability to build rapport through voice, making it easier to sound trustworthy and persuasive.
Method:
Rachel uses a caller ID spoofing app to appear as the customer, costing just $1 in the app.
Script:
“Hi, I am so sorry. I am Kelly Smith. I am traveling and cannot access any of my funds. I am super stressed out. Can you please please help me?”
Relying on two-factor authentication (2FA) rather than knowledge-based authentication is the sounder choice, because personal details such as the last four digits of an SSN or a mother’s maiden name can easily be found online.
Limitations of Phone Spoofing:
- Cannot receive text messages.
- If the bank calls back, it won’t reach Rachel’s phone.
- It only appears as though she’s calling from the customer’s number without actually having access.
Unfortunately, the bank said no and followed protocol at first, but the agent spoke to a manager, and because this was treated as a rare fringe case, they agreed to let her send alternative verification via photo.
When asked for additional verification, such as a driver’s license, social security card, and a utility bill, Rachel’s husband photoshops these documents. The bank, often not verifying beyond matching names and addresses, grants her full admin access by the next morning, allowing her to transfer the funds out.
Hack 3: Investigating Insider Threats and Leaks
Rachel’s objective was to uncover information about an upcoming merger and acquisition (M&A) using social engineering techniques.
Attack 1: Posing as a Journalist
Rachel created a fake journalist identity, complete with email, background, and social media profiles. This tactic involved direct messaging, emailing, and texting potential insiders to gather M&A details.
Method:
- Develop a full online persona with a history, photos, and connections.
- Use LinkedIn to identify key personnel with relevant skills and roles.
It ultimately did not work because people don’t really trust journalists.
Attack 2: Exploiting the Hiring Process
Rachel applied for jobs, including a product manager role, to exploit the hiring process and draw out information about the company’s activities and technologies.
Steps:
- Create a convincing fake profile with a resume, LinkedIn, and other social media accounts.
- Apply for a job and get through initial interviews.
- During the final round, ask targeted questions to extract sensitive information.
Rachel found that by asking well-crafted questions, she could glean significant details even when interviewers knew they couldn’t confirm anything directly.
Hack 4: Using AI to Trick a 60 Minutes Host
Rachel used AI to trick a 60 Minutes host, who knew she was going to be targeted, into revealing sensitive information.
Method:
- Conduct extensive OSINT to gather background information.
- Use a voice cloning tool to mimic the host’s coworker’s voice.
- Create a plausible scenario requiring the host’s cooperation.
Script:
“Elizabeth, sorry, need my passport number because the Ukraine trip is on. Can you read that out to me?”
Execution:
Rachel spoofed the phone number and used the cloned voice to request the information. Despite the host’s awareness, the well-timed and convincing call succeeded.
Protective Measures Against Social Engineering Attacks
Organizations can safeguard against social engineering tactics by implementing several key measures:
- Identify Edge Cases: Understand scenarios that could be exploited.
- Implement Callbacks: Verify the caller’s identity by calling back the number on file, which defeats caller ID spoofing since a spoofed call cannot receive the return call.
- Email Verification and One-Time Passwords: Ensure secure communication and identity verification.
- Use 2FA: Replace knowledge-based authentication with more secure methods.
- Service Codes, PINs, and Verbal Passcodes: Add layers of security for account access.
- Involve Management: Loop in higher-level personnel for internal support tickets and sensitive requests.
By adopting these measures, folks can significantly reduce their vulnerability to social engineering attacks, safeguarding both their operations and their customers.
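To make the callback and 2FA points concrete, here is an added example (my own illustration, not code from the episode or from SocialProof Security) of how an account-change decision could weigh the signals discussed above. The request fields and the three outcomes are assumptions; "escalate" here means holding the change, notifying the existing registered contacts, and routing it to a manager rather than letting one agent grant access in a single session.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of a request to change an account's registered email or
# phone number; the field names are hypothetical, not from any real bank.
@dataclass(frozen=True)
class ChangeRequest:
    caller_id_matches_profile: bool   # what the agent's screen shows
    kba_passed: bool                  # last four of SSN, mother's maiden name, etc.
    otp_verified: bool                # one-time code sent to the registered channel
    callback_answered: bool           # agent called the number on file and reached the customer
    documents_submitted: bool         # photos of ID, SSN card, utility bill, etc.

APPROVE, DENY, ESCALATE = "approve", "deny", "escalate"

def decide(req: ChangeRequest) -> tuple[str, list[str]]:
    """Return (outcome, reasons) for a contact-detail change request.

    ESCALATE means: hold the change, notify the existing registered contacts,
    and queue it for manager review instead of granting access in one session.
    """
    reasons: list[str] = []
    # Caller ID is spoofable for about a dollar, so a match carries no weight.
    if req.caller_id_matches_profile:
        reasons.append("caller ID match ignored: spoofable")
    # KBA answers are findable online, so they never count as a factor either.
    if req.kba_passed:
        reasons.append("KBA pass ignored: answers discoverable via OSINT")
    # A spoofer cannot receive a text or a callback on the real number, so
    # either one proves possession of the registered channel.
    if req.otp_verified or req.callback_answered:
        return APPROVE, reasons + ["possession of registered channel proven"]
    # Edge case: the customer claims to have lost every registered channel.
    # Documents are forgeable, so they are never sufficient on their own.
    if req.documents_submitted:
        return ESCALATE, reasons + ["documents alone insufficient: manager review, notify existing contacts"]
    return DENY, reasons + ["no proof of possession of registered channel"]

def episode_scenario() -> tuple[str, list[str]]:
    """The fringe case from the episode: spoofed caller ID, KBA answers, doctored documents."""
    return decide(ChangeRequest(
        caller_id_matches_profile=True, kba_passed=True,
        otp_verified=False, callback_answered=False, documents_submitted=True))
```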
Overall, it was an amazing podcast and I recommend that everyone listens to it!