A social engineers experiment

by Karl Niebuhr on July 5, 2016

This is a guest-post from a friend of mine. Without further ado, here it is.

Hey there! My name is Juno_Kruvchenko, of course, this is an alias I use to protect my identity. I’m a latin American, System Analyst and Certified Ethical Hacker by EC-Council.

Last year I started a job with a local company and since I’ve been always a very curious individual, that same day I decided to conduct a small Hacking experiment on human beings instead of technical systems.

I’m no trying to hide, au contraire because it is necessary for you to know me in order to know what I tried to do (and succeeded by the way). Despite my curiosity, I’m a very open-minded and friendly guy who likes to share everything with friends and acquaintances regardless their genre and/or religion, it’s 2016, the 21st Century! Well, the first day I arrived my Bosses received me with the usual kindness and predisposition that every good person does when they meet new people. Of course, this didn’t last a day and they already started to sneak around about what I was doing, why I was doing it that way and not the way the prior personnel used to do, it was clear to me that something was going on before I arrived.

It turns out that the people who worked there before me centralized every piece of information providing and gathering into their own workplace. People who already have experience in IT know that IT people have their own responsibilities which do not include administration and/or operative functions. So, I ended up giving people their original responsibilities and they didn’t like it. It was clear that I had to change my approach to them, so I started to do my job and demonstrated them that I couldn’t handle what the previous people handled (the amount of stuff that really doesn’t belong to IT), so they slowly started to “help me”. All this I did with the utmost respect for their job positions and kindness, always showing all this so they don’t feel attacked or discriminated for what they do because that tends to happen sometimes when a company it’s too large and people only seek their own promotion rather than helping others out.

So, the first day I was listening to everything (the Gathering Information stage) and since I’m a very good listener and an impartial one, people started to naturally like me because most of the things they disagreed with previous administrations I naturally agreed with them because, to be honest, the Company was doing the job in the wrong way and I knew it and I couldn’t disagree with something that from experience, I knew it wasn’t supposed to be like that.

The end of the first week I was exhausted. There was too much information, the previous administration left few to none company information (which should stay within the Company, not to take any of it) and I honestly did not know how to build my own information. So the next Monday I started to ask people how things were made “back in the old days” and they seemed to like the idea that I would “depend on them”.

Even things that I knew I asked them so they felt that “they shape my way into the Company” and then we all started to get along. The second and third week my coworkers started to ask me things here and there, because they knew I had knowledge regarding business and IT administration, so my manners and my attitudes towards them were always to treat them as professionals until this day (whether they were or not, because most of them didn’t have a degree yet but they are experts in what they do nonetheless. (Not having a degree doesn’t necessarily make them less professional for the record).  Then I started getting into the Company’s culture, it was quite a journey because I’ve never worked in a Company where people hide information to make them irreplaceable (not dismissable) for the Company. And then the work ambient started to improve, people started to laugh more often, I played white jokes on them and on myself so they know that I can laugh at myself too. It seemed innocent for them and eventually by the end of the month they didn’t see me as a stranger anymore, they started to see me as one more of the bunch, but they still kept an eye on me like a small distrust for being “the new guy”.

As you may see, the trust on both sides (from my side and theirs) started to build naturally and in the second week of the second month, I started to gather “further information” regarding their lives because we started to hang out after office and naturally people let loose with booze. I paid attention to them and made mental notes.  Every piece of information for every coworker I gathered, I combined to make small mind maps for their possible passwords.

As most hackers know, birthdays, dog names, ID numbers and other very personal stuff are often contained in peoples passwords. I tried some passwords with a few users that I already knew by giving them technical support at some point. I bounced a bunch of times but this only made me more motivated. It was the third week of the second month and since I’ve previously failed by accessing their system and email accounts, I changed again my approach and I started to look more at their behaviour in public, the words they constantly use, the way they behave with women or men, the body language they speak, the voice tone they use for every word they say, the voice tone they use when they talk to you, even how they look at my eyes.

All this may seem to you “just a bunch of bullshit” and “psychological crap from a guy who knows little to none from hacking computers”. But allow me to remind to that Hacking itself it isn’t that hard, even a 10-year-old can found a vulnerability from a computer, but it takes a lot of psychological knowledge and to be a social creature to actually get into the mind of a human being. To actually guess what they think and take advantage from what they tell you and what you see in the details. As an old quote goes: “the devil is in the details” and it’s quite true.

By the beginning of the third month in the Company, people treated me like a brother, like one more of them, joking with me, by that time they trusted my word like anyone else within the Company. By this time they’ve started to ask for my coffee, tea or sugar when they forgot their own and I was completely fine with it. At this point, they used to come to my office and sneak around my stuff seeking cookies or other treats that I’ve specially bought for that purpose. And eventually, I started to visit their workplace with my cookies or jerky in my hand offering them a few and they naturally accepted it. We all know that positive and good behavior comes from treats given to one subject (whether is animal or human) and we all know that we can enforce and even improve that good behavior to a better one with a little bit more treats (in this case cookies or chocolate bars that I shared with them).

And yes I did it with a double-purpose because I really liked them and because of my experiment. A few days after all this started to happen, they started to ask me more of my personal life, I gave them half truths and half lies, never the complete truth (they were my coworkers and they started to know me and besides, who tells the complete truth to they coworkers?) enough to keep them interested in me and enough to blend in. So then, they began to bring their breakfast to my office or me to their office and breakfast together, it was a healthy relationship between us and every additional detail that I obtained from their personal life, I added to my mind map.

I came to one point that I knew almost everything from the Company and by the fourth month, I knew everything from everyone (what they do in their spare time, what their most personal tastes are, what do they actually like, what they actually want to do in life, their dreams, their expectations, etc.) and even more corporate information that to be completely honest, I was not expecting to get. By that time when I got 100% of the corporate information and of the personnel involved in my experiment.

After all this I could finish my dictionary which was quite large and I slowly started to arrive earlier at work in the mornings and try their user and passwords, with 2 or 3 attempts it was enough to log into their accounts. I SUCCEEDED!

And yes, since I was the system administrator I could’ve just looked it up at the server but my ethics does not allow me to do that and my experiment wouldn’t be honest, so I did it “the hard way”. So this was for the Company computer accounts (whether email, system, server, etc.), but a little bit after the second week of the fifth month I started to see some particular behavior when they checked their personal or corporative phones. That change of behavior seemed 180 degrees different from the personal phone to the corporative phone. So I started again to the middle point where I studied their behavior.

What I found eventually by sneaky looking at them (and I confirmed that they didn’t notice me) is that they weren’t looking their personal phones the same way they look their corporate phones. Allow me to explain this: When they wanted to use their personal phones they looked more secretive, they remain more vigilant to their surroundings trying not to be caught with their phones. I saw some of them bought the same phone as the corporate one so, for the bosses, it was their corporate phone. Another sneaky thing that I’ve found was the way they communicate things to others, they didn’t use Whatsapp or any other IM, they accessed each other’s computers via VNC and chat on the Notepad (yes, that classic notepad from Windows).

So when the bosses were around they weren’t looking that often to their screen, so it appeared that they were working as hell, but actually, they were chatting with each other on the notepad. I found out occasionally when I went to a coworker’s desk to ask him something but he wasn’t around and I saw the notepad writing by itself just before it went to the screensaver. Then he arrived and he jump-scared because I was looking to his screen and he said: “why are you looking at my screen?” and I replied: “your screensaver it’s simple but it hangs my brain, I like it!” (he laughed and he didn’t notice that I saw anything else).

So, then I realized that something else was going on about which I was obviously not in the loop, so I started to try people’s phone passwords. I first failed to access their Android phones because they had mostly in pattern lock and iOS the 6-digit lock code. After this “massive fail” from me, I had to know what they use at most on daily basis and noticed this: every person using an Android phone within the Company had a simple pattern lock that was almost consistent with the words “L”, “P”, “V”, “M”, “6” or “□” (this square was particular in every case, some took the whole pattern and some a small part at top or bottom). For iPhones I saw almost a pattern between owners putting their passwords: 987654, 11221122, 123123, 456543, 111111, 000001, 456123 and the most complex that I’ve found was 753159 (which looks like a letter “X” when you look at the keypad layout). An additional Android owner had this password “9876”.

How I managed to see all these? You may not expect it. Since I was already “one of the bunch” and a trustworthy guy, people use to left their phones next to me and I started to look at the reflected light from the screen and because people usually don’t clean their phone after immediate unlock, I took advantage of it. I took note of what numbers they pressed and after 2 or more taps, the finger left a small smudge on the first number or second tapped. Almost the same for the pattern lock, people weren’t smart enough to clean their phones after entering their passwords. It took a dictionary-like pattern drawing from my part on paper to get the correct pattern… AND I SUCCEEDED!

People use to leave their phones when they rush somewhere else in a hurry or even when they go to the bathroom, so it was just a matter of timing for me to go to their office and take advantage of them not being there, and because there were no cameras in their offices and no listening devices, it wasn’t hard at all to snuggle around the office without being noticed. It took me 8 months and 23 days to complete this experiment and I’ve succeeded at 100% only because my curiosity took me this far and I know that you may feel that I betrayed the trust of these people but believe me that I did not. I never did anything with their personal accounts or phones and I won’t. This experiment was just that, AN EXPERIMENT to prove a serious point: Hackers can get personal information with some SERIOUS Social Engineering and it can be more powerful than expected when applied rigorously.

Now that I’m finished with this experiment I just want to forget the things that I know, it’s too much to one person to handle, it’s too compromising and I will not take any actions against these beautiful people who I call coworkers and friends. I think of myself as a White Hat Hacker and I will always remain like it. I exist as a Professional to protect people (even from themselves) and I will do everything in my power to protect them.

One day I was speaking to them and told them what I’ve found regarding their personal information security and they were kind of surprised. They completely forgot that I was a CEH and they started, as usual, to make jokes on me and we all laugh but between jokes and laughs I started to talk with them about the information they leaked out without noticing it. In order to make them a little paranoid for their own protection.

The thing is that 80% of the people believe that “hackers only hack computers” and now I’ve proved a point. When we (Hacker) want information, you won’t see our desire for information, you won’t see our hunger for access, you won’t know when we access something and you won’t know who we really are unless we reveal ourselves.