Welcome to the front lines...

Welcome to the front lines of our battle with an enemy that Wall Street rated the most secretive company.

Friday, July 11, 2014

Cigna Hacking 102: Fast no cost investigations anyone can do

Cigna Hacking 102: Fast investigations anyone can do...


or
...getting to know the enemy...
_________________________________________________________________

Greetings Pilgrims!!
Radical Ed here with part two of our series on Hacking Cigna 101. If you have not read, learned and adopted the lessons from part one, please review them now. As with everything you read on the web, it comes with a 20 meter warranty; once it gets 20 meters from the website, it expires ;)

So now that you know how to get around safely and cover your own tracks, it is time to put those skills to use. This being a techie article, expect to learn something. What you learn here will let you do some things that some people might not be comfortable with. It is up to each of us to weigh our experience with Cigna against our moral compass and decide what kind of fighter we need to be. Before deciding how nice a person you are, though, remember that in broad strokes everything here is something Cigna has already done to Jeff Cobb and so will probably do to you. We are just taking things to the next step.

The task is to learn everything you can about the people at Cigna that you are forced to deal with. This can be extremely powerful given:
  • How paranoid Cigna is about communicating with anyone.
  • How paranoid Cigna employees are about letting you know who you are really talking to.
  • The more you know about the person on the other end of the phone, the smarter your decisions about how to handle them. This can be good or bad for them (but good for you in every case). If you investigate them and find they are front-line (read: expendable) soldiers, they are there because they have no other choice and have no authority to do anything useful in the process. If they are an asshole to you then by all means have fun with them, but if they are even remotely cool and we know what their situation is, we tend to let the little ones go. More than one Cigna employee has escaped our wrath because of this. The bad part of this for the Cigna employee is what the entire rest of this article is about.
  • When you know even a little about a Cigna employee it becomes child's play to catch them lying, as they are wont to do. We are not sure if they lie so much that they get lazy about it or what, but these cretins are seriously easy to catch in a lie.
  • This also can work for the Cigna employee too. The ones that tell the truth are so few and far between that we treasure the ones that don't lie. Knowing more than they want you to about them before you speak to them is one way of confirming someone's good character.
  • It puts you on a more even footing, psychologically when dealing with them. At least it feels that way and sometimes sister, that can make all the difference.


The only evidence we have of an honest Cigna employee...

Easy initial investigations from the comfort of your armchair:
What follows is a quick guide anyone can follow to demonstrate how a mere mortal can quickly get the scoop on almost anyone. Armed with your Tor-based browser you are ready to start getting the goods on the people that are on your shit-list.

If Cigna has already started monitoring you then you know how sloppy a person can be with personal details on the web. While this sucks for you, karma being what it is it will be worse for your target. Let's just say for example you have some knob at Cigna trying to be secret squirrel, not giving out his last name, only first name and last initial. In our case it was Dick Puddle trying to game us; all he gave us was his first name, last initial and (by mistake) his job title. If you recall, Dick was the one who claimed not to have email.

Now here is where a little psychology comes into play. First, the way this guy presented himself to our team sent the vibe that this guy was stuck on some lower-management level, always a B player, never getting ahead, maybe with frustrated delusions of grandeur. Anyone who has worked in a corporation for any length of time knows exactly who this person is. Based on that, this person probably has two key things always going on in his head: how to climb the corporate ladder where he is now and where his next big break will come from. The first does little more than educate us as to his character but the second gives us the keys to the kingdom.

Anyone anywhere in the United States working in any kind of high-powered job will be wired into a few professional websites like LinkedIn.com. There they can set up a little professional history page, post a resume, network with others in their field, etc. The thing is, the average person there is simply saying to any passing employer "please make me an offer". For that to work, this person will post an embarrassing amount of data that he would not normally give out, and this is where we come in. If you sniff out that the target is indeed job-hungry and you present yourself right, the target will voluntarily spew a ton of information your way. It is up to the reader what to do next. Just be careful about teasing the wildlife...


If you have first and last name already you are a step ahead but to quickly learn about someone you can do the following steps:

Step ZERO: Make sure you are using Tor as outlined here. Once you are up and running, it's time to get busy!


Step One: The Google search:
I know it sounds obvious but sometimes the best path between two points is indeed a straight line. Armed with your Tor browser, go to Google and search for what you have on the person. In the case of Dick Puddle (or "dick p." as we knew him then) we searched for what we knew of his name, his job title and the word "cigna".  Shortly we had a list of likely hits with a "Richard Puddle, Consumer Advocacy Specialist, Cigna Insurance". In this specific case, Dick turned out to be part of a family of Dicks and he was the third one. What this meant was there were Dick Puddles all over the place all working for different places.

If you did your research you will know that one of the main places Cigna processes appeals and claims like ours is in Pittsburgh, PA. When we filtered the list that way, Richard Puddle III leapt to the top. We now had his full name, job title and place of employment. Next we wanted his email address, so to confirm it we just used the typical Cigna address format:

FirstName.LastName@Cigna.com. From that we built out every variation of that address we could think of and, using a blind mailer, sent a simple nonsensical message to each. We tried dick.puddle@cigna.com, richard.puddle@cigna.com and so on. If you word your message wrong the spam filters at Cigna will catch it and toss it, so make it look like a mis-addressed email. All you are watching for are the bounces. The address or addresses that do NOT bounce are the most likely candidates, and most of the time you are left with just one. Two caveats: a mail server that silently discards mail to unknown users (or accepts everything as a catch-all) will never bounce anything, so "no bounce" is evidence, not proof; and a "blind" mailer still stamps the sending server and headers on every message, so the probe is only as anonymous as the mailer you chose in lesson 1. If you want to confirm, just email the target an innocent hello message asking about your claim. Bang, you got 'em!



Step Two: The Professional Profile:
So next up is to find out how smart or dense this person is. You handle people who are smart one way and idiots (even ones who think they are smart) completely differently. To know this you gotta learn more about them. This guy took himself for some kind of upwardly-mobile professional something-or-other, so we widened the search criteria again to include "linkedin" and, after a few false hits, we hit the mother lode on old Dick: he had posted his resume, work history, practically his life history on this site.

The problem was that LinkedIn advertised all of this information about him but would not give it up without us having an account there too (which was of course, insane). It would seem that we were stopped at the front gate, so to speak but here is a fun little fact about the way the 'net works:

Often a source of information about a target hides it behind a login, and since you cannot log in as yourself you cannot access it directly. However, the bigger search engines save a copy of every page they crawl on their own servers as a byproduct of indexing it. This is known as a "cached" version of the page. That way, if you are searching for something, find a hit, but the site is down for whatever reason, you can often find a cache link within the results that will display the saved copy. Different engines call this link something different, but they largely amount to the same thing, as you will see below. (Google has since dropped its cache links; the Wayback Machine at archive.org serves the same purpose.)

What screws up places like LinkedIn trying to block people from seeing everything is that the crawler is shown the public version of the profile, not the login screen LinkedIn throws at you when you click on the hit, so the public version is what ends up in the cache.

Here is what it looks like in real-life action. Since Dick Puddle is an alias I picked a name completely at random; this person is innocent of anything as far as I know or care so I did my best to hide actual identifying data from the images while still preserving the overall message. Unlike Cigna, we do not believe in collateral damage, no matter how easy the target or how juicy the ammunition is that we have. That is why one Cigna employee doesn't have to tell anyone about the cocaine possession charge in February. You are welcome, BTW.

Getting past the front door...
So the default search for a name + "linkedin" might produce a hit that looks like this:


If you click on the default link for the hit here:


You are hit by the classic bait-and-switch; baited with the info about this person you click on the name and get switched (redirected) to:


Without valid credentials you cannot get the info and with the credentials they can track who did it. However back at the main hit from the search engine, if you clicked here:

You suddenly jump past the redirect (or at least the crappy one) and get this:


While this may not seem like much information, the bonanza is just below this in the browser window. As a matter of fact, this trick reveals so much information about a person that to attempt to show it would require redacting just about the whole image. In this case you would have seen every school, research project, job and location this person has had for pretty much life.  If you still need convincing this works, just try it yourself.

Sometimes you get lucky...
Doing this simple trick for Dick Puddle opened the doors to his life to us. His entire work history, home contact information, photographs, educational background and so on were all available to us. A through Z, we had him. Not everything goes this easily but a surprising number of the background investigations get off the ground in just this way.

We did take Dick's investigation a bit further and discovered the fun but useless fact that there were 4 people with Dick's name within 20 miles of his neighborhood; one works for Cigna and the other three are registered sexual predators. The upshot is we knew everything about Dick before speaking to him again, so catching his lies was not even a dramatic event. Dick failed after that: he out and out lied to us about how to work with Cigna, he tried to blow smoke up our butts about other things we knew to be false and finally, he tried to exceed his station in life by acting like he had some kind of authority to do, well, anything. In the end we knew he was a sad little middle-management type whose position in life has calcified and who is just frustrated by it. Not even worth going after except for the fact that Dick felt it important to remind us that Cigna would monitor us for the next 12 years. Guess what, Dick? What is good for the goose is good for the gander, so you are now part of the 12-year club, where each member gets to have zero privacy for the next 12 years (the length of time Cigna professes to have the right to do the same to the Cobbs' life)! Turnabout is indeed fair play.



The "other" low-hanging fruit: Social Media:
So what if this does not yield enough information about your target? No problem, that is where you start tracking the social media sites; Cigna is already using this on you. There are at least two ways to get at social media postings on places like Facebook. The first is just a repeat of the trick that works for LinkedIn: the cached links are your friend. The second and more formidable method is where the real social engineering methods come into their own.


Grepping the 'net:
"Grepping" is named after the Unix grep tool and is engineering slang for searching thoroughly. For what it is worth, Facebook is one of the social engineer's best friends because people for some reason log onto Facebook and post just about everything about their lives. Personal pictures, addresses, phone numbers, what their family looks like (along with names and ages if you read the comments), everything. People just do this sort of thing and it requires zero "mad haxor skillz" to find it. To dig into just about anyone, start with the Google tricks; sometimes you get lucky and get what you need in one go. However in about 9 cases out of 10 this just won't get it, so that is where people-finding search engines come in. These seem to come in roughly four forms:

  1. The "find lost friends online" site: Here the pretense is that you think some old childhood friend is on the 'net (somewhere), probably on Facebook/Google+/Twitter/whatever, and you want to find them. These search engines specialize in finding people in those places; plugging the name of a recent target into an engine like this showed that this target had some 30 past accounts, with as many as a dozen active accounts (with links into each), many email addresses with aliases and so on. This person basically puked all of their personal stuff online. Two clicks later we were seeing her pictures, her circle of friends on Facebook (another treasure trove of intel), family and waaaaay more. Sadly for this person she went out of her way to be an ass to the Cobbs, so guess what? She too is on the 12-year program. Sample search engine: PeekYou.
  2. The "no pretense investigation" site: This kind of site is there for one purpose and one purpose only: to dig up the dirt on anyone. Most are front-ends for businesses that will charge you, say, $30 US for a single complete background check, complete with criminal history, civil judgments, personal and professional history, etc. This is the kind of place you go once you know you have your target nailed and just want the heavy lifting to be over. There are hundreds of these sites out there; just search for something like "instant background check" and your cup will runneth over. Here is just one example: Instant Checkmate.
  3. The "white pages" sites: These sites pretend to be more like a local telephone directory. Hitting one of these with a name and city or state can and often does give you everything from the street address of every place they have lived to current personal phone numbers to satellite pictures of their house! Here are three fun ones to try: ZabaSearch, PIPL and MyLife.
  4. The public-records directed search: These are almost always government public records sites, so they are free but usually not user friendly. The other difference is that where the rest search everywhere, here you are only searching for one thing in one place. For example, the U.S. National Sex Offender Public Website will show you all name matches within a geographical area, but you have to know the name and location (generally a city, though you can expand the search radius) first. The odds are long that you will find any sexual predators working at Cigna, but you never know. Search for "public records" plus the target's state name and you will find what you need and sometimes more than you want. Records are online for checking licensing of all kinds, from the driver's license of a low-priority target to medical licensing information for some of the more senior Cigna co-conspirators.


Using actual intelligence:
The thing to keep in mind with all but the raw public records sites is that they are in business to make money and at some point they will be asking for some. They also know nobody is going to just blindly give them money for information with no evidence that the data is real so they tend to dangle some real facts in front of you as an enticement to pay.

What makes this useful is there is no standard model for this so where one site might dangle a partial name, an age and a partially redacted email address, another might give the whole name, age and location.  In other words, no two sites give the same exact information the same way so if you survey enough of these search engines (stopping short of hitting the "buy report" button) writing down everything as you go, you wind up with a pretty complete picture of this person. At the very minimum you should have: Full name, married name (if applicable), satellite picture of their current address along with home, cell and work phone numbers, addresses of the past several places they lived, date and place of birth.  This is already a lot more than you had and probably more than they would like you to know but tough. Speaking of tough, this is just the quick-glance over for a target. In the next article we will take things to the next level, the one reserved for those special Cigna assholes on your Christmas list. How? For now just Google for "social engineering".

Until next time, keep hacking!

Radical Edward
CWJTechTeam at GMail dot com

