Successfully Social Engineering an ISP (more specifically, Sympatico)

***

Social engineering at any ISP can be easy. Knowing how they operate is key; knowing what the help desk is instructed to do and say in certain circumstances is imperative.

DEFINITION

Social Engineering: Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.
http://www.dictionary.com/cgi-bin/dict.pl?term=Social%20Engineering

THE BASICS

The first thing you need to do is determine what you want from the ISP. You may only want a user ID or password, or you might be at the other end of the spectrum and want to create total havoc and chaos at the ISP. Either way, figure out specifically what you need. I'm going to focus on getting the password and user ID of Sympatico accounts.

BASIC INFORMATION & SCENARIOS

If it's your first shot at calling the Sympatico Help Desk (310-SURF), I suggest calling and asking the help desk agent some simple questions to get a good idea of how stupid they are. Crack a few jokes and keep the conversation light. Never EVER let on that you know anything technical. Always play stupid; it'll make them feel smart and empowered (most help desk agents see themselves as knowing more than you anyway, so there's no point in getting into an "I know more than you" argument, it won't get you anywhere). As well, if they can't answer your technical question they'll have to ask either their supervisor or another help desk agent, which may draw unnecessary attention to your call. I can't stress enough how important it is to come off as being their "buddy". If you sound nervous and unfriendly they'll question you and not feel bad about withholding information.

At Sympatico, each call is logged in what they refer to as "tickets"; they're all kept in a database called "remedy". Some help desk agents are lazy and don't log every call; as well, tickets are usually poorly written and not very specific. The only department that logs tickets properly (most of the time) is the Sympatico Abuse department, so be careful if you refer to that department. The good thing is that most of the staff at Sympatico, whether it be a help desk agent or supervisor (or whoever), doesn't know what the Abuse Department does. The Abuse Department is responsible for answering complaints about network abuse. Their only function is to either deal with people who get spammed or hacked, or deal with people on the Sympatico network who do the spamming and hacking (script kiddies mostly...). This is an important piece of knowledge because if you are trying to get a password, you can use the excuse that the Abuse Department reset your password and you can't remember it, or you wrote it down wrong because it doesn't work. If you are going to use that excuse, you'll need to make up a sob story about how someone got your password and was using your account to spam, or send hate mail, or whatever. Don't go overboard; make it believable! The help desk agent will feel sorry for you and will try to look up the ticket where the password change was documented, so make sure you make it a point to mention that you just got off the phone with the abuse people. They'll hopefully conclude that either they are still working on the "ticket" or that remedy isn't that quick.

When you call Sympatico, the automated system will ask you to enter your account number. Depending on what your strategy is, you may or may not want to enter a number. The number you enter will bring up an account when the help desk agent answers the call. This can be a disadvantage or an advantage depending on how the help desk agent answers the call. What I mean is, sometimes the help desk agents will answer by saying the person's name, like "Sympatico Help Desk, how can I help you Mr. Doe?" Then you'll already have the person's last name; if you don't know the first name you can always say you are Mr. Doe's daughter or son and that the account is yours but your parents pay for it (or whatever). If the help desk agent doesn't say the person's name (like they're supposed to) they'll say something like "Sympatico Help Desk, can I have your user ID please?" People enter the wrong account number all the time, so it's no biggie - but you'll have to have a user ID. User IDs usually begin with b1xxxx (the x's represent numbers). If you live in the Yukon they will start with y1xxxx; if you live in Newfoundland they'll start with a1xxxx; some areas in Nova Scotia also start with a1xxxx.

Once you give them the user ID they may ask you for your address. This is when you need to get creative. You can say you just moved and don't remember, so you have to look at a piece of mail; when the address doesn't correspond with their address you can say "well, I changed it yesterday with the Billing department. How long does it take for the address change to show in your database?" The help desk agent more than likely won't know that answer, since the Billing department is responsible for address changes and such. You can say something like "well, when we're done here can you transfer me to billing so I can make sure they made the change? I don't want to be late paying my bill." Showing concern for the well-being of the account is always good; when they transfer you, just hang up. Just be creative and pay attention. If the help desk agent says the account holder's name at any point in time, that's key. Even if it's some weird name and you aren't sure how to spell it, you can simply complain that companies never spell your name right and your bills have a different spelling on each one (or something like that).

If you can get a Sympatico email address and you know the person's name, then getting a password from the help desk is very simple. The Sympatico email addresses resolve to the person's user ID, so if you have the email address then you have the user ID. If you have access to any mail server, it doesn't matter if it's in your name or not, telnet to the mail server and send yourself an email (be sure to put your email address as a blind carbon copy so your email address isn't visible), put the Sympatico email address in the "To:" or "CC:" field, and the mail server will resolve the user ID for you. When you get the email (they'll get the email too, so make sure you make it look like spam or something), all of the Sympatico email addresses you entered will be in the form of their user ID; it'll look like "b1xxxx@sympatico.ca". I'm sure there's an easier way to resolve the addresses if you only have one address to resolve, but if you have a bunch of email addresses (you can get tons of email addresses from the Sympatico newsgroups, by the way) it's easier just to send yourself an email and it'll resolve all of the addresses at the same time.

Once you have the user ID and email address, there are several things you can do to get this account's password. The easier way would be to call the help desk and say that you can't get into your mailbox because you get an error message saying that the password is wrong (remember not to mention authentication or anything; choose your words carefully, you want to sound as computer illiterate as possible). The help desk agent will ask you to verify the password. The Sympatico passwords usually contain lower case letters and numbers; the letters are always lower case and the password is 8 characters long. You can say that it's already in the password field but you can't see it because of the *'s (asterisks), and that you had it written down somewhere (rustle paper around and stuff, make it sound like you are looking for it); just say you can't find it. Make up a convincing story about how you haven't changed it and it's been in the password field and worked yesterday. Ask them if they are having problems with mail (try not to mention mail servers; again, this will make you sound smarter than you want to sound). Eventually the help desk agent will get fed up and tell you to write down the password, and they'll give it to you. This has worked more times than not for me; the key is to sound really computer illiterate and really dumb. As with any call you make to the help desk, it just depends on who you get and how convincing you sound.

The time you decide to call will also make things easier on you. It's always worse to get someone at the beginning of their shift. Most shifts are either 7am - 3pm, 8am - 4pm, 4pm - midnight, or 11pm - 7am (those are the regularly scheduled shifts for the help desk). The Abuse Department works from 8am - 4pm and 4pm to midnight. So time your call properly and it'll make everything that much easier for you. The people who work from 11pm - 7am are never happy, so if you call at like 2am they're already sick of taking calls from drunken bastards who piss them off; it's always better to avoid calling those guys, they're tired and unpredictable! :)

If you have to call back and try again, make sure you do it during high peak hours, like around 6pm (the help desk is in the eastern time zone ([-4 GMT], EST)), because if the help desk agent you last spoke to is free you will get that person again. The system is designed to direct your call to the last person you spoke to unless they are already talking to someone else. There are probably a couple of hundred help desk agents, including billing and the high speed agents, so if you call during high peak hours the chances of getting the same person are slim. If you call back using the same user ID and/or account information, there will more than likely be a ticket already logged in remedy that describes the last call. If you messed up really badly and the help desk agent noticed, it would be logged in the ticket. Even if you mess up you can always leave the call open by saying something like "I can't find the address (or whatever piece of info it is you are stuck on), I'll have to call back." Then when you do call back it won't seem so weird, because the fact that you are calling back will be logged in the ticket.

CONCLUSION

Don't be afraid to use this information; the worst thing that can happen is you won't get the information you want and will have to call back. Try not to raise any suspicion by hanging up on the person; ride it out until they give you the information you need. Be persistent and creative, and you'll get what you want. This information should help; it's not meant to be the official guide, so use it for tips and bits of information. As with everything else, you have to figure stuff out on your own.

WonderWench
12/28/2000

*** resist, unlearn, defy ***