Tuesday, 09 June 2009

Analyzing the Con

This entire ruse was based on one of the fundamental tactics of social
engineering: gaining access to information that a company employee
treats as innocuous, when it isn't.
The first bank clerk confirmed the terminology to describe the identifying
number used when calling CreditChex: the Merchant ID. The second
provided the phone number for calling CreditChex, and the most vital
piece of information, the bank's Merchant ID number. All this information
appeared to the clerk to be innocuous. After all, the bank clerk thought
she was talking to someone from CreditChex, so what could be the harm
in disclosing the number?
All of this laid the groundwork for the third call. Grace had everything he
needed to phone CreditChex, pass himself off as a rep from one of their
customer banks, National, and simply ask for the information he was
after.
With as much skill at stealing information as a good swindler has at
stealing your money, Grace had well-honed talents for reading people. He
knew the common tactic of burying the key questions among innocent
ones. He knew a personal question would test the second clerk's
willingness to cooperate, before innocently asking for the Merchant ID number.
The first clerk's error in confirming the terminology for the CreditChex ID
number would be almost impossible to protect against. The information is
so widely known within the banking industry that it appears to be
unimportant - the very model of the innocuous. But the second clerk,
Chris, should not have been so willing to answer questions without
positively verifying that the caller was really who he claimed to be. She
should, at the very least, have taken his name and number and called
back; that way, if any questions arose later, she may have kept a record of
what phone number the person had used. In this case, making a call like
that would have made it much more difficult for the attacker to
masquerade as a representative from CreditChex.
MITNICK MESSAGE
A Merchant ID in this situation is analogous to a password. If bank
personnel treated it like an ATM PIN, they might appreciate the sensitive
nature of the information. Is there an internal code or number in your
organization that people aren't treating with enough care?

Better still would have been a call to CreditChex using a number the bank
already had on record - not a number provided by the caller - to verify that the
person really worked there, and that the company was really doing a
customer survey. Given the practicalities of the real world and the time
pressures that most people work under today, though, this kind of
verification phone call is a lot to expect, except when an employee is
suspicious that some kind of attack is being made.
THE ENGINEER TRAP
It is widely known that head-hunter firms use social engineering to recruit
corporate talent. Here's an example of how it can happen.
In the late 1990s, a not very ethical employment agency signed a new
client, a company looking for electrical engineers with experience in the
telephone industry. The honcho on the project was a lady endowed with a
throaty voice and sexy manner that she had learned to use to develop
initial trust and rapport over the phone.
The lady decided to stage a raid on a cellular phone service provider to
see if she could locate some engineers who might be tempted to walk
across the street to a competitor. She couldn't exactly call the switchboard
and say, "Let me talk to anybody with five years of engineering
experience." Instead, for reasons that will become clear in a moment, she
began the talent assault by seeking a piece of information that appeared
to have no sensitivity at all, information that company people give out to
almost anybody who asks.
The First Call: The receptionist
The attacker, using the name Didi Sands, placed a call to the corporate
offices of the cellular phone service. In part, the conversation went like
this:
Receptionist: Good afternoon. This is Marie, how may I help you?
Didi: Can you connect me to the Transportation Department?
R: I'm not sure if we have one, I'll look in my directory. Who's calling?
D: It's Didi.
R: Are you in the building, or... ?
D: No, I'm outside the building.
R: Didi who?
D: Didi Sands. I had the extension for Transportation, but I forgot what
it was.
R: One moment.
To allay suspicions, at this point Didi asked a casual, just making
conversation question designed to establish that she was on the "inside,"
familiar with company locations.
D: What building are you in - Lakeview or Main Place?
R: Main Place. (pause) It's 805 555 6469.
To provide herself with a backup in case the call to Transportation didn't
provide what she was looking for, Didi said she also wanted to talk to
Real Estate. The receptionist gave her that number, as well. When Didi
asked to be connected to the Transportation number, the receptionist tried,
but the line was busy.
At that point Didi asked for a third phone number, for Accounts
Receivable, located at a corporate facility in Austin, Texas. The
receptionist asked her to wait a moment, and went off the line. Reporting
to Security that she had a suspicious phone call and thought there was
something fishy going on? Not at all, and Didi didn't have the least bit of
concern. She was being a bit of a nuisance, but to the receptionist it was
all part of a typical workday. After about a minute, the receptionist came
back on the line, looked up the Accounts Receivable number, tried it, and
put Didi through.
The Second Call: Peggy
The next conversation went like this:
Peggy: Accounts Receivable, Peggy.
Didi: Hi, Peggy. This is Didi, in Thousand Oaks.
P: Hi, Didi.
D: How ya doing?
P: Fine.
Didi then used a familiar term in the corporate world that describes the
charge code for assigning expenses against the budget of a specific
organization or workgroup:
D: Excellent. I have a question for you. How do I find out the cost center
for a particular department?
P: You'd have to get a hold of the budget analyst for the department.
D: Do you know who'd be the budget analyst for Thousand Oaks - headquarters?
I'm trying to fill out a form and I don't know the proper cost center.
P: I just know when y'all need a cost center number, you call your
budget analyst.
D: Do you have a cost center for your department there in Texas?
P: We have our own cost center but they don't give us a complete list of
them.
D: How many digits is the cost center? For example, what's your cost
center?
P: Well, like, are you with 9WC or with SAT?
Didi had no idea what departments or groups these referred to, but it
didn't matter. She answered:
D: 9WC.
P: Then it's usually four digits. Who did you say you were with?
D: Headquarters--Thousand Oaks.
P: Well, here's one for Thousand Oaks. It's 1A5N, that's N like in
Nancy.
By just hanging out long enough with somebody willing to be helpful,
Didi had the cost center number she needed - one of those pieces of
information that no one thinks to protect because it seems like something
that couldn't be of any value to an outsider.
The Third Call: A Helpful Wrong Number
Didi's next step would be to parlay the cost center number into something
of real value by using it as a poker chip.
She began by calling the Real Estate department, pretending she had
reached a wrong number. Starting with a "Sorry to bother you, but..."
she claimed she was an employee who had lost her company directory,
and asked who you were supposed to call to get a new copy. The man said
the print copy was out of date because it was available on the company
intranet site.
Didi said she preferred using a hard copy, and the man told her to call
Publications, and then, without being asked - maybe just to keep the
sexy-sounding lady on the phone a little longer - helpfully looked up the
number and gave it to her.
