Social Engineering – Sometimes It’s Too Easy
A fun story from a recent adventure in social engineering. I thought I’d pass on some things I learned and ways to be better prepared next time.
The Goal
Call the IT Help Desk for a customer and try to reset the password for five users.
I was not given the IT Help Desk number or the names of any employees.
I called the general contact number listed on the “contact us” web page and asked for the phone number of the IT help desk. That was easy.
I searched social media for employee names. That was easy too.
The Ruse
I’m on maternity leave and can’t access email via Outlook Web Access (OWA).
First Call
The help desk asks for my employee number . . . “Uh, I don’t have that handy, can you look it up by my last name?” . . . She does, and then reads it to me, so the one identifier meant to verify me has just been handed over.
She takes me through the built-in forgot-password functionality, which sends a reset by email or text to the contact details on file. I wasn’t prepared for this and didn’t want a reset notification going to the actual employee, so I pretended to complete the reset and thanked her for helping me get in.
Second Call
Same story, but this time I’m prepared to say that the contact information on file for the password reset is wrong.
The attendant asks me to go to a remote assistance site so she can connect to my computer. This gives her remote control of my test virtual machine (thankfully a VM dedicated to this customer). I was not expecting this, and I have Burp Suite running in the background (hope she doesn’t know what that tool is for). She brings up the OWA login page and starts to enter my email address, and a couple of other employee logins appear as autofill suggestions because of accounts I had already gotten into through password spraying.
Then she brings up Outlook, where I’m already logged in to another employee’s account. (Oops!) I tell her it is a co-worker.
Then she brings up the Windows command prompt, which shows “Users/Carrie Roberts”: not the person I was posing as, but this did not appear to raise any suspicion.
She gives me a new password for the OWA account, “Password@123”, and I’m in. I ask if I should change my password now and she says “As you prefer” . . . interesting advice, given that the reset password is guessable and nothing forces a change.
The Help Desk calls my cell number back . . . SIX TIMES . . . maybe they wanted the password back? I never answer, but decide that perhaps I should be using my “caller ID faker” app, which I do for the remaining calls.
Third Call
This time I use the caller ID faker, and partway into the call it drops . . . stupid app. I call back a couple of times and get the same person again. She says, “I tried to call you back but it said it couldn’t connect” . . .
Me: “Uhhhhhhhh, that’s odd… anyway, about that reset . . .”
The attendant says resetting my password requires manager approval.
Crumbs . . .
Fourth Call
“Sorry, resetting your password is against security policy.”
But she did say, “My heart is in my throat for you,” so that made me feel better!
Fifth Call
I wait two days before making the last call. This time I have created a new user account on my Windows VM with a username matching the ruse, and cleaned up the other suspicious things, like concurrent logins as other employees.
The attendant does the remote access thing again to control my PC. I play a crying-baby soundtrack in the background to go along with the maternity leave ruse; I just had to. She says she will chat with me via the chat window instead and hangs up. I guess the baby was too much?
She uninstalls Microsoft Office. Why? I don’t know, because I told her I wanted to log in online to OWA and I even had it open. After that, she resets my password, enters it, and lets me set the new one. Then she installs Office 365 from the victim’s account and configures Outlook for me. I thank her and let her know that this will be very handy.
You can learn more from Carrie in her classes!
Check them out here:
Attack Emulation Tools: Atomic Red Team, CALDERA and More
Available live/virtual and on-demand!