I grew up in Yorkshire and of all the likeable local traits there is, there is one I despise. The gruff, basterdised local accent. Londoners mistakenly view you as a farmer and there is no risk of hearing the tones of how we speak on the ten o’clock news. I was 12 when I learnt that ‘nowt‘ was not a word – it’s actually ‘nothing’. Which might explain why it’s done nothing for me all my life and I make a conscious effort to remove these words from my voice at the first signs of a formal event. But this week it has been useful.
I noticed whilst on the phone to an unnamed council that their new phone switchboard would try to guess your answer and make allowances for my poor received pronunciation. It’s not a complicated affair, you dial the switchboard, the device answers the call and suggests you give it the name of a member of staff or department to pass the call too.
It’s little events like this that make me fill with joy as my brain takes it from a casual mistake to a repeatable, nation wide, anonymous social engineering attack in seconds. Let me get to what is happening here and why this a bad thing.
Impact
When any worthwhile attacker is doing his recon, a very valuable piece of information is the full staff directory. Obtaining this one document can make or break an attack. It’s quickly turned into a list of staff emails and usernames, using the same convention the organisation use. We know Phishing is a risk, it’s 2016 lets move on. Phishing with the full staff directory is devastating, accuracy is improved, failed emails drop. You can research all the staff and reveal even the most social media shy individuals. That one small mistake that made me happy on the phone system is the staff list. At least it will be shortly.
Exploitation
On to Apple Automator for exploitation. Nothing fancy here! Gather the most popular baby names from 1975. Set some well timed pauses, use my iPhone connected to my Mac as the dialler, Record the target automated call handlers responses. I found if the system was sure of a mismatch it wouldn’t disclose a staff name at all – The exploit depends on a mumble… So I used an edited version of the ‘mumble peg’ scene from Family Guy, inserted at the correct time.
Thank you for calling ***** council, please say the name of the person you would like to contact.
Apple Automator: “Joe”
iTunes: “mumble mumble”
“Did you mean Joe Bloggs”
Now collation of all the responses is quite time consuming, until you remember that computers don’t mumble and their audio is really clear – clear enough for voice to text software to turn it back into nice useable text.
The phone system is a popular automated one (Which after fair time for the company to respond I will name), they are all effected. If you use this type of system, you have your staff list available to all.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.