Thursday, November 30, 2006

Social Engineering - my attack.

An article on today's Slashdot about how a penetration tester was able to break into a bank's computer network caught my attention. See First-Person Account of a Social Engineering Attack.

I have been interested in social engineering attacks ever since reading the story of Kevin Mitnick. A lot of people are simply not aware of how easy it is to gather simple information by gaining their trust or simply by snooping around.

I just thought of an attack for snooping on someone's phone messages. This will only work on phones with an LCD display.

Me: Hi XXX, I left you a message but I did not hear back from you.
Him: Oh ok. I will check it now.
Me: Great.

He then proceeds to check his messages. Of course, he will not have had a message from me.

Him: I did not get a message from you.
Me: Can I use your phone to call mine and make sure that everything is ok? Hey, can you grab me that pencil over there?

Once he is distracted, I hit redial and voilà, his voice mail number and most probably his password will appear on the screen. However, this attack did not work on my Samsung phone.