how to social engineer into anything
or; the line-interruption method

an infosec writeup to help protect companies from filthy blackhat scum

fucc steve case

[ascii art, signed jgs]

warning: this technique has been used to infiltrate various large companies resulting in dox and hax!1

warning 2 hackers: don't friggin do it!

shouts: syphor, dropcode, egod, the|one, mist and every >/int scroller from the ao-daze. it's 2017 & aol hacking is finally retro and cool. we made it fams.

written by big pad tha don

###how it's done###

i'll use a hypothetical aol attack to explain the process, but this can be reworked for pretty much anything.

first, you'll need an accomplice or the ability to pull off two very distinct voices. second, you'll need to make an account on the target service with the name and address information filled out with things like "THIS IS A TEST ACCOUNT", "TEST PURPOSES ONLY" etc.

friend = person #1, the oblivious customer
se = person #2, the social engineer
jeff = phone rep

> pregame

jeff: thank you for calling america online's new registrations department, my name is #jeff# how may i help you?
friend: hello i'm tony and i need internet. now you guys have the email and the web, right?
jeff: we certainly do! with america online you can blahblahblah
*let this exchange go on for about a full minute*
se: #beep boop# (use two rapid touch tones)
se: hello, i'm sorry to interrupt this phone call. jeff how ya doin today?
jeff: i'm fine..
se: great, [name of friend] do you mind if i place you on hold for a minute or two?
friend: n.. no that's fine
se: great thanks.
#beep boop#
se: ok i've placed the caller on hold, jeff how ya doin today?
jeff: i'm fine..
se: great. well i'm chad and i've been monitoring your activity this evening and had a couple of things i wanted to run by you. firstly, have you been seated at your terminal all afternoon?
jeff: yes
se: so nobody else has had access to your workstation?
jeff: yes
se: ok, on my end it looks like you're mistyping credit card information for new members. i only see a couple of instances but it's something we do need to address, as it results in errors in our billing processing systems.
jeff: no i never mistyped anything today
se: hmm, ok. our data retrieval system might be misinterpreting something... ok i'm going to have you pull up a test account. navigate to your pegareach quick search screen and let me know when you're there.
jeff: ok i'm there
se: great. ok let me pull up my data retrieval software. give me a moment....
se: *taps around on a keyboard for about 10 seconds* ok ready?
jeff: ready
se: jeff go ahead and look up the screen name "PhoneTest22"

> when jeff looks up "PhoneTest22" he'll feel immediately at ease for two reasons

1. you interrupted his phone call with a customer like some leet high level supervisor
2. you created the "PhoneTest22" account and all of the name/address fields say things like "THIS IS A TEST ACCOUNT"

> attack scenario #1: let's condition jeff into resetting account passwords

jeff: ok i've pulled it up
se: great, now go ahead and reset the password on the account to aoltest1
jeff: ok done
se: hmm, not seeing anything in my data retrieval software. some packet errors. let's try again. navigate back to the search screen and let me know when you're there
jeff: i'm there
se: great. go ahead and pull up the screen name "target"
jeff: ok done
se: great, now go ahead and reset the password on the account to aoltest1

> at this point you can either say "ok, looks like your mac address was misissued. i'll have noc address that. thanks" or you can just have him sit there and reset tons of passwords on multiple accounts all night until he asks about overtime.

> other attack scenarios - once you've earned the phone rep's confidence you can do various things such as:

1. ask him to press "prnt scrn" and copy and paste a screenshot of their internal software into a new email addressed to you. this is useful in followup calls because you'll know more about their internal systems and how to speak the lingo.
2. have him install patch.exe because your darn data retrieval system is on the fritz
3. read off sensitive information on target accounts

[ascii art: a monitor displaying "owned"]

###backstory###

this was conceptualized in 2003/2004 by yours truly and used relentlessly on various utilities, carriers and isps. i'm convinced that variations of this technique would still work present day on virtually any large tech/communications company with enough phone jockeys. isps, registrars, banks, mobile carriers, etc. employees need to stay vigilant in the face of unorthodox social engineering vectors. the whole thing hinges on a phone rep accepting two things as proof of authority: a voice that interrupts his line, and an account whose name fields say it's a test. neither one is.

###fun fact###

mark zuckerberg started out as an aol/aim hacker. one of us, one of us, gooble gobble and whathaveyou.