I Social Engineered my Dad!

November 25, 2016 by Nikos Danopoulos

Introduction

I'd like to tell you a short story about how I performed a social engineering attack against my lovely Dad! Of course, nothing I did would ever expose him in any way. Grab a beer or a coffee and enjoy the rest of the story. I hope you find it funny and educational and, as usual, I hope you enjoy it as much as I did.

Storyline

Everything began when I ran out of cash. Well, this happens frequently, but this time I also had several issues with my own Prepaid Card. I called my dad and asked if I could borrow his Visa Prepaid Card for a three-day trip to Thessaloniki, Greece, as my favorite artist was coming for a live performance. Of course, I assured him that I would return the money as soon as my Prepaid Card was fixed. He said yes, and by the afternoon I was holding the Prepaid Card! On my way to the - let's say - Perfect Bank, which is just two blocks from my house, I was listening to some music and "playing" with the card in my hands, turning it over and over again. While doing so I noticed the small white letters etched on the card: "Expires 12/2016".

[Image: the card, with the sensitive details painted over. Sorry for the painting edits!]
As it was the 16th of November - and this is important - I thought of calling my dad to warn him that his card would expire soon. It wasn't long before I changed my mind and decided to write this article instead, though!

My plan was to see how I could cleverly use the information I had, the expiration date, against a middle-aged, non-technical man. Well, he knows how to use his smartphone, browse the web and download apps, but nothing more than that. As it wouldn't be a realistic attack just to learn the card's expiration date by looking at it, I decided to obtain it through social engineering instead.

My dad, of course, would recognize my voice, so I called a friend with some good social engineering skills, Dimitris Katsaros, to come by and help me. As we needed more information, I called the Perfect Bank pretending to be a new customer and asked what happens when my Prepaid Card expires. Their answer: we will send you a new one to your home address a few days before your card expires. That was clearly a gift: now we knew a new card would arrive by post, and we could build the whole pretext around it.

On the 17th of November, early in the morning, Dimitris called my dad. The call took place at 9:30 am, the time my dad goes to his cafe; he wouldn't have had his coffee yet! Dimitris pretended to be an employee of the Perfect Bank and asked my dad for assistance: a cyber-attack had taken place at dawn and they had lost critical information about some of their customers. He read out my father's name, surname, current home address and birthday, and asked him to confirm all of it. After the confirmation, my father sounded much more serious. Dimitris then kindly asked him for the information the bank had "lost" in the attack: the name of my father's father and the expiration date of the card, "just to make sure" that a new Prepaid Card could be sent to my dad on time.

Unfortunately - or luckily - my dad replied by giving us the information we asked for. For those who wonder, yes, I resisted the urge to grab the phone and scream "What are you doing?!". So now, even if I hadn't been able to physically see the card's expiration date, I knew it after a single phone call. I then set myself a goal for the next few days: to learn my father's Prepaid Card number and CVV (3-digit number) using social engineering alone.

For those who are not familiar with payment cards, the CVV (card verification value, also called CVV2 or CVC) is the 3-digit number printed on the back of Visa and Mastercard cards; American Express uses a 4-digit code printed on the front instead. It is meant to prove that whoever is entering the card details physically holds the card, which is exactly why it is worth phishing.

Plan

I had several days until my dad got his new Prepaid Card, so I had to come up with a nice and believable plan. I know that the following scenario may not work on most people, but it really worked on my dad and on several other people we tested it on after my father. So no, I am not a social engineering guru, but it worked!

What I did was to:

  1. Buy a simple VPS
  2. Register a domain: www.account-confirmation.eu

I was planning to send my dad to www.account-confirmation.eu. Dimitris would call him saying that he had been informed that my dad had received his new card and that he would like to perform some extra steps to authenticate him and enable web banking.

My father does not use web banking, but he knows that sometimes I borrow his card to purchase things online. Moreover, he is really busy with the cafe, so I thought that if he were told that an authorization could be done online instead of going to the bank, he would accept. On the website, I created a page which looked like this:

It also included several logos and images taken from the bank's official site that, for obvious reasons, I decided to hide in the screenshot, as well as an "I agree to the terms and conditions" checkbox to make the page look routine. The form posted to a PHP file which simply recorded the submitted inputs. Let's see an example.

And here are the results:

I was pretty sure that my dad wouldn't just go there and submit that critical information only because a random guy pretending to call from the Perfect Bank asked him to. But he did. I couldn't believe it. And we tried it on other people, friends and family too, and almost everyone did what we asked.

So now you may wonder why I asked for just 12 digits. Well, I will explain later! For now, it was simply a way to "gain" some trust, as many people assume that nothing can be done with only 12 digits.

A few days later, on November 22, we were sure that my dad had received his new card. Dimitris came to my home at around 10:00 am and we agreed to act as I explained previously.

He would call my father saying how glad he was to have him as a customer and that he had been informed that his new card had arrived. He would then tell him that one final step was needed to authorize him and enable web banking, and he would send him to the web page we created.

That's what we did, but my father was very busy that day and asked if we could call again the next day at the same time. Moreover, he asked for the name of the employee he was speaking to, but we were ready for this and provided the name of a real employee we had previously found via Google. We also provided a valid email address of theirs (found with theHarvester). Finally, my dad asked why he could not provide this information over the phone, and Dimitris said that for security reasons the bank's policy required customers to submit such information online, over a secure connection that they could verify from the top left corner of their browser (green padlock, HTTPS). Note what that "check" actually proves: the padlock only means that the connection to whatever domain is shown in the address bar is encrypted, not that the domain belongs to the bank, so a lookalike domain with a perfectly valid certificate passes it.

The next day, we called again and asked my father for the information we needed. He said that he would visit the web page later and give us what we asked for. Of course, we "warned" him to provide only 12 digits of his card number, "for security reasons". Two hours later I was able to see this on my screen:

I still can't believe that he gave 12 digits of his Prepaid Card number and his CVV to someone he didn't know, just because that person pretended to be calling from the bank.

So now the big question was how I could get the other 4 digits. That turned out to be simple. My dad is registered on a Greek news website. There is an option there to pay a small amount each month - or year - to receive a printed version of their posts at your home, something like a monthly newspaper. Guess what: there is no HTTPS there.

I visited my father's cafe and performed a Man-in-the-Middle attack. I dropped all the live sessions he had and waited until he logged in again. After a while, I had captured his credentials; since the site uses plain HTTP, they were readable directly in Wireshark. After logging in with them, I went to his account preferences and clicked on "Change payment method." There, I was able to see something like this:

Visa Prepaid Card: ************1234.

This didn't come to me out of nowhere: I had seen the same masked display on sites such as Spotify, bet365 and several others, so I decided to give it a try there too. As you can see, those are exactly the 4 final digits we were missing. The mask that is supposed to protect the card number hands them over to an attacker who already holds the other 12.
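The final step above (12 phished digits joined with the last four revealed by a masked payment-method page) is easy to show in code. The following is an added example and is not part of the original post: it implements the Luhn (mod 10) check that every Visa number satisfies, counts how many 16-digit completions the 12 known digits leave open, and joins the two pieces. The card number used is the standard Visa test value 4111 1111 1111 1111, a constructed input and not anyone's real card.

```python
"""Reconstructing a 16-digit card number (PAN) from two leaked pieces:
the first 12 digits phished via a fake page and the last 4 digits shown
by a masked "change payment method" display such as ************1234.

Added example, not code from the original post. All card numbers used
here are constructed test values, not real cards.
"""
from itertools import product
from typing import List, Optional


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Digits are processed right to left; every second digit, starting with
    the second from the right, is doubled and reduced by 9 if the result
    exceeds 9. The digit sum must be a multiple of 10.
    """
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates_from_prefix(prefix12: str) -> List[str]:
    """All 16-digit PANs starting with the 12 phished digits that pass Luhn.

    Four unknown digits give 10**4 completions and Luhn keeps 1 in 10, so
    exactly 1000 survive: far too many to use, which is why the victims in
    the story felt "safe" handing over only 12 digits.
    """
    if len(prefix12) != 12 or not prefix12.isdigit():
        raise ValueError("expected exactly 12 digits")
    survivors = []
    for tail in product("0123456789", repeat=4):
        pan = prefix12 + "".join(tail)
        if luhn_valid(pan):
            survivors.append(pan)
    return survivors


def complete_pan(prefix12: str, masked_display: str) -> Optional[str]:
    """Join the 12 phished digits with a masked display like '************1234'.

    Returns the full PAN if the combination passes Luhn, otherwise None
    (a None result means the two pieces do not belong to the same card).
    """
    last4 = masked_display[-4:]
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("masked display must end in 4 digits")
    pan = prefix12 + last4
    return pan if luhn_valid(pan) else None


if __name__ == "__main__":
    # Constructed inputs: the Visa test number split the way the story did.
    phished = "411111111111"          # what the fake page collected
    masked = "************1111"       # what the payment-method page showed
    print("Luhn-valid completions of 12 digits:", len(candidates_from_prefix(phished)))
    print("Full PAN:", complete_pan(phished, masked))
    print("Mismatched pieces:", complete_pan(phished, "************1112"))
```

The 1000 survivors show why the Luhn check is no protection on its own: it only tells an attacker which guesses are impossible. The masked display, on the other hand, collapses the search to a single number, which is the whole reason "last four digits" should be treated as sensitive when the rest of the number may already have leaked.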

The only part of the story that I have changed, and that is not 100% real, is the website I used. Of course, I didn't register the domain mentioned above; I bought a domain very similar to the one my dad's bank uses, which for obvious reasons I am not able to publish. Even if the story you just read sounds "hard to believe," I assure you that it worked against several middle-aged friends of ours. At least they have now been warned about social engineering and how they can protect themselves! Moreover, it goes without saying that this story is educational and I would never harm my dad. He even bought me a beer after I hacked him:

I hope you enjoyed my story as much as I did!

Thank you.

Nikos Danopoulos

Nikos Danopoulos has worked as a Junior IT Security Researcher at eLearnSecurity. He has also contributed to several projects such as HACKADEMIC (OWASP), Hack.me and more. You can contact him at danopoulosnikos@gmail.com or find him on Twitter: @nikosdanopoulos.