Welcome to the front lines...

Welcome to the front lines of our battle with an enemy that Wall Street rated the most secretive company.

Friday, July 11, 2014

Cigna Hacking 103: Swinging for the fence...

...or Better Living through Social Engineering.
________________________________________________

Sun Tzu once said before you can know your enemy, you must know yourself. Well, if he didn't say that, he should have. You have your target name from the files you scoured here (link to warrior mindset). Your mission: find out all that you can. But how without elite haxor skillz? There is a whole branch of hacking known as Social Engineering. This is where you pair a little bit of knowledge of the world of the 'net with just a touch of confidence man to get what you need. 


Here is a little graphic to kind of sum up how social engineering works in the pure hacker world:


So how does the attacker actually get the information from the target? Here are the most common methods that social engineers use to get the goods:


Almost all of those techniques will be beyond most folks, so we will concentrate on the ones that anyone can use with success. Surfing Online Content we dealt with last time; now it is time for the role-playing. Don't worry, you are not going to go crazy with this; with just a little effort you can really pull in the data and you are only limited by how badly you want it.

After the efforts of my last article you should have at least a brief but clear glimpse into the worlds of your targets but more to the point, you have enough information on those special assholes on your list to take things to the next level. This is role-playing but in fact, you are only actually role-playing for a search engine of one kind or another, gaming the results as you go. Let's say you have two targets picked out for special consideration, one that is a social (media) butterfly and another that wears a suit (professional). It is time to put this all into motion!


You should already know some key things about your targets, mostly about where they socialize on-line (a la Facebook, MySpace, LinkedIn, wherever), where they went to school, where they grew up, etc. Hobbies and interests are also important here. Sometimes family heritage can be used, sometimes it can be something as simple as children. With this information ready, what you want to do is to create a person that this person would want to know. In the case of the professional it can be alumni, perhaps a potential employer, someone from home town or better yet, in the same business and/or in the same city (if the city is big enough). Matching the general age-group and/or name ethnicity helps too.

Start a new file for your first persona and establish (make up, etc) things like:
  • Full Name: Make one up, have fun with it. 
  • Marital Status: Match the target
  • Date of birth: Match the target age group but add 3 years. No idea why but people tend to believe someone older than them.
  • Physical address: This cannot "smell funny" so what we did was pick a town just outside of the one that the target lived in, then selected the address of a tattoo parlor, along with the area code for the telephone...
  • Telephone number: Using the area code from the previous example, make up any random number.
  • Email address: Now this is a little more work because the email address of course is not for a real person but many places use an email address as proof you are real. I know, I know but what you do is (again using the Tor browser) go to a place like Hushmail.com, fill in the new account stuff with the BS you made up above and register the address. Say your made up name was Fu Manchu; registering fmanchu@hushmail.com works fine. What is important here is that no actual information about you went out yet now you have a point of contact plus places like LinkedIn will sometimes mail a verification mail to that address and expects it to be answered. One thing about Hushmail is that the account is free and easy to set up but you have to check it once every three weeks or it lapses. It goes without saying that you never log into your fake email accounts, Facebook, etc under your own connection. Do it through Tor and you won't be traced. 
  • Work history: Here too you can have fun. Mix in some of the target's previous job titles in with competing company names in the same industry. If the target is male, add in as your "current" position what would be one level up from where he is currently. The reason for this is simple human nature: Much of the time females tend to live by the "misery loves company" theme and so relate to someone else in the same trenches as they; bosses are generally distrusted. Males on the other hand see a senior person and either look up to them as mentor or as someone whose position he desires. Not always and in every case but you would be surprised how often this little nugget comes in handy.
  • Education: Match the target but only to a point. Obviously you did not go to school in the same place during the same time but you can find other universities that teach the same things or maybe they are in the target's home town, whatever. In this case, make the education good but not great. A little extra thought here can yield some fun results.
  • Hobbies: Match the target. If they like rafting, you like rafting. If they like reading, you like books too. Don't hit every hobby; generally one or two will suffice for what comes next.
Have a persona for every target...

The Payoff:
At this point you should be armed with a good-ish data sheet on each target, a persona tailored for that person and knowledge of what social sites they spend their time on. What you do is go to the social media site for that person, sign up using the email address you got at Hushmail along with the rest of your personal "details". You have now done enough so it is just a matter of waiting for the fun stuff to come in. These social sites make their money by helping people of similar interests, backgrounds and so on. To make this happen when a new person signs up, the website will try to generate a list of names of members that you might know based on your (made up, tailored) information. This puts you one link away from just about everything you could want about that person and the social media site trusts you because you are a member and you got that with a made-up email address.

More than that, once this has happened and you are sure you have the right target, you can usually "follow" (in Google+ speak) people so you can see when they post stuff and sister, they post EVERYTHING. And they keep doing it too. There is no way to describe the depth of personal information you can get just by burying this seed and watching what sprouts.


Real world examples:
Here are examples of this in action. This will be descriptive only because there is just too much personal information in any screen shot and if we are going to use it, we are saving the actual data for when it will hurt the most.

Test case #1: Target: Dick Puddle. In his case we made up a slightly older fellow following the template outlined above and entered it on LinkedIn where he is whoring himself out for another gig. Within 48 hours our interests and therefore our accounts were linked up and we were in business. It is up to the reader's imagination as to what would happen from there had we chosen to pursue him further. One other bonus from this however is that LinkedIn helpfully gave us a link to every employee at Cigna that is registered with LinkedIn! Woowoo! We had a ball with this data and used it (along with other sources) to build a small organization chart for the parts of Cigna where our target worked. This also became some golden information for later.

Test case #2: Target: Lucille Smalls. In this case Lucy is more of a social butterfly so we invented a special persona that could be someone that both Lucy and one or more of our other targets might like to know. We positioned this person in the industry, not in Lucille's chain of command but same general department (type). We also had this person graduate from Lucille's home town in Florida BUT also gave this person some medical training and a work history that included the same exact (bizarre) job title that another target had. This way we scooped Lucy, Nurse Ratchet and another target. This person we pushed onto both LinkedIn and (thanks to the work done last time) Facebook since more than one Cigna employee frequents there, even at work but that is another story ;)

For her we invented one "Agnes Feldweibel" of Youngstown, PA, originally from Florida.  Age was 50-something with both grown and young kids, working for the Onzin Insurance Company ("onzin" is Dutch for "bullshit"; if you know Pennsylvania, you get the joke). We originally had her born on a leap year but that wreaked havoc with just about every service we tried that wanted a date of birth. Oh and Agnes lived above a tattoo parlor in one of the seedier parts of town.

Remember, at this level the persona is simply a magnet for personal information in a place where people spew it. If you wish to take things further, that is up to the thespian in you. Or maybe the devil on your other shoulder; in the end it doesn't really matter. The point is now all the pieces are in place where you can monitor your targets as often and as little as you want. They (like you) will never know when the binoculars are pointed into their window and from what direction. A classic case of giving them their own medicine, it didn't cost you a cent and as long as you have a connection to the 'net, their privacy is gone as long as you want and the best part is, they really are dependent on your good will from here on...

So what do you get out of all of this? Well armed with this:

  • It is harder for them to lie and easier for you to catch them when they inevitably do.
  • When you know the person on the other end of the phone better than they do themselves, it can provide a feeling of empowerment, a definite psychological edge when dealing with the enemy.
  • The upside to knowing the target so well is that you can tell what motivates them and by extension of that, the likelihood that they will actually help or hurt you.
  • Knowing what this person holds dear and close to their heart can give you an in if you need to try to coax one of the enemy to your side by "relating" to kids/mothers/whatever you get out of your social engineering exercises. Serious role-playing but this works more than you think.
  • You remove a lot of the "bullshit" arrows from their quiver. The inter-department data collected from the LinkedIn step can yield much about the people your target works with and more importantly for. This way if your target says "let me ask my manager Felicia about such-and-such policy" and you already know that "Felicia" is just another line-worker, you know the target is trying to pull a fast one. Catching the target right then and there with precise information about who Felicia is is the "one-punch" and then demanding to speak to the target's manager by name is the "two-punch" that basically yanks the chair out from under the target's little line of bullshit. When a Cigna employee cannot go to the easy lies they have to think on their feet and this is where they tend to screw up. Watch for it and have fun.
  • You can "monitor" your targets as long as you need or want to with no cost. If any of your personas fall through, just crank out another one and have at it. Once you have done it a few times you will find the hardest part is thinking up the back-story without adding too many smart-ass details to it. Even if one or more of your personas are discovered, that too is good because that is proof to them that they cannot trust anybody and that you are there keeping them "company".
Well, congratulations my friend! You have used what you have (your brain and your connection) to accomplish what might have otherwise been out of your reach. In some ways you have a better hold on them than they do you. At the same time, holding them by the balls may make them less likely to try anything stupid.

So where does the new-born Cigna hacker go from here? In the words of the great military strategist Major Kusanagi:


So until next time,



CWJTechTeam at Gmail dot com.
